Tools: I built a portable SIEM detection toolkit that converts Sigma rules to Splunk, Elastic, and Kibana queries (2026)


The problem

If you've ever tried to manage detection content across different SIEMs, you know the pain. Sigma rules live in one folder, your Sysmon config is somewhere else, Wazuh custom rules are in yet another directory, and none of it maps cleanly back to MITRE ATT&CK. Converting rules between SIEM formats usually means installing sigmac or setting up a whole pipeline just to get a Splunk query out of a YAML file.

I'm a cybersecurity student and I got tired of this workflow in my home lab, so I built SIEMForge — a single Python CLI that keeps all your detection content in one place and converts it natively.

What it does

SIEMForge is a portable toolkit that handles:

- Sigma rule conversion — translates detection rules to Splunk SPL, Elasticsearch Lucene, or Kibana KQL without any external dependencies (no sigmac needed)
- 10 pre-built detection rules covering credential dumping (T1003.001), process injection (T1055.003), lateral movement via PsExec (T1021.002), suspicious PowerShell (T1059.001), SSH brute-force (T1110.001), and more
- Tuned Sysmon configuration for Windows event monitoring
- Wazuh custom rules with agent config snippets
- MITRE ATT&CK mapping across all rules
- One-command export of the complete detection package

The only dependency is PyYAML. It runs on Python 3.8+.

Quick start

git clone https://github.com/TiltedLunar123/SIEMForge.git
cd SIEMForge
pip install pyyaml

Example usage

# See what's in the toolkit
python siemforge.py

# Convert all rules to Splunk SPL
python siemforge.py --convert splunk

# Convert a single rule to Kibana KQL
python siemforge.py --convert kibana --convert-rule lsass_credential_dump.yml

# View MITRE ATT&CK coverage
python siemforge.py --mitre

# Export everything as a packaged bundle
python siemforge.py --export-all

The --export-all flag generates an organized directory with Sigma YAML rules, Sysmon XML config, and Wazuh rules ready to drop into your stack.

Why I built it

Mostly for my own learning. I wanted to understand how Sigma rules actually translate to different query languages under the hood, and I wanted a single tool I could carry between lab environments without installing a bunch of dependencies. Figured other students or home lab folks might find it useful too.

What's next

I'm planning to add more detection rules and possibly support for more output formats. If you work in blue team or run a home lab, I'd love to know: what detection rules or SIEM formats would be most useful to add?

Check it out here: github.com/TiltedLunar123/SIEMForge

MIT licensed, contributions welcome.
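As an added illustration of the Sigma conversion and ATT&CK mapping described under "What it does" (example code written for this post, not SIEMForge's own converter), here is a minimal renderer that turns a Sigma-style detection block into Splunk SPL and Kibana KQL and pulls the technique id out of the rule's tags. The rule is a constructed sample modelled on an LSASS-access detection and stands in for the dict PyYAML's yaml.safe_load() would return; its field names, values and the dialect quoting rules are my assumptions, not taken from the project.

```python
import re

# Constructed sample: the dict yaml.safe_load() returns for a Sigma rule with
# two selections and a "selection and not filter" condition (not a real rule).
LSASS_RULE = {
    "title": "LSASS Memory Access",
    "tags": ["attack.credential_access", "attack.t1003.001"],
    "detection": {
        "selection": {
            "TargetImage|endswith": "lsass.exe",
            "GrantedAccess|contains": ["0x1010", "0x1fffff"],
        },
        "filter": {"SourceImage|endswith": "MsMpEng.exe"},
        "condition": "selection and not filter",
    },
}

def _render_value(field: str, value: str, dialect: str) -> str:
    """Turn 'Field|modifier': value into one dialect-specific search term."""
    name, _, modifier = field.partition("|")
    pattern = {"contains": f"*{value}*", "startswith": f"{value}*",
               "endswith": f"*{value}"}.get(modifier, value)
    if dialect == "spl":
        return f'{name}="{pattern}"'      # SPL honours * inside quoted strings
    if dialect == "kql":
        # KQL treats quoted strings literally, so wildcard terms go unquoted;
        # on keyword fields the match is case-sensitive, unlike Sigma's default.
        return f"{name}:{pattern}" if modifier else f'{name}:"{pattern}"'
    raise ValueError(f"unsupported dialect: {dialect}")

def _render_selection(selection: dict, dialect: str) -> str:
    """Fields in a selection are AND-ed; a list of values for one field is OR-ed."""
    terms = []
    for field, value in selection.items():
        values = value if isinstance(value, list) else [value]
        alts = " OR ".join(_render_value(field, v, dialect) for v in values)
        terms.append(f"({alts})" if len(values) > 1 else alts)
    return " AND ".join(terms)

def convert(rule: dict, dialect: str) -> str:
    """Render the detection block; the condition is a flat and/or/not expression."""
    det = rule["detection"]
    return " ".join(tok.upper() if tok in ("and", "or", "not")
                    else f"({_render_selection(det[tok], dialect)})"
                    for tok in det["condition"].split())

def technique_ids(rule: dict) -> list:
    """ATT&CK technique ids from Sigma tags (attack.t1003.001 -> T1003.001)."""
    hits = (re.fullmatch(r"attack\.(t\d{4}(?:\.\d{3})?)", t) for t in rule.get("tags", []))
    return [m.group(1).upper() for m in hits if m]
```

Real Sigma conditions can nest parentheses and use `1 of selection*` forms, and field names still need mapping to your index's schema; this only covers the flat case to show where the dialect differences sit.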