Skip to content

timescale/rsigma

Repository files navigation

RSigma logotype

A complete Sigma detection engineering toolkit

CI Documentation crates.io MSRV Docker GitHub Release License: MIT

RSigma is a complete detection engineering toolkit for the Sigma detection standard, including a parser, evaluation engine, rule conversion, streaming runtime, linter, CLI, MCP, and LSP.

RSigma parses Sigma YAML rules into a strongly-typed AST, compiles them into optimized matchers, and evaluates them against log events in real time. It handles stateful correlation logic in-process with memory-efficient compressed event storage. Or as Zack Allen put it in DEW #149, "RSigma is essentially a SIEM."

You can send events in many formats, including JSON, syslog (RFC 3164/5424), logfmt, CEF, EVTX (Windows Event Log), plain text, and OTLP (OpenTelemetry Protocol), with auto-detection by default. pySigma-compatible processing pipelines handle field mapping and backend configuration. OTLP support lets any OpenTelemetry-compatible agent (Grafana Alloy, Vector, Fluent Bit, OTel Collector) forward logs to RSigma via HTTP or gRPC for detection.

For rule quality and editor integration, a built-in linter validates rules against 85 checks derived from the Sigma v2.1.0 specification, and an LSP server provides real-time diagnostics, completions, hover documentation, and quick-fix code actions in any editor.

Full documentation, including guides, CLI reference, and library API docs, lives at timescale.github.io/rsigma.

Detection Engineering Loop

Supported Features

Author

  • Sigma parsing: Parses Sigma YAML into a strongly-typed AST with support for detection, correlation, and filter rules
  • Array matching (experimental): Matches members of arrays in nested event data with any/all-member semantics, same-element correlation, and positional indexing, opt-in via sigma-version: 3
  • Rule drafting: Drafts a detection rule from exemplar events contrasted against a baseline corpus with rule draft
  • Built-in linter: Validates rules with 85 checks, four severity levels, suppressions, custom tag namespaces, and auto-fix for 14 safe rules
  • ADS metadata: Documents rules with Palantir ADS sections under rsigma.ads.*, enforced by the linter and scaffolded with rule doc
  • LSP server: Provides real-time diagnostics, completions, hover documentation, document symbols, and quick-fix code actions in VSCode, Neovim, and any LSP-capable editor
  • MCP server: Exposes the toolchain to AI agents (Cursor, Claude Code, ...) as structured MCP tools over stdio or Streamable HTTP with rsigma mcp serve

Test

  • Detection diagnostics: Explains why a rule did or did not match an event with engine explain, diffs pipeline transformations with pipeline diff, and introspects live correlation windows
  • Corpus backtesting: Replays an event corpus against declared per-rule expectations with rule backtest, emitting a JSON or JUnit XML report for CI
  • Output formats: Renders every command's results as JSON, NDJSON, table, CSV, or TSV with a TTY-aware default via a global --output-format flag

Deploy

  • CI integration: Gates a rule repository in one pull-request check with the timescale/rsigma-action GitHub Action, wrapping lint, validate, fields-drift diff, backtest, and coverage
  • Configuration: Layers settings from YAML config files, environment variables, and CLI flags, managed with the rsigma config command group
  • Signed artifacts: Ships multi-arch Docker images with cosign signatures, SBOM, and SLSA Build L3 provenance, plus prebuilt binaries for Linux, macOS, and Windows

Detect

  • Rule evaluation: Compiles rules into optimized matchers and evaluates them against events in real time, with stateless detection and stateful correlation (sliding/tumbling/session windows, group-by, chaining, suppression)
  • Streaming daemon: Runs as a long-lived detection daemon with hot-reload, Prometheus metrics, stdin/HTTP/NATS/OTLP/Unix-socket input, and async sinks (stdout, file, NATS, OTLP, webhook, Unix socket) with per-sink retry and DLQ
  • Input formats: Ingests JSON, syslog (RFC 3164/5424), logfmt, CEF, EVTX (Windows Event Log), plain text, and OTLP logs with format auto-detection
  • Processing pipelines: Maps fields and transforms rules with pySigma-compatible pipelines (transformations, conditions, finalizers)
  • Dynamic pipelines: Populates any pipeline value from external sources (HTTP, files, commands, NATS) with template expansion, auto-refresh, and extraction via jq, JSONPath, or CEL
  • Schema recognition: Recognizes which schema each event uses (ECS, Sysmon, CEF, OCSF, or user-defined) with engine classify, watches a live daemon for unrecognized sources, and mines candidate signatures with engine discover-schemas
  • Schema routing: Builds one engine per pipeline set and dispatches each classified event to its engine, feeding a shared correlation store
  • Logsource routing: Skips rules whose logsource conflicts with an event's declared product/service/category, so a mixed-product stream only pays for the rules that can match
  • Eval prefilters: Prunes large rule sets before evaluation with a bloom substring prefilter and a cross-rule Aho-Corasick index
  • NATS JetStream: Consumes and publishes over JetStream with authentication (credentials, mTLS), replay, consumer groups, and dead-letter queues
  • OTLP integration: Receives logs from any OpenTelemetry-compatible agent (Grafana Alloy, Vector, Fluent Bit, OTel Collector) via HTTP or gRPC, and exports detections to an OTLP collector
  • TLS termination: Terminates TLS in-process on the daemon API listener with optional mutual TLS and cross-platform certificate hot-reload
  • State persistence: Persists correlation, alert-pipeline, risk, and disposition state to SQLite with --state-db and restores it across restarts
  • Live operations: Inspects a running daemon with engine status, records replayable fixtures with engine tap, and streams live detections with engine tail

