{"id":19908660,"url":"https://github.com/attackiq/sigmaiq","last_synced_at":"2025-10-14T00:08:21.462Z","repository":{"id":182859195,"uuid":"653257106","full_name":"AttackIQ/SigmAIQ","owner":"AttackIQ","description":"A pySigma wrapper and langchain toolkit for automatic rule creation/translation","archived":false,"fork":false,"pushed_at":"2025-05-20T03:39:31.000Z","size":1567,"stargazers_count":81,"open_issues_count":3,"forks_count":12,"subscribers_count":1,"default_branch":"master","last_synced_at":"2025-05-24T20:06:53.534Z","etag":null,"topics":["detection-engineering","langchain","llm","python3","security","security-tools","sigma","sigma-rules"],"latest_commit_sha":null,"homepage":"https://attackiq.com","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"lgpl-2.1","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/AttackIQ.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2023-06-13T17:44:32.000Z","updated_at":"2025-05-14T08:41:43.000Z","dependencies_parsed_at":"2023-12-27T23:59:24.210Z","dependency_job_id":"eb0f62a3-2c5c-46c1-8689-846f777b81f1","html_url":"https://github.com/AttackIQ/SigmAIQ","commit_stats":null,"previous_names":["attackiq/sigmaiq"],"tags_count":63,"template":false,"template_full_name":null,"purl":"pkg:github/AttackIQ/SigmAIQ","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/AttackIQ%2FSigmAIQ","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/AttackIQ%2FSigmAIQ/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/AttackIQ%2FSigmAIQ/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/AttackIQ%2FSigmAIQ/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/AttackIQ","download_url":"https://codeload.github.com/AttackIQ/SigmAIQ/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/AttackIQ%2FSigmAIQ/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":279017381,"owners_count":26086052,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-10-13T02:00:06.723Z","response_time":61,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["detection-engineering","langchain","llm","python3","security","security-tools","sigma","sigma-rules"],"created_at":"2024-11-12T21:12:52.932Z","updated_at":"2025-10-14T00:08:21.446Z","avatar_url":"https://github.com/AttackIQ.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003cdiv align=\"center\"\u003e\n \u003ca href=\"https://www.attackiq.com\" target=\"_blank\"\u003e\n \u003cimg src=\"https://www.attackiq.com/wp-content/uploads/2021/10/col-dflt.png\" height=\"300\" alt=\"AttackIQ\"\u003e\n \u003c/a\u003e\n\u003c/div\u003e\n\u003ch1 align=\"center\"\u003eSigmAIQ: pySigma Wrapper \u0026 Utils\u003c/h1\u003e\n\n![Tests](https://github.com/AttackIQ/SigmAIQ/actions/workflows/test.yml/badge.svg)\n![Coverage Badge](https://img.shields.io/endpoint?url=https://gist.githubusercontent.com/slincoln-aiq/f6d72f7ec2b300546a114fd80d371f7e/raw/slincoln-aiq-SigmAIQ.json)\n![Status](https://img.shields.io/badge/Status-pre--release-orange)\n![PyPI version](https://badge.fury.io/py/sigmaiq.svg)\n![Python versions](https://img.shields.io/pypi/pyversions/sigmaiq.svg)\n![pySigma version](https://img.shields.io/badge/pySigma-%3E%3D0.11.17-blue)\n![License](https://img.shields.io/github/license/AttackIQ/SigmAIQ.svg)\n\n# Table of Contents\n- [Table of Contents](#table-of-contents)\n- [Introduction](#introduction)\n- [Project Status](#project-status)\n- [LLM Support](#llm-support)\n- [Installation \\\u0026 Usage](#installation--usage)\n - [Requirements](#requirements)\n - [Installation](#installation)\n - [Usage Quickstart](#usage-quickstart)\n - [Usage Examples](#usage-examples)\n- [Supported Options](#supported-options)\n - [Backends](#backends-1)\n - [Pipelines](#pipelines-1)\n- [Contributing](#contributing)\n- [License](#license)\n- [Maintainers](#maintainers)\n\n# Introduction\n\nSigmAIQ is a wrapper for [pySigma](https://github.com/SigmaHQ/pySigma) and pySigma backends \u0026 pipelines. It allows\ndetection engineers to easily convert Sigma rules and rule collections to SIEM/product queries without having to worry\nabout the overhead of ensuring the correct pipelines and output formats are used by each pySigma supported backend.