Wrg Sigma Rules
FreeNot checkedSigma detection rule writing, validation, and pySigma-based multi-backend conversion (Splunk, Elastic, Wazuh, Kibana) via 3 MCP tools and 3 Claude Code skills,
About
Sigma detection rule writing, validation, and pySigma-based multi-backend conversion (Splunk, Elastic, Wazuh, Kibana) via 3 MCP tools and 3 Claude Code skills, backed by a 61-rule production corpus across 11 MITRE ATT&CK tactic categories.
README
Status
Production — actively maintained rule corpus. Not yet submitted to a plugin marketplace — install directly from this repo (see Installation).
Production-grade sigma detection rule writing, validation, and conversion for SOC analysts, threat-intel teams, and detection engineers using Claude Code.
TL;DR
- 3 MCP tools:
draft_rule(NL → sigma YAML) +validate_rule(pySigma + best-practice linter) +convert_rule(sigma → Splunk/Elastic/Wazuh/Kibana query) - 3 Claude Code skills: sigma-rule-writer + sigma-rule-reviewer + threat-coverage-gap-analyzer
- 73 production sigma rule corpus: 12 ATT&CK tactic categories (templates + observed campaign rules)
- Multi-backend conversion: Splunk SPL, Elastic Lucene, Wazuh, Kibana verified (pySigma 1.x + 2 backend packages)
- WRG ecosystem anchor: 6+ months threat-intel discipline + 100+ actor TTP corpus + observed_* rules (Mini Shai-Hulud npm worm, Nx campaign 4-vector cluster, SOCKS5 silent-fix, ClawHavoc Claude Skills, Lazarus, LockBit, LAPSUS, AI-fingerprint)
- Live demo: see DEMO.md for end-to-end tool invocation on Mini Shai-Hulud rule (pySigma 1.x + Splunk + Elastic real output)
Why this plugin exists
The sigma-rule niche in the Anthropic Claude Code plugin marketplace is empty (verified 2026-05-23: 200+ plugins, 0 sigma-focused, 1 generic security plugin). SOC + threat-intel community has latent demand for fast, quality-aware rule writing tools integrated with LLM workflows.
WRG (WinstonRedGuard) has accumulated 6+ months of threat-intel infrastructure: 73 canonical sigma rules + actor catalog + pySigma integration + Pattern-driven detection-engineering discipline. This plugin packages that capability for the broader Anthropic ecosystem.
What's included
MCP tools (3)
mcp__plugin_wrg-sigma-rules_wrg-sigma-rules__draft_rule— NL description → sigma YAML scaffoldmcp__plugin_wrg-sigma-rules_wrg-sigma-rules__validate_rule— YAML schema + pySigma compat + best-practice lintermcp__plugin_wrg-sigma-rules_wrg-sigma-rules__convert_rule— sigma → Splunk/Elastic/Wazuh/Kibana query
Claude Code skills (3)
sigma-rule-writer— guided rule writing workflowsigma-rule-reviewer— paste rule for quality review + improvement suggestionsthreat-coverage-gap-analyzer— MITRE ATT&CK coverage analysis vs your existing corpus
Sigma rule corpus (73 production rules across 12 ATT&CK tactic categories)
| Tactic | Coverage |
|---|---|
credential_access |
templates + observed (LAPSUS T1110 correlation, Kali365 OAuth device-code phishing T1528, Mimikatz LSASS) |
command_and_control |
template T1071 + observed Mini Shai-Hulud npm supply-chain C2 T1071 (Nx campaign cluster) |
defense_evasion |
templates + observed (AlphV T1027 obfuscation) |
execution |
templates + observed (AlphV T1059.001) |
persistence |
observed (Photo ZIP campaign, Node.js HKCU Run-key persistence T1547.001) |
exfiltration |
templates + observed SOCKS5 hostname null-byte egress T1041 (Claude Code v2.0.24-v2.1.89 silent-fix; +backslash extension variant) |
impact |
templates + observed (Lazarus + LockBit BTC + Nullsec Nigeria T1491 defacement) |
initial_access |
templates + observed Nx campaign 4-vector (s1ngularity npm token exfil, nx-console VS Code extension compromise, ClawHavoc Claude Skills T1195.002) + LAPSUS T1078 + OWASP lab-validated (SQLi auth-bypass, XSS reflected, path traversal) |
lateral_movement |
templates (RDP EventID 4624 + SMB admin shares) |
resource_development |
templates (newly registered domain + lookalike domain + social media signup) |
collection |
templates (archive utility staging + SharePoint access) |
code_review |
5 AI-fingerprint observed rules (ANSI-color class, decoy block, docstring density, hallucinated CVSS, prompt artifacts) |
See resources/examples/INDEX.json for full enumeration.
