npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

@modular-intelligence/sigma-converter

v1.0.2

Published

MCP server wrapping sigma-cli for Sigma rule conversion and management

Downloads

200

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

modularintelligencemodularintelligence

Keywords

Readme

Sigma Converter MCP Server

MCP server wrapping sigma-cli for Sigma rule conversion and management. Convert Sigma detection rules to SIEM-specific query languages, manage processing pipelines, and analyze rule collections.

Features

  • Multi-Backend Conversion: Convert Sigma rules to 13+ SIEM/security platforms
  • Pipeline Management: List and manage Sigma processing pipelines
  • Field Mapping: View field name mappings between Sigma and target backends
  • Rule Testing: Test-convert rules and validate output
  • Rule Analytics: Analyze rule collections by severity, status, and logsource
  • Configuration Export: Export backend configurations with field mappings

Prerequisites

1. Install sigma-cli

pip install sigma-cli

2. Install pySigma Backends

Install backends for your target SIEM platforms:

# Splunk
pip install pysigma-backend-splunk

# Elasticsearch/OpenSearch
pip install pysigma-backend-elasticsearch
pip install pysigma-backend-opensearch

# QRadar
pip install pysigma-backend-qradar

# Microsoft 365 Defender
pip install pysigma-backend-microsoft365defender

# SentinelOne
pip install pysigma-backend-sentinelone

# CrowdStrike
pip install pysigma-backend-crowdstrike

# Carbon Black
pip install pysigma-backend-carbonblack

# Logpoint
pip install pysigma-backend-logpoint

# InsightIDR
pip install pysigma-backend-insightidr

# Loki
pip install pysigma-backend-loki

# Datadog
pip install pysigma-backend-datadog

3. Verify Installation

sigma --version
sigma list backends

Installation

cd sigma-converter
bun install
bun run build

Usage

Start the Server

bun run start

MCP Configuration

Add to your MCP client configuration:

{
  "mcpServers": {
    "sigma-converter": {
      "command": "bun",
      "args": ["run", "/path/to/sigma-converter/src/index.ts"]
    }
  }
}

Available Tools

1. sigma_batch_convert

Convert Sigma rules to SIEM-specific queries.

Parameters:

  • rule_path (string, required): Path to Sigma rule file or directory
  • backend (enum, required): Target SIEM backend
    • splunk, elasticsearch, opensearch, qradar, microsoft365defender, sentinelone, crowdstrike, carbon_black, logpoint, sigma, insightidr, loki, datadog
  • pipeline (string, optional): Processing pipeline name
  • output_format (enum, optional): Output format - default, json, yaml (default: default)
  • timeout (number, optional): Max duration in seconds (10-120, default: 30)

Example:

{
  "rule_path": "/path/to/rules/",
  "backend": "splunk",
  "pipeline": "sysmon",
  "output_format": "default",
  "timeout": 60
}

Returns:

{
  "backend": "splunk",
  "pipeline": "sysmon",
  "converted_rules": [
    {
      "source_file": "rule1.yml",
      "converted_query": "index=windows EventCode=4688 ...",
      "errors": []
    }
  ],
  "total": 1,
  "success_count": 1,
  "error_count": 0
}

2. sigma_pipeline_list

List available Sigma processing pipelines.

Parameters: None

Example:

{}

Returns:

{
  "pipelines": [
    {
      "name": "sysmon",
      "description": "Sysmon pipeline for Windows event logs",
      "backends": ["splunk", "elasticsearch"]
    }
  ],
  "total_count": 1
}

3. sigma_pipeline_detail

Get detailed information about a specific pipeline.

Parameters:

  • pipeline (string, required): Pipeline name to get details for

Example:

{
  "pipeline": "sysmon"
}

Returns:

{
  "name": "sysmon",
  "description": "Sysmon pipeline for Windows event logs",
  "compatible_backends": ["splunk", "elasticsearch", "qradar"],
  "field_mappings": []
}

4. sigma_field_mapping

View field name mappings between Sigma and target backend.

Parameters:

  • backend (enum, required): Target SIEM backend
  • pipeline (string, optional): Processing pipeline name

Example:

{
  "backend": "splunk",
  "pipeline": "sysmon"
}

Returns:

{
  "backend": "splunk",
  "pipeline": "sysmon",
  "mappings": [
    {
      "sigma_field": "EventID",
      "backend_field": "EventCode"
    },
    {
      "sigma_field": "ProcessName",
      "backend_field": "Image"
    }
  ],
  "total_mappings": 2
}

5. sigma_rule_test

Test-convert a Sigma rule and validate the output.

Parameters:

  • rule_content (string, required): Sigma rule YAML content (max 100KB)
  • backend (enum, required): Target SIEM backend
  • pipeline (string, optional): Processing pipeline name
  • timeout (number, optional): Max duration in seconds (10-120, default: 30)

Example:

{
  "rule_content": "title: Test Rule\nlogsource:\n  product: windows\ndetection:\n  selection:\n    EventID: 4688\n  condition: selection",
  "backend": "splunk",
  "pipeline": "sysmon",
  "timeout": 30
}

Returns:

{
  "valid": true,
  "converted_query": "index=windows EventCode=4688",
  "errors": [],
  "warnings": ["Field mapping applied"],
  "backend": "splunk",
  "pipeline": "sysmon"
}

6. sigma_rule_stats

Analyze Sigma rule collection statistics.

