A production-quality Python tool that analyzes malware samples and automatically generates industry-standard Sigma detection rules deployable to multiple SIEM platforms including Splunk, Elasticsearch, Azure Sentinel, and QRadar.
- Automated Sigma Rule Generation - Convert malware behaviors to detection rules in seconds
- Multi-SIEM Support - Deploy to Splunk (SPL), Elasticsearch (Lucene), Azure Sentinel (KQL), and QRadar (AQL)
- MITRE ATT&CK Mapping - Automatically classify behaviors against 45+ MITRE techniques
- Static Analysis - PE file parsing, string extraction, entropy calculation, suspicious import detection
- Behavioral Detection - Identify code injection, persistence, execution, network, and evasion techniques
- Professional Reports - Generate comprehensive HTML and JSON reports with visualizations
- Rule Validation - Built-in Sigma rule validation and compliance checking
- Organized Exports - Sigma rules automatically organized by technique, category, severity, and platform
Detection Engineering Pipeline
├── Sample Loading & Validation
├── Static Analysis
│ ├── PE Analysis (imports, entropy, sections)
│ ├── String Extraction (patterns, IOCs)
│ └── Metadata Extraction
├── Behavior Detection
│ └── Map suspicious indicators to behaviors
├── Sigma Rule Generation ⭐
│ └── Create YAML rules with MITRE techniques
├── SIEM Conversion
│ └── Generate platform-specific queries
└── Reporting
├── JSON Report
├── HTML Report
└── Organized Sigma Rules
detection-engineering/
├── config/ # Configuration and mappings
│ ├── settings.py
│ ├── mitre_mappings.json
│ └── sigma_config.yml
├── src/
│ ├── core/ # Core analysis
│ │ ├── analyzer.py # Main orchestrator
│ │ └── sample_handler.py # File loading
│ ├── static_analysis/ # Binary analysis
│ │ ├── pe_analyzer.py
│ │ ├── elf_analyzer.py
│ │ ├── string_extractor.py
│ │ └── metadata_extractor.py
│ ├── detection/ # Detection logic
│ │ ├── behavior_detector.py
│ │ ├── sigma_generator.py # ⭐ Core rule generation
│ │ ├── sigma_converter.py # ⭐ SIEM conversion
│ │ ├── mitre_mapper.py
│ │ └── rules/
│ ├── reporting/ # Report generation
│ │ ├── report_generator.py
│ │ ├── json_reporter.py
│ │ ├── html_reporter.py
│ │ └── sigma_exporter.py
│ └── utils/ # Utilities
│ ├── logger.py # ✅ Phase 1
│ ├── hash_calculator.py # ✅ Phase 1
│ └── sigma_validator.py
├── sigma_rules/ # Output: Sigma rules
│ └── generated/
├── siem_queries/ # Output: SIEM queries
│ ├── splunk/
│ ├── elastic/
│ ├── sentinel/
│ └── qradar/
├── tests/ # Unit and integration tests
├── scripts/ # CLI scripts
│ ├── analyze.py # Main analysis script
│ ├── generate_sigma.py # Standalone Sigma generator
│ └── demo.py # Demo script
├── samples/ # Test samples
└── output/ # Analysis results
# Clone the repository
git clone https://github.com/yourusername/detection-engineering.git
cd detection-engineering
# Create virtual environment
python3 -m venv venv
source venv/bin/activate # On Windows: venv\Scripts\activate
# Install dependencies
pip install -r requirements.txt# Analyze a sample and generate Sigma rules
python scripts/analyze.py sample.exe
# Custom output directory
python scripts/analyze.py sample.exe --output-dir results/
# Verbose output
python scripts/analyze.py sample.exe --verbose
# Skip Sigma generation
python scripts/analyze.py sample.exe --no-sigmaThe tool generates professional Sigma rules like this:
title: Registry Run Key Persistence
id: a1b2c3d4-e5f6-7890-abcd-ef1234567890
status: experimental
description: Detects modification of registry Run keys for persistence
references:
- https://attack.mitre.org/techniques/T1547/001/
author: Malware Behavior Analyzer
date: 2025/11/16
tags:
- attack.persistence
- attack.t1547.001
