Version: v4.24

Execute Sigma rules

Tenzir supports executing Sigma rules using the sigma operator. This allows you to run your Sigma rules in the pipeline. The operator transpiles the provided rules into an expression, and wraps matching events into a sighting record along with the matched rule.

Semantically, you can think of executing Sigma rules as applying the where operator to the input. At a high level, the translation process looks as follows:

pySigma Support

Unlike the legacy sigmac compiler, which tailors a rule to a specific backend such as Elastic or Splunk, the sigma operator only transpiles the structural YAML rules to produce an expression that is then used to filter a dataflow. In the future, we would like to write a native Tenzir backend for pySigma. Please reach out on our Discord if you would like to help us with that!

Run a Sigma rule on an EVTX file

You can run a Sigma rule on any pipeline input. For example, to apply a Sigma rule to an EVTX file, we can use the utility evtx_dump to convert the binary EVTX format into JSON and then pipe it to sigma on the command line:

evtx_dump -o jsonl file.evtx | tenzir 'read_json | sigma "rule.yaml"'
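The mechanics described above, reduced to a standalone Python sketch that is added here and is not Tenzir's code: the rule's selections and condition are compiled into a predicate (standing in for the transpiled where-style expression) and each matching event is wrapped into a sighting record carrying the rule. The rule, the supported modifier and condition subset, and the flattened sample events are all constructed assumptions.

```python
# Hypothetical Sigma evaluator (not Tenzir's code): compile the detection block into a
# predicate, the role of the where-style expression, and wrap matches as sightings.
RULE = {  # constructed rule, written as the parsed form of its Sigma YAML document
    "title": "Whoami execution via process creation",
    "detection": {
        "selection": {"EventID": 4688, "CommandLine|contains": "whoami"},
        "filter": {"ParentImage|endswith": "\\explorer.exe"},
        "condition": "selection and not filter",
    },
}
# Value modifiers handled here; an unknown modifier raises KeyError instead of silently
# matching nothing, which is the failure mode you want in a detection pipeline.
MODIFIERS = {
    "": lambda text, v: text == v,
    "contains": lambda text, v: v in text,
    "startswith": lambda text, v: text.startswith(v),
    "endswith": lambda text, v: text.endswith(v),
}
def field_matches(event, key, expected):
    """One `field|modifier: value` pair; a value list is an OR; Sigma matches case-insensitively."""
    field, _, modifier = key.partition("|")
    if event.get(field) is None:
        return False
    text = str(event[field]).lower()
    values = expected if isinstance(expected, list) else [expected]
    return any(MODIFIERS[modifier](text, str(v).lower()) for v in values)

def selection_matches(event, selection):
    """A selection map is an AND over all of its field pairs."""
    return all(field_matches(event, k, v) for k, v in selection.items())

def compile_condition(detection):
    """Condition subset assumed here: names joined by and/or with optional leading 'not';
    no parentheses or 'N of' quantifiers. 'and' binds tighter than 'or', as in Sigma."""
    selections = {k: v for k, v in detection.items() if k != "condition"}
    def term(event, tok):
        negate = tok.startswith("not ")
        return selection_matches(event, selections[tok[4:] if negate else tok]) != negate
    return lambda event: any(all(term(event, t.strip()) for t in clause.split(" and "))
                             for clause in detection["condition"].split(" or "))

def run_sigma(rule, events):
    """Return a sighting record {event, rule} for every event the rule matches."""
    predicate = compile_condition(rule["detection"])
    return [{"event": e, "rule": rule["title"]} for e in events if predicate(e)]
# Constructed process-creation events, flattened for brevity (evtx_dump's JSON nests fields).
EVENTS = [
    {"EventID": 4688, "CommandLine": "whoami /all", "ParentImage": "C:\\Windows\\System32\\cmd.exe"},
    {"EventID": 4688, "CommandLine": "WHOAMI", "ParentImage": "C:\\Windows\\explorer.exe"},
    {"EventID": 4688, "CommandLine": "notepad.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe"},
    {"EventID": 4624, "CommandLine": "whoami"},
]
```

Only the first event survives: the second is excluded by the `filter` selection and the other two never satisfy `selection`.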