A Python tool that converts Sigma rules to ElastAlert 2 format for use in security monitoring systems.
This tool allows security teams to leverage the extensive library of Sigma detection rules within ElastAlert alerting systems. It converts the Sigma YAML format into ElastAlert rule configurations, preserving metadata and translating detection logic into Elasticsearch queries.
This converter is still in development and has not been tested against all Sigma rules. Some complex detection patterns may not convert correctly. Use with caution and verify rule conversions before deploying to production environments.
- Converts Sigma detection logic to Elasticsearch query DSL
- Preserves rule metadata (title, description, tags, etc.)
- Handles field mappings between Sigma field names and the Elastic Common Schema (ECS)
- Supports both individual file and batch directory conversion
- Interactive and command-line modes
```bash
# Convert a single Sigma rule file
python sigma_to_elastalert.py -f path/to/sigma_rule.yml -o output_rule.yaml

# Convert every Sigma rule in a directory (batch mode)
python sigma_to_elastalert.py -d path/to/sigma_rules_dir -o path/to/output_dir
```
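The core of the conversion described above, as an added illustration that is not the tool's own code: a constructed Sigma rule is parsed, its Sigma field names are mapped to assumed ECS names (`FIELD_MAP` is a small excerpt, not the project's table), the `endswith`/`contains` modifiers become Lucene wildcards with reserved characters escaped, and the `condition` is translated into a `query_string` filter inside an ElastAlert 2 rule dictionary. It goes slightly beyond a single selection by handling `and`/`or`/`not` between named selections, and it refuses modifiers it cannot express as a wildcard rather than silently producing a wrong query.

```python
import re
import yaml  # PyYAML; assumed installed (pip install pyyaml)

# Constructed sample Sigma rule for this example, not one from the Sigma repository
SAMPLE_SIGMA = """title: Encoded PowerShell Command Line
description: Detects powershell.exe launched with an encoded command.
tags: [attack.execution, attack.t1059.001]
level: high
logsource: {product: windows, category: process_creation}
detection:
  selection:
    Image|endswith: '\\powershell.exe'
    CommandLine|contains: ['-enc', '-EncodedCommand']
  filter:
    User: 'svc_backup'
  condition: selection and not filter
"""
# Assumed Sigma -> ECS field mapping (a small excerpt, not the project's own table)
FIELD_MAP = {"Image": "process.executable", "CommandLine": "process.command_line", "User": "user.name"}
_RESERVED = re.compile(r'([+\-=!(){}\[\]^"~*?:\\/<>])')  # query_string special characters
_WRAP = {"": "{}", "contains": "*{}*", "startswith": "{}*", "endswith": "*{}"}

def lucene_escape(value):  # escape reserved characters so the value matches literally
    return _RESERVED.sub(r"\\\1", str(value))

def field_clause(sigma_field, values):
    """'Field|modifier: value(s)' -> one query_string clause; list values are ORed."""
    name, _, modifier = sigma_field.partition("|")
    if modifier not in _WRAP:  # e.g. 're' or 'base64' need more than a wildcard
        raise ValueError(f"unsupported Sigma modifier: {modifier}")
    values = values if isinstance(values, list) else [values]
    terms = [_WRAP[modifier].format(lucene_escape(v)) for v in values]
    return f"{FIELD_MAP.get(name, name)}:(" + " OR ".join(terms) + ")"

def condition_to_query(detection):
    """Translate a boolean condition over selection names (and/or/not) to Lucene."""
    parts = []
    for token in detection["condition"].split():
        if token in ("and", "or", "not"):
            parts.append(token.upper())
        else:  # a selection name: every field pair inside it is ANDed together
            pairs = [field_clause(f, v) for f, v in detection[token].items()]
            parts.append("(" + " AND ".join(pairs) + ")")
    return " ".join(parts)

def sigma_to_elastalert(sigma_yaml, index="logs-*"):
    """ElastAlert 2 rule dict: metadata preserved, detection becomes a query_string filter."""
    rule = yaml.safe_load(sigma_yaml)
    return {"name": rule["title"], "description": rule.get("description", ""), "index": index,
            "type": "any", "alert": ["debug"],  # swap 'debug' for a real alerter in production
            "priority": {"critical": 1, "high": 2, "medium": 3, "low": 4}.get(rule.get("level"), 4),
            "filter": [{"query": {"query_string": {"query": condition_to_query(rule["detection"])}}}],
            "sigma_meta": {k: rule.get(k) for k in ("tags", "level", "logsource")}}
```

`yaml.safe_dump(sigma_to_elastalert(SAMPLE_SIGMA))` writes a rule file ElastAlert 2 can load; check the generated `query_string` against a few known-good events before trusting it, since field names and analyzers differ between indices.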