Introducing Sigmalite. RunReveal's open source sigma rule evaluator for detection

submitted by
Style Pass
2024-09-05 14:00:06

Today RunReveal is announcing support for sigma detections within RunReveal's product and open-sourcing our sigma evaluation engine. RunReveal's sigma engine is being released under the Apache 2.0 license and is built for stream processing. These features are a core component of our pipeline and are fully integrated in RunReveal today!

RunReveal has integrated sigmalite into our pipeline to provide our customers with the ability to use the sigma rule format for detection within the RunReveal ecosystem. We believe our customers and the security community at large will benefit from the library being open-source by being able to embed sigmalite into their own data pipelines and perform detection outside of their SIEM!

The sigma project was released with the goal of being an open format that could be used to describe detections. The motivations behind Sigma are to make detections more portable, decrease switching costs between SIEM vendors, and increase collaboration between security teams. Most SIEM vendors today are actually selling a fancy database with proprietary indexes and a bunch of pre-built rules on top, which means the detections are usually rules written in the query language of the underlying database.

Sigma was designed to be agnostic to the underlying SIEM and solved this problem by writing translators between the sigma yaml format and a bunch of different target SIEM query languages. The yaml detection rules are passed to the sigma cli and the output is a detection rule in your SIEM's query format.
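A stream evaluator takes the other route the post describes for sigmalite: instead of translating the rule into a SIEM query, it applies the rule to each event as it arrives. The following is an added illustration of that idea, not sigmalite's code or API; it supports a subset of the Sigma detection syntax (field maps, value lists, the contains/startswith/endswith/all modifiers, and plain and/or/not conditions), and the rule and events are constructed samples, with the rule written as the dict a YAML parser would produce.

```python
import fnmatch

# Value modifiers from the Sigma field syntax "Field|modifier"; anything else is a glob match.
MODIFIERS = {
    "contains": lambda s, p: p in s,
    "startswith": lambda s, p: s.startswith(p),
    "endswith": lambda s, p: s.endswith(p),
}

def value_matches(value, pattern, modifiers):
    """Compare one field value with one pattern; Sigma string matching is case-insensitive."""
    s, p = str("" if value is None else value).lower(), str(pattern).lower()
    op = next((MODIFIERS[m] for m in modifiers if m in MODIFIERS), fnmatch.fnmatchcase)
    return op(s, p)

def selection_matches(selection, event):
    """Fields of a map are ANDed; a list of values is ORed unless the 'all' modifier is set."""
    for key, patterns in selection.items():
        field, *modifiers = key.split("|")
        patterns = patterns if isinstance(patterns, list) else [patterns]
        hits = [value_matches(event.get(field), p, modifiers) for p in patterns]
        if not (all(hits) if "all" in modifiers else any(hits)):
            return False
    return True

def rule_matches(rule, event):
    """Evaluate a condition of named selections joined by and/or, each optionally prefixed
    with 'not'; 'and' binds tighter than 'or'. Parentheses and 'N of' forms are not supported."""
    det = rule["detection"]
    def term(t):
        neg, name = t.startswith("not "), t.replace("not ", "", 1)
        return selection_matches(det[name], event) != neg
    return any(all(term(t.strip()) for t in clause.split(" and "))
               for clause in det["condition"].split(" or "))

RULE = {  # constructed sample rule, in the dict form a YAML parser yields for the Sigma file
    "title": "whoami launched from an interactive shell",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {"Image|endswith": "\\whoami.exe",
                      "ParentImage|endswith": ["\\cmd.exe", "\\powershell.exe"]},
        "filter": {"User|startswith": "NT AUTHORITY\\"},
        "condition": "selection and not filter",
    },
}

EVENTS = [  # constructed process-creation events, checked one at a time as a stream would
    {"Image": "C:\\Windows\\System32\\whoami.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "User": "CORP\\alice"},
    {"Image": "C:\\Windows\\System32\\whoami.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "User": "NT AUTHORITY\\SYSTEM"},
    {"Image": "C:\\Windows\\System32\\whoami.exe", "ParentImage": "C:\\Windows\\System32\\services.exe", "User": "CORP\\alice"},
]
```

Only the first event fires: the second is suppressed by the filter and the third fails the ParentImage part of the selection.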
