sigma
Package record: raw JSON | version 0.23.1 | verified Fri May 01 | auth: no | language: python
Tools for the Generic Signature Format for SIEM Systems (sigma). Current version: 0.23.1. Quarterly releases with rule updates.
Install: pip install sigmatools

Common errors
error: ModuleNotFoundError: No module named 'sigma'
cause: Installed 'sigmatools' but tried to import 'sigmatools' instead of 'sigma'.
fix: Use `import sigma` (the module name is 'sigma', not 'sigmatools').

error: AttributeError: module 'sigma' has no attribute 'backend'
cause: After v0.20, the backend classes are under `sigma.backends.*`, not `sigma.backend`.
fix: Use `from sigma.backends.splunk import SplunkBackend` instead of `sigma.backend.SplunkBackend`.

error: sigma.exceptions.SigmaError: Logsource mapping not found: ...
cause: When converting rules, the backend expects logsource mappings (e.g., for custom log sources).
fix: Ensure you have a proper logsource configuration, or use `--output-config` with sigmac, or specify `backend.processing_pipeline`.

Warnings
breaking: v0.20+ refactored the API: sigma.backends replaced sigma.backends.elasticsearch, sigma.backends.splunk, etc. Old imports like `from sigma.backends import splunk` no longer work; use `from sigma.backends.splunk import SplunkBackend`.
fix: Update imports to use the new module paths: `from sigma.backends.<backend> import <BackendClass>`.

breaking: In v0.22, the CLI command changed from `sigma` to `sigmac`. The old `sigma` subcommands are deprecated.
fix: Use the `sigmac` command for CLI operations.

gotcha: SigmaCollection.from_yaml expects a YAML string, not a file path. To load from a file, you need to read it first.
fix: Use `with open('rule.yml') as f: SigmaCollection.from_yaml(f.read())`.
Imports
- sigma
  wrong:   import sigmatools
  correct: import sigma
Quickstart

```python
import sigma  # top-level package; backends and collections live in subpackages
from sigma.backends.splunk import SplunkBackend
from sigma.collection import SigmaCollection

# Rule is passed as a YAML string (from_yaml does not accept a file path).
# Nested keys must be indented, otherwise the YAML does not parse as a Sigma rule.
rule_source = '''
title: Test Rule
id: abcdef01-1234-5678-9abc-def012345678
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains: 'test'
    condition: selection
'''

rule = SigmaCollection.from_yaml(rule_source)   # parse the rule into a collection
backend = SplunkBackend()                        # target backend (v0.20+ import path)
result = backend.convert(rule)                   # convert the collection to Splunk queries
print(result)
```