`rsigma engine eval`🔗

One-shot evaluation of Sigma rules against events from a file, stdin, or an inline argument.

Synopsis🔗

rsigma engine eval [OPTIONS] --rules <RULES>

Description🔗

Loads rules from a file or directory, optionally applies one or more processing pipelines, reads events from --event (or stdin), and writes matched MatchResult JSON to stdout. Exits when the event source is exhausted.

This is the right tool for CI fixtures, ad-hoc threat hunting, forensic replay over .evtx and NDJSON files, and any "run rules against this data, then exit" workflow. For a long-running daemon with hot-reload and metrics, use engine daemon.

For a narrative tutorial see Evaluating Rules.

Flags🔗

Required🔗

Flag	Description
`-r, --rules <RULES>`	Path to a Sigma rule file or directory of rules (recursive).

Input selection🔗

Flag	Default	Description
`-e, --event <EVENT>`	stdin	Single event as a JSON string, or `@path` to read NDJSON or `.evtx`. Without this flag, reads NDJSON from stdin.
`--jq <JQ>`	unset	`jq` filter to extract the event payload from each input object. Example: `--jq '.event'`, `--jq '.records[]'`. Mutually exclusive with `--jsonpath`.
`--jsonpath <JSONPATH>`	unset	JSONPath (RFC 9535) query to extract the event payload. Example: `--jsonpath '$.event'`, `--jsonpath '$.records[*]'`.
`--input-format <FORMAT>`	`auto`	Input log format: `auto`, `json`, `syslog`, `plain`. With the `logfmt` and `cef` features: also `logfmt`, `cef`.
`--syslog-tz <OFFSET>`	`+00:00`	Timezone offset for RFC 3164 syslog parsing. Format: `+HH:MM` or `-HH:MM`.

Pipeline🔗

Flag	Description
`-p, --pipeline <PIPELINES>`	Processing pipeline(s) to apply. Accepts the builtin names (`ecs_windows`, `sysmon`) or YAML file paths. Repeatable; applied in priority order.

Output🔗

Flag	Default	Description
`--pretty`	off	Pretty-print JSON output.
`--no-detections`	off	Suppress detection output for rules that exist only to feed correlations (`generate: false`).
`--include-event`	off	Embed the full event JSON in every `MatchResult`. Equivalent to setting `rsigma.include_event: "true"` per-rule.

Correlation behavior🔗

Flag	Default	Description
`--suppress <DURATION>`	unset	Suppress duplicate correlation alerts within the window (`5m`, `1h`, `30s`).
`--action <ACTION>`	`alert`	Post-fire action for correlations: `alert` (keep state, re-alert on next match) or `reset` (clear window state).
`--correlation-event-mode <MODE>`	`none`	Whether to embed contributing events in correlation output: `none`, `full` (deflate-compressed full bodies), `refs` (timestamp + ID only).
`--max-correlation-events <N>`	`10`	Cap on stored events per correlation window when `--correlation-event-mode` is not `none`. Oldest evicted.
`--timestamp-field <FIELD>`	unset	Field name to prepend to the timestamp extraction priority list. Default list: `@timestamp`, `timestamp`, `EventTime`, `TimeCreated`, `eventTime`. Repeatable.

Performance (advanced)🔗

Flag	Default	Description
`--bloom-prefilter`	off	Enable per-field bloom filter over positive substring needles. Useful for IOC-heavy rule sets against mostly-non-matching telemetry. See Performance Tuning.
`--bloom-max-bytes <BYTES>`	`1048576`	Memory budget for the bloom index (1 MiB default). No effect without `--bloom-prefilter`.
`--cross-rule-ac`	off	Enable the cross-rule Aho-Corasick pre-filter. Available when compiled with the `daachorse-index` Cargo feature. See Performance Tuning.

CI gating🔗

Flag	Description
`--fail-on-detection`	Exit with code `1` when any detection or correlation fires.

Examples🔗

Single inline event🔗

rsigma engine eval -r rules/ -e '{"CommandLine":"cmd /c whoami"}'

NDJSON file with pretty output🔗

rsigma engine eval -r rules/ --pretty -e @events.ndjson

EVTX file with the bundled Windows-mapping pipeline🔗

rsigma engine eval -r rules/ -e @Security.evtx

EVTX records are nested under Event.System.* and Event.EventData.*; rules must reference fields by their full dotted path. See Input Formats.

Tail a JSON log file into the engine🔗

tail -F /var/log/app.json | rsigma engine eval -r rules/

Extract events from a wrapper envelope🔗

rsigma engine eval -r rules/ --jq '.records[]' < otlp-batch.ndjson

CI fixture: assert nothing matches🔗

rsigma engine eval -r rules/ --fail-on-detection -e @ci/negative.ndjson

Exits 1 if any rule fires. Exits 0 if the fixture stays quiet.

Apply a builtin pipeline🔗

rsigma engine eval -r rules/ -p ecs_windows -e '{"process.command_line": "whoami"}'

Correlation with suppression🔗

rsigma engine eval -r rules/ --suppress 5m --action reset \
    --correlation-event-mode refs --max-correlation-events 50 \
    < security-events.ndjson

Exit codes🔗

Code	Meaning
`0`	Events processed cleanly. With `--fail-on-detection`, no rule fired. Per-rule parse errors are logged as warnings but do not change the exit code.
`1`	With `--fail-on-detection`, at least one detection or correlation fired.
`2`	The rules path itself could not be read. Use `rule validate` for a strict per-rule gate that fails on parse or compile errors.
`3`	Configuration error: bad `-p`, malformed `--suppress`, invalid `--jq` filter, etc.

rsigma engine eval🔗