A complete Rust toolkit for the Sigma detection standard. Parser, evaluator, rule conversion, streaming daemon, linter, and LSP.https://timescale.github.io/rsigma/ Mostafa Moradianhttps://github.com/timescale/rsigmaen Fri, 22 May 2026 18:09:16 -0000 Fri, 22 May 2026 18:09:16 -0000 1440 MkDocs RSS plugin - v1.17.4 None https://timescale.github.io/rsigma/ <h1>Enrichers</h1> <p>Post-evaluation enrichers run after <code>engine.evaluate()</code> produces a <code>ProcessResult</code> and before each result is serialized to a sink. They inject c...</p> https://timescale.github.io/rsigma/guide/enrichers/ Wed, 20 May 2026 23:22:23 +0000 RSigmahttps://timescale.github.io/rsigma/guide/enrichers/ <h1>Changelog</h1> <p>All notable changes to RSigma are documented in this file. Each entry corresponds to a [GitHub Release](https://github.com/timescale/rsigma/rele...</p> https://timescale.github.io/rsigma/release-notes/ Mon, 18 May 2026 20:30:39 +0000 RSigmahttps://timescale.github.io/rsigma/release-notes/ <h1>Observability</h1> <p>RSigma is built on <code>tracing</code> plus the <code>prometheus</code> crate. Every meaningful event in the daemon and CLI lands on one of:</p> <ul> <li>A <code>tracing</code> event...</li> </ul> https://timescale.github.io/rsigma/guide/observability/ Mon, 18 May 2026 18:14:42 +0000 RSigmahttps://timescale.github.io/rsigma/guide/observability/ <h1>Performance Tuning</h1> <p>RSigma's evaluator is fast by default. A 100-rule corpus evaluates one event in roughly 2 microseconds, and a 5000-rule corpus stays un...</p> https://timescale.github.io/rsigma/guide/performance-tuning/ Mon, 18 May 2026 17:57:38 +0000 RSigmahttps://timescale.github.io/rsigma/guide/performance-tuning/ <h1>CI/CD</h1> <p>RSigma is designed to drop into a detection-as-code workflow. The four CLI surfaces that matter for CI are <code>rule lint</code>, <code>rule validate</code>, `engine eva...</p> https://timescale.github.io/rsigma/guide/ci-cd/ Mon, 18 May 2026 17:00:48 +0000 RSigmahttps://timescale.github.io/rsigma/guide/ci-cd/ <h1>NATS Streaming</h1> <p>RSigma can read events from and write detections to <a href="https://docs.nats.io/nats-concepts/jetstream">NATS JetStream</a>. This page covers the da...</p> https://timescale.github.io/rsigma/guide/nats-streaming/ Mon, 18 May 2026 14:13:29 +0000 RSigmahttps://timescale.github.io/rsigma/guide/nats-streaming/ <h1>OTLP Integration</h1> <p>The daemon can ingest logs over <a href="https://opentelemetry.io/docs/specs/otlp/">OpenTelemetry Protocol</a> (OTLP). This is the recommended way t...</p> https://timescale.github.io/rsigma/guide/otlp-integration/ Mon, 18 May 2026 14:13:29 +0000 RSigmahttps://timescale.github.io/rsigma/guide/otlp-integration/ <h1>Input Formats</h1> <p>RSigma can read events in seven formats, with auto-detection as the default. This page covers when to choose each format, the parser specifi...</p> https://timescale.github.io/rsigma/guide/input-formats/ Mon, 18 May 2026 14:13:06 +0000 RSigmahttps://timescale.github.io/rsigma/guide/input-formats/ <h1>Processing Pipelines</h1> <p>Processing pipelines are RSigma's mechanism for transforming Sigma rules before they reach the engine or a backend. They handle the i...</p> https://timescale.github.io/rsigma/guide/processing-pipelines/ Mon, 18 May 2026 14:13:06 +0000 RSigmahttps://timescale.github.io/rsigma/guide/processing-pipelines/ <h1>Linting Rules</h1> <p><code>rsigma rule lint</code> runs 66 built-in lint rules derived from the Sigma v2.1.0 specification against your rule files. The linter reads each YA...</p> https://timescale.github.io/rsigma/guide/linting-rules/ Mon, 18 May 2026 14:12:46 +0000 RSigmahttps://timescale.github.io/rsigma/guide/linting-rules/ <h1>Rule Conversion</h1> <p><code>rsigma backend convert</code> translates Sigma rules into queries for a specific log analytics backend. Instead of evaluating rules against liv...</p> https://timescale.github.io/rsigma/guide/rule-conversion/ Mon, 18 May 2026 14:12:46 +0000 RSigmahttps://timescale.github.io/rsigma/guide/rule-conversion/ <h1>Evaluating Rules</h1> <p><code>rsigma engine eval</code> runs Sigma rules against events that you provide as a one-shot command. It is the right tool for ad-hoc hunting, for...</p> https://timescale.github.io/rsigma/guide/evaluating-rules/ Mon, 18 May 2026 14:12:25 +0000 RSigmahttps://timescale.github.io/rsigma/guide/evaluating-rules/ <h1>Streaming Detection</h1> <p><code>rsigma engine daemon</code> runs RSigma as a long-running service: it keeps a compiled engine in memory, reads events from a continuous sou...</p> https://timescale.github.io/rsigma/guide/streaming-detection/ Mon, 18 May 2026 14:12:25 +0000 RSigmahttps://timescale.github.io/rsigma/guide/streaming-detection/ <h1>Core Concepts</h1> <p>A short, opinionated tour of the ideas you will run into when working with RSigma. If you already know Sigma, skim this for RSigma-specific ...</p> https://timescale.github.io/rsigma/getting-started/concepts/ Mon, 18 May 2026 14:12:03 +0000 RSigmahttps://timescale.github.io/rsigma/getting-started/concepts/ <h1>Installation</h1> <p>RSigma ships as a single self-contained binary on every supported platform. Pick the install method that matches your environment.</p> <h2>Requir...</h2> https://timescale.github.io/rsigma/getting-started/installation/ Mon, 18 May 2026 14:12:03 +0000 RSigmahttps://timescale.github.io/rsigma/getting-started/installation/ <h1>Quick Start</h1> <p>This page gets you from a fresh install to a fired detection in five minutes. We will write one Sigma rule, evaluate it against a JSON event, ...</p> https://timescale.github.io/rsigma/getting-started/quick-start/ Mon, 18 May 2026 14:12:03 +0000 RSigmahttps://timescale.github.io/rsigma/getting-started/quick-start/