Welcome to RSigma's documentation!
Hello, and welcome to RSigma's documentation.
RSigma is a complete Rust toolkit for the Sigma detection standard, including a parser, evaluation engine, rule conversion, streaming runtime, linter, CLI, and LSP server. Or, as Zack Allen put it in Detection Engineering Weekly #149, "RSigma is essentially a SIEM."
- Install RSigma: Install RSigma with Cargo, Docker, or a signed binary archive.
- Quickstart: Write a rule, evaluate it, run the daemon, and convert to SQL in five minutes.
- Core concepts: Sigma rules, processing pipelines, the eval/daemon split, and the noun-led CLI groups.
- CLI Reference: Per-subcommand reference for `engine`, `rule`, `backend`, and `pipeline`.
- Rule conversion: Generate PostgreSQL or LynxDB queries from Sigma rules for historical hunting.
- Streaming detection: Run the daemon with NATS, HTTP, or OTLP input. Hot-reload, metrics, state.
Why RSigma
| | RSigma | pySigma | sigma_engine | sigma-rust |
|---|---|---|---|---|
| Language | Rust | Python | Rust | Rust |
| Runtime evaluation | Yes (streaming + stateful) | No (converter only) | Yes (stateless) | Yes (stateless) |
| Correlation rules | All 8 types | Partial | No | No |
| Filter rules | Yes | Yes | No | No |
| Conversion backends | PostgreSQL, LynxDB, ... | 20+ | No | No |
| Streaming daemon | Yes (NATS, HTTP, OTLP) | No | No | No |
| Dynamic pipelines | Yes (HTTP, file, command, NATS) | No | No | No |
| Built-in linter | 66 rules, auto-fix | Limited | No | No |
| LSP server | Yes | No | No | No |
| Single binary | Yes (multi-arch, signed) | No (requires Python) | Library only | Library only |
| License | MIT | LGPL-3.0 | AGPL-3.0 | MIT |
RSigma is the only Sigma toolkit that combines pySigma-style conversion with a real streaming evaluator, all in a single self-contained binary.
Featured in
Detection Engineering Weekly #149 (March 2026)
"RSigma is essentially a SIEM. Building a tool like RSigma is challenging because the Sigma specification has evolved into a robust domain-specific language over the years."
Zack Allen, DEW #149
tl;dr sec #320 (March 2026)
"Accurately evaluating the full spectrum of what Sigma rules can express is quite complex. It's pretty neat to read about how RSigma handles all of these conditional expressions, correlating across rules, etc."
BlackNoise: The Deep Purple Sec, March 2026
"Defensive teams can pipe logs through CLI commands, apply field-mapping pipelines, and chain correlations for multi-stage attack detection."
Detection Engineering Weekly #154 (April 2026)
"RSigma is not a SIEM, but it's an impressive feat to build a self-contained Rust binary that operates much like one. For teams doing pre-SIEM rule validation or forensics, it's a solid plug-and-play option."
Detection Engineering Weekly #157 (May 2026)
"Instead of hardcoding IOC values in rule YAML, you declare external sources in the pipeline config, and RSigma fetches and injects them at evaluation time. This works very similarly to how I've seen SIEMs implement threat intelligence pipelines, but since it's RSigma, it's self-contained within its ecosystem."
Built with RSigma
- A browser-based Sigma rule playground. Added real-time rule evaluation powered by RSigma compiled to WebAssembly, so every rule edit runs against sample events in the browser without a backend.
Read the deep dives
A five-part article series on building RSigma and using it in production:
| # | Article | Topic |
|---|---|---|
| 1 | Pattern Detection and Correlation in JSON Logs | Forensic investigation of a Trivy supply-chain compromise. |
| 2 | Streaming Logs to RSigma for Real-Time Detection | Okta cross-tenant impersonation via the daemon and NATS JetStream. |
| 3 | Building a Detection Layer on PostgreSQL with Sigma Rules | Five PostgreSQL output formats and TimescaleDB continuous aggregates. |
| 4 | Security Observability with RSigma and the LGTM Stack | Pairing RSigma with Loki, Mimir, and Grafana. |
| 5 | Wiring Live Threat Intel into Sigma Detection with Dynamic Pipelines | Dynamic pipelines: HTTP, file, command, and NATS sources. |
At a glance
- Latest release: `v0.12.0` (MIT licensed; six crates in the workspace).
- MSRV: Rust `1.88.0`, edition `2024`.
- Cross-platform binaries: Linux, macOS, Windows on amd64 and arm64.
- Container image: `ghcr.io/timescale/rsigma:latest` (multi-arch, cosign-signed, SBOM, SLSA Build L3 provenance).
- Throughput: ~1.06M events/sec detection, ~569K events/sec correlation on an Apple M4 Pro. See benchmarks.