{"library":"pysigma","title":"pySigma","description":"pySigma is a Python library for processing and converting Sigma rules, a generic and open signature format that allows security analysts to describe relevant log events in a structured way. It serves as the core engine for Sigma rule management and transformation into various SIEM or EDR query languages. The current version is 1.3.2, with minor releases and bug fixes occurring frequently.","language":"python","status":"active","last_verified":"Mon May 18","install":{"commands":["pip install pysigma","pip install pysigma[splunk,elasticsearch]"],"cli":null},"imports":["from pysigma import PySigmaCollection","from pysigma.backends.sigma import SigmaDetectionsBackend","from pysigma.parser.rule import SigmaRule"],"auth":{"required":false,"env_vars":[]},"quickstart":{"code":"import os\nfrom pysigma import PySigmaCollection\nfrom pysigma.backends.sigma import SigmaDetectionsBackend\n\n# Create a dummy Sigma rule file for demonstration\nrule_content = \"\"\"\ntitle: Detect PowerShell Encoded Command\nid: 03f57279-7928-4e89-a5e2-6320573e6a4b\nstatus: stable\ndescription: Detects PowerShell usage with encoded commands, often used in malicious activity.\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image|endswith: \n      - '\\\\powershell.exe'\n      - '\\\\pwsh.exe'\n    CommandLine|contains: \n      - '-EncodedCommand'\n      - '-eNcoDedCOmmaNd'\n  condition: selection\nfields:\n  - CommandLine\n  - ParentCommandLine\n  - Image\ntags:\n  - attack.execution\n  - attack.t1059.001\n\"\"\"\n\n# Write the rule to a 'sigma_rules' directory in the current working directory (not a temp dir; an existing file of that name is overwritten)\nif not os.path.exists('sigma_rules'):\n    os.makedirs('sigma_rules')\nwith open('sigma_rules/powershell_encoded_command.yml', 'w') as f:\n    f.write(rule_content)\n\n# 1. Load Sigma rules from a directory\ncollection = PySigmaCollection.from_directory('sigma_rules')\nprint(f\"Loaded {len(collection.rules)} Sigma rule(s).\")\n\n# 2. 
Instantiate a backend (e.g., generic Sigma detection backend)\n# For Splunk, use: from pysigma.backends.splunk import SplunkBackend; backend = SplunkBackend()\nbackend = SigmaDetectionsBackend()\n\n# 3. Process the collection using the backend\n# This generates a list of Backend_Rule objects\ndetection_rules = backend.convert(collection)\n\n# 4. Print the converted query for each rule\nfor rule in detection_rules:\n    print(f\"\\nRule ID: {rule.id}\")\n    print(f\"Query: {rule.text}\")\n\n# Clean up the dummy rule file and directory\nos.remove('sigma_rules/powershell_encoded_command.yml')\nos.rmdir('sigma_rules')\n","lang":"python","description":"This quickstart demonstrates how to load Sigma rules from a local directory, initialize a generic Sigma detection backend, and convert the rules into a textual representation suitable for a SIEM/EDR system. To convert to specific SIEM formats (e.g., Splunk, Elasticsearch), you need to install the corresponding `pysigma-plugin-<backend>` package and import the specific backend class.","tag":null,"tag_description":null,"last_tested":null,"results":[]},"compatibility":{"tag":null,"tag_description":null,"last_tested":"2026-05-18","installed_version":"0.11.23","pypi_latest":"1.3.3","is_stale":true,"summary":{"python_range":"3.10–3.9","success_rate":100,"avg_install_s":3.1,"avg_import_s":null,"wheel_type":"wheel"},"results":[{"runtime":"python:3.10-alpine","python_version":"3.10","os_libc":"alpine (musl)","variant":"pysigma","exit_code":0,"wheel_type":"wheel","failure_reason":null,"import_side_effects":"broken","install_time_s":null,"import_time_s":null,"mem_mb":null,"disk_size":"28.5M"},{"runtime":"python:3.10-alpine","python_version":"3.10","os_libc":"alpine 
