{"id":16766412,"url":"https://github.com/bradleyjkemp/sigma-go","last_synced_at":"2025-03-04T15:20:38.821Z","repository":{"id":42975383,"uuid":"294521044","full_name":"bradleyjkemp/sigma-go","owner":"bradleyjkemp","description":"A Go implementation and parser for Sigma rules.","archived":false,"fork":false,"pushed_at":"2024-09-05T11:59:47.000Z","size":366,"stargazers_count":86,"open_issues_count":11,"forks_count":18,"subscribers_count":5,"default_branch":"main","last_synced_at":"2025-02-25T12:18:43.288Z","etag":null,"topics":["detection-engineering","sigma"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/bradleyjkemp.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2020-09-10T20:58:09.000Z","updated_at":"2025-01-05T08:23:04.000Z","dependencies_parsed_at":"2022-08-12T10:10:56.828Z","dependency_job_id":"a7d16893-bfe4-4229-aa2c-5a4f86534844","html_url":"https://github.com/bradleyjkemp/sigma-go","commit_stats":null,"previous_names":[],"tags_count":31,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bradleyjkemp%2Fsigma-go","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bradleyjkemp%2Fsigma-go/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bradleyjkemp%2Fsigma-go/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bradleyjkemp%2Fsigma-go/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/bradleyjkemp","download_url":"https://codeload.github.com/bradleyjkemp/sigma-go/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":241868817,"owners_count":20033903,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["detection-engineering","sigma"],"created_at":"2024-10-13T06:06:22.019Z","updated_at":"2025-03-04T15:20:38.795Z","avatar_url":"https://github.com/bradleyjkemp.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# sigma-go ![Build Status](https://github.com/bradleyjkemp/sigma-go/workflows/Go/badge.svg) [![GitHub release](https://img.shields.io/github/release/bradleyjkemp/sigma-go.svg)](https://github.com/bradleyjkemp/sigma-go/releases/latest)\n\u003cimg src=\".github/mascot.png\" alt=\"Mascot\" width=\"150\" align=\"right\"\u003e\n\nA Go implementation and parser of [Sigma rules](https://github.com/Neo23x0/sigma). Useful for building your own detection pipelines.\n\nWho's using `sigma-go` in production?\n* [Monzo Bank](https://monzo.com/blog/2022/08/05/scaling-our-security-detection-pipeline-with-sigma)\n* [Phish Report](https://phish.report/IOK)\n* [SysFlow](https://github.com/sysflow-telemetry)\n\n## Usage\n\nThis library is designed for you to build your own alert systems.\nIt exposes the ability to check whether a rule matches a given event but not much else.\nIt's up to you to use this building block in your own detection pipeline.\n\nA basic usage of this library might look like this:\n```go\n// You can load/create rules dynamically or use sigmac to load Sigma rule files\nvar rule, _ = sigma.ParseRule(contents)\n\n// Rules need to be wrapped in an evaluator.\n// This is also where (if needed) you provide functions implementing the count, max, etc. aggregation functions\ne := sigma.Evaluator(rule, options...)\n\n// Get a stream of events from somewhere e.g. audit logs\nfor event := range events {\n    if e.Matches(ctx, event) {\n        // Raise your alert here\n        newAlert(rule.ID, rule.Description, ...)\n    }\n}\n```\n\n### Aggregation functions\n\nIf your Sigma rules make use of the count, max, min, or any other aggregation function in your conditions then you'll need some extra setup.\n\nWhen creating an evaluator, you can pass in implementations of each of the aggregation functions:\n```go\nsigma.Evaluator(rule, sigma.CountFunc(countImplementation), sigma.MaxFunc(maxImplementation))\n```\n\nThis repo includes some toy implementations in the `aggregators` package but for production use cases you'll need to supply your own.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbradleyjkemp%2Fsigma-go","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fbradleyjkemp%2Fsigma-go","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbradleyjkemp%2Fsigma-go/lists"}