Sigma rule syntax to generate an alert whenever an "alert" syslog message is received

[S6T0Sa0B1v]

Hello Security Onion,

We are currently in the process of tuning our Onion instance which will be used primarily for the ingestion and analysis of syslog messages from our network perimeter. I have tried to write a simple Sigma detection rule to generate an Onion alert on all "alert" level syslog messages forwarded from our network devices, of which we receive about a dozen a day.

I am new to Sigma configuration so I have read the documentation on rule creation and log sources from the default rule template and have rewritten the detection rule several times, but haven't managed to get it to work. Since it appears that there is something I am not understanding about the correct Sigma syntax for such a rule, I wanted to provide the latest version of the rule below for review by the Onion community. Any other examples of simple Sigma rules that generate similar alerts would be very helpful as well:

# This is a Sigma rule template, which uses YAML. Replace all template values with your own values.
# The id (UUIDv4) is pregenerated and can safely be used.
# Click "Convert" to convert the Sigma rule to use Security Onion field mappings within an EQL query
#
# Rule Creation Guide: https://github.com/SigmaHQ/sigma/wiki/Rule-Creation-Guide
# Logsources: https://sigmahq.io/docs/basics/log-sources.html

title: 'Syslog ALERT findings rule'
id:  219f747e-2bbc-48bf-bdb5-4a1ca488289e
status: 'experimental'
description: |
    This rule, 219f747e-2bbc-48bf-bdb5-4a1ca488289e, is designed to trigger an alert in Onion whenever a syslog level 1 ("ALERT") message is received from the perimeter.
date: '2025/03/23'
tags:
  - detection.threat_hunting
  - attack.technique_id
logsource:
  service: syslog
detection:
    selection:
        message:"alert"
    condition: selection
level: 'high'  # info | low | medium | high | critical

To reiterate: the rule's intended function is to trigger an Onion alert whenever an "alert" level syslog message is received from any of the perimeter network appliances that are currently forwarding to our Onion instance.

Any suggestions/insight on how I can make this rule function as intended would be very much appreciated. Please let me know if you have any questions and I would be glad to respond ASAP.

Thank you!

[S6T0Sa0B1v]

After testing this further I believe I've landed on the correct configuration for the rule:

# This is a Sigma rule template, which uses YAML. Replace all template values with your own values.
# The id (UUIDv4) is pregenerated and can safely be used.
# Click "Convert" to convert the Sigma rule to use Security Onion field mappings within an EQL query
#
# Rule Creation Guide: https://github.com/SigmaHQ/sigma/wiki/Rule-Creation-Guide
# Logsources: https://sigmahq.io/docs/basics/log-sources.html

title: 'Syslog ALERT findings rule 2'
id:  [UUID]
status: 'experimental'
description: |
    This rule, [UUID], is designed to trigger an alert in Onion whenever a syslog level 1 ("ALERT") message is received from the perimeter.
date: '2025/03/5'
tags:
  - detection.threat_hunting
  - attack.technique_id
logsource:
  category: firewall
  service: syslog
detection:
    selection:
        syslog.severity_label : "ALERT"
    condition: selection
level: 'high'  # info | low | medium | high | critical