Resources
wrg-sigma://patterns/canonical-5— canonical detection-pattern definitionswrg-sigma://coverage/mitre-attack-matrix— corpus coverage state
Installation
Direct from this repo
git clone https://github.com/WRG-11/wrg-sigma-rules.git
# Follow Claude Code plugin install path per https://code.claude.com/docs/en/plugins
Quick example
Validate + convert a corpus rule end-to-end, from the repo root (commands from DEMO.md, captured against pySigma 1.x + the Splunk and Elasticsearch backends):
pip install pysigma pysigma-backend-splunk pysigma-backend-elasticsearch
python -c "
import sys, json
sys.path.insert(0, '.')
from tools.validate_rule.validate_rule import validate_rule_body
from tools.convert_rule.convert_rule import convert_rule_body
rule = open('resources/examples/command_and_control/observed_mini_shai_hulud_npm_supply_chain_c2_t1071.yml', encoding='utf-8').read()
print(json.dumps(validate_rule_body(rule), indent=2))
print(json.dumps(convert_rule_body(rule, target='splunk'), indent=2))
print(json.dumps(convert_rule_body(rule, target='elasticsearch'), indent=2))
"
Full captured outputs (validate JSON + Splunk SPL + Elasticsearch Lucene) are in DEMO.md.
Quality discipline
- 4-Layer self-audit per WRG audit methodology (trust-but-verify self-audit)
- 8 Python test modules covering rule validation + tool integration smoke
- pySigma 1.x compat + multi-backend conversion verified (
pysigma-backend-splunk+pysigma-backend-elasticsearch) - LLM-safe output discipline: ASCII-only output + error-path structure preserve
claude plugin validatePASS (verified 2026-05-25)- Live demo evidence: DEMO.md — 3 real tool invocations on Mini Shai-Hulud rule
Tested environments
- Windows 11 + Claude Code
- WSL2 Ubuntu 24.04
Contributing
Sigma rule contributions welcome. Submit YAML to resources/examples/<tactic>/ with:
- ATT&CK TTP mapping in
tags:field (e.g.,attack.t1071) observed_*prefix for incident-specific rulestemplate_*prefix for canonical pattern templates- pySigma validation passing via
mcp__plugin_wrg-sigma-rules_wrg-sigma-rules__validate_rule
References
License
MIT — see LICENSE file.
Part of the WRG-11 ecosystem
- mcp-objauthz-lab — vulnerable-by-design MCP server for learning BOLA/IDOR
- osint-trust-envelope — honest trust envelopes for OSINT results
Full index → github.com/WRG-11
Installing Wrg Sigma Rules
This server has no published package — it is built from source. Open the repository and follow its README.
▸ github.com/WRG-11/wrg-sigma-rulesFAQ
Is Wrg Sigma Rules MCP free?
Yes, Wrg Sigma Rules MCP is free — one-click install via Unyly at no cost.
Does Wrg Sigma Rules need an API key?
No, Wrg Sigma Rules runs without API keys or environment variables.
Is Wrg Sigma Rules hosted or self-hosted?
Self-hosted: the server runs locally on your machine via the install command above.
How do I install Wrg Sigma Rules in Claude Desktop, Claude Code or Cursor?
Open Wrg Sigma Rules on unyly.org, pick your client tab (Claude Desktop, Claude Code, Cursor) and press Install — the config is generated automatically, no JSON editing.
Related MCPs
GitHub
PRs, issues, code search, CI status
by GitHubFilesystem
Secure file operations with configurable access controls.
Memory
Knowledge graph-based persistent memory system.
Template MCP Server
A CLI tool to create a new Model Context Protocol server project with TypeScript support, dual transport options, and an extensible structure
by mcpdotdirectCompare Wrg Sigma Rules with
Not sure what to pick?
Find your stack in 60 seconds
Author?
Embed badge for your README
Browse similar
All development MCPs
