Sigma Detection Tool (English name: rsigma)
🔌 MCP tool

Built on Rust · lets your AI assistant operate your system and tools directly
⭐ 77 Stars 🍴 7 Forks 💻 Rust 📄 MIT 🏷 AI score 8.0
Topics: mcp, backend, converter, correlation, detection
✦ AI Skill Hub pick

Sigma Detection Tool is one of this issue's featured MCP tools on AI Skill Hub. With an overall score of 8.0 it is of high quality, and we recommend adding it to your AI toolbox to improve productivity.

📚 In-depth analysis

Sigma Detection Tool is an AI tool extension built on the MCP (Model Context Protocol) standard. MCP was developed and open-sourced by Anthropic to establish a standardized communication interface between AI models and external tools; it has been adopted by mainstream AI tools such as Claude Desktop, Claude Code and Cursor.

Once Sigma Detection Tool is installed, your AI assistant gains additional tool-calling capabilities: you can drive the tool's functions in natural language without learning its command-line syntax. The core value of an MCP tool is "configure once, enhanced forever": after setup, the tools can be invoked seamlessly in every conversation with the AI.

Technically, an MCP tool communicates with the AI client over the standard JSON-RPC based protocol, exposing its functions to the model as a tool list that the AI can call on demand. Sigma Detection Tool provides a structured tool-calling interface so that the model can understand and use each function precisely, which noticeably reduces tool-use errors.

Compared with traditional API integration, the advantage of an MCP tool is that no code needs to be written: adding a few lines of JSON to a configuration file gives the AI a new capability. AI Skill Hub rates Sigma Detection Tool at 8.0, a high-quality choice among tools of its kind.

📋 Tool overview

Sigma Detection Tool is an AI tool extension that follows the MCP (Model Context Protocol) standard. Through MCP it lets mainstream AI clients such as Claude and Cursor access and operate external tools, data sources and services directly, extending AI capabilities seamlessly. File operations, database queries and API calls can all be triggered in natural language from within an AI conversation, greatly improving productivity.

GitHub Stars: ⭐ 77
Language: Rust
Platforms: Windows / macOS / Linux
Maintenance status: lightweight project, updated as needed
License: MIT
AI overall score: 8.0
Tool type: MCP tool
Forks: 7

📖 Documentation (compiled by AI Skill Hub)

The content below was compiled automatically by AI Skill Hub from project information; for the complete original documentation see "Original sources" at the bottom of the page.


📌 Key features
  • Integrates deeply with mainstream AI clients such as Claude and Cursor via the standard MCP protocol
  • Provides a structured tool-calling interface, markedly reducing AI integration complexity
  • Works out of the box with Claude Desktop and Claude Code
  • Can be stacked with other MCP tools to build a complete AI workstation
  • Lightweight, non-invasive design that leaves your existing system architecture untouched
🎯 Main use cases
  • Call local tools directly from a Claude Desktop conversation, linking the AI tightly to your system
  • Drive complex multi-step automation tasks in natural language instead of tedious manual work
  • Combine several MCP tools into a personal AI workstation
The installation commands below were generated automatically from the project's language and type; the official README is authoritative.
Installation commands
# Option 1: one-shot install through the Claude Code CLI
claude skill install https://github.com/timescale/rsigma

# Option 2: configure claude_desktop_config.json by hand.
# rsigma is a Rust crate, not an npm package: install it with `cargo install --locked rsigma`
# and start its MCP server with `rsigma mcp serve`, as the README further down describes.
{
  "mcpServers": {
    "rsigma": {
      "command": "rsigma",
      "args": ["mcp", "serve"]
    }
  }
}

# Config file location
# macOS: ~/Library/Application Support/Claude/claude_desktop_config.json
# Windows: %APPDATA%/Claude/claude_desktop_config.json
📋 Installation steps
  1. Confirm that Node.js (v18 or later) is installed
  2. Open the MCP configuration file of Claude Desktop or Claude Code
  3. Fill the JSON configuration from the "Let the agent install → Claude Desktop" tab into the mcpServers field
  4. Save the configuration file and restart the Claude client
  5. After the restart, the tool is available in conversations
The usage examples below were compiled by AI Skill Hub and cover the most common scenarios.
Common commands / code examples
# Use it directly in a Claude conversation after installation
# Example:
User: Please use Sigma Detection Tool to perform the following task...
Claude: [automatically calls the Sigma Detection Tool MCP tool to handle the request]

# List the available tools
# Type in Claude: "list all available MCP tools"
The configuration example below was generated for a typical scenario; adjust the parameters according to the official documentation.
Configuration example
// Example claude_desktop_config.json (JSON itself allows no comments; keep these notes outside the file)
// The README further down starts the MCP server with `rsigma mcp serve`, so the entry points at that binary
{
  "mcpServers": {
    "rsigma": {
      "command": "rsigma",
      "args": ["mcp", "serve"],
      "env": {}
    }
  }
}

// Any environment variables the server needs go under "env" (the original placeholder was "API_KEY": "your-api-key-here");
// keep secrets out of git. Restart Claude Desktop after saving for the change to take effect
📑 README (parsed directly from the GitHub README, completeness 82/100)
The content below was parsed from the GitHub README by the system; code blocks, tables and list structure are preserved.

Introduction

RSigma: A complete Rust toolkit for the Sigma detection standard

Badges: CI · crates.io · MSRV 1.88.0 · Docker image on ghcr.io/timescale/rsigma · GitHub Release · License: MIT

RSigma is a complete Rust toolkit for the Sigma detection standard, including a parser, evaluation engine, rule conversion, streaming runtime, linter, CLI, MCP and LSP.

RSigma parses Sigma YAML rules into a strongly-typed AST, compiles them into optimized matchers, and evaluates them against log events in real time. It handles stateful correlation logic in-process with memory-efficient compressed event storage. Or as Zack Allen put it in DEW #149, "RSigma is essentially a SIEM."

You can send events in many formats, including JSON, syslog (RFC 3164/5424), logfmt, CEF, EVTX (Windows Event Log), plain text, and OTLP (OpenTelemetry Protocol), with auto-detection by default. pySigma-compatible processing pipelines handle field mapping and backend configuration. OTLP support lets any OpenTelemetry-compatible agent (Grafana Alloy, Vector, Fluent Bit, OTel Collector) forward logs to RSigma via HTTP or gRPC for detection.

For rule quality and editor integration, a built-in linter validates rules against 70 checks derived from the Sigma v2.1.0 specification, and an LSP server provides real-time diagnostics, completions, hover documentation, and quick-fix code actions in any editor.

Supported Features

  • Sigma parsing: Parse Sigma YAML into a strongly-typed AST with support for detection, correlation, and filter rules
  • Rule evaluation: Compile and evaluate rules against JSON events in real time with stateless detection and stateful correlation (sliding windows, group-by, chaining, suppression)
  • Array matching (experimental): Match members of arrays in nested event data: implicit any-member matching, [any]/[all] object-scope blocks for same-element correlation, and positional [N] indexing, opt-in via sigma-version: 3. Evaluated natively and lowered to PostgreSQL JSONB; see the Array Matching guide
  • Streaming daemon: Run as a streaming detection daemon with hot-reload, Prometheus metrics, and HTTP/NATS/OTLP input
  • Input formats: Accept JSON, syslog (RFC 3164/5424), logfmt, CEF, EVTX (Windows Event Log), plain text, and OTLP logs with format auto-detection
  • Processing pipelines: Use pySigma-compatible processing pipelines for field mapping, transformations, conditions, and finalizers
  • Dynamic pipelines: Populate any pipeline value from external sources (HTTP, files, commands, NATS) with template expansion, auto-refresh, and data extraction via jq, JSONPath, or CEL
  • Post-evaluation enrichment: Inject contextual data (asset info, IP reputation, identity, GeoIP, runbook URLs, ...) into detection and correlation results via four primitives (template, lookup, http, command) with kind-aware template namespaces, response cache, scope filtering, and hot-reload
  • Corpus backtesting: Replay an event corpus against a ruleset with rule backtest, diffing per-rule fire counts against declared expectations (positive/negative fixtures, bounded noise budgets), flagging uncovered fires as potential false positives, and emitting a JSON or JUnit XML report for CI
  • ATT&CK coverage: Map a ruleset onto MITRE ATT&CK with rule coverage, exporting an ATT&CK Navigator layer (format 4.5, scored by rule count) and reporting coverage gaps against the Atomic Red Team library, the SigmaHQ baseline heatmap, and a target technique list, with --fail-on-gaps for CI
  • Rule conversion: Convert rules into backend-native query strings via a pluggable backend trait (PostgreSQL/TimescaleDB SQL, LynxDB SPL2, Fibratus rule YAML for EDR sensors)
  • Eval prefilters: Use optional prefilters for large rule sets, including a bloom filter for substring matchers (--bloom-prefilter) and cross-rule Aho-Corasick index for whole-rule pruning (--cross-rule-ac, requires daachorse-index feature)
  • Field observability: Opt-in --observe-fields mode on both engine daemon (live, exposed over GET /api/v1/fields* with Prometheus counters) and engine eval (one-shot JSON report at end-of-run, ideal for CI gap analysis) surfaces which event fields no rule references (gap signal) and which rule fields have never appeared in an event (broken-coverage signal); same JSON shape across runtimes
  • TLS termination: Use in-process TLS termination for the daemon API listener (HTTP REST, /metrics, OTLP/HTTP, OTLP/gRPC) with optional mutual TLS, aws-lc-rs crypto, and cross-platform certificate hot-reload
  • NATS JetStream: Use NATS JetStream support with authentication (credentials, mTLS), replay, consumer groups, and dead-letter queues
  • OTLP ingestion: Use OTLP support for any OpenTelemetry-compatible agent (Grafana Alloy, Vector, Fluent Bit, OTel Collector) via HTTP or gRPC
  • Webhook alerts: Deliver detections to Slack, Teams, Discord, PagerDuty, or any HTTP endpoint with a generic template-driven webhook sink (per-webhook retry, rate limiting, and DLQ)
  • Built-in linter: Validate rules with 70 checks, four severity levels, a full suppression system, configurable custom tag namespaces (--tag-namespace), and auto-fix (--fix) for 13 safe rules
  • MCP server: Expose the toolchain to AI agents (Cursor, Claude Code, ...) via rsigma mcp serve: parse, lint, validate, evaluate, convert, fields, and pipeline tools over the Model Context Protocol, with structured JSON results
  • LSP server: Use real-time diagnostics, completions, hover documentation, document symbols, and quick-fix code actions
  • Docker images: Use multi-arch Docker images (linux/amd64, linux/arm64) with cosign signatures, SBOM, and SLSA Build L3 provenance
  • Release binaries: Use cross-platform binaries for Linux, macOS, and Windows on amd64 and arm64

```bash
# NATS JetStream (requires daemon-nats feature)
rsigma engine daemon -r rules/ --input nats://localhost:4222/events.> --output nats://localhost:4222/detections

# OTLP (requires daemon-otlp feature): always active alongside any --input mode

# logfmt (requires logfmt feature)
rsigma engine eval -r rules/ --input-format logfmt < app.log

# CEF / ArcSight (requires cef feature)
rsigma engine eval -r rules/ --input-format cef < arcsight.log

# EVTX / Windows Event Log (requires evtx feature)
rsigma engine eval -r rules/ -e @security.evtx
```

Installation

```bash
# Build all crates
cargo build --release --all-features --workspace

# Install the CLI
cargo install --locked rsigma

# Install the LSP server
cargo install --locked --path crates/rsigma-lsp
```

Docker

Multi-arch images (linux/amd64, linux/arm64) are published to GHCR on every release.

```bash
docker pull ghcr.io/timescale/rsigma:latest
docker run --rm ghcr.io/timescale/rsigma:latest --help
```

Run with full runtime hardening:

```bash
docker run --rm \
  --read-only \
  --cap-drop=ALL \
  --security-opt=no-new-privileges:true \
  -v /path/to/rules:/rules:ro \
  ghcr.io/timescale/rsigma:latest rule validate /rules/
```

Verify the image signature:

```bash
cosign verify \
  --certificate-identity-regexp 'github.com/timescale/rsigma' \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  ghcr.io/timescale/rsigma:latest
```

```bash
# Any non-native target delegates to sigma-cli when it is installed (pipx install sigma-cli)
rsigma backend convert rules/ -t splunk
```

Quick Start

Library Usage

Or use the library directly:

```rust
use rsigma_parser::parse_sigma_yaml;
use rsigma_eval::Engine;
use rsigma_eval::event::JsonEvent;
use serde_json::json;

fn main() {
    let yaml = r#"
title: Detect Whoami
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        CommandLine|contains: 'whoami'
    condition: selection
level: medium
"#;

    // Parse the YAML into a rule collection and compile it into the engine
    let collection = parse_sigma_yaml(yaml).unwrap();
    let mut engine = Engine::new();
    engine.add_collection(&collection).unwrap();

    // Evaluate one JSON event; the |contains modifier matches the substring
    let event = JsonEvent::borrow(&json!({"CommandLine": "cmd /c whoami"}));
    let matches = engine.evaluate(&event);
    assert_eq!(matches[0].rule_title, "Detect Whoami");
}
```

Configuration

engine daemon and engine eval accept their settings via a layered YAML config in addition to CLI flags. Precedence is CLI flag > env > project file > user file > system file > default, with the project layer being either ./rsigma.yaml or the nearest .rsigmarc. Manage it with the rsigma config group:

```bash
rsigma config init                  # scaffold ./rsigma.yaml with comments
rsigma config validate              # discover files, warn on unknown keys
rsigma config show --for daemon     # show the effective config per-leaf
rsigma config schema                # emit the JSON Schema for editors/CI
rsigma config reload                # POST /api/v1/reload (cross-platform)
```

Both commands also accept --config <PATH> (load only that file) and --dry-run (print the effective section, exit 0). Secrets (NATS creds, TLS key password) deliberately stay env/flag-only and never appear in the schema. Full details in the Configuration Reference.

```bash
# HTTP: POST NDJSON events to /api/v1/events
rsigma engine daemon -r rules/ --input http
curl -X POST http://localhost:9090/api/v1/events -d '{"CommandLine":"whoami"}'

# HTTPS for every protocol on --api-addr
rsigma engine daemon -r rules/ --input http --api-addr 0.0.0.0:9090 \
  --tls-cert /etc/rsigma/tls/server.crt \
  --tls-key /etc/rsigma/tls/server.key

# List all fields referenced by a ruleset
rsigma rule fields -r rules/
```

Reference

Input Formats and Pipelines

Events are parsed with auto-detection by default (JSON, syslog, plain text). Feature-gated formats: logfmt, cef, evtx. Processing pipelines handle field mapping between source schemas and Sigma field names.

```bash
# With a processing pipeline for field mapping
rsigma engine eval -r rules/ -p pipelines/ecs.yml -e '{"process.command_line": "whoami"}'
```

Dynamic Pipelines

Standard Sigma pipelines are static: every value is hardcoded in YAML. RSigma extends this with dynamic pipelines where external data sources feed into any part of a pipeline via ${source.*} template references. This means field mappings, condition values, and even entire transformation blocks can be populated from live APIs, configuration files, commands, or NATS subjects.

Dynamic sources are declared in a standalone YAML file and loaded into the daemon with the repeatable --source flag. The pipeline file references them by id:

```yaml
# pipeline.yml -- loaded with `-p pipeline.yml`
name: dynamic_example
transformations:
  - id: map_fields
    type: field_name_mapping
    mapping: ${source.field_map}

  - id: block_known_bad
    type: add_condition
    conditions:
      - field: DestinationIp
        value: ${source.threat_intel}
```

```bash
# Show fields after pipeline mapping
rsigma rule fields -r rules/ -p ecs.yml --json
```
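As an added illustration (not rsigma's code), a small Python model of what the Library Usage and Dynamic Pipelines sections above describe: the `${source.*}` references in pipeline.yml are expanded from fetched sources, field_name_mapping renames ECS fields to Sigma names, add_condition AND-s the threat-intel list onto the rule, and the README's Detect Whoami rule is evaluated with Sigma's case-insensitive `contains` matching. The source values and events are constructed, and the pySigma transformation semantics are modelled only as far as this page needs.

```python
import copy
import re
# Constructed example values: what a dynamic source (http/file/command/nats) would return.
SOURCES = {"field_map": {"process.command_line": "CommandLine", "destination.ip": "DestinationIp"},
           "threat_intel": ["203.0.113.10", "203.0.113.11"]}  # TEST-NET-3 addresses, constructed
# The README's pipeline.yml as a dict, with its ${source.*} references still unexpanded.
PIPELINE = {"transformations": [
    {"id": "map_fields", "type": "field_name_mapping", "mapping": "${source.field_map}"},
    {"id": "block_known_bad", "type": "add_condition",
     "conditions": [{"field": "DestinationIp", "value": "${source.threat_intel}"}]}]}
# The README's "Detect Whoami" rule as a dict (YAML loading left out for brevity).
RULE = {"title": "Detect Whoami", "level": "medium",
        "detection": {"selection": {"CommandLine|contains": "whoami"}, "condition": "selection"}}

def expand(node, sources):
    """Recursively replace a ${source.<id>} reference with the fetched source value."""
    if isinstance(node, str):
        m = re.fullmatch(r"\$\{source\.(\w+)\}", node)
        return sources[m.group(1)] if m else node
    if isinstance(node, list):
        return [expand(n, sources) for n in node]
    return {k: expand(v, sources) for k, v in node.items()} if isinstance(node, dict) else node

def apply_pipeline(pipeline, event, rule):
    """field_name_mapping renames event fields; add_condition AND-s a new selection onto the rule."""
    event, rule = dict(event), copy.deepcopy(rule)
    for t in pipeline["transformations"]:
        if t["type"] == "field_name_mapping":
            event = {t["mapping"].get(k, k): v for k, v in event.items()}
        elif t["type"] == "add_condition":
            rule["detection"][t["id"]] = {c["field"]: c["value"] for c in t["conditions"]}
            rule["detection"]["condition"] += " and " + t["id"]
    return event, rule

def item_matches(field_spec, expected, event):
    """One detection item: Sigma string matching is case-insensitive; a list value means any-of."""
    field, _, modifier = field_spec.partition("|")
    actual = str(event[field]).lower() if field in event else None  # a missing field never matches
    ops = {"": str.__eq__, "contains": str.__contains__, "startswith": str.startswith, "endswith": str.endswith}
    return actual is not None and any(ops[modifier](actual, str(v).lower())
                                      for v in (expected if isinstance(expected, list) else [expected]))

def evaluate(rule, event):
    """True when every selection named in an 'and'-only condition matches (all the page's rules need)."""
    det = rule["detection"]
    return all(all(item_matches(f, v, event) for f, v in det[n].items()) for n in det["condition"].split(" and "))

def detect(raw_event):  # the daemon's per-event path in miniature: expand, transform, evaluate
    event, rule = apply_pipeline(expand(PIPELINE, SOURCES), raw_event, RULE)
    return evaluate(rule, event)
```

With the threat-intel condition added, a whoami event fires only when its destination is on the list, which is exactly the narrowing the add_condition transformation is meant to produce.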

🎯 aiskill88 AI review: Grade A, 2026-06-21

A high-quality Sigma detection tool with a complete feature set

📚 Practical guide (long-tail questions)
Who it's for
  • AI engineers who need Claude / Cursor to operate local tools
Best practice
  • When configuring the MCP server, use stdio transport + JSON-RPC and avoid exposing it to the public internet
Common mistakes
  • Committing an API key straight into the git repository (use a .env file and add it to .gitignore)
  • A mistyped MCP config path or insufficient permissions; changes take effect only after restarting Claude Desktop
Deployment options
  • Cloud hosting: can be run on a PaaS such as Vercel / Railway / Fly.io


👥 Target audience

  • Claude Desktop / Claude Code users
  • AI tool developers
  • Professionals who need to extend AI capabilities
  • Automation engineers


⚖️ Pros and cons

✅ Pros
  • MIT licence, free for commercial use
  • Standardized MCP protocol with strong ecosystem interoperability
  • Plugs straight into the official Claude ecosystem
  • Plug and play, simple and quick to configure
⚠️ Cons
  • Depends on a Claude client; not usable by non-Claude users
  • The MCP protocol is still evolving and its interfaces may change
  • Requires some configuration steps
⚠️ Notice

AI Skill Hub is a third-party content aggregation platform. The information on this page is compiled from public data and does not constitute any legal endorsement of the tool's functionality or quality.

Validate the tool thoroughly in a sandbox or test environment, and carry out the necessary security assessment, before deploying it to production.

📄 Licence notes

✅ MIT licence: one of the most permissive open-source licences. It allows free commercial use, modification and distribution, requiring only that the copyright notice be retained.


❓ FAQ

Sigma is an open-source threat detection rule format
💡 AI Skill Hub verdict

On overall assessment, Sigma Detection Tool performs solidly in the MCP tool category with excellent quality. If you already have a clear need, try it directly; if you are still evaluating, compare it with similar tools before deciding.

🌐 Original information
Original name: rsigma
Original description: Open-source MCP tool: A complete Sigma detection toolkit: parser, linter, evaluator, correlation engin ⭐77 · Rust
Topics: mcp, backend, converter, correlation, detection
GitHub: https://github.com/timescale/rsigma
License: MIT
Language: Rust
🔗 Original sources
🐙 GitHub repository: https://github.com/timescale/rsigma
🌐 Official website: https://timescale.github.io/rsigma/

Listed: 2026-06-21 · Updated: 2026-06-21 · License: MIT · AI Skill Hub makes no legal endorsement of the accuracy of third-party content.
