pySigma 1.2.0

Sigma rule processing and conversion tools

pySigma

pySigma is a python library that parses and converts Sigma rules into queries. It is a replacement for the legacy Sigma toolchain (sigmac) with a much cleaner design and is almost fully tested. Backends for support of conversion into query languages and processing pipelines for transforming rule for log data models are separated into dedicated projects to keep pySigma itself slim and vendor-agnostic. See the Related Projects section below to get an overview.

Getting Started

To start using pySigma, you need Python 3.10 or later. Install it using your python package manager of choice. Examples:

pip install pysigma
pipenv install pysigma
poetry add pysigma

Documentation with some usage examples can be found here.

Create Your Own Backend for pySigma

The creation of a backend has become much easier with pySigma. We recommend using the "Cookie Cutter Template" and reviewing the existing backends listed in the "Related Projects" section of this README.

pySigma Cookie Cutter Template

Features

pySigma brings a number of additional features compared to the all in one sigmac, as well as some changes.

sigma-cli is the equivalent of sigmac for command-line conversion

Modifier

use sigma list modifiers

Backends

use sigma plugin list --plugin-type backend

Overview

Conversion Overview

Pipelines

More details are described in the documentation.

Testing

pySigma uses pytest as testing framework. Simply run pytest to run all tests. Run pytest --cov=sigma to get a coverage report.

Building

To build your own package run poetry build.

Linting

To lint the code run poetry run black. To check for linting errors run poetry run black --check.

This project also uses pre-commit, which is installed by poetry as part of dev dependencies. To install the git hooks run poetry run pre-commit install after cloning the repository and installing the dependencies.

Contributing

Pull requests are welcome. Please feel free to lodge any issues/PRs as discussion points.

This blog post by Micah Babinski explains the process from a developer's perspective.

Maintainers

The project is currently maintained by:

• Thomas Patzke thomas@patzke.org
• François Hubaut

Related Projects

pySigma isn't a monolithic library attempting to support everything but the core. Support for target query languages and log data models is provided by additional packages that extend pySigma:

• sigma-cli: a command line interface for conversion of Sigma rules based on pySigma.
• pySigma-backend-splunk
• pySigma-pipeline-sysmon
• pySigma-pipeline-crowdstrike
• pySigma-backend-netwitness
• pySigma-backend-panther

All packages can also be installed from PyPI if not mentioned otherwise by the Python package manager of your choice.

License

GNU Lesser General Public License v2.1. For details, please see the full license file located here.