sigma-rule-starter.yml
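# Sigma Rule Starter Template
# Fill in the detection section with your specific detection logic.
# The structure is provided -- the detection pattern is yours to write.
#
# Nesting is significant: `category` belongs under `logsource`, `selection`
# and `condition` under `detection`, and the example fields under `selection`.
# Placeholder values are single-quoted so they parse as plain strings; an
# unquoted `[...]` would be read by YAML as a flow sequence and fail
# Sigma validation (title and id must be strings).
---
title: '[Rule title -- describe what this rule detects]'
id: '[Generate a UUID for this rule]'
status: test
description: |
  [Describe what attack or activity this rule detects,
  what log source it works against, and what conditions trigger it.]

# Log source tells Sigma where to look for the data
logsource:
  category: webserver
  # product: [specific product if needed, e.g., nginx, apache]
  # service: [specific service if needed]

# Detection defines what patterns to match
detection:
  selection:
    # Field names must match your actual log labels in Loki.
    # Check Grafana > Explore > Loki > your log stream labels
    # before writing field names here.
    #
    # Example fields (replace with your actual label names):
    # fieldname: 'pattern to match'
    # fieldname|contains: 'partial match'
    # fieldname|re: 'regex pattern'
    #
    # The line below only keeps the YAML valid; replace it with real
    # field/value pairs before the rule is deployed, otherwise it will
    # never (or wrongly) match.
    pass: placeholder
  condition: selection

# Known benign causes of this rule firing -- fill in to aid triage.
# falsepositives:
#   - '[Describe a legitimate activity that also matches]'

# Severity level
level: medium

# Tags for categorization (ATT&CK technique IDs).
# `[]` keeps this an explicit empty list (a bare `tags:` parses as null);
# replace it with the block-style list when you add entries, e.g.:
# tags:
#   - attack.initial_access
#   - attack.t1190
tags: []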