\nSigmAIQ also contains custom pipelines and output formats for various backends that are not found in the original\nbackend\nsource code. If you don't see a backend that's currently supported, please consider contributing to the Sigma/pySigma\ncommunity by making it with\nthis [pySigma Cookiecutter Template](https://github.com/SigmaHQ/cookiecutter-pySigma-backend)\n\nIn addition, SigmAIQ contains pySigma related tools and scripts, including easy\nSigma rule searching, LLM support, an automatic rule creation from IOCs.\n\nThis library is currently maintained by:\n\n* [Stephen Lincoln](https://github.com/slincoln-aiq) via [AttackIQ](https://github.com/AttackIQ)\n\n# Project Status\n\nSigmAIQ is currently in pre-release status. It is a constant work-in-progress and bugs may be encountered. Please report any issues [here](https://github.com/AttackIQ/SigmAIQ/issues/new).\n\nFeature requests are always welcome! pySigma tools/utils are currently not in the pre-release version,\nand will be added in future releases.\n\n# LLM Support\nFor LLM usage, see the [LLM README](sigmaiq/llm/README.md)\n\n# Installation \u0026 Usage\n\n## Requirements\n- Python 3.9+\n- pip, pipenv, or poetry\n\n## Installation\n\nSigmAIQ can be installed with your favorite package manager:\n\n```\npip install sigmaiq\npipenv install sigmaiq\npoetry add sigmaiq\n```\n\nTo install the LLM dependencies, use the `llm` extra:\n\n```\npip install sigmaiq[llm]\npipenv install sigmaiq[llm]\npoetry add sigmaiq[llm]\n```\n\n## Usage Quickstart\n\nCreate a backend from the list of available backends, then give a valid Sigma rule to convert to a query. You\ncan find the list of available backends in this README, or `SigmAIQBackend.display_available_backends()`.\n\n```python\nfrom sigmaiq import SigmAIQBackend\n\nsigma_rule = \"\"\"\n title: Test Rule\n logsource:\n category: process_creation\n product: windows\n detection:\n sel:\n CommandLine: mimikatz.exe\n condition: sel\n\"\"\"\n\n# Create backend\nbackend = SigmAIQBackend(backend=\"microsoft365defender\").create_backend()\n\n# Convert Rule or Collection\noutput = backend.translate(sigma_rule)\nprint(output)\n```\n\nOutput:\n\n```\n['DeviceProcessEvents\n| where ProcessCommandLine =~ \"mimikatz.exe\"']\n```\n\nAlthough you _can_ pass a SigmaRule or SigmaCollection object to `translate()` like you would to `convert()`\nor `convert_rule()` for a typical pySigma backend, there is no need with SigmAIQ. As long as a valid Sigma rule is given\nas a YAML str or dictionary (or list of), SigmAIQ will take care of it for you.\n\n## Usage Examples\n\n### Backends\n\nTypical usage will be using the `SigmAIQBackend` class from `sigmaiq` to create a\ncustomized pySigma backend, then use `translate()` to convert a SigmaRule or SigmaCollection to a query:\n\n```python\nfrom sigmaiq import SigmAIQBackend\nfrom sigma.rule import SigmaRule\n\nsigma_rule = SigmaRule.from_yaml(\n \"\"\"\n title: Test Rule\n logsource:\n category: process_creation\n product: windows\n detection:\n sel:\n CommandLine: mimikatz.exe\n condition: sel\n \"\"\"\n)\n\nbackend = SigmAIQBackend(backend=\"splunk\").create_backend()\nprint(backend.translate(sigma_rule))\n```\n\nOutput:\n`['CommandLine=\"mimikatz.exe\"']`\n\n#### Specifying Output Formats\n\nPassing the `output_format` arg will use an original output specified by the original backend, or a custom format\nimplemented by SigmAIQ. You can find information about output formats specific to each backend\nvia `SigmAIQBackend.display_backends_and_outputs()`The necessary processing pipelines are automatically\napplied, even if the original pySigma backend does not automatically apply