Command Palette

Search for a command to run...

UnylyUnyly
Весь каталог

Wrg Sigma Rules

БесплатноНе проверен

Sigma detection rule writing, validation, and pySigma-based multi-backend conversion (Splunk, Elastic, Wazuh, Kibana) via 3 MCP tools and 3 Claude Code skills,

GitHubEmbed

Описание

Sigma detection rule writing, validation, and pySigma-based multi-backend conversion (Splunk, Elastic, Wazuh, Kibana) via 3 MCP tools and 3 Claude Code skills, backed by a 61-rule production corpus across 11 MITRE ATT&CK tactic categories.

README

Status

Production — actively maintained rule corpus. Not yet submitted to a plugin marketplace — install directly from this repo (see Installation).

Production-grade sigma detection rule writing, validation, and conversion for SOC analysts, threat-intel teams, and detection engineers using Claude Code.

TL;DR

  • 3 MCP tools: draft_rule (NL → sigma YAML) + validate_rule (pySigma + best-practice linter) + convert_rule (sigma → Splunk/Elastic/Wazuh/Kibana query)
  • 3 Claude Code skills: sigma-rule-writer + sigma-rule-reviewer + threat-coverage-gap-analyzer
  • 73 production sigma rule corpus: 12 ATT&CK tactic categories (templates + observed campaign rules)
  • Multi-backend conversion: Splunk SPL, Elastic Lucene, Wazuh, Kibana verified (pySigma 1.x + 2 backend packages)
  • WRG ecosystem anchor: 6+ months threat-intel discipline + 100+ actor TTP corpus + observed_* rules (Mini Shai-Hulud npm worm, Nx campaign 4-vector cluster, SOCKS5 silent-fix, ClawHavoc Claude Skills, Lazarus, LockBit, LAPSUS, AI-fingerprint)
  • Live demo: see DEMO.md for end-to-end tool invocation on Mini Shai-Hulud rule (pySigma 1.x + Splunk + Elastic real output)

Why this plugin exists

The sigma-rule niche in the Anthropic Claude Code plugin marketplace is empty (verified 2026-05-23: 200+ plugins, 0 sigma-focused, 1 generic security plugin). SOC + threat-intel community has latent demand for fast, quality-aware rule writing tools integrated with LLM workflows.

WRG (WinstonRedGuard) has accumulated 6+ months of threat-intel infrastructure: 73 canonical sigma rules + actor catalog + pySigma integration + Pattern-driven detection-engineering discipline. This plugin packages that capability for the broader Anthropic ecosystem.

What's included

MCP tools (3)

  • mcp__plugin_wrg-sigma-rules_wrg-sigma-rules__draft_rule — NL description → sigma YAML scaffold
  • mcp__plugin_wrg-sigma-rules_wrg-sigma-rules__validate_rule — YAML schema + pySigma compat + best-practice linter
  • mcp__plugin_wrg-sigma-rules_wrg-sigma-rules__convert_rule — sigma → Splunk/Elastic/Wazuh/Kibana query

Claude Code skills (3)

  • sigma-rule-writer — guided rule writing workflow
  • sigma-rule-reviewer — paste rule for quality review + improvement suggestions
  • threat-coverage-gap-analyzer — MITRE ATT&CK coverage analysis vs your existing corpus

Sigma rule corpus (73 production rules across 12 ATT&CK tactic categories)

Tactic Coverage
credential_access templates + observed (LAPSUS T1110 correlation, Kali365 OAuth device-code phishing T1528, Mimikatz LSASS)
command_and_control template T1071 + observed Mini Shai-Hulud npm supply-chain C2 T1071 (Nx campaign cluster)
defense_evasion templates + observed (AlphV T1027 obfuscation)
execution templates + observed (AlphV T1059.001)
persistence observed (Photo ZIP campaign, Node.js HKCU Run-key persistence T1547.001)
exfiltration templates + observed SOCKS5 hostname null-byte egress T1041 (Claude Code v2.0.24-v2.1.89 silent-fix; +backslash extension variant)
impact templates + observed (Lazarus + LockBit BTC + Nullsec Nigeria T1491 defacement)
initial_access templates + observed Nx campaign 4-vector (s1ngularity npm token exfil, nx-console VS Code extension compromise, ClawHavoc Claude Skills T1195.002) + LAPSUS T1078 + OWASP lab-validated (SQLi auth-bypass, XSS reflected, path traversal)
lateral_movement templates (RDP EventID 4624 + SMB admin shares)
resource_development templates (newly registered domain + lookalike domain + social media signup)
collection templates (archive utility staging + SharePoint access)
code_review 5 AI-fingerprint observed rules (ANSI-color class, decoy block, docstring density, hallucinated CVSS, prompt artifacts)

See resources/examples/INDEX.json for full enumeration.

