RSigma is a complete, high-performance Rust toolkit for the Sigma detection-engineering standard. It parses Sigma YAML rules into a strongly-typed AST, compiles them into optimized matchers, and evaluates them against log events in real time. Beyond conversion (the classic Sigma job), RSigma bundles a parser, a linter, an evaluation and correlation engine, a streaming runtime daemon, and Model Context Protocol (MCP) and Language Server Protocol (LSP) servers, making it a one-stop foundation for detection-as-code pipelines.
Installation
| Method | Command |
|---|---|
| Cargo | `cargo install rsigma` |
| From source | `git clone https://github.com/timescale/rsigma && cd rsigma && cargo build --release` |
| Binary | Download from the GitHub Releases page |
| Verify | `rsigma --version` |
Core Subcommands
| Command | Description |
|---|---|
| `rsigma lint rules/` | Validate and quality-score Sigma rules |
| `rsigma convert -t splunk rule.yml` | Convert a rule to a target query language |
| `rsigma eval -r rule.yml events.jsonl` | Evaluate rules against log events |
| `rsigma correlate rules/ events.jsonl` | Run correlation rules across events |
| `rsigma serve` | Start the streaming evaluation daemon |
| `rsigma lsp` | Run the Language Server for editor integration |
| `rsigma mcp` | Run the MCP server for AI-agent access |
| `rsigma --help` | Full command reference |
Linting
```bash
# Lint a rule directory, fail on errors (CI-friendly)
rsigma lint rules/ --fail-on error
# Show quality scores across dimensions as JSON
rsigma lint rules/windows/ --format json
```
| Dimension | Checks |
|---|---|
| Syntax | Valid Sigma schema/AST |
| Metadata | `title`, `id`, `status`, `level` present |
| Logic | Detection/condition consistency |
| Field usage | Known fields, taxonomy compliance |
| Best practices | Naming, false-positive notes |
| Portability | Backend-compatible constructs |
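As an added example, not RSigma's own code, the following Python sketch implements two of the dimensions above (metadata completeness and detection/condition consistency) together with a `fail_on` gate like the CLI's `--fail-on` flag. Rules are Python dicts mirroring Sigma YAML; the accepted `status` and `level` values follow the Sigma rule specification, while the finding texts, the severities, and the two sample rules are assumptions made for the example.

```python
"""Lint Sigma-style rules for metadata completeness and condition consistency
(added illustration, not RSigma's linter; rules are dicts mirroring Sigma YAML)."""
import re
import uuid
from fnmatch import fnmatchcase

VALID_STATUS = {"stable", "test", "experimental", "deprecated", "unsupported"}
VALID_LEVEL = {"informational", "low", "medium", "high", "critical"}
RANK = {"info": 0, "warning": 1, "error": 2}          # assumed severity ordering
KEYWORDS = {"and", "or", "not", "of", "all", "them"}  # condition words that are not identifiers

# Constructed sample rules: one clean, one with several defects.
GOOD = {
    "title": "Encoded PowerShell", "id": "3f2a1c5e-9b1d-4c7a-8e2f-1a2b3c4d5e6f",
    "status": "test", "level": "high", "falsepositives": ["Administrative scripts"],
    "detection": {"selection": {"CommandLine|contains": "-enc"}, "condition": "selection"},
}
BAD = {
    "title": "Broken rule", "status": "draft", "level": "high",
    "detection": {"selection": {"EventID": 4688}, "unused": {"EventID": 1},
                  "condition": "selection and not filter"},
}

def lint_rule(rule):
    """Return [(severity, message), ...] for one rule."""
    out = []
    for key in ("title", "id", "status", "level"):
        if key not in rule:
            out.append(("error", f"missing required field '{key}'"))
    if "id" in rule:
        try:
            uuid.UUID(str(rule["id"]))
        except ValueError:
            out.append(("error", f"id {rule['id']!r} is not a UUID"))
    if "status" in rule and rule["status"] not in VALID_STATUS:
        out.append(("error", f"unknown status {rule['status']!r}"))
    if "level" in rule and rule["level"] not in VALID_LEVEL:
        out.append(("error", f"unknown level {rule['level']!r}"))
    if not rule.get("falsepositives"):
        out.append(("warning", "no falsepositives documented"))
    det = rule.get("detection", {})
    if "condition" not in det:
        out.append(("error", "detection has no condition"))
        return out
    defined = set(det) - {"condition"}
    # Identifiers may carry a trailing wildcard ("1 of selection_*"); "them" means all of them.
    tokens = re.findall(r"[A-Za-z_][\w*]*", det["condition"])
    refs = {t for t in tokens if t not in KEYWORDS} | ({"*"} if "them" in tokens else set())
    for ref in sorted(refs):
        if not any(fnmatchcase(name, ref) for name in defined):
            out.append(("error", f"condition references undefined search identifier {ref!r}"))
    for name in sorted(defined):
        if not any(fnmatchcase(name, ref) for ref in refs):
            out.append(("warning", f"search identifier {name!r} is never used in the condition"))
    return out

def lint(rules, fail_on="error"):
    """Lint many rules. Returns (report, passed); passed is False when any finding
    is at least as severe as `fail_on`, which is how a CI gate should use it."""
    report = [(r.get("title", "<untitled>"), lint_rule(r)) for r in rules]
    passed = all(RANK[sev] < RANK[fail_on] for _, findings in report for sev, _ in findings)
    return report, passed

if __name__ == "__main__":
    for title, findings in lint([GOOD, BAD])[0]:
        for sev, msg in findings:
            print(f"{sev:8} {title}: {msg}")
```

`lint([...], fail_on="warning")` is the stricter gate: it fails the pipeline on missing false-positive notes as well as on hard errors, which is what a team usually wants once its rule set is clean.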
Conversion (Detection-as-Code)
RSigma compiles one Sigma rule to many SIEM query languages.
```bash
rsigma convert -t splunk rule.yml         # Splunk SPL
rsigma convert -t elasticsearch rule.yml  # Elastic DSL / EQL
rsigma convert -t sentinel rule.yml       # Microsoft Sentinel KQL
rsigma convert -t qradar rule.yml         # QRadar AQL
```
| Flag | Purpose |
|---|---|
| `-t`, `--target` | Backend/query language |
| `-p`, `--pipeline` | Apply a processing pipeline (field mappings) |
| `-o`, `--output` | Write to a file |
| `--format` | Output format for batch conversions |
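To show the shape of the translation a `-t splunk` conversion performs, here is an added Python example that is not RSigma's converter and does not reproduce its output byte for byte. It compiles a rule given as a Python dict mirroring Sigma YAML into a Splunk SPL search; only the `contains`, `startswith` and `endswith` modifiers and `and`/`or`/`not` conditions are handled, and the SPL quoting rules used (`field="value"`, `*` wildcards, doubled backslashes) are simplified assumptions.

```python
"""Compile a Sigma-style rule into a Splunk SPL search string (added illustration,
not RSigma's converter; the rule is a dict mirroring Sigma YAML)."""

# Constructed rule: encoded PowerShell unless run as SYSTEM.
RULE = {
    "title": "Encoded PowerShell not run as SYSTEM",
    "detection": {
        "selection": {
            "Image|endswith": "\\powershell.exe",
            "CommandLine|contains": ["-enc", "-EncodedCommand"],
        },
        "filter": {"User": "NT AUTHORITY\\SYSTEM"},
        "condition": "selection and not filter",
    },
}

# How each Sigma modifier becomes an SPL wildcard pattern (assumed mapping);
# plain values pass through because Sigma's own * and ? wildcards mean the same in SPL.
WILDCARD = {"contains": "*{}*", "startswith": "{}*", "endswith": "*{}", "": "{}"}

def spl_literal(value):
    """Quote a value for SPL, doubling backslashes and escaping embedded quotes."""
    return '"' + str(value).replace("\\", "\\\\").replace('"', '\\"') + '"'

def spl_term(key, expected):
    """One 'field|modifier: value(s)' entry -> field="pattern", OR-joined for lists."""
    field, _, modifier = key.partition("|")
    if modifier not in WILDCARD:
        raise ValueError(f"unsupported modifier {modifier!r} on field {field}")
    values = expected if isinstance(expected, list) else [expected]
    terms = [f"{field}={spl_literal(WILDCARD[modifier].format(v))}" for v in values]
    return terms[0] if len(terms) == 1 else "(" + " OR ".join(terms) + ")"

def spl_selection(selection):
    """All entries of one selection are ANDed."""
    return " AND ".join(spl_term(k, v) for k, v in selection.items())

def to_spl(rule):
    """Walk the condition token by token: keywords become SPL operators,
    search identifiers are replaced by their compiled, parenthesised selection."""
    det = rule["detection"]
    parts = []
    for tok in det["condition"].replace("(", " ( ").replace(")", " ) ").split():
        if tok in ("and", "or", "not"):
            parts.append(tok.upper())
        elif tok in ("(", ")"):
            parts.append(tok)
        elif tok in det:
            parts.append("(" + spl_selection(det[tok]) + ")")
        else:
            raise ValueError(f"condition references undefined identifier {tok!r}")
    return " ".join(parts)

if __name__ == "__main__":
    print(to_spl(RULE))
```

Backslash handling is the part that breaks most often in hand-written conversions: a Sigma value like `\powershell.exe` must reach Splunk as `"*\\powershell.exe"`, and a processing pipeline (`-p`) would additionally rename `Image`/`CommandLine` to whatever the target index actually uses.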
Evaluation & Correlation
```bash
# Match rules directly against a JSONL event stream
rsigma eval -r rules/ events.jsonl --format json
# Multi-event correlation (e.g. N failures then success)
rsigma correlate -r correlation_rules/ events.jsonl
```
| Capability | Use |
|---|---|
| Direct eval | Test rules on real telemetry without a SIEM |
| Correlation | Temporal/aggregation rules across events |
| Streaming daemon | `rsigma serve` evaluates live event streams |
| AST caching | Compiled matchers reused for speed |
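What `eval` and `correlate` do under the hood, as an added Python example that is not RSigma's engine: a single-event matcher with Sigma's `contains`/`startswith`/`endswith` modifiers, list-as-OR values and `and`/`or`/`not` conditions, followed by the "N failed logons then a success" temporal correlation from the comment above, written by hand over a constructed JSONL stream. The rules are Python dicts mirroring Sigma YAML, the events and timestamps are invented, and the correlation key (`TargetUserName`) and window are assumptions for the example.

```python
"""Sigma-style evaluation and temporal correlation over JSONL (added illustration,
not RSigma's engine; rules are dicts mirroring Sigma YAML, events are constructed)."""
import json
from datetime import datetime, timedelta
from fnmatch import fnmatchcase

# Constructed rule: encoded PowerShell unless run as SYSTEM.
POWERSHELL_RULE = {
    "detection": {
        "selection": {
            "Image|endswith": "\\powershell.exe",
            "CommandLine|contains": ["-enc", "-EncodedCommand"],
        },
        "filter": {"User": "NT AUTHORITY\\SYSTEM"},
        "condition": "selection and not filter",
    },
}
# Single-event rules used as building blocks for the correlation below.
FAILED_LOGON = {"detection": {"sel": {"EventID": 4625}, "condition": "sel"}}
SUCCESS_LOGON = {"detection": {"sel": {"EventID": 4624}, "condition": "sel"}}
# Constructed JSONL events, one object per line, in time order.
EVENTS_JSONL = r"""
{"ts":"2024-05-01T10:00:00+00:00","EventID":1,"Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","CommandLine":"powershell -EncodedCommand SQBFAFgA","User":"CORP\\alice"}
{"ts":"2024-05-01T10:00:05+00:00","EventID":1,"Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","CommandLine":"powershell -enc AAAA","User":"NT AUTHORITY\\SYSTEM"}
{"ts":"2024-05-01T10:01:00+00:00","EventID":4625,"TargetUserName":"bob"}
{"ts":"2024-05-01T10:01:10+00:00","EventID":4625,"TargetUserName":"bob"}
{"ts":"2024-05-01T10:01:20+00:00","EventID":4625,"TargetUserName":"bob"}
{"ts":"2024-05-01T10:01:30+00:00","EventID":4624,"TargetUserName":"bob"}
{"ts":"2024-05-01T10:02:00+00:00","EventID":4625,"TargetUserName":"carol"}
{"ts":"2024-05-01T10:02:10+00:00","EventID":4624,"TargetUserName":"carol"}
"""

def match_value(actual, modifier, expected):
    """Compare one event value with one rule value; Sigma matching is case-insensitive."""
    a, e = str(actual).lower(), str(expected).lower()
    if modifier == "contains":
        return e in a
    if modifier == "startswith":
        return a.startswith(e)
    if modifier == "endswith":
        return a.endswith(e)
    return fnmatchcase(a, e)  # plain values may use Sigma's * and ? wildcards

def match_selection(selection, event):
    """Entries of a selection are ANDed; a list of values for one entry is ORed."""
    for key, expected in selection.items():
        field, _, modifier = key.partition("|")
        values = expected if isinstance(expected, list) else [expected]
        if field not in event or not any(match_value(event[field], modifier, v) for v in values):
            return False
    return True

def eval_condition(condition, names):
    """Recursive-descent evaluation of and / or / not / parentheses over booleans."""
    toks = condition.replace("(", " ( ").replace(")", " ) ").split()
    pos = 0
    def parse_or():
        nonlocal pos
        value = parse_and()
        while pos < len(toks) and toks[pos] == "or":
            pos += 1
            value = parse_and() or value
        return value
    def parse_and():
        nonlocal pos
        value = parse_not()
        while pos < len(toks) and toks[pos] == "and":
            pos += 1
            value = parse_not() and value
        return value
    def parse_not():
        nonlocal pos
        tok, pos = toks[pos], pos + 1
        if tok == "not":
            return not parse_not()
        if tok == "(":
            value = parse_or()
            pos += 1  # closing parenthesis
            return value
        return names[tok]
    return parse_or()

def eval_rule(rule, event):
    """True when the event satisfies the rule (what `rsigma eval` reports per event)."""
    det = rule["detection"]
    names = {k: match_selection(v, event) for k, v in det.items() if k != "condition"}
    return eval_condition(det["condition"], names)

def load_events(jsonl):
    return [json.loads(line) for line in jsonl.strip().splitlines()]

def correlate_failures_then_success(events, n=3, window=timedelta(minutes=5)):
    """Alert when at least n FAILED_LOGON events precede a SUCCESS_LOGON for the
    same TargetUserName within `window`; the per-user state resets on each success."""
    recent_failures, alerts = {}, []
    for ev in events:
        ts, user = datetime.fromisoformat(ev["ts"]), ev.get("TargetUserName")
        if eval_rule(FAILED_LOGON, ev):
            recent_failures.setdefault(user, []).append(ts)
        elif eval_rule(SUCCESS_LOGON, ev):
            hits = [t for t in recent_failures.pop(user, []) if ts - t <= window]
            if len(hits) >= n:
                alerts.append({"user": user, "failures": len(hits), "at": ev["ts"]})
    return alerts
```

Running `eval_rule(POWERSHELL_RULE, e)` over the stream fires only for alice's event (the SYSTEM one is excluded by `filter`), and the correlation raises exactly one alert, for bob, because carol's single failure is below the threshold. Events whose timestamps arrive out of order would defeat the simple window logic here; a production engine such as the streaming daemon has to buffer and reorder them.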
Editor & Agent Integration
| Server | Purpose |
|---|
rsigma lsp | Autocomplete, diagnostics, hover in editors |
rsigma mcp | Expose Sigma tooling to AI agents via MCP |
CI/CD Pattern
```bash
# In a detection-as-code pipeline:
rsigma lint rules/ --fail-on error             # gate on quality
rsigma eval -r rules/ test-telemetry.jsonl     # verify rules fire
rsigma convert -t sentinel -o out/ rules/      # compile for deployment
```
RSigma vs. sigma-cli
| Aspect | RSigma | sigma-cli (pySigma) |
|---|---|---|
| Language | Rust | Python |
| Scope | Convert + lint + eval + correlate + serve | Convert (+ plugins) |
| Live evaluation | Built-in streaming daemon | External |
| Editor/agent | LSP + MCP servers | None |
| Best for | End-to-end detection-as-code | Conversion-focused workflows |
Resources