{"id":24585,"library":"sigmatools","title":"sigma","description":"Tools for the Generic Signature Format for SIEM Systems (sigma). Current version: 0.23.1. Quarterly releases with rule updates.","status":"active","version":"0.23.1","language":"python","source_language":"en","source_url":"https://github.com/SigmaHQ/sigma","tags":["sigma","siem","detection","rules","security"],"install":[{"cmd":"pip install sigmatools","lang":"bash","label":"Install sigmatools"}],"dependencies":[],"imports":[{"note":"The package is 'sigmatools' but the import module is 'sigma'.","wrong":"import sigmatools","symbol":"sigma","correct":"import sigma"}],"quickstart":{"code":"import sigma\nfrom sigma.backends.splunk import SplunkBackend\nfrom sigma.collection import SigmaCollection\n\nrule_source = '''\ntitle: Test Rule\nid: abcdef01-1234-5678-9abc-def012345678\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine|contains: 'test'\n  condition: selection\n'''\nrule = SigmaCollection.from_yaml(rule_source)\nbackend = SplunkBackend()\nresult = backend.convert(rule)\nprint(result)","lang":"python","description":"Convert a Sigma rule to Splunk SPL query."},"warnings":[{"fix":"Update imports to use new module paths: `from sigma.backends.<backend> import <BackendClass>`.","message":"v0.20+ refactored the API: sigma.backends replaced sigma.backends.elasticsearch, sigma.backends.splunk, etc. Old imports like `from sigma.backends import splunk` no longer work; use `from sigma.backends.splunk import SplunkBackend`.","severity":"breaking","affected_versions":"<0.20"},{"fix":"Use `sigmac` command for CLI operations.","message":"In v0.22, the CLI command changed from `sigma` to `sigmac`. The old `sigma` subcommands are deprecated.","severity":"breaking","affected_versions":"<0.22"},{"fix":"Use `with open('rule.yml') as f: SigmaCollection.from_yaml(f.read())`.","message":"SigmaCollection.from_yaml expects a YAML string, not a file path. To load from a file, you need to read it first.","severity":"gotcha","affected_versions":"all"}],"env_vars":null,"last_verified":"2026-05-01T00:00:00.000Z","next_check":"2026-07-30T00:00:00.000Z","problems":[{"fix":"Use `import sigma` (the module name is 'sigma', not 'sigmatools').","cause":"Installed 'sigmatools' but tried to import 'sigmatools' instead of 'sigma'.","error":"ModuleNotFoundError: No module named 'sigma'"},{"fix":"Use `from sigma.backends.splunk import SplunkBackend` instead of `sigma.backend.SplunkBackend`.","cause":"After v0.20, the backend classes are under `sigma.backends.*`, not `sigma.backend`.","error":"AttributeError: module 'sigma' has no attribute 'backend'"},{"fix":"Ensure you have a proper logsource configuration or use `--output-config` with sigmac, or specify `backend.processing_pipeline`.","cause":"When converting rules, the backend expects logsource mappings (e.g., for custom log sources).","error":"sigma.exceptions.SigmaError: Logsource mapping not found: ..."}],"ecosystem":"pypi","meta_description":null,"install_score":null,"install_tag":null,"quickstart_score":null,"quickstart_tag":null}