WRG-11/wrg-sigma-rules
FreeNot checkedSigma detection rule writing, validation, and conversion (Splunk/Elastic/Kibana/Wazuh) via 3 MCP tools (draftrule, validaterule, convertrule) backed by a 61-rul
About
Sigma detection rule writing, validation, and conversion (Splunk/Elastic/Kibana/Wazuh) via 3 MCP tools (draftrule, validaterule, convertrule) backed by a 61-rule production corpus across 11 MITRE ATT&CK tactic categories. Standalone server + Claude Code plugin distribution.
README
Status
Production — actively maintained rule corpus. Not yet submitted to a plugin marketplace — install directly from this repo (see Installation).
Production-grade sigma detection rule writing, validation, and conversion for SOC analysts, threat-intel teams, and detection engineers using Claude Code.
TL;DR
- 3 MCP tools:
draft_rule(NL → sigma YAML) +validate_rule(pySigma + best-practice linter) +convert_rule(sigma → Splunk/Elastic/Wazuh/Kibana query) - 3 Claude Code skills: sigma-rule-writer + sigma-rule-reviewer + threat-coverage-gap-analyzer
- 73 production sigma rule corpus: 12 ATT&CK tactic categories (templates + observed campaign rules)
- Multi-backend conversion: Splunk SPL, Elastic Lucene, Wazuh, Kibana verified (pySigma 1.x + 2 backend packages)
- WRG ecosystem anchor: 6+ months threat-intel discipline + 100+ actor TTP corpus + observed_* rules (Mini Shai-Hulud npm worm, Nx campaign 4-vector cluster, SOCKS5 silent-fix, ClawHavoc Claude Skills, Lazarus, LockBit, LAPSUS, AI-fingerprint)
- Live demo: see DEMO.md for end-to-end tool invocation on Mini Shai-Hulud rule (pySigma 1.x + Splunk + Elastic real output)
Why this plugin exists
The sigma-rule niche in the Anthropic Claude Code plugin marketplace is empty (verified 2026-05-23: 200+ plugins, 0 sigma-focused, 1 generic security plugin). SOC + threat-intel community has latent demand for fast, quality-aware rule writing tools integrated with LLM workflows.
WRG (WinstonRedGuard) has accumulated 6+ months of threat-intel infrastructure: 73 canonical sigma rules + actor catalog + pySigma integration + Pattern-driven detection-engineering discipline. This plugin packages that capability for the broader Anthropic ecosystem.
What's included
MCP tools (3)
mcp__plugin_wrg-sigma-rules_wrg-sigma-rules__draft_rule— NL description → sigma YAML scaffoldmcp__plugin_wrg-sigma-rules_wrg-sigma-rules__validate_rule— YAML schema + pySigma compat + best-practice lintermcp__plugin_wrg-sigma-rules_wrg-sigma-rules__convert_rule— sigma → Splunk/Elastic/Wazuh/Kibana query
Claude Code skills (3)
sigma-rule-writer— guided rule writing workflowsigma-rule-reviewer— paste rule for quality review + improvement suggestionsthreat-coverage-gap-analyzer— MITRE ATT&CK coverage analysis vs your existing corpus
Sigma rule corpus (73 production rules across 12 ATT&CK tactic categories)
| Tactic | Coverage |
|---|---|
credential_access |
templates + observed (LAPSUS T1110 correlation, Kali365 OAuth device-code phishing T1528, Mimikatz LSASS) |
command_and_control |
template T1071 + observed Mini Shai-Hulud npm supply-chain C2 T1071 (Nx campaign cluster) |
defense_evasion |
templates + observed (AlphV T1027 obfuscation) |
execution |
templates + observed (AlphV T1059.001) |
persistence |
observed (Photo ZIP campaign, Node.js HKCU Run-key persistence T1547.001) |
exfiltration |
templates + observed SOCKS5 hostname null-byte egress T1041 (Claude Code v2.0.24-v2.1.89 silent-fix; +backslash extension variant) |
impact |
templates + observed (Lazarus + LockBit BTC + Nullsec Nigeria T1491 defacement) |
initial_access |
templates + observed Nx campaign 4-vector (s1ngularity npm token exfil, nx-console VS Code extension compromise, ClawHavoc Claude Skills T1195.002) + LAPSUS T1078 + OWASP lab-validated (SQLi auth-bypass, XSS reflected, path traversal) |
lateral_movement |
templates (RDP EventID 4624 + SMB admin shares) |
resource_development |
templates (newly registered domain + lookalike domain + social media signup) |
collection |
templates (archive utility staging + SharePoint access) |
code_review |
5 AI-fingerprint observed rules (ANSI-color class, decoy block, docstring density, hallucinated CVSS, prompt artifacts) |
See resources/examples/INDEX.json for full enumeration.
