sigma-check

CLI tool for validating, linting, and testing Sigma detection rules. Point it at a single rule file or a folder and get instant feedback on syntax errors, missing fields, bad practices, and whether a rule fires on a sample log event.


Features

  • Validates all required Sigma fields and structure
  • Lints for missing recommended fields
  • Catches common mistakes: invalid status/level values, bare wildcards, unknown field modifiers, undefined condition references, malformed UUIDs, bad date formats
  • Tests rules against a JSON log event with per-selection hit/miss output
  • Bulk folder mode with recursive rule discovery and summary table
  • Color-coded output: errors in red, warnings in yellow, info in cyan
  • Progress bar in bulk summary showing overall pass rate
  • JSON output for CI/CD pipeline integration
  • Exit code 1 on errors for use in pre-commit hooks and automation

Install

git clone https://github.com/0xPersist/sigma-check.git
cd sigma-check
pip install -r requirements.txt

Usage

usage: sigma-check [-h] [--log LOG] [--strict] [--errors-only]
                   [--json] [--out OUT] [--no-banner] [--version]
                   path

positional arguments:
  path           Sigma rule file or directory of rules

options:
  --log LOG      JSON log event file to test rule against (single rule only)
  --strict       Treat warnings as errors
  --errors-only  Show errors only, suppress warnings and info
  --json         Output results as JSON
  --out OUT      Write JSON output to file
  --no-banner    Suppress banner

Examples

Validate a single rule:

sigma-check rule.yml

Validate all rules in a folder:

sigma-check rules/

Test a rule against a sample log event:

sigma-check rule.yml --log event.json

Strict mode for CI pipelines:

sigma-check rules/ --strict

Errors only, no warnings:

sigma-check rules/ --errors-only

JSON output:

sigma-check rules/ --json --out results.json

Test with included samples:

sigma-check samples/rules/valid_rule.yml
sigma-check samples/rules/bad_rule.yml
sigma-check samples/rules/valid_rule.yml --log samples/logs/powershell_event.json
sigma-check samples/rules/

Check Codes

Errors (E): rule will not function correctly

Code  Description
E001  Missing required field (title, status, logsource, detection)
E002  Invalid status value
E003  Invalid level value
E004  Logsource is not a mapping
E005  Detection is not a mapping
E006  Detection missing condition
E007  Selection is empty/null

Warnings (W): rule may behave unexpectedly

Code  Description
W001  Missing recommended field
W002  Title exceeds 100 characters
W003  Rule ID is not a valid UUID
W004  Date format is not YYYY/MM/DD or YYYY-MM-DD
W005  Unexpected logsource key
W006  Logsource missing category, product, or service
W007  Condition references undefined selection
W008  Selection contains bare wildcard
W009  Field uses bare wildcard matching any value
W010  Unknown field modifier
W011  Tag value is not a string

Info (I): style and convention hints

Code  Description
I001  Title is all lowercase
I002  Tag does not follow namespace.value format
I003  Reference does not look like a URL

Log Testing

The --log flag accepts a JSON file containing a single log event object. sigma-check runs the detection logic against it and reports which selections matched and whether the full condition fired.

This is a lightweight field-matching implementation supporting exact match, contains, startswith, endswith, regex, all-of, 1-of, and and/or/not conditions. Use it for quick sanity checks, not as a replacement for a full Sigma pipeline or backend compiler.

Sample log format:

{
  "Image": "C:\\Windows\\System32\\cmd.exe",
  "CommandLine": "cmd.exe /c whoami",
  "User": "DOMAIN\\user",
  "EventID": "4688"
}
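As an added illustration of the matching semantics described above (this is not the repository's code), here is a minimal evaluator that applies a rule's detection block to the sample event and reports per-selection hits plus whether the condition fired. The event, the detection block, and the helper names are constructed for this example; the W007 and W010 comments refer to the check codes listed earlier.

```python
import re
# Constructed sample event in the format shown above (not from the repository).
EVENT = {
    "Image": "C:\\Windows\\System32\\cmd.exe",
    "CommandLine": "cmd.exe /c whoami",
    "User": "DOMAIN\\user",
    "EventID": "4688",
}

# Constructed detection block, i.e. what a rule's "detection:" section parses to.
DETECTION = {
    "selection_img": {"Image|endswith": "\\cmd.exe", "EventID": 4688},
    "selection_cmd": {"CommandLine|contains": ["whoami", "net user"]},
    "filter_system": {"User|startswith": "NT AUTHORITY"},
    "condition": "all of selection_* and not filter_system",
}

MODIFIERS = {  # string matching is case-insensitive, as in Sigma; "re" is used as-is
    "": lambda v, p: v.lower() == p.lower(),
    "contains": lambda v, p: p.lower() in v.lower(),
    "startswith": lambda v, p: v.lower().startswith(p.lower()),
    "endswith": lambda v, p: v.lower().endswith(p.lower()),
    "re": lambda v, p: re.search(p, v) is not None,
}

def field_matches(event, key, pattern):
    """Evaluate one 'Field|modifier: value' pair; a list of values is OR-ed."""
    name, _, mod = key.partition("|")
    if mod not in MODIFIERS:
        raise ValueError(f"unknown field modifier: {mod}")  # sigma-check reports W010
    if name not in event:
        return False
    patterns = pattern if isinstance(pattern, list) else [pattern]
    return any(MODIFIERS[mod](str(event[name]), str(p)) for p in patterns)

def evaluate(detection, event):
    """Return ({selection: hit}, condition_fired); fields inside a selection are AND-ed."""
    hits = {n: all(field_matches(event, k, v) for k, v in sel.items())
            for n, sel in detection.items() if n != "condition"}
    def quantifier(m):  # "1 of x*" -> OR of matching names, "all of x*" -> AND
        op = " or " if m.group(1) == "1" else " and "
        prefix = "" if m.group(2) == "them" else m.group(2).rstrip("*")
        return "(" + (op.join(n for n in hits if n.startswith(prefix)) or "False") + ")"

    expr = re.sub(r"\b(1|all) of (\w+\*?)", quantifier, detection["condition"])
    unknown = [t for t in re.findall(r"\w+", expr)
               if t not in hits and t not in ("and", "or", "not", "False")]
    if unknown:
        raise ValueError(f"condition references undefined selection: {unknown}")  # W007
    # Only validated selection names and boolean keywords remain, so eval is safe here.
    return hits, bool(eval(expr, {"__builtins__": {}}, dict(hits)))
```

Calling evaluate(DETECTION, EVENT) on the sample event yields hits for both selections, a miss for the filter, and a fired condition; swapping the command line for something without "whoami" turns the result to a miss.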

CI/CD Integration

sigma-check exits with code 1 if any errors are found. Use --strict to also exit 1 on warnings.

Pre-commit hook:

#!/bin/bash
sigma-check rules/ --strict

GitHub Actions:

- name: Validate Sigma rules
  run: python3 sigma_check.py rules/ --strict --errors-only

Sample Files

The samples/ directory includes:

  • samples/rules/valid_rule.yml: a well-formed rule that passes all checks
  • samples/rules/bad_rule.yml: a rule with intentional errors and warnings for testing
  • samples/logs/powershell_event.json: a sample Windows process creation event

Requirements

  • Python 3.8+
  • pyyaml
  • colorama (optional, for colored output)

License

MIT. See LICENSE.


by 0xPersist