it:\n\n```python\nfrom sigmaiq import SigmAIQBackend\nfrom sigma.rule import SigmaRule\nfrom sigma.backends.splunk import SplunkBackend\n\nsigma_rule = SigmaRule.from_yaml(\n \"\"\"\n title: Test Rule\n logsource:\n category: process_creation\n product: windows\n detection:\n sel:\n CommandLine: mimikatz.exe\n condition: sel\n \"\"\"\n)\n# Raises sigma.exceptions.SigmaFeatureNotSupportedByBackendError\norig_backend = SplunkBackend()\nprint(\"Original Backend:\")\ntry:\n print(orig_backend.convert_rule(sigma_rule, output_format=\"data_model\"))\nexcept Exception as exc:\n print(exc)\nprint(\"\\n\")\n\n# Necessary pipeline for output_format automatically applied\nprint(\"SigmAIQ Backend:\")\nsigmaiq_backend = SigmAIQBackend(backend=\"splunk\", output_format=\"data_model\").create_backend()\nprint(sigmaiq_backend.translate(sigma_rule))\n```\n\nOutput:\n\n```\nOriginal Backend:\nNo data model specified by processing pipeline\n\nSigmAIQ Backend:\n['| tstats summariesonly=false allow_old_summaries=true fillnull_value=\"null\" count min(_time) as firstTime max(_time) \nas lastTime from datamodel=Endpoint.Processes where Processes.process=\"mimikatz.exe\" by Processes.process \nProcesses.dest Processes.process_current_directory Processes.process_path Processes.process_integrity_level \nProcesses.parent_process Processes.parent_process_path Processes.parent_process_guid Processes.parent_process_id \nProcesses.process_guid Processes.process_id Processes.user | `drop_dm_object_name(Processes)` \n| convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime(firstTime) | convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime(lastTime) ']\n```\n\n### Pipelines\n\n#### Specifying Pipelines\n\nYou can specify a specific pipeline to be applied to the SigmaRule by passing it to the backend factory. Generally, you\nwant to only apply pipelines to a backend meant for that specific backend. You can use a name of a pipeline as defined\nin `SigmAIQPipeline.display_available_pipelines()`, or pass any pySigma ProcessingPipeline object. The\npipeline can be passed directory to `SigmAIQPipeline`, or created with `SigmAIQPipeline`.\n\n```python\nfrom sigmaiq import SigmAIQBackend, SigmAIQPipeline\n\n# Directly to backend\nbackend = SigmAIQBackend(backend=\"elasticsearch\",\n processing_pipeline=\"ecs_zeek_beats\").create_backend()\n\n# Create pipeline first, then pass to backend\npipeline = SigmAIQPipeline(processing_pipeline=\"ecs_zeek_beats\").create_pipeline()\nbackend = SigmAIQBackend(backend=\"elasticsearch\",\n processing_pipeline=pipeline).create_backend()\n```\n\n#### Combining Multiple Pipelines\n\nThe `SigmAIQPipelineResolver` class automates combining multiple pipelines together via\npySigma's `ProcessingPipelineResolver` class. This results in a single ProcessingPipeline object that are applied in\norder of priority of each ProcessingPipeline's priority. You can pass any named available pipeline, ProcessingPipeline\nobject, or callable that returns any valid combination of these two types:\n\n```python\nfrom sigmaiq import SigmAIQPipelineResolver\nfrom sigma.pipelines.sysmon import sysmon_pipeline\nfrom sigma.pipelines.sentinelone import sentinelone_pipeline\n\n# ProcessingPipeline Object\nproc_pipeline_obj = sysmon_pipeline()\n\n# Available Pipeline Name\npipeline_named = \"splunk_windows\"\n\nmy_pipelines = [sysmon_pipeline(), # ProcessingPipeline type\n \"splunk_windows\", # Available pipeline name\n sentinelone_pipeline # Callable that returns a ProcessingPipeline type\n ]\n\nmy_pipeline = SigmAIQPipelineResolver(processing_pipelines=my_pipelines).process_pipelines(\n name=\"My New Optional Pipeline Name\")\n\nprint(f\"Created single new pipeline from {len(my_pipelines)} pipelines.\")\nprint(f\"New pipeline '{my_pipeline.name}' contains {len(my_pipeline.items)} ProcessingItems.\")\n```\n\nOutput:\n\n```\nCreated single new pipeline from 3 pipelines.