(musl)","variant":"splunk,elasticsearch","exit_code":0,"wheel_type":"wheel","failure_reason":null,"import_side_effects":"broken","install_time_s":null,"import_time_s":null,"mem_mb":null,"disk_size":"28.5M"},{"runtime":"python:3.10-slim","python_version":"3.10","os_libc":"slim (glibc)","variant":"pysigma","exit_code":0,"wheel_type":"wheel","failure_reason":null,"import_side_effects":"broken","install_time_s":3.5,"import_time_s":null,"mem_mb":null,"disk_size":"30M"},{"runtime":"python:3.10-slim","python_version":"3.10","os_libc":"slim (glibc)","variant":"splunk,elasticsearch","exit_code":0,"wheel_type":"wheel","failure_reason":null,"import_side_effects":"broken","install_time_s":3.1,"import_time_s":null,"mem_mb":null,"disk_size":"30M"},{"runtime":"python:3.11-alpine","python_version":"3.11","os_libc":"alpine (musl)","variant":"pysigma","exit_code":0,"wheel_type":"wheel","failure_reason":null,"import_side_effects":"broken","install_time_s":null,"import_time_s":null,"mem_mb":null,"disk_size":"31.9M"},{"runtime":"python:3.11-alpine","python_version":"3.11","os_libc":"alpine (musl)","variant":"splunk,elasticsearch","exit_code":0,"wheel_type":"wheel","failure_reason":null,"import_side_effects":"broken","install_time_s":null,"import_time_s":null,"mem_mb":null,"disk_size":"31.9M"},{"runtime":"python:3.11-slim","python_version":"3.11","os_libc":"slim (glibc)","variant":"pysigma","exit_code":0,"wheel_type":"wheel","failure_reason":null,"import_side_effects":"broken","install_time_s":3.2,"import_time_s":null,"mem_mb":null,"disk_size":"33M"},{"runtime":"python:3.11-slim","python_version":"3.11","os_libc":"slim (glibc)","variant":"splunk,elasticsearch","exit_code":0,"wheel_type":"wheel","failure_reason":null,"import_side_effects":"broken","install_time_s":3.2,"import_time_s":null,"mem_mb":null,"disk_size":"33M"},{"runtime":"python:3.12-alpine","python_version":"3.12","os_libc":"alpine 
(musl)","variant":"pysigma","exit_code":0,"wheel_type":"wheel","failure_reason":null,"import_side_effects":"broken","install_time_s":null,"import_time_s":null,"mem_mb":null,"disk_size":"23.4M"},{"runtime":"python:3.12-alpine","python_version":"3.12","os_libc":"alpine (musl)","variant":"splunk,elasticsearch","exit_code":0,"wheel_type":"wheel","failure_reason":null,"import_side_effects":"broken","install_time_s":null,"import_time_s":null,"mem_mb":null,"disk_size":"23.4M"},{"runtime":"python:3.12-slim","python_version":"3.12","os_libc":"slim (glibc)","variant":"pysigma","exit_code":0,"wheel_type":"wheel","failure_reason":null,"import_side_effects":"broken","install_time_s":2.9,"import_time_s":null,"mem_mb":null,"disk_size":"25M"},{"runtime":"python:3.12-slim","python_version":"3.12","os_libc":"slim (glibc)","variant":"splunk,elasticsearch","exit_code":0,"wheel_type":"wheel","failure_reason":null,"import_side_effects":"broken","install_time_s":2.8,"import_time_s":null,"mem_mb":null,"disk_size":"25M"},{"runtime":"python:3.13-alpine","python_version":"3.13","os_libc":"alpine (musl)","variant":"pysigma","exit_code":0,"wheel_type":"wheel","failure_reason":null,"import_side_effects":"broken","install_time_s":null,"import_time_s":null,"mem_mb":null,"disk_size":"23.2M"},{"runtime":"python:3.13-alpine","python_version":"3.13","os_libc":"alpine (musl)","variant":"splunk,elasticsearch","exit_code":0,"wheel_type":"wheel","failure_reason":null,"import_side_effects":"broken","install_time_s":null,"import_time_s":null,"mem_mb":null,"disk_size":"23.2M"},{"runtime":"python:3.13-slim","python_version":"3.13","os_libc":"slim (glibc)","variant":"pysigma","exit_code":0,"wheel_type":"wheel","failure_reason":null,"import_side_effects":"broken","install_time_s":3,"import_time_s":null,"mem_mb":null,"disk_size":"24M"},{"runtime":"python:3.13-slim","python_version":"3.13","os_libc":"slim 
(glibc)","variant":"splunk,elasticsearch","exit_code":0,"wheel_type":"wheel","failure_reason":null,"import_side_effects":"broken","install_time_s":2.7,"import_time_s":null,"mem_mb":null,"disk_size":"24M"},{"runtime":"python:3.9-alpine","python_version":"3.9","os_libc":"alpine (musl)","variant":"pysigma","exit_code":0,"wheel_type":"wheel","failure_reason":null,"import_side_effects":"broken","install_time_s":null,"import_time_s":null,"mem_mb":null,"disk_size":"26.4M"},{"runtime":"python:3.9-alpine","python_version":"3.9","os_libc":"alpine (musl)","variant":"splunk,elasticsearch","exit_code":0,"wheel_type":"wheel","failure_reason":null,"import_side_effects":"broken","install_time_s":null,"import_time_s":null,"mem_mb":null,"disk_size":"26.4M"},{"runtime":"python:3.9-slim","python_version":"3.9","os_libc":"slim (glibc)","variant":"pysigma","exit_code":0,"wheel_type":"wheel","failure_reason":null,"import_side_effects":"broken","install_time_s":3.5,"import_time_s":null,"mem_mb":null,"disk_size":"28M"},{"runtime":"python:3.9-slim","python_version":"3.9","os_libc":"slim (glibc)","variant":"splunk,elasticsearch","exit_code":0,"wheel_type":"wheel","failure_reason":null,"import_side_effects":"broken","install_time_s":3.2,"import_time_s":null,"mem_mb":null,"disk_size":"28M"}]}}