Alert & Triage

  • Enrichment: Injects context (asset info, IP reputation, identity, GeoIP, runbook URLs, ...) into detection and correlation results via template, lookup, http, and command primitives
  • Risk-based alerting: Scores each firing per entity (user, host, source IP) and raises a single incident when an entity's accumulated risk crosses a threshold
  • Alert pipeline: Silences, inhibits, and deduplicates results, then groups the survivors into incidents, modeled on Alertmanager
  • Webhook alerts: Delivers detections to Slack, Teams, Discord, PagerDuty, or any HTTP endpoint with templated payloads, HMAC request signing, per-webhook retry, rate limiting, and DLQ
  • Triage feedback: Ingests analyst dispositions into a per-rule false-positive ratio that feeds the detection scorecard

Measure

  • ATT&CK coverage: Exports an ATT&CK Navigator layer with rule coverage and reports gaps against Atomic Red Team, the SigmaHQ baseline, and a target technique list
  • Telemetry visibility: Scores data-source maturity with rule visibility, exporting DeTT&CT administration files and a Navigator layer that surfaces blind spots
  • Field observability: Surfaces which event fields no rule references and which rule fields never appear in events, live on the daemon or as a one-shot report from engine eval
  • Detection scorecard: Fuses backtest, coverage, production-volume, and triage signals with rule scorecard into per-rule keep/tune/retire verdicts
  • Rule hygiene: Flags retirement candidates with rule hygiene: silent, noisy, untagged, unowned, incomplete ADS, broken field coverage, or stale status

Hunt

  • Rule conversion: Converts rules into backend-native queries via a pluggable backend trait, with native PostgreSQL/TimescaleDB, LynxDB, and Fibratus backends plus sigma-cli delegation for 30+ pySigma backends (Splunk, Elasticsearch, Microsoft Sentinel, ...)
  • Field catalog: Lists every field a ruleset references, before or after pipeline mapping, with rule fields

Crates

Crate Description
rsigma-parser Parse Sigma YAML into a strongly-typed AST
rsigma-eval Compile and evaluate rules against JSON events
rsigma-convert Transform rules into backend-native query strings
rsigma-runtime Streaming runtime with input adapters, log processor, and hot-reload
rsigma-mcp Model Context Protocol (MCP) server exposing the toolchain as tools for AI agents
rsigma CLI for parsing, validating, linting, evaluating, converting rules, field catalog, and running a detection daemon
rsigma-lsp Language Server Protocol (LSP) server for IDE support
rstix STIX 2.1 library: typed objects, bundle parse/stream, semantic validation, and pattern engine

Note

RSigma has been featured in:

  • Detection Engineering Weekly #149 (March 2026) "Building a tool like RSigma is challenging because the Sigma specification has evolved into a robust domain-specific language over the years."
  • tl;dr sec #320 (March 2026) "Accurately evaluating the full spectrum of what Sigma rules can express is quite complex, it's pretty neat to read about how RSigma handles all of these conditional expressions, correlating across rules, etc."
  • The Deep Purple Sec by BlackNoise - March 2026 (April 2026) "Defensive teams can pipe logs through CLI commands, apply field-mapping pipelines, and chain correlations for multi-stage attack detection."
  • Detection Engineering Weekly #154 (April 2026) "RSigma is not a SIEM, but it's an impressive feat to build a self-contained Rust binary that operates much like one. For teams doing pre-SIEM rule validation or forensics, it's a solid plug-and-play option."
  • Detection Engineering Weekly #157 (May 2026) "Instead of hardcoding IOC values in rule YAML, you declare external sources in the pipeline config, and RSigma fetches and injects them at evaluation time. This works very similarly to how I've seen SIEMs implement threat intelligence pipelines, but since it's RSigma, it's self-contained within its ecosystem."

Installation

Prebuilt binaries for Linux, macOS, and Windows (amd64 and arm64), with SLSA Build L3 provenance, are attached to every GitHub release.

