DEV Community

Jude Hilgendorf


I built a portable SIEM detection toolkit that converts Sigma rules to Splunk, Elastic, and Kibana queries

The problem

If you've ever tried to manage detection content across different SIEMs, you know the pain. Sigma rules live in one folder, your Sysmon config is somewhere else, Wazuh custom rules are in yet another directory, and none of it maps cleanly back to MITRE ATT&CK. Converting rules between SIEM formats usually means installing sigmac or setting up a whole pipeline just to get a Splunk query out of a YAML file.

I'm a cybersecurity student and I got tired of this workflow in my home lab, so I built SIEMForge — a single Python CLI that keeps all your detection content in one place and converts it natively.

What it does

SIEMForge is a portable toolkit that handles:

  • Sigma rule conversion — translates detection rules to Splunk SPL, Elasticsearch Lucene, or Kibana KQL without any external dependencies (no sigmac needed)
  • 10 pre-built detection rules covering credential dumping (T1003.001), process injection (T1055.003), lateral movement via PsExec (T1021.002), suspicious PowerShell (T1059.001), SSH brute-force (T1110.001), and more
  • Tuned Sysmon configuration for Windows event monitoring
  • Wazuh custom rules with agent config snippets
  • MITRE ATT&CK mapping across all rules
  • One-command export of the complete detection package
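To make the conversion step concrete, here is an added example of a minimal Sigma-to-query converter written for this post; it is not SIEMForge's own code. It handles a small subset of the Sigma spec (a selection map whose keys are AND-ed and whose list values are OR-ed, the `contains`/`startswith`/`endswith` modifiers, and a condition built from selection names joined by `and`/`or`/`not`) and renders the same rule as Splunk SPL, Elasticsearch Lucene, and Kibana KQL. The rule below is a constructed Sigma-style detection modelled on LSASS access (Sysmon Event ID 10) and is passed in already parsed, i.e. as the dict PyYAML would produce, so the example runs with no dependencies. Backend names, field values, and the helper names are all assumptions made for the example.

```python
"""Minimal Sigma -> SIEM query converter for Splunk SPL, Elasticsearch Lucene
and Kibana KQL. Added example, not SIEMForge's own code. Supports a Sigma
subset: selection maps (keys AND-ed, list values OR-ed), the
contains/startswith/endswith modifiers, and conditions of selection names
joined by and/or/not. Rules are passed in already parsed (the dict PyYAML
would produce), so nothing beyond the standard library is needed."""
import re

# Constructed Sigma-style rule modelled on an LSASS access detection over
# Sysmon Event ID 10 (process access). Values are illustrative only.
RULE = {
    "title": "LSASS Memory Access",
    "logsource": {"product": "windows", "category": "process_access"},
    "detection": {
        "selection": {
            "TargetImage|endswith": "\\lsass.exe",
            "GrantedAccess|contains": ["0x1010", "0x1410", "0x1fffff"],
        },
        "filter": {"SourceImage|startswith": "C:\\Windows\\System32\\"},
        "condition": "selection and not filter",
    },
    "tags": ["attack.credential_access", "attack.t1003.001"],
}

# Boolean operator spelling per backend: SPL and Lucene use upper case,
# KQL uses lower case.
OPERATORS = {
    "splunk": {"and": "AND", "or": "OR", "not": "NOT"},
    "elastic": {"and": "AND", "or": "OR", "not": "NOT"},
    "kibana": {"and": "and", "or": "or", "not": "not"},
}
LUCENE_SPECIAL = set('+-&|!(){}[]^"~*?:\\/')
KQL_SPECIAL = set('\\():<>"*')


def _escape(backend, text):
    """Escape a literal value so the wildcards added later are the only ones."""
    if backend == "splunk":
        return text.replace("\\", "\\\\").replace('"', '\\"')
    specials = LUCENE_SPECIAL if backend == "elastic" else KQL_SPECIAL
    return "".join("\\" + ch if ch in specials else ch for ch in text)


def _wildcard(modifier, value):
    """Apply a Sigma string modifier by adding '*' wildcards."""
    if modifier is None:
        return value
    if modifier == "contains":
        return f"*{value}*"
    if modifier == "startswith":
        return f"{value}*"
    if modifier == "endswith":
        return f"*{value}"
    raise ValueError(f"unsupported Sigma modifier: {modifier}")


def render_term(backend, field, modifier, value):
    """Render one field/value pair in the target query language."""
    body = _wildcard(modifier, _escape(backend, str(value)))
    if backend == "splunk":
        return f'{field}="{body}"'
    return f"{field}:{body}"  # Lucene and KQL: unquoted so '*' stays a wildcard


def _join(items, op):
    return items[0] if len(items) == 1 else "(" + f" {op} ".join(items) + ")"


def render_selection(backend, selection):
    """Sigma map semantics: keys are AND-ed, list values for a key are OR-ed."""
    ops = OPERATORS[backend]
    clauses = []
    for key, values in selection.items():
        field, _, modifier = key.partition("|")
        values = values if isinstance(values, list) else [values]
        terms = [render_term(backend, field, modifier or None, v) for v in values]
        clauses.append(_join(terms, ops["or"]))
    return _join(clauses, ops["and"])


def convert(rule, backend):
    """Translate the rule's condition into one query string for the backend."""
    if backend not in OPERATORS:
        raise ValueError(f"unknown backend: {backend}")
    ops = OPERATORS[backend]
    detection = rule["detection"]
    out = []
    for token in detection["condition"].split():
        if token.lower() in ops:
            out.append(ops[token.lower()])
        elif token in detection and token != "condition":
            out.append(render_selection(backend, detection[token]))
        else:
            raise ValueError(f"unsupported condition token: {token}")
    return " ".join(out)


def attack_techniques(rule):
    """Pull MITRE ATT&CK technique IDs (T1003.001 style) out of Sigma tags."""
    found = []
    for tag in rule.get("tags", []):
        m = re.fullmatch(r"attack\.(t\d{4}(?:\.\d{3})?)", tag, re.IGNORECASE)
        if m:
            found.append(m.group(1).upper())
    return found


if __name__ == "__main__":
    print(RULE["title"], "->", ", ".join(attack_techniques(RULE)))
    for name in OPERATORS:
        print(f"[{name}] {convert(RULE, name)}")
```

The three outputs differ only in operator case, value escaping, and the `field="value"` versus `field:value` syntax, which is most of what a backend-specific converter has to get right; anything outside the supported subset (an unknown modifier, a `1 of selection*` condition) raises rather than silently producing a query that matches less than the rule intends.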

Quick start

git clone https://github.com/TiltedLunar123/SIEMForge.git
cd SIEMForge
pip install pyyaml

The only dependency is PyYAML. It runs on Python 3.8+.

Example usage

# See what's in the toolkit
python siemforge.py

# Convert all rules to Splunk SPL
python siemforge.py --convert splunk

# Convert a single rule to Kibana KQL
python siemforge.py --convert kibana --convert-rule lsass_credential_dump.yml

# View MITRE ATT&CK coverage
python siemforge.py --mitre

# Export everything as a packaged bundle
python siemforge.py --export-all

The --export-all flag generates an organized directory with Sigma YAML rules, Sysmon XML config, and Wazuh rules ready to drop into your stack.

Why I built it

Mostly for my own learning. I wanted to understand how Sigma rules actually translate to different query languages under the hood, and I wanted a single tool I could carry between lab environments without installing a bunch of dependencies. Figured other students or home lab folks might find it useful too.

What's next

I'm planning to add more detection rules and possibly support for more output formats. If you work in blue team or run a home lab, I'd love to know: what detection rules or SIEM formats would be most useful to add?

Check it out here: github.com/TiltedLunar123/SIEMForge

MIT licensed, contributions welcome.
