Thanks to visit codestin.com
Credit goes to github.com

Skip to content

wayne-csrs/pySigma-backend-signals

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

5 Commits
.github/workflows
.github/workflows
 
 
sigma
sigma
 
 
tests
tests
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
poetry.lock
poetry.lock
 
 
print-coverage.py
print-coverage.py
 
 
pyproject.toml
pyproject.toml
 
 

Repository files navigation

Tests Coverage Badge Status

pySigma Signals Backend

A pySigma backend for converting Sigma rules into Tanium Signals query syntax.

Contents

Overview

This package provides:

  • Backend: sigma.backends.signals with SignalsBackend
  • Pipeline: sigma.pipelines.signals with signals_pipeline
  • Output formats:
    • default (plain Signals query output)
    • json (query plus Sigma metadata in JSON, including mitreAttack.technique_ids)

The backend is designed for Sigma rule conversion with field normalisation that maps common Windows/Sysmon-style fields to Signals fields.

Key Features

  • Supports common Sigma condition patterns (AND, OR, list values, regex, CIDR expansion)
  • Includes correlation query templates (event count, value count, temporal, temporal ordered)
  • Provides category-specific field mappings through a dedicated processing pipeline
  • Works in Python workflows and can be used with sigma-cli where backend discovery is configured

Quick Start

Install dependencies (example with pip):

pip install pysigma

Then install this backend from source:

git clone https://github.com/wayne-csrs/pySigma-backend-signals.git
cd pySigma-backend-signals
pip install .

Usage

Python Example

from sigma.collection import SigmaCollection
from sigma.backends.signals import SignalsBackend

rule = SigmaCollection.from_yaml(
    """
    title: Suspicious CommandLine
    status: test
    logsource:
      category: process_creation
      product: windows
    detection:
      sel:
        CommandLine|contains: mimikatz
      condition: sel
    """
)

backend = SignalsBackend()
queries = backend.convert(rule)
print(queries[0])

sigma-cli Example

If your sigma-cli environment is set up to discover installed backends, you can run:

sigma convert -t signals -p signals path/to/rule.yml

For JSON output:

sigma convert -t signals -p signals -f json path/to/rule.yml

Processing Pipeline

The built-in signals_pipeline applies:

  • Generic mappings for user/logon-related fields
  • Category-aware mappings for:
    • Windows: process_creation, image_load, file_event, network_connection, registry_event, registry_set
    • Linux: process_creation, network_connection, file_create
    • macOS: process_creation, file_create

Examples of normalised fields include:

  • Image -> process.path
  • CommandLine -> process.command_line
  • TargetFilename -> file.path
  • SourceIp -> network.source.ip
  • RegistryValueData -> registry.value.data

Maintainer

Contributing

Contributions are welcome, especially for:

  • Additional field mappings
  • More rule category coverage
  • Backend behavior tests and correlation test coverage

Please open an issue or submit a pull request.

License

Licensed under LGPL-3.0-only. See LICENSE.

About

PySigma Backend for Tanium Signals

Resources

Readme

License

LGPL-3.0 license
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases 1

First Signal Latest
May 14, 2026

Packages

 
 
 

Contributors

Languages