Pre-compiled Sigma rules converted to Zircolite JSON format, updated daily.
This repository automatically converts the SigmaHQ detection rules into JSON rulesets compatible with Zircolite, a standalone SIGMA-based detection tool for EVTX, Auditd, and Sysmon for Linux logs.
The repository provides four ruleset types, each filtered by severity level (informational, low, medium, high, critical):
For use with Sysmon event logs:
| File | Description |
|---|---|
rules_windows_sysmon.json |
All severity levels |
rules_windows_sysmon_medium.json |
Medium, High, and Critical only |
rules_windows_sysmon_high.json |
High and Critical only |
For use with standard Windows event logs:
| File | Description |
|---|---|
rules_windows_generic.json |
All severity levels |
rules_windows_generic_medium.json |
Medium, High, and Critical only |
rules_windows_generic_high.json |
High and Critical only |
Combined Windows ruleset: Sysmon and Generic rules merged and deduplicated by rule ID. Use when you have both Sysmon and Windows audit logs.
| File | Description |
|---|---|
rules_windows_merged.json |
All severity levels |
rules_windows_merged_medium.json |
Medium, High, and Critical only |
rules_windows_merged_high.json |
High and Critical only |
For use with Linux logs (e.g. Auditd, Sysmon for Linux):
| File | Description |
|---|---|
rules_linux.json |
All severity levels |
rules_linux_medium.json |
Medium, High, and Critical only |
rules_linux_high.json |
High and Critical only |
Download the ruleset you need and use it with Zircolite:
# Using Sysmon rules
python3 zircolite.py --evtx logs/ --ruleset rules_windows_sysmon.json
# Using generic Windows rules (high severity only)
python3 zircolite.py --evtx logs/ --ruleset rules_windows_generic_high.json
# Using merged rules (Sysmon + Generic, high severity only)
python3 zircolite.py --evtx logs/ --ruleset rules_windows_merged_high.json
# Using Linux rules
python3 zircolite.py --auditd logs/ --ruleset rules_linux.jsonYou can download the latest rulesets directly:
# Sysmon rulesets
curl -O https://raw.githubusercontent.com/wagga40/Zircolite-Rules/main/rules_windows_sysmon.json
curl -O https://raw.githubusercontent.com/wagga40/Zircolite-Rules/main/rules_windows_sysmon_medium.json
curl -O https://raw.githubusercontent.com/wagga40/Zircolite-Rules/main/rules_windows_sysmon_high.json
# Generic rulesets
curl -O https://raw.githubusercontent.com/wagga40/Zircolite-Rules/main/rules_windows_generic.json
curl -O https://raw.githubusercontent.com/wagga40/Zircolite-Rules/main/rules_windows_generic_medium.json
curl -O https://raw.githubusercontent.com/wagga40/Zircolite-Rules/main/rules_windows_generic_high.json
# Merged rulesets (Sysmon + Generic)
curl -O https://raw.githubusercontent.com/wagga40/Zircolite-Rules/main/rules_windows_merged.json
curl -O https://raw.githubusercontent.com/wagga40/Zircolite-Rules/main/rules_windows_merged_medium.json
curl -O https://raw.githubusercontent.com/wagga40/Zircolite-Rules/main/rules_windows_merged_high.json
# Linux rulesets
curl -O https://raw.githubusercontent.com/wagga40/Zircolite-Rules/main/rules_linux.json
curl -O https://raw.githubusercontent.com/wagga40/Zircolite-Rules/main/rules_linux_medium.json
curl -O https://raw.githubusercontent.com/wagga40/Zircolite-Rules/main/rules_linux_high.json- Sigma Rules: The official SigmaHQ rules repository is included as a Git submodule (Windows rules from
sigma/rules/windows/, Linux fromsigma/rules/linux/). - pySigma Backend: Uses pySigma-backend-sqlite to convert Sigma YAML rules to Zircolite's JSON format.
- Pipelines: Applies appropriate field mappings via pySigma pipelines:
- Sysmon:
sysmon_pipeline+windows_logsource_pipeline - Generic:
windows_audit_pipeline+windows_logsource_pipeline - Linux: No pipeline (rules converted as-is).
- Sysmon:
- Merged ruleset: Sysmon and Generic rulesets are merged and deduplicated by rule ID (same ID + same SQL → keep generic; same ID + different SQL → keep both with "- Sysmon" / "- Generic" in the title).
- Filtering: Rules are sorted and filtered by severity level (informational, low, medium, high, critical). Windows Sysmon and Generic rules with no channel are excluded and listed in
*_no_channel.log.
A GitHub Actions workflow runs daily at 1:00 AM UTC to:
- Pull the latest Sigma rules from SigmaHQ
- Convert Windows rules (Sysmon, Generic, and Merged) and Linux rules to Zircolite format
- Commit and push updated rulesets
Each ruleset generation produces a detailed log file (*_conversion.log) containing:
- Total rules processed
- Success/failure counts and rates
- List of failed rules with error messages
- List of successfully converted rules
Rules with no channel (Windows Sysmon/Generic only) are listed in *_no_channel.log.
Ensure the sigma submodule is initialized, then run:
python gen_ruleset.pyThis generates all Sysmon, Generic, Merged, and Linux rulesets plus their level-filtered variants and conversion logs.
- Zircolite - SIGMA-based detection tool
- Sigma - Generic signature format for SIEM systems
- pySigma - Python library for Sigma rule handling
MIT License - See LICENSE for details.