Welcome to the pySigma Community Pipelines repository, the central hub for community-shared processing pipelines.
Processing pipelines provide granular control over how Sigma rules are converted into SIEM-specific formats. Among other things, they enable:
- Field Mappings - Convert generic field names to platform-specific equivalents (e.g., CommandLine → process.command_line for ECS, or process for Splunk)
- Log Source Mappings - Map Sigma log sources to data source identifiers (e.g., category: process_creation → winlog.channel: Microsoft-Windows-Sysmon/Operational)
- Value Transformations - Adjust field values for platform requirements (e.g., converting boolean values, handling data types)
- Conditional Logic - Add platform-specific search conditions (e.g., index names, source types)
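The following pipeline is an added illustration of the pySigma YAML pipeline format, not a file from this repository: it shows a field mapping, a log source mapping and platform-specific search conditions in one place, each gated by a rule condition so it only touches Windows process creation rules. The index name, source value and Splunk field names are assumptions chosen for the example.

```yaml
# Added example pipeline (not part of this repository's collection).
name: Example Splunk Sysmon process creation pipeline
# Lower priority values are applied first when several pipelines are combined.
priority: 20
transformations:
  # Log Source Mapping + Conditional Logic: rules with
  # logsource category process_creation / product windows get the
  # Splunk index, source and Sysmon EventCode added as search conditions.
  # The index and source values are assumptions for this example.
  - id: process_creation_to_sysmon_source
    type: add_condition
    conditions:
      index: windows
      source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
      EventCode: 1
    rule_conditions:
      - type: logsource
        category: process_creation
        product: windows

  # Field Mapping: rename generic Sigma field names to the field names
  # the Splunk Sysmon add-on extracts (assumed names for this example).
  # Fields not listed in the mapping are left unchanged.
  - id: sysmon_process_creation_field_mapping
    type: field_name_mapping
    mapping:
      Image: process_path
      ParentImage: parent_process_path
      CommandLine: process
      ParentCommandLine: parent_process
      User: user
    rule_conditions:
      - type: logsource
        category: process_creation
        product: windows
```

A rule matching the logsource condition is converted with the index, source and EventCode conditions prepended and its field names rewritten; a rule for any other logsource passes through the pipeline untouched, which is worth checking when a converted search comes back with Sigma field names still in it.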
The repository is organized by platform type:
- elastic_pipelines/ - Pipelines for Elastic Stack / ECS (Elasticsearch, Kibana, ElastAlert).
- splunk_pipelines/ - Pipelines for Splunk SIEM and Splunk Enterprise Security.
- pipeline_examples/ - Comprehensive examples demonstrating all transformation types currently supported by pySigma.
Convert Sigma rules using pipelines with sigma-cli:
sigma convert -t splunk -p splunk_pipelines/splunk_sysmon.yml rules/windows/process_creation/
We welcome contributions of new pipelines and improvements to existing ones!
This repository thrives on community involvement to expand the collection of processing pipelines for various security platforms.
- Fork the repository and create a feature branch
- Create or modify pipelines in the appropriate directory
- Test your pipeline with example Sigma rules
- Document your changes
- Submit a pull request with a clear description
- Sigma Rules - Main Sigma detection rule repository
- pySigma - Core Python library for Sigma rule processing
- sigma-cli - Command-line tool for Sigma rule conversion