\nNew pipeline 'My New Optional Pipeline Name' contains 103 ProcessingItems.\n```\n\n#### Custom Fieldmappings\n\nA dictionary can be used to create a custom fieldmappings pipeline on the fly. Each key should be the original\nfieldname, with each value being a new fieldname or list of new fieldnames:\n\n```python\nfrom sigmaiq import SigmAIQPipeline\nfrom sigma.rule import SigmaRule\n\nsigma_rule = SigmaRule.from_yaml(\n \"\"\"\n title: Test Rule\n logsource:\n category: process_creation\n product: windows\n detection:\n sel:\n CommandLine: mimikatz.exe\n condition: sel\n \"\"\"\n)\n\ncustom_fieldmap = {'CommandLine': 'NewCommandLineField'}\ncustom_pipeline = SigmAIQPipeline.from_fieldmap(custom_fieldmap).create_pipeline()\nprint(f\"Original Fieldname: {list(sigma_rule.detection.detections.values())[0].detection_items[0].field}\")\ncustom_pipeline.apply(sigma_rule)\nprint(f\"New Fieldname: {list(sigma_rule.detection.detections.values())[0].detection_items[0].field}\")\n```\n\nOutput:\n\n```\nOriginal Fieldname: CommandLine\nNew Fieldname: NewCommandLineField\n```\n\n### All-In-One Conversion\n\nThe `create_all_and_translate()` method for the backend factory will automatically create backends for all possible\navailable backends, and create queries for all possible pipelines \u0026 output formats for each backend.\nIf `show_errors=False` (default), any invalid queries due to pipeline errors, such as unsupported fields, will be left\nout of the results dictionary:\n\n```python\nfrom sigmaiq import SigmAIQBackend\nfrom sigma.rule import SigmaRule\nfrom pprint import pprint\n\nsigma_rule = SigmaRule.from_yaml(\n \"\"\"\n title: Test Rule\n logsource:\n category: process_creation\n product: windows\n detection:\n sel:\n CommandLine: mimikatz.exe\n condition: sel\n \"\"\"\n)\n\noutput = SigmAIQBackend.create_all_and_translate(sigma_rule)\npprint(output)\n```\n\nOutput:\n\n{backend: {pipeline: {output_format: query} } }\n\n```\n{'carbonblack': {'carbonblack': {'default': ['os_type:windows '\n 'cmdline:mimikatz.exe'],\n 'json': [{'description': None,\n 'id': None,\n 'query': 'os_type:windows '\n 'cmdline:mimikatz.exe',\n 'title': 'Test Rule'}]},\n 'carbonblack_enterprise': {'default': ['device_os:WINDOWS '\n 'process_cmdline:mimikatz.exe'],\n 'json': [{'description': None,\n 'id': None,\n 'query': 'device_os:WINDOWS '\n 'process_cmdline:mimikatz.exe',\n 'title': 'Test Rule'}]}},\n 'crowdstrike_splunk': {'crowdstrike': {'default': ['event_simpleName=\"ProcessRollup2\" '\n 'CommandLine=\"mimikatz.exe\"']}},\n 'crowdstrike_logscale': {'crowdstrike': {'default': ['event_simpleName=\"ProcessRollup2\" '\n 'CommandLine=\"mimikatz.exe\"']}},\n 'elasticsearch': {'ecs_windows': {'default': ['process.command_line:mimikatz.exe'],\n ...\n```\n\n# Supported Options\n\n## Backends\n\n### Available Backends\n\n| Backend Option | Description | Associated Pipelines | Default Pipeline |\n| ----------------------- | --------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------- | ------------------- |\n| carbonblack | Carbon Black EDR | carbonblack\u003cbr\u003ecarbonblack_enterprise | carbonblack |\n| cortexxdr | Palo Alto Cortex XDR | cortexxdr | cortexxdr |\n| crowdstrike_splunk | Crowdstrike FDR Splunk Query | crowdstrike_fdr | crowdstrike_fdr |\n| crowdstrike_logscale | Crowdstrike Logscale Query | crowdstrike_falcon | crowdstrike_falcon |\n| elasticsearch | Elastic Elasticsearch SIEM | ecs_windows\u003cbr\u003eecs_kubernetes\u003cbr\u003eecs_windows_old\u003cbr\u003eecs_zeek_beats\u003cbr\u003eecs_zeek_corelight\u003cbr\u003ezeek_raw | ecs_windows |\n| insightidr | Rapid7 InsightIDR SIEM | insightidr | insightidr |\n| loki | Grafana Loki LogQL SIEM | loki_grafana_logfmt\u003cbr\u003eloki_promtail_sysmon\u003cbr\u003eloki_okta_system_log | loki_grafana_logfmt |\n| microsoft_xdr | Microsoft XDR Advanced Hunting Query (KQL) (Defender, Office365, etc) | microsoft_xdr | microsoft_xdr |\n| microsoft_sentinel_asim | Microsoft Sentinel ASIM Query (KQL) | sentinel_asim | sentinel_asim |\n| microsoft_azure_monitor | Microsoft Azure Monitor Query (KQL) | azure_monitor | azure_monitor |\n| netwitness | Netwitness Query | netwitness_windows | netwitness_windows |\n| opensearch | OpenSearch Lucene | ecs_windows\u003cbr\u003eecs_windows_old\u003cbr\u003eecs_zeek_beats\u003cbr\u003eecs_zeek_corelight\u003cbr\u003ezeek_raw | ecs_windows |\n| qradar | IBM QRadar | qradar_fields\u003cbr\u003eqradar_payload | qradar_fields |\n| secops | Google SecOps (Chronicle) | secops_udm | secops_udm |\n| sentinelone | SentinelOne EDR | sentinelone | sentinelone |\n| splunk | Splunk SIEM | splunk_windows\u003cbr\u003esplunk_wineventlog\u003cbr\u003esplunk_windows_sysmon_acc\u003cbr\u003esplunk_cim_dm | splunk_windows |\n| sigma | Original YAML/JSON Sigma Rule Output | sigma_default | sigma_default |\n| stix | STIX 2.0 \u0026 STIX Shifter Queries | stix_2_0\u003cbr\u003estix_shifter | stix_2_0 |\n\n\n### Backend Output Formats\n\n| Backend Option | Output Format Option | Description |\n| ----------------------- | ----------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |\n| carbonblack | default\u003cbr\u003ejson | Plain CarbonBlack queries\u003cbr\u003eCarbonBlack JSON query |\n| cortexxdr | default\u003cbr\u003ejson | Plain CortexXDR queries\u003cbr\u003ejson output format |\n| crowdstrike_splunk | default | Plain SPL queries |\n| crowdstrike_logscale | default | CrowdStrike LogScale queries |\n| elasticsearch | default\u003cbr\u003ekibana_ndjson\u003cbr\u003edsl_lucene\u003cbr\u003esiem_rule\u003cbr\u003esiem_rule_ndjson | Plain Elasticsearch Lucene queries\u003cbr\u003eKibana NDJSON import file with Lucene queries\u003cbr\u003eElasticsearch query DSL with embedded Lucene queries\u003cbr\u003eElasticsearch query DSL as SIEM Rules in JSON Format\u003cbr\u003eElasticsearch query DSL as SIEM Rules in NDJSON Format |\n| insightidr | default\u003cbr\u003eleql_advanced_search\u003cbr\u003eleql_detection_definition | Simple log search query mode\u003cbr\u003eAdvanced Log Entry Query Language (LEQL) queries\u003cbr\u003eLEQL format roughly matching the 'Rule Logic' tab in ABA detection rule definition |\n| loki | default\u003cbr\u003eruler | Plain Loki queries\u003cbr\u003eLoki 'ruler' output format for generating alerts |\n| microsoft_xdr | default | Kusto Query Language search strings |\n| microsoft_sentinel_asim | default | Kusto Query Language search strings |\n| microsoft_azure_monitor | default | Kusto Query Language search strings |\n| netwitness | default | Plain netwitness queries |\n| opensearch | default\u003cbr\u003edashboards_ndjson\u003cbr\u003emonitor_rule\u003cbr\u003edsl_lucene | Plain OpenSearch Lucene queries\u003cbr\u003eOpenSearch Dashboards NDJSON import file with Lucene queries\u003cbr\u003eOpenSearch monitor rule with embedded Lucene query\u003cbr\u003eOpenSearch query DSL with embedded Lucene queries |\n| qradar | default | Plain QRadar queries |\n| secops | default\u003cbr\u003eyara_l | Plain UDM queries\u003cbr\u003eYARA-L 2.0 Detection Rules Output Format |\n| sentinelone | default\u003cbr\u003ejson | Plaintext\u003cbr\u003eJSON format |\n| splunk | default\u003cbr\u003esavedsearches\u003cbr\u003edata_model\u003cbr\u003estanza | Plain SPL queries\u003cbr\u003ePlain SPL in a savedsearches.conf file\u003cbr\u003eData model queries with tstats\u003cbr\u003eEnterprise Security savedsearches.conf stanza |\n| sigma | default\u003cbr\u003eyaml\u003cbr\u003ejson | Default output format\u003cbr\u003eDefault Sigma Rule output format\u003cbr\u003eJSON style Sigma Rule Output |\n| stix | default | Plain stix queries |\n\n## Pipelines\n\n### Available Named Pipelines\n\n| Pipeline Option | Description | Display Name |\n| ------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------- |\n| splunk_wineventlog | SigmAIQ Custom combined windows_audit and splunk_windows pipelines to convert Sysmon fields to Windows Event Log fields for Splunk searches | Splunk WinEventLog |\n| carbonblack | Uses Carbon Black EDR field mappings | CB |\n| cortexxdr | Uses Palo Alto Cortex XDR field mappings | Palo Alto Cortex XDR |\n| carbonblack_enterprise | Uses Carbon Black Enterprise EDR field mappings | CB |\n| crowdstrike_fdr | Crowdstrike FDR Splunk Mappings | CrowdStrike FDR SPL |\n| crowdstrike_falcon | Crowdstrike Falcon Logscale Mappings | CrowdStrike Falcon Logscale |\n| ecs_kubernetes | Elastic Common Schema (ECS) Kubernetes audit log mappings | ECS Kubernetes |\n| ecs_windows | Elastic Common Schema (ECS) Windows log mappings from Winlogbeat from version 7 | ECS Winlogbeat |\n| ecs_windows_old | Elastic Common Schema (ECS) Windows log mappings from Winlogbeat up to version 6 | ESC Winlogbeat (\u003c= v6.x) |\n| ecs_zeek_beats | Elastic Common Schema (ECS) for Zeek using filebeat \u003e= 7.6.1 | ECS Zeek (Elastic) |\n| ecs_zeek_corelight | Elastic Common Schema (ECS) mapping from Corelight | ESC Zeek (Corelight) |\n| zeek_raw | Zeek raw JSON field naming | Zeek Raw JSON |\n| insightidr | InsightIDR Log Entry Query Language (LEQL) Transformations | InsightIDR LEQL |\n| loki_grafana_logfmt | Converts field names to logfmt labels used by Grafana | Logfmt Labels |\n| loki_promtail_sysmon | Parse and adjust field names for Windows sysmon data produced by promtail | WinSysmon Promtail |\n| loki_okta_system_log | Parse the Okta System Log event json, adjusting field-names appropriately | Okta System Event |\n| microsoft_xdr | Mappings for Sysmon -\u003e XDR Advanced Hunting Query Table Schema | Microsoft XDR KustoQL |\n| sentinel_asim | Mappings for Sysmon -\u003e Sentinel ASIM Query Table Schema | Sentinel ASIM KustoQL |\n| azure_monitor | Mappings for Sysmon -\u003e Azure Monitor Query Table Schema | Azure Monitor KustoQL |\n| netwitness_windows | Netwitness Windows log mappings | Netwitness Windows |\n| qradar_fields | Supports only the Sigma fields in the Field Mapping | Sigma Fields |\n| qradar_payload | Uses UTF8(payload) instead of fields unsupported by the Field Mapping. | UTF8(payload) (Non-Sigma Fields) |\n| sigma_default | Empty ProcessingPipeline placeholder | Sigma |\n| secops_udm | Mappings for Google SecOps (Chronicle) UDM | Google SecOps UDM |\n| sentinelone | Mappings for SentinelOne Deep Visibility Queries | SentinelOne Deep Visibility |\n| splunk_windows | Splunk Query, Windows Mappings | Splunk Query (Windows) |\n| splunk_windows_sysmon_acc | Splunk Windows Sysmon search acceleration keywords | Splunk Query (Sysmon) |\n| splunk_cim_dm | Splunk Datamodel Field Mappings | Splunk Datamodel Query |\n| stix_2_0 | STIX 2.0 Mappings | STIX 2.0 |\n| stix_shifter | STIX Shifter Mappings | STIX Shifter |\n| windows_sysmon | Sysmon for Windows | Sysmon |\n| windows_audit | Windows Event Logs | Windows Event Logs |\n| windows_logsource | Windows Logs, General | Windows Logs, General |\n\n# Contributing\n\nWe welcome contributions to SigmAIQ! Here's how you can contribute:\n\n1. Fork the repository\n2. Create a new branch for your feature or bug fix\n3. Make your changes and commit them with a clear commit message\n4. Push your changes to your fork\n5. Submit a pull request to the main repository\n\nPlease ensure your code adheres to the project's coding standards and includes appropriate tests.\n\n# License\n\nThis project is licensed under the [LGPL License](LICENSE).\n\n# Maintainers\n\nThis library is currently maintained by:\n\n* [Stephen Lincoln](https://github.com/slincoln-aiq) via [AttackIQ](https://github.com/AttackIQ)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fattackiq%2Fsigmaiq","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fattackiq%2Fsigmaiq","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fattackiq%2Fsigmaiq/lists"}