Resources

  • wrg-sigma://patterns/canonical-5 — canonical detection-pattern definitions
  • wrg-sigma://coverage/mitre-attack-matrix — corpus coverage state

Installation

Direct from this repo

git clone https://github.com/WRG-11/wrg-sigma-rules.git
# Follow Claude Code plugin install path per https://code.claude.com/docs/en/plugins

Quick example

Validate + convert a corpus rule end-to-end, from the repo root (commands from DEMO.md, captured against pySigma 1.x + the Splunk and Elasticsearch backends):

pip install pysigma pysigma-backend-splunk pysigma-backend-elasticsearch
python -c "
import sys, json
sys.path.insert(0, '.')
from tools.validate_rule.validate_rule import validate_rule_body
from tools.convert_rule.convert_rule import convert_rule_body

rule = open('resources/examples/command_and_control/observed_mini_shai_hulud_npm_supply_chain_c2_t1071.yml', encoding='utf-8').read()

print(json.dumps(validate_rule_body(rule), indent=2))
print(json.dumps(convert_rule_body(rule, target='splunk'), indent=2))
print(json.dumps(convert_rule_body(rule, target='elasticsearch'), indent=2))
"

Full captured outputs (validate JSON + Splunk SPL + Elasticsearch Lucene) are in DEMO.md.

Quality discipline

  • 4-Layer self-audit per WRG audit methodology (trust-but-verify self-audit)
  • 8 Python test modules covering rule validation + tool integration smoke
  • pySigma 1.x compat + multi-backend conversion verified (pysigma-backend-splunk + pysigma-backend-elasticsearch)
  • LLM-safe output discipline: ASCII-only output + error-path structure preserve
  • claude plugin validate PASS (verified 2026-05-25)
  • Live demo evidence: DEMO.md — 3 real tool invocations on Mini Shai-Hulud rule

Tested environments

  • Windows 11 + Claude Code
  • WSL2 Ubuntu 24.04

Contributing

Sigma rule contributions welcome. Submit YAML to resources/examples/<tactic>/ with:

  • ATT&CK TTP mapping in tags: field (e.g., attack.t1071)
  • observed_* prefix for incident-specific rules
  • template_* prefix for canonical pattern templates
  • pySigma validation passing via mcp__plugin_wrg-sigma-rules_wrg-sigma-rules__validate_rule

References

License

MIT — see LICENSE file.


Part of the WRG-11 ecosystem

Full index → github.com/WRG-11

from github.com/WRG-11/wrg-sigma-rules

Установка Wrg Sigma Rules

У этого сервера нет опубликованного пакета — он собирается из исходников. Открой репозиторий и следуй инструкции в README.

▸ github.com/WRG-11/wrg-sigma-rules

FAQ

Wrg Sigma Rules MCP бесплатный?

Да, Wrg Sigma Rules MCP бесплатный — установка в пару кликов через Unyly без оплаты.

Нужен ли API-ключ для Wrg Sigma Rules?

Нет, Wrg Sigma Rules работает без API-ключей и переменных окружения.

Wrg Sigma Rules — hosted или self-hosted?

Self-hosted: сервер запускается локально на твоей машине командой из раздела установки.

Как установить Wrg Sigma Rules в Claude Desktop, Claude Code или Cursor?

Открой Wrg Sigma Rules на unyly.org, выбери вкладку своего клиента (Claude Desktop, Claude Code, Cursor) и нажми Install — конфиг сгенерируется автоматически, без правки JSON.

Похожие MCP

Compare Wrg Sigma Rules with

Не уверен что выбрать?

Найди свой стек за 60 секунд

Автор?

Embed-бейдж для README

Похожее

Все в категории development