logsource:
category: registry_event
product: windows
detection:
selection:
EventID: [4657, 13]
TargetObject|contains: '\CurrentVersion\Run'
condition: selection
falsepositives:
- Legitimate administrative tools
- Security software
level: high- ✅ PE file imports (detect suspicious APIs)
- ✅ Section entropy (identify packers)
- ✅ Entry point and compile time
- ✅ String extraction and pattern matching
- ✅ File metadata and hashes
- ✅ Process injection indicators (VirtualAlloc, CreateRemoteThread)
- ✅ Registry persistence (Run keys, Services)
- ✅ Execution techniques (PowerShell, WMI)
- ✅ Network communication patterns
- ✅ File operations and suspicious paths
- ✅ Automatic MITRE ATT&CK classification
- ✅ Professional YAML formatting
- ✅ Multi-SIEM support
- ✅ Syntax validation
- ✅ False positive notes
- Directory structure
- Logger module
- Hash calculator
- Sample handler
- Basic tests
- PE analyzer
- ELF analyzer
- String extractor
- Metadata extractor
- Behavior detector
- Sigma generator (core)
- MITRE mapper
- Example rules
- Sigma converter
- Splunk conversion
- Elasticsearch conversion
- Sentinel conversion
- JSON reporter
- HTML reporter
- Report orchestration
- Main analyzer
- CLI scripts
- Demo script
- Comprehensive tests
- Documentation
- Code quality
Core:
- Python 3.9+
- pysigma - Sigma rule framework
- pefile - PE file analysis
SIEM Backends:
- pysigma-backend-splunk
- pysigma-backend-elasticsearch
- pysigma-backend-microsoft365defender
- pysigma-backend-sentinel
Analysis:
- python-magic - File type detection
- pyelftools - ELF file analysis
Reporting:
- Jinja2 - Template rendering
- Plotly - Visualizations
- pandas - Data analysis
- ARCHITECTURE.md - System design and data flow
- SIGMA_INTEGRATION.md - Sigma rule details
- USAGE_GUIDE.md - Complete usage guide
- API_REFERENCE.md - API documentation
# Run all tests
pytest
# With coverage
pytest --cov=src --cov-report=html
# Specific test file
pytest tests/test_hash_calculator.py -vFor each analyzed sample, the tool produces:
-
Sigma Rules (YAML format)
- Organized by MITRE technique
- Ready for SIEM deployment
-
SIEM Queries
- Splunk SPL queries
- Elasticsearch Lucene queries
- Azure Sentinel KQL queries
- QRadar AQL queries
-
Reports
- JSON with complete analysis data
- HTML with visualizations and summaries
-
Indicators of Compromise
- Hashes
- API imports
- Network indicators
- File paths
The tool maps behaviors to techniques including:
- T1547.001 - Registry Run Keys / Startup Folder
- T1055 - Process Injection
- T1059.001 - PowerShell
- T1059.003 - Windows Command Shell
- T1071 - Application Layer Protocol
- T1105 - Ingress Tool Transfer
- T1543.003 - Windows Service
- T1082 - System Information Discovery
- T1083 - File and Directory Discovery
- Threat Research - Quickly analyze malware and document detection rules
- Detection Engineering - Auto-generate rules from analysis for faster deployment
- SIEM Deployment - Generate ready-to-deploy rules for multiple platforms
- Security Training - Learn how malware analysis connects to detection
- Compliance - Document detections with MITRE mapping
This tool is designed for:
- ✅ Authorized security research
- ✅ Defensive security analysis
- ✅ Enterprise detection engineering
- ✅ CTF challenges and educational use
Always ensure proper authorization before analyzing samples.
This project is provided for educational and authorized security testing purposes.
Contributions are welcome! Areas for enhancement:
- Additional static analysis techniques
- More SIEM backend support
- Improved heuristics
- Additional test coverage
For detailed information, see the docs/ directory or check the inline code documentation.