jmagly/sigma-hunting
agentic/code/frameworks/forensics-complete/skills/sigma-hunting/SKILL.md
Apply Sigma rules against log sources for threat hunting; convert rules to Elasticsearch, Splunk, and grep queries
$ install --global
skillsauthnpx skillsauth add jmagly/aiwg sigma-huntingInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 28, 2026, 12:21 PM204.6s1 file scanned
SKILL.md
- namespace:
- aiwg
- name:
- sigma-hunting
- description:
- Apply Sigma rules against log sources for threat hunting; convert rules to Elasticsearch, Splunk, and grep queries
- tools:
- Bash, Read, Write, Glob, Grep
- platforms:
- [all]
sigma-hunting
Applies Sigma detection rules against collected log sources to identify threat activity. Supports the bundled forensics-complete Sigma rule library and custom rules. Converts Sigma rules to backend-specific queries for Elasticsearch, Splunk, and grep, enabling hunting across both real-time platforms and offline log files.
Triggers
Alternate expressions and non-obvious activations (primary phrases are matched automatically from the skill description):
- "ATT&CK [technique]" / "MITRE [TID]" → technique-specific threat hunt
- "T1059" / "T1053" (etc.) → ATT&CK technique ID lookups
- "Sigma rules" → rule-based threat hunting
Purpose
Sigma provides a vendor-neutral rule format for expressing detection logic. Writing backend-specific queries for every log source and SIEM is time-consuming and error-prone. This skill translates Sigma rules to the appropriate query format for the available tooling, applies them against collected logs, and reports matches with ATT&CK technique context.
Behavior
When triggered, this skill:
-
Identify available rule sources:
- Bundled rules:
agentic/code/frameworks/forensics-complete/sigma/ - Custom rules:
.aiwg/forensics/sigma/custom/ - Check for sigma-cli or pySigma installation:
sigma --version 2>/dev/null - If sigma-cli is unavailable, use built-in grep-based conversion for simple rules
- Bundled rules:
-
Identify target log sources and backends:
- Detect available log sources: journald, flat files, Elasticsearch index, Splunk index
- Match Sigma
logsourcecategories to available sources:category: process_creation→ syslog, auditd logs, or EDR telemetrycategory: network_connection→ firewall logs, VPC flow logs, Zeek conn.logcategory: webserver→ nginx/Apache access logsproduct: linux→ auth.log, syslog, journalproduct: windows→ Windows Event Log exports (.evtx or JSON)
-
Select applicable rules:
- Filter rule library by
logsourcecompatibility with available sources - If a specific MITRE technique is requested (e.g., "hunt for T1059"), filter by
tags: attack.t1059* - Apply severity filter: default to
medium,high,criticalrules only - List selected rules and their ATT&CK technique mappings before execution
- Filter rule library by
-
Convert rules to grep (offline log files):
- Parse Sigma YAML detection field
- Convert
selectionkeywords to extended grep patterns:grep -Ei 'pattern1|pattern2' /var/log/auth.log - Handle
condition: selection and not filterby piping through a second grep with-v - Note: grep conversion handles keyword-only rules; complex field-mapped rules require sigma-cli
-
Convert rules via sigma-cli (when available):
- Elasticsearch backend:
sigma convert -t elasticsearch -f lucene rules/sigma/linux/ > hunt-queries.txt - Splunk backend:
sigma convert -t splunk rules/sigma/linux/ > hunt-spl.txt - Execute converted queries against the target index or log source
- Elasticsearch backend:
-
Execute hunts and collect matches:
- Run each rule against the target log source
- Record: rule name, ATT&CK technique, match count, first and last match timestamp, sample matching lines
- Group results by ATT&CK tactic for reporting
-
Triage matches:
- Flag rules with zero matches (coverage gap) vs rules with matches (hits)
- For each hit: extract relevant fields (source IP, username, process name, command line)
- Cross-reference extracted values with IOC list from
ioc-extractionskill
-
Apply custom rules:
- Load any
.ymlfiles from.aiwg/forensics/sigma/custom/ - Validate YAML structure and required Sigma fields before execution
- Report custom rule coverage alongside bundled rule results
- Load any
-
Write hunt report:
- Save to
.aiwg/forensics/findings/<hostname>-sigma-hunt.md - Include: rules applied, hits per rule, ATT&CK tactic coverage map, sample evidence per hit, coverage gaps
- Save to
Usage Examples
Example 1 — Full hunt against local logs
sigma hunt
Example 2 — Hunt for specific technique
hunt for T1078
Example 3 — Convert rules for Elasticsearch
sigma rules --backend elasticsearch --output hunt-queries.txt
Output Locations
- Hunt report:
.aiwg/forensics/findings/<hostname>-sigma-hunt.md - Converted queries:
.aiwg/forensics/sigma/converted/ - Rule hit evidence:
.aiwg/forensics/evidence/sigma-hits.txt
Configuration
sigma_hunting:
bundled_rules_path: agentic/code/frameworks/forensics-complete/sigma/
custom_rules_path: .aiwg/forensics/sigma/custom/
default_severity_filter:
- medium
- high
- critical
default_backend: grep
available_backends:
- grep
- elasticsearch
- splunk
sigma_cli_path: sigma
References
- @$AIWG_ROOT/agentic/code/addons/aiwg-utils/rules/research-before-decision.md — Identify available log sources and rule libraries before executing hunts; check tool availability
- @$AIWG_ROOT/agentic/code/frameworks/forensics-complete/rules/evidence-integrity.md — Hunting must not modify log sources; run rules against read-only copies
- @$AIWG_ROOT/agentic/code/frameworks/forensics-complete/rules/red-flag-escalation.md — Escalate to human when Sigma hits indicate active compromise or critical severity findings
- @$AIWG_ROOT/agentic/code/frameworks/forensics-complete/skills/ioc-extraction/SKILL.md — Cross-reference Sigma rule hits against extracted IOCs for confirmation
- @$AIWG_ROOT/agentic/code/frameworks/forensics-complete/skills/log-analysis/SKILL.md — Log analysis skill provides the correlated timeline that Sigma hunting adds detection coverage to
Related Skills
jmagly/radar-status
data-ai
VerifiedTrustedCommunity
Report which research-corpus radar sidecars are overdue for refresh. Computes staleness (days since last refresh vs the cadence window) for every radar, sorted most-overdue-first. Runs via `aiwg corpus radar-status`.
140SKILL.mdUpdated May 28, 2026
jmagly/radar-report
data-ai
VerifiedTrustedCommunity
Aggregate research-corpus radar sidecars into a corpus or per-cluster freshness report — totals, overdue count, per-cluster / per-GRADE / per-trajectory breakdowns, an overdue table, and per-radar rationale snippets. Runs via `aiwg corpus radar-report`.
140SKILL.mdUpdated May 28, 2026
jmagly/radar-init
testing
VerifiedTrustedCommunity
Scaffold radar/freshness sidecars for research-corpus REFs. Pulls title/authors from the citation sidecar and GRADE from the analysis doc, defaults the refresh cadence from GRADE and the cluster from a corpus-local map, and stamps documentation/radar/REF-XXX-radar.md. Runs via `aiwg corpus radar-init`.
140SKILL.mdUpdated May 28, 2026
jmagly/profile-temporal
data-ai
VerifiedTrustedCommunity
Compute an entity's publication trajectory — per-year paper counts, topic drift, hot-streak detection (≥3 consecutive A-grade years), and career phase. Runs via `aiwg corpus profile-temporal`.
140SKILL.mdUpdated May 28, 2026