SigmaSync is a powerful tool designed to act as a bridge between Sigma rules and your security infrastructure. It automatically downloads, parses, and synchronizes Sigma rules into various SIEM formats (Splunk, ElasticSearch, IBM QRadar, etc.) and stores them in a MongoDB database for easy access and management.
The script will:
- Download the latest Sigma rules. From https://github.com/SigmaHQ
- Unzip and validate plugins.
- Convert rules to supported formats.
- Insert the processed rules into your MongoDB database.
- Automated Synchronization: Keeps your rule database in sync by fetching the latest Sigma rules directly from the official repository.
- Rule Conversion: Supports conversion to 20+ formats including:
- IBM QRadar AQL
- Splunk
- ElasticSearch
- Cortex XDR
- SentinelOne
- CrowdStrike
- And many more...
- Database Storage: Parses and stores converted rules and metadata into MongoDB for easy querying and management.
-
Clone the repository:
-
Install dependencies:
pip install -r requirements.txt
-
Configuration: Copy the example environment file and update it with your MongoDB credentials.
cp .env.example .env
Edit
.env:MONGODB_URI=mongodb://user:password@host:port MONGODB_DB=vulnrule MONGODB_COLLECTION=rules
Run the main script to start the process:
python main.pyYou can easily run SigmaSync using Docker Compose, which handles the application and the MongoDB database automatically.
-
Build and Run:
docker-compose up --build -d
-
View Logs:
docker-compose logs -f sigmasync
-
Stop:
docker-compose down
The script will:
- Download the latest Sigma rules.
- Unzip and validate plugins.
- Convert rules to supported formats.
- Insert the processed rules into your MongoDB database.