A Go implementation and parser of Sigma rules. Useful for building your own detection pipelines.
Who's using sigma-go
in production?
This library is designed for you to build your own alert systems. It exposes the ability to check whether a rule matches a given event but not much else. It's up to you to use this building block in your own detection pipeline.
A basic usage of this library might look like this:
// You can load/create rules dynamically or use sigmac to load Sigma rule files
var rule, _ = sigma.ParseRule(contents)
// Rules need to be wrapped in an evaluator.
// This is also where (if needed) you provide functions implementing the count, max, etc. aggregation functions
e := sigma.Evaluator(rule, options...)
// Get a stream of events from somewhere e.g. audit logs
for event := range events {
if e.Matches(ctx, event) {
// Raise your alert here
newAlert(rule.ID, rule.Description, ...)
}
}
If your Sigma rules make use of the count, max, min, or any other aggregation function in your conditions then you'll need some extra setup.
When creating an evaluator, you can pass in implementations of each of the aggregation functions:
sigma.Evaluator(rule, sigma.CountFunc(countImplementation), sigma.MaxFunc(maxImplementation))
This repo includes some toy implementations in the aggregators
package but for production use cases you'll need to supply your own.