Resources
wrg-sigma://patterns/canonical-5— canonical detection-pattern definitionswrg-sigma://coverage/mitre-attack-matrix— corpus coverage state
Installation
Direct from this repo
git clone https://github.com/WRG-11/wrg-sigma-rules.git
# Follow Claude Code plugin install path per https://code.claude.com/docs/en/plugins
Quick example
Validate + convert a corpus rule end-to-end, from the repo root (commands from DEMO.md, captured against pySigma 1.x + the Splunk and Elasticsearch backends):
pip install pysigma pysigma-backend-splunk pysigma-backend-elasticsearch
python -c "
import sys, json
sys.path.insert(0, '.')
from tools.validate_rule.validate_rule import validate_rule_body
from tools.convert_rule.convert_rule import convert_rule_body
rule = open('resources/examples/command_and_control/observed_mini_shai_hulud_npm_supply_chain_c2_t1071.yml', encoding='utf-8').read()
print(json.dumps(validate_rule_body(rule), indent=2))
print(json.dumps(convert_rule_body(rule, target='splunk'), indent=2))
print(json.dumps(convert_rule_body(rule, target='elasticsearch'), indent=2))
"
Full captured outputs (validate JSON + Splunk SPL + Elasticsearch Lucene) are in DEMO.md.
Quality discipline
- 4-Layer self-audit per WRG audit methodology (trust-but-verify self-audit)
- 8 Python test modules covering rule validation + tool integration smoke
- pySigma 1.x compat + multi-backend conversion verified (
pysigma-backend-splunk+pysigma-backend-elasticsearch) - LLM-safe output discipline: ASCII-only output + error-path structure preserve
claude plugin validatePASS (verified 2026-05-25)- Live demo evidence: DEMO.md — 3 real tool invocations on Mini Shai-Hulud rule
Tested environments
- Windows 11 + Claude Code
- WSL2 Ubuntu 24.04
Contributing
Sigma rule contributions welcome. Submit YAML to resources/examples/<tactic>/ with:
- ATT&CK TTP mapping in
tags:field (e.g.,attack.t1071) observed_*prefix for incident-specific rulestemplate_*prefix for canonical pattern templates- pySigma validation passing via
mcp__plugin_wrg-sigma-rules_wrg-sigma-rules__validate_rule
References
License
MIT — see LICENSE file.
Part of the WRG-11 ecosystem
- mcp-objauthz-lab — vulnerable-by-design MCP server for learning BOLA/IDOR
- osint-trust-envelope — honest trust envelopes for OSINT results
Full index → github.com/WRG-11
Installing WRG-11/wrg-sigma-rules
This server has no published package — it is built from source. Open the repository and follow its README.
▸ github.com/WRG-11/wrg-sigma-rulesFAQ
Is WRG-11/wrg-sigma-rules MCP free?
Yes, WRG-11/wrg-sigma-rules MCP is free — one-click install via Unyly at no cost.
Does WRG-11/wrg-sigma-rules need an API key?
No, WRG-11/wrg-sigma-rules runs without API keys or environment variables.
Is WRG-11/wrg-sigma-rules hosted or self-hosted?
Self-hosted: the server runs locally on your machine via the install command above.
How do I install WRG-11/wrg-sigma-rules in Claude Desktop, Claude Code or Cursor?
Open WRG-11/wrg-sigma-rules on unyly.org, pick your client tab (Claude Desktop, Claude Code, Cursor) and press Install — the config is generated automatically, no JSON editing.
Related MCPs
GitHub
PRs, issues, code search, CI status
by GitHubFilesystem
Secure file operations with configurable access controls.
Memory
Knowledge graph-based persistent memory system.
Template MCP Server
A CLI tool to create a new Model Context Protocol server project with TypeScript support, dual transport options, and an extensible structure
by mcpdotdirectCompare WRG-11/wrg-sigma-rules with
Not sure what to pick?
Find your stack in 60 seconds
Author?
Embed badge for your README
Browse similar
All development MCPs