Or install from crates.io:

# Install the CLI
cargo install --locked rsigma

# Install the LSP server
cargo install --locked rsigma-lsp

To build from source:

cargo build --release --all-features --workspace

Docker

Multi-arch images (linux/amd64, linux/arm64) are published to GHCR on every release, signed with cosign and carrying an SPDX SBOM and SLSA Build L3 provenance. See the Docker deployment guide.

docker pull ghcr.io/timescale/rsigma:latest
docker run --rm ghcr.io/timescale/rsigma:latest --help

Run with full runtime hardening:

docker run --rm \
  --read-only \
  --cap-drop=ALL \
  --security-opt=no-new-privileges:true \
  -v /path/to/rules:/rules:ro \
  ghcr.io/timescale/rsigma:latest rule validate /rules/

Verify the image signature:

cosign verify \
  --certificate-identity-regexp 'github.com/timescale/rsigma' \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  ghcr.io/timescale/rsigma:latest

Quick Start

# Evaluate a single event against Sigma rules
rsigma engine eval -r rules/ -e '{"CommandLine": "cmd /c whoami"}'

# Stream NDJSON from stdin (auto-selected when stdout is piped)
cat events.ndjson | rsigma engine eval -r rules/

# Interactive triage in a terminal: width-aligned table view
rsigma engine eval -r rules/ -e @events.ndjson --output-format table

# Recognize which schema each event is (ECS, Sysmon, CEF, OCSF, ...)
cat events.ndjson | rsigma engine classify --output-format table

# Pipe a CSV view into a spreadsheet or data tool
rsigma engine eval -r rules/ -e @events.ndjson --output-format csv > matches.csv

# Run as a daemon with hot-reload and Prometheus metrics
rsigma engine daemon -r rules/ -p ecs.yml --api-addr 0.0.0.0:9090

# Accept events via HTTP POST
rsigma engine daemon -r rules/ --input http

# Check a running daemon's status (rules loaded, events processed, uptime)
rsigma engine status

# Record 30s of a running daemon's live events to a replayable fixture
# (opt-in: start the daemon with --enable-tap)
rsigma engine tap --duration 30s --redact-fields user.email,src_ip -o fixture.ndjson

# Stream a running daemon's live detections to the terminal
# (opt-in: start the daemon with --enable-tail)
rsigma engine tail --level high

# Convert rules to PostgreSQL SQL for historical threat hunting
rsigma backend convert rules/ -t postgres

# Any non-native target delegates to sigma-cli when it is installed (pipx install sigma-cli)
rsigma backend convert rules/ -t splunk

# Draft a detection rule from exemplar events, contrasted against a baseline corpus
rsigma rule draft -e @incident.ndjson --baseline @normal-day.ndjson

# Backtest a corpus against per-rule expectations (CI fixture harness)
rsigma rule backtest -r rules/ --corpus ci/corpus/ --expectations ci/expectations.yml

# Map coverage onto MITRE ATT&CK: export a Navigator layer and gate on a target list
rsigma rule coverage -r rules/ --navigator coverage.json --targets threat-model.txt --fail-on-gaps

See the Quick Start guide for a guided tour and the CLI README for complete documentation of all subcommands and flags.

MCP Server (AI agents)

Expose the toolchain to MCP-aware agents (Cursor, Claude Code, ...) over stdio:

# Run the MCP server (register it in your agent's mcp.json / via `claude mcp add`)
rsigma mcp serve --rules-dir rules/

The agent then calls structured tools (parse_rule, lint_rules, validate_rules, evaluate_events, convert_rules, list_fields, ...) and gets back JSON. See the MCP server guide.

Library Usage

Use the crates directly from Rust:

use rsigma_parser::parse_sigma_yaml;
use rsigma_eval::Engine;
use rsigma_eval::event::JsonEvent;
use serde_json::json;

let yaml = r#"
title: Detect Whoami
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        CommandLine|contains: 'whoami'
    condition: selection
level: medium
"#;

let collection = parse_sigma_yaml(yaml).unwrap();
let mut engine = Engine::new();
engine.add_collection(&collection).unwrap();

let event = JsonEvent::borrow(&json!({"CommandLine": "cmd /c whoami"}));
let matches = engine.evaluate(&event);
assert_eq!(matches[0].rule_title, "Detect Whoami");

Architecture

rsigma streaming detection architecture

A Sigma rule is parsed into a strongly-typed AST (rsigma-parser), then compiled and evaluated against live events (rsigma-eval inside rsigma-runtime), converted into backend-native queries (rsigma-convert), or served to editors and AI agents (rsigma-lsp, rsigma-mcp). The full walkthrough, covering every module and all four execution shapes, lives in the Architecture reference.

rsigma internal architecture

Performance

RSigma is designed for high-throughput detection. On an Apple M4 Pro:

  • Parsing: 12.4 MiB/s for 1000 rules
  • Detection: 1.12M events/sec (JSON runtime pipeline, 100 rules)
  • Correlation: 501K events/sec (temporal + event-count)
  • Dynamic pipelines: 2.85M events/sec once built (no per-event overhead)

See BENCHMARKS.md for full Criterion results across all subsystems.

Reference

License

MIT

About

A complete Sigma detection engineering toolkit: parser, linter, evaluator, correlation engine, conversion framework, streaming daemon, MCP and LSP servers 🦀

Topics

Resources

License

Contributing

Security policy

Stars

84 stars

Watchers

1 watching

Forks

Packages

 
 
 

Contributors