Aiwg sigma-hunting

Apply Sigma rules against log sources for threat hunting; convert rules to Elasticsearch, Splunk, and grep queries

install

source · Clone the upstream repo

git clone https://github.com/jmagly/aiwg

Claude Code · Install into ~/.claude/skills/

T=$(mktemp -d) && git clone --depth=1 https://github.com/jmagly/aiwg "$T" && mkdir -p ~/.claude/skills && cp -r "$T/.agents/skills/sigma-hunting" ~/.claude/skills/jmagly-aiwg-sigma-hunting && rm -rf "$T"

manifest: .agents/skills/sigma-hunting/SKILL.md

source content

sigma-hunting

Applies Sigma detection rules against collected log sources to identify threat activity. Supports the bundled forensics-complete Sigma rule library and custom rules. Converts Sigma rules to backend-specific queries for Elasticsearch, Splunk, and grep, enabling hunting across both real-time platforms and offline log files.

Triggers

Alternate expressions and non-obvious activations (primary phrases are matched automatically from the skill description):

"ATT&CK [technique]" / "MITRE [TID]" → technique-specific threat hunt
"T1059" / "T1053" (etc.) → ATT&CK technique ID lookups
"Sigma rules" → rule-based threat hunting

Purpose

Sigma provides a vendor-neutral rule format for expressing detection logic. Writing backend-specific queries for every log source and SIEM is time-consuming and error-prone. This skill translates Sigma rules to the appropriate query format for the available tooling, applies them against collected logs, and reports matches with ATT&CK technique context.

Behavior

When triggered, this skill:

Identify available rule sources:
- Bundled rules:
```
agentic/code/frameworks/forensics-complete/sigma/
```
- Custom rules:
```
.aiwg/forensics/sigma/custom/
```
- Check for sigma-cli or pySigma installation:
```
sigma --version 2>/dev/null
```
- If sigma-cli is unavailable, use built-in grep-based conversion for simple rules
Identify target log sources and backends:
- Detect available log sources: journald, flat files, Elasticsearch index, Splunk index
- Match Sigma
```
logsource
```
  categories to available sources:
  - ```
  category: process_creation
```
  → syslog, auditd logs, or EDR telemetry
- ```
category: network_connection
```
    → firewall logs, VPC flow logs, Zeek conn.log
  - ```
  category: webserver
```
  → nginx/Apache access logs
- ```
product: linux
```
    → auth.log, syslog, journal
  - ```
  product: windows
```
  → Windows Event Log exports (.evtx or JSON)
Select applicable rules:
- Filter rule library by
```
logsource
```
  compatibility with available sources
- If a specific MITRE technique is requested (e.g., "hunt for T1059"), filter by
```
tags: attack.t1059*
```
- Apply severity filter: default to
```
medium
```
  ,
```
high
```
  ,
```
critical
```
  rules only
- List selected rules and their ATT&CK technique mappings before execution
Convert rules to grep (offline log files):
- Parse Sigma YAML detection field
- Convert
```
selection
```
  keywords to extended grep patterns:
```
grep -Ei 'pattern1|pattern2' /var/log/auth.log
```
- Handle
```
condition: selection and not filter
```
  by piping through a second grep with
```
-v
```
- Note: grep conversion handles keyword-only rules; complex field-mapped rules require sigma-cli

Convert rules via sigma-cli (when available):

Elasticsearch backend:

sigma convert -t elasticsearch -f lucene rules/sigma/linux/ > hunt-queries.txt

Splunk backend:

sigma convert -t splunk rules/sigma/linux/ > hunt-spl.txt

Execute converted queries against the target index or log source

Execute hunts and collect matches:
- Run each rule against the target log source
- Record: rule name, ATT&CK technique, match count, first and last match timestamp, sample matching lines
- Group results by ATT&CK tactic for reporting
Triage matches:
- Flag rules with zero matches (coverage gap) vs rules with matches (hits)
- For each hit: extract relevant fields (source IP, username, process name, command line)
- Cross-reference extracted values with IOC list from
```
ioc-extraction
```
  skill
Apply custom rules:
- Load any
```
.yml
```
  files from
```
.aiwg/forensics/sigma/custom/
```
- Validate YAML structure and required Sigma fields before execution
- Report custom rule coverage alongside bundled rule results
Write hunt report:
- Save to
```
.aiwg/forensics/findings/<hostname>-sigma-hunt.md
```
- Include: rules applied, hits per rule, ATT&CK tactic coverage map, sample evidence per hit, coverage gaps

Usage Examples

Example 1 — Full hunt against local logs

sigma hunt

Example 2 — Hunt for specific technique

hunt for T1078

Example 3 — Convert rules for Elasticsearch

sigma rules --backend elasticsearch --output hunt-queries.txt

Output Locations

Hunt report:

.aiwg/forensics/findings/<hostname>-sigma-hunt.md

Converted queries:
```
.aiwg/forensics/sigma/converted/
```
Rule hit evidence:
```
.aiwg/forensics/evidence/sigma-hits.txt
```

Configuration

sigma_hunting:
  bundled_rules_path: agentic/code/frameworks/forensics-complete/sigma/
  custom_rules_path: .aiwg/forensics/sigma/custom/
  default_severity_filter:
    - medium
    - high
    - critical
  default_backend: grep
  available_backends:
    - grep
    - elasticsearch
    - splunk
  sigma_cli_path: sigma

References

@$AIWG_ROOT/agentic/code/addons/aiwg-utils/rules/research-before-decision.md — Identify available log sources and rule libraries before executing hunts; check tool availability
@$AIWG_ROOT/agentic/code/frameworks/forensics-complete/rules/evidence-integrity.md — Hunting must not modify log sources; run rules against read-only copies
@$AIWG_ROOT/agentic/code/frameworks/forensics-complete/rules/red-flag-escalation.md — Escalate to human when Sigma hits indicate active compromise or critical severity findings
@$AIWG_ROOT/agentic/code/frameworks/forensics-complete/skills/ioc-extraction/SKILL.md — Cross-reference Sigma rule hits against extracted IOCs for confirmation
@$AIWG_ROOT/agentic/code/frameworks/forensics-complete/skills/log-analysis/SKILL.md — Log analysis skill provides the correlated timeline that Sigma hunting adds detection coverage to