Parameters:

  • rule_path (string, required): Path to Sigma rule file or directory

Example:

{
  "rule_path": "/path/to/sigma/rules/"
}

Returns:

{
  "total_rules": 150,
  "by_level": {
    "critical": 10,
    "high": 45,
    "medium": 60,
    "low": 25,
    "informational": 10
  },
  "by_status": {
    "stable": 80,
    "test": 50,
    "experimental": 20
  },
  "by_logsource": {
    "product:windows": 100,
    "product:linux": 30,
    "category:process_creation": 80
  },
  "tags_distribution": {
    "attack.t1059": 25,
    "attack.execution": 30,
    "attack.defense_evasion": 20
  }
}

7. sigma_export_config

Export Sigma backend configuration.

Parameters:

  • backend (enum, required): Target SIEM backend
  • pipeline (string, optional): Processing pipeline name
  • include_field_mappings (boolean, optional): Include field mapping details (default: true)

Example:

{
  "backend": "splunk",
  "pipeline": "sysmon",
  "include_field_mappings": true
}

Returns:

{
  "backend": "splunk",
  "pipeline": "sysmon",
  "config": {
    "field_mappings": [
      {
        "sigma_field": "EventID",
        "backend_field": "EventCode"
      }
    ],
    "transforms": [],
    "conditions": []
  },
  "export_format_example": "index=* | search [converted query]",
  "description": "Configuration export for splunk with sysmon pipeline"
}

Supported Backends

| Backend | Description | Example Use Case | |---------|-------------|------------------| | splunk | Splunk SIEM | Enterprise security monitoring | | elasticsearch | Elasticsearch | Log analytics, SIEM | | opensearch | OpenSearch | Open-source log analytics | | qradar | IBM QRadar | Enterprise SIEM | | microsoft365defender | Microsoft 365 Defender | Cloud security | | sentinelone | SentinelOne | Endpoint detection | | crowdstrike | CrowdStrike Falcon | EDR platform | | carbon_black | VMware Carbon Black | Endpoint security | | logpoint | Logpoint SIEM | Security operations | | sigma | Native Sigma format | Rule development | | insightidr | Rapid7 InsightIDR | Cloud SIEM | | loki | Grafana Loki | Log aggregation | | datadog | Datadog Security | Cloud monitoring |

Security Features

  • Input Validation: All inputs validated against strict schemas
  • Backend Whitelisting: Only known backends allowed
  • Path Security: Absolute paths required, traversal blocked
  • Content Limits: Rule content max 100KB
  • Name Restrictions: Alphanumeric + underscore/hyphen only
  • Timeout Protection: Configurable timeouts prevent hung processes

Error Handling

All tools return structured errors:

{
  "content": [
    {
      "type": "text",
      "text": "Error: Invalid backend name: only alphanumeric characters, underscores, and hyphens are allowed"
    }
  ],
  "isError": true
}

Common Use Cases

1. Convert Single Rule

{
  "tool": "sigma_batch_convert",
  "params": {
    "rule_path": "/path/to/rule.yml",
    "backend": "splunk"
  }
}

2. Batch Convert Directory

{
  "tool": "sigma_batch_convert",
  "params": {
    "rule_path": "/path/to/rules/",
    "backend": "elasticsearch",
    "pipeline": "ecs",
    "timeout": 120
  }
}

3. Test Rule Before Deployment

{
  "tool": "sigma_rule_test",
  "params": {
    "rule_content": "...",
    "backend": "qradar"
  }
}

4. Analyze Rule Repository

{
  "tool": "sigma_rule_stats",
  "params": {
    "rule_path": "/path/to/sigma-rules/"
  }
}

5. Export Backend Configuration

{
  "tool": "sigma_export_config",
  "params": {
    "backend": "splunk",
    "pipeline": "windows",
    "include_field_mappings": true
  }
}

Development

Build

bun run build

Run

bun run start

Project Structure

sigma-converter/
├── package.json
├── tsconfig.json
├── README.md
├── src/
│   ├── index.ts                    # Main MCP server
│   ├── schemas.ts                  # Zod schemas
│   ├── security.ts                 # Validation functions
│   ├── cli-executor.ts             # sigma-cli wrapper
│   └── tools/
│       ├── sigma-batch-convert.ts  # Batch rule conversion
│       ├── sigma-pipeline-list.ts  # List pipelines
│       ├── sigma-pipeline-detail.ts # Pipeline details
│       ├── sigma-field-mapping.ts  # Field mappings
│       ├── sigma-rule-test.ts      # Test conversion
│       ├── sigma-rule-stats.ts     # Rule analytics
│       └── sigma-export-config.ts  # Export configuration
└── dist/                           # Compiled output

Troubleshooting

sigma-cli not found

which sigma
pip install sigma-cli

Backend not available

sigma list backends
pip install pysigma-backend-[backend-name]

Conversion errors

  • Check rule syntax with sigma_rule_test
  • Verify backend/pipeline compatibility
  • Review field mappings with sigma_field_mapping

Timeout issues

  • Increase timeout parameter for large rule sets
  • Process rules in smaller batches
  • Check sigma-cli performance

License

MIT

Resources