sigma-lookup is a Python command-line tool that lets security analysts and threat hunters search Sigma detection rules by MITRE ATT&CK Technique or Tactic, or by free-text query. The script parses the rules from the sigma repository (included as a git submodule) into a local cache, enabling quick and precise searches.
- Search Sigma rules by MITRE ATT&CK Technique or Tactic ID
- Perform free-text searches in rule titles and descriptions (regular expressions are supported)
- Filter rules by status and/or product
- Clone this repository and update the submodule (the sigma repository)

```
git clone https://github.com/vincenzocaputo/sigma-lookup
cd sigma-lookup
git submodule update --init
```
- Create a virtual environment and install the required libraries

```
python3 -m venv venv
source venv/bin/activate
pip install -r requirements
```
On the first run, the tool parses the Sigma rules (from the `sigma/rules` folder) and creates a cache file, stored as JSON at `cache/cache.json`. You can force the cache to be regenerated with the `-F` option:

```
python3 sigma-lookup.py -F
```
```
usage: sigma-lookup.py [-h] [-i ID] [-t TECHNIQUE] [-T] [-p] [-S [...]] [-s SEARCH] [-F]

options:
  -h, --help            show this help message and exit
  -i ID, --id ID        Get Sigma Rule by Rule ID. The Rule ID is an internal reference used only by this tool.
  -t TECHNIQUE, --technique TECHNIQUE
                        Search by MITRE ATT&CK Technique.
  -T , --tactic         Search by MITRE ATT&CK Tactic. Allowed values are: collection, command-and-control, credential-access, defense-evasion, discovery, execution, exfiltration, impact, initial-access,
                        lateral-movement, persistence, privilege-escalation, reconnaissance, resource-development
  -p , --product        Search by Product. Allowed values are: huawei, cisco, m365, github, paloalto, zeek, spring, fortios, nodejs, jvm, aws, bitbucket, onelogin, windows, django, linux, velocity, gcp, macos,
                        sql, okta, python, ruby_on_rails, opencanary, juniper, kubernetes, rpc_firewall, qualys, azure
  -S [ ...], --status [ ...]
                        Filter by status. Allowed values are: stable, test, experimental, deprecated, unsupported
  -s SEARCH, --search SEARCH
                        Search for free text in rule titles and descriptions (RegEx are supported).
  -F, --force-caching   Force the regeneration of the detection rule cache
```
- Search for the technique OS Credential Dumping (T1003), keeping only rules that mention the LSASS process and have status "stable"

```
python3 sigma-lookup.py -t T1003 -s LSASS -S stable
```

- Search for all detection rules under the Defense Evasion tactic that involve Base64 encoding in PowerShell

```
python3 sigma-lookup.py -T defense-evasion -s "(?=.*Powershell)(?=.*Base64)"
```

- Display the Sigma rule "Suspicious Obfuscated PowerShell Code"

```
python3 sigma-lookup.py -i 2119
```
Note: The Rule ID field is generated when the cache file is created and serves only as an internal reference for looking up detection rules. Regenerating the cache may assign new Rule IDs, so rely only on the Rule IDs shown in the tool's own output.
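To show how the filters above combine once rules are parsed and cached, here is an added example (not code from sigma-lookup itself) that indexes a few constructed rule dicts, shaped like PyYAML's `safe_load` output for a Sigma rule, and applies technique, tactic, product, status and regex filters. It assumes Sigma tactic tags use underscores (`attack.defense_evasion`) while the CLI takes hyphenated names, that a technique filter also matches its sub-techniques, and that the free-text search is case-insensitive; the function names are hypothetical.

```python
import re

# Constructed sample rules (not real Sigma rules), keeping only the fields
# the search needs, in the dict shape yaml.safe_load() would return.
SAMPLE_RULES = [
    {"title": "LSASS Memory Access via ProcDump",
     "description": "Detects a process dumping memory of the LSASS process.",
     "status": "stable", "logsource": {"product": "windows"},
     "tags": ["attack.credential_access", "attack.t1003.001"]},
    {"title": "Base64 Encoded PowerShell Command Line",
     "description": "Detects PowerShell launched with a Base64 encoded command.",
     "status": "test", "logsource": {"product": "windows"},
     "tags": ["attack.defense_evasion", "attack.t1027", "attack.t1059.001"]},
    {"title": "Suspicious Download via Shell Utility",
     "description": "Detects curl or wget fetching a payload into /tmp.",
     "status": "experimental", "logsource": {"product": "linux"},
     "tags": ["attack.command_and_control", "attack.t1105"]},
]


def build_cache(rules):
    """Assign sequential internal IDs (hypothetical scheme). IDs depend on
    parse order, which is why they can change when the cache is rebuilt."""
    return {i: r for i, r in enumerate(rules, start=1)}


def _matches(rule, technique, tactic, product, status, pattern):
    tags = [t.lower() for t in rule.get("tags", [])]
    if technique:
        tech = "attack." + technique.lower()
        # Accept the technique itself and its sub-techniques (t1003 -> t1003.001).
        if not any(t == tech or t.startswith(tech + ".") for t in tags):
            return False
    # Assumed: Sigma tags spell tactics with underscores, the CLI with hyphens.
    if tactic and "attack." + tactic.lower().replace("-", "_") not in tags:
        return False
    if product and rule.get("logsource", {}).get("product") != product:
        return False
    if status and rule.get("status") not in status:
        return False
    if pattern:
        # Title and description joined on one line so lookaheads span both.
        text = rule.get("title", "") + " " + rule.get("description", "")
        if not re.search(pattern, text, re.IGNORECASE):
            return False
    return True


def search(cache, technique=None, tactic=None, product=None, status=None, pattern=None):
    """Return the internal IDs of rules that satisfy every given filter."""
    return [rid for rid, r in cache.items()
            if _matches(r, technique, tactic, product, status, pattern)]
```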