RSigma - Rust Sigma Detection Toolkit Cheatsheet

RSigma is a complete, high-performance Rust toolkit for the Sigma detection-engineering standard. It parses Sigma YAML rules into a strongly-typed AST, compiles them into optimized matchers, and evaluates them against log events in real time. Beyond conversion (the classic Sigma job), RSigma bundles a parser, a linter, an evaluation and correlation engine, a streaming runtime daemon, and MCP and LSP servers, making it a one-stop foundation for detection-as-code pipelines.

Installation

Method       Command
Cargo        cargo install rsigma
From source  git clone https://github.com/timescale/rsigma && cd rsigma && cargo build --release
Binary       download from the GitHub Releases page
Verify       rsigma --version

Core Subcommands

Command                               Description
rsigma lint rules/                    Validate and quality-score Sigma rules
rsigma convert -t splunk rule.yml     Convert a rule to a target query language
rsigma eval -r rule.yml events.jsonl  Evaluate rules against log events
rsigma correlate rules/ events.jsonl  Run correlation rules across events
rsigma serve                          Start the streaming evaluation daemon
rsigma lsp                            Run the Language Server for editor integration
rsigma mcp                            Run the MCP server for AI-agent access
rsigma --help                         Full command reference

Linting

# Lint a rule directory, fail on errors (CI-friendly)
rsigma lint rules/ --fail-on error

# Show quality scores across dimensions
rsigma lint rules/windows/ --format json

Dimension       Checks
Syntax          Valid Sigma schema/AST
Metadata        title, id, status, level present
Logic           Detection/condition consistency
Field usage     Known fields, taxonomy compliance
Best practices  Naming, false-positive notes
Portability     Backend-compatible constructs

Conversion (Detection-as-Code)

RSigma compiles one Sigma rule to many SIEM query languages.

rsigma convert -t splunk rule.yml            # Splunk SPL
rsigma convert -t elasticsearch rule.yml     # Elastic DSL / EQL
rsigma convert -t sentinel rule.yml          # Microsoft Sentinel KQL
rsigma convert -t qradar rule.yml            # QRadar AQL

Flag            Purpose
-t, --target    Backend/query language
-p, --pipeline  Apply a processing pipeline (field mappings)
-o, --output    Write to a file
--format        Output format for batch conversions

Evaluation & Correlation

# Match rules directly against a JSONL event stream
rsigma eval -r rules/ events.jsonl --format json

# Multi-event correlation (e.g. N failures then success)
rsigma correlate -r correlation_rules/ events.jsonl

Capability        Use
Direct eval       Test rules on real telemetry without a SIEM
Correlation       Temporal/aggregation rules across events
Streaming daemon  rsigma serve evaluates live event streams
AST caching       Compiled matchers reused for speed
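
The evaluation and correlation flow above, as an added example that is not rsigma's own code: a standard-library Python sketch of what `rsigma eval` and `rsigma correlate` do over a JSONL stream, including the "N failures then success" pattern. The two Sigma-shaped rules, their field names and the events are constructed for illustration, and the condition grammar handled is a subset of Sigma's (AND-ed terms with optional `not`).

```python
# Constructed Sigma-style eval + correlation (stdlib only); illustrative, not rsigma's code.
import json

# Constructed rules in the shape of a Sigma detection block (YAML on disk, dicts here).
# Condition grammar handled is a subset: terms joined by ' and ', optional 'not ' prefix.
FAILED_LOGON = {"detection": {"selection": {"EventID": 4625}, "condition": "selection"}}
SUCCESS_LOGON = {"detection": {"selection": {"EventID": 4624, "LogonType": [3, 10]},
    "filter": {"TargetUserName|endswith": "$"}, "condition": "selection and not filter"}}
def field_matches(event, key, wanted):
    """One Sigma field test: modifier contains/startswith/endswith or exact; lists are OR-ed."""
    field, _, mod = key.partition("|")
    if field not in event:
        return False
    actual = str(event[field]).lower()               # Sigma matching is case-insensitive
    for v in (wanted if isinstance(wanted, list) else [wanted]):
        v = str(v).lower()
        if {"contains": v in actual, "startswith": actual.startswith(v),
            "endswith": actual.endswith(v), "": actual == v}[mod]:
            return True
    return False

def evaluate(rule, event):
    """True when the rule's condition holds; fields inside one named map are AND-ed."""
    det = rule["detection"]
    hits = {name: all(field_matches(event, k, v) for k, v in sel.items())
            for name, sel in det.items() if name != "condition"}
    return all(hits[t.removeprefix("not ")] != t.startswith("not ")
               for t in det["condition"].split(" and "))

def correlate(jsonl_text, n=3, window=60):
    """Users with >= n failed logons inside `window` seconds, then a success (events in time order)."""
    failures, flagged = {}, []
    for line in jsonl_text.splitlines():
        ev = json.loads(line)
        user, ts = ev["TargetUserName"], ev["Timestamp"]   # Timestamp: epoch seconds
        q = [t for t in failures.get(user, []) if ts - t <= window]  # expire old failures
        if evaluate(FAILED_LOGON, ev):
            q.append(ts)
        elif evaluate(SUCCESS_LOGON, ev) and len(q) >= n:
            flagged.append(user)
            q = []                                          # one alert per sequence
        failures[user] = q
    return flagged
# Constructed JSONL telemetry: alice completes the sequence, bob succeeds with no failures.
EVENTS = "\n".join(json.dumps(e) for e in [
    {"Timestamp": 100, "EventID": 4625, "TargetUserName": "alice"},
    {"Timestamp": 110, "EventID": 4625, "TargetUserName": "alice"},
    {"Timestamp": 125, "EventID": 4625, "TargetUserName": "alice"},
    {"Timestamp": 130, "EventID": 4624, "LogonType": 3, "TargetUserName": "alice"},
    {"Timestamp": 140, "EventID": 4624, "LogonType": 3, "TargetUserName": "bob"}])
```

Shrinking `window` or raising `n` shows how the same telemetry stops firing, which is the kind of check `rsigma eval` against test telemetry is meant to give you before deployment.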

Editor & Agent Integration

Server      Purpose
rsigma lsp  Autocomplete, diagnostics, hover in editors
rsigma mcp  Expose Sigma tooling to AI agents via MCP

CI/CD Pattern

# In a detection-as-code pipeline:
rsigma lint rules/ --fail-on error          # gate on quality
rsigma eval -r rules/ test-telemetry.jsonl  # verify rules fire
rsigma convert -t sentinel -o out/ rules/   # compile for deployment

RSigma vs Classic Sigma Tooling

Aspect           RSigma                                     sigma-cli (pySigma)
Language         Rust                                       Python
Scope            Convert + lint + eval + correlate + serve   Convert (+ plugins)
Live evaluation  Built-in streaming daemon                  External
Editor/agent     LSP + MCP servers                          None
Best for         End-to-end detection-as-code               Conversion-focused workflows

Resources