Welcome to RSigma’s documentation!
RSigma is a complete Sigma detection engineering toolkit: parser, linter, evaluator, correlation engine, conversion framework, streaming daemon, MCP and LSP servers. Or, as Zack Allen put it in Detection Engineering Weekly #149, “RSigma is essentially a SIEM.”
Install RSigma with Cargo, Docker, or a signed binary archive.
Write a rule, evaluate it, run the daemon, and convert to SQL in five minutes.
Sigma rules, processing pipelines, the eval/daemon split, and the noun-led CLI groups.
Author, test, deploy, detect, alert, measure, and hunt: one map of the full lifecycle.
Per-subcommand reference for engine, rule, backend, and pipeline.
Generate PostgreSQL or LynxDB queries from Sigma rules for historical hunting.
Run the daemon with NATS, HTTP, or OTLP input. Hot-reload, metrics, state.
Why RSigma
| RSigma | pySigma | sigma_engine | sigma-rust | |
|---|---|---|---|---|
| Language | Rust | Python | Rust | Rust |
| Runtime evaluation | Yes (streaming + stateful) | No (converter only) | Yes (stateless) | Yes (stateless) |
| Correlation rules | All 8 types | Partial | No | No |
| Filter rules | Yes | Yes | No | No |
| Conversion backends | PostgreSQL, LynxDB, … | 20+ | No | No |
| Streaming daemon | Yes (NATS, HTTP, OTLP) | No | No | No |
| Dynamic pipelines | Yes (HTTP, file, command, NATS) | Yes (HTTP, file, command) | No | No |
| Built-in linter | 85 rules, auto-fix | Limited | No | No |
| LSP server | Yes | No | No | No |
| Single binary | Yes (multi-arch, signed) | No (requires Python) | Library only | Library only |
| License | MIT | LGPL-3.0 | AGPL-3.0 | MIT |
RSigma is the only Sigma toolkit that combines pySigma-style conversion with a real streaming evaluator, all in a single self-contained binary.
Featured in
“RSigma is essentially a SIEM. Building a tool like RSigma is challenging because the Sigma specification has evolved into a robust domain-specific language over the years.”
“Accurately evaluating the full spectrum of what Sigma rules can express is quite complex. It’s pretty neat to read about how RSigma handles all of these conditional expressions, correlating across rules, etc.”
“Defensive teams can pipe logs through CLI commands, apply field-mapping pipelines, and chain correlations for multi-stage attack detection.”
“RSigma is not a SIEM, but it’s an impressive feat to build a self-contained Rust binary that operates much like one. For teams doing pre-SIEM rule validation or forensics, it’s a solid plug-and-play option.”
“Instead of hardcoding IOC values in rule YAML, you declare external sources in the pipeline config, and RSigma fetches and injects them at evaluation time. This works very similarly to how I’ve seen SIEMs implement threat intelligence pipelines, but since it’s RSigma, it’s self-contained within its ecosystem.”
Built with RSigma
A browser-based Sigma rule playground. Added real-time rule evaluation powered by RSigma compiled to WebAssembly, so every rule edit runs against sample events in the browser without a backend.
An open-source, cross-platform endpoint detection engine. Ships RSigma as an opt-in Sigma backend next to its built-in matcher, evaluating normalized endpoint telemetry in real time on Windows, Linux, and macOS, with a throughput edge on large rulesets.
Read the deep dives
An article series on building RSigma and using it in production:
| # | Article | Topic |
|---|---|---|
| 1 | Pattern Detection and Correlation in JSON Logs | Forensic investigation of a Trivy supply-chain compromise. |
| 2 | Streaming Logs to RSigma for Real-Time Detection | Okta cross-tenant impersonation via the daemon and NATS JetStream. |
| 3 | Building a Detection Layer on PostgreSQL with Sigma Rules | Five PostgreSQL output formats and TimescaleDB continuous aggregates. |
| 4 | Security Observability with RSigma and the LGTM Stack | Pairing RSigma with Loki, Mimir, and Grafana. |
| 5 | Wiring Live Threat Intel into Sigma Detection with Dynamic Pipelines | Dynamic pipelines: HTTP, file, command, and NATS sources. |
| 6 | Cloud Detection at Scale on a Laptop | Running cloud-scale detection locally with RSigma. |
| 7 | The State of RSigma | A tour of everything RSigma does today and where it is headed. |
| 8 | Detection-as-Code in One GitHub Action with RSigma | Gating a Sigma rule repository in CI with lint, validate, fields-drift, backtest, and ATT&CK coverage. |
| 9 | The State of RSigma, Part Two: The Loop | One detection through the full lifecycle: author, test, deploy, detect, alert and triage, measure, and hunt. |
At a glance
- Latest release:
v0.18.0(MIT licensed; seven crates in the workspace). - MSRV: Rust
1.88.0, edition2024. - Cross-platform binaries: Linux, macOS, Windows on amd64 and arm64.
- Container image:
ghcr.io/timescale/rsigma:latest(multi-arch, cosign-signed, SBOM, SLSA Build L3 provenance). - Throughput: ~1.06M events/sec detection, ~569K events/sec correlation on an Apple M4 Pro. See benchmarks.