Python utilities I use to operate detection content as code: convert Sigma rules between SIEM backends, score MITRE ATT&CK coverage, validate rule metadata, generate test telemetry, and normalize logs.
These are intended as small, focused tools — each one does a single job well, reads its inputs from stdin or --file, and writes structured output suitable for piping into the next tool.
| Script | One-liner | Reads | Writes |
|---|---|---|---|
| sigma_to_sentinel | Convert a Sigma rule to a Sentinel analytic rule (KQL + ARM template) | Sigma YAML | ARM JSON |
| attack_coverage | Build an ATT&CK Navigator layer from a folder of Sigma rules | Sigma YAML | Navigator JSON |
| rule_validator | Lint Sigma rules — schema, UUIDs, naming, required tags | Sigma YAML | Pass/fail report |
| telemetry_generator | Emit synthetic Sysmon-style events to test detections | Template YAML | JSONL events |
| log_normalizer | Map raw Windows/Linux/JSON logs to ECS-style fields | Raw logs | ECS JSON |
```shell
git clone https://github.com/liliyke/detection-tooling
cd detection-tooling
uv sync
```

If you're on plain pip:

```shell
python -m venv .venv && source .venv/bin/activate
pip install -e ".[dev]"
```

Each tool exposes a CLI named after the module:
```shell
uv run sigma-to-sentinel --rule path/to/rule.yml --out converted/
uv run attack-coverage --rules-dir ../detection-rules/rules > navigator_layer.json
uv run rule-validator --rules-dir ../detection-rules/rules
uv run telemetry-generator --template templates/lsass_access.yml --count 10 > events.jsonl
uv run log-normalizer --input /var/log/auth.log --source linux_auth > normalized.jsonl
```

`--help` on any one lists every flag.
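To show what the attack-coverage step is doing under the hood, here is an added example (written for this README, not the tool's own source) that maps Sigma `attack.tXXXX.YYY` tags to ATT&CK technique IDs and emits a Navigator layer scored by the number of rules per technique; the Navigator version strings and the sample rules are assumed and constructed.

```python
import json
import re
from collections import defaultdict

# Sigma tags a technique as "attack.t1003.001" (lowercase, sub-technique optional);
# Navigator wants "T1003.001". Tactic tags like "attack.credential_access" are skipped.
TECHNIQUE_TAG = re.compile(r"^attack\.(t\d{4}(?:\.\d{3})?)$")


def technique_ids(rule):
    """Return the ATT&CK technique IDs referenced by one Sigma rule's tags."""
    ids = []
    for tag in rule.get("tags") or []:
        match = TECHNIQUE_TAG.match(str(tag).strip().lower())
        if match:
            ids.append(match.group(1).upper())
    return ids


def build_layer(rules, name="Sigma coverage"):
    """Build a Navigator layer whose per-technique score is the number of rules."""
    titles_by_tid = defaultdict(list)
    for rule in rules:
        for tid in set(technique_ids(rule)):  # a rule counts once per technique
            titles_by_tid[tid].append(rule.get("title", "untitled"))
    techniques = [
        {"techniqueID": tid, "score": len(titles), "comment": "; ".join(sorted(titles))}
        for tid, titles in sorted(titles_by_tid.items())
    ]
    top = max((t["score"] for t in techniques), default=1)
    return {
        "name": name,
        "domain": "enterprise-attack",
        # Assumed Navigator/layer version strings; set them to match your Navigator build.
        "versions": {"layer": "4.5", "navigator": "4.9.1"},
        "techniques": techniques,
        "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": top},
    }


# Constructed sample rules: the dicts yaml.safe_load() would return for four Sigma files.
SAMPLE_RULES = [
    {"title": "LSASS Memory Access", "tags": ["attack.credential_access", "attack.t1003.001"]},
    {"title": "Procdump LSASS Dump", "tags": ["attack.credential_access", "attack.t1003.001"]},
    {"title": "Scheduled Task Creation", "tags": ["attack.persistence", "attack.t1053.005"]},
    {"title": "Suspicious Logon", "tags": ["attack.initial_access"]},  # tactic only: no technique
]

if __name__ == "__main__":
    print(json.dumps(build_layer(SAMPLE_RULES), indent=2))
```

Techniques that no rule tags are simply absent from the layer, which is what makes the coverage gaps visible when the layer is loaded into Navigator.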
Run the tests with:

```shell
uv run pytest -q
```

CI runs the same. Tests cover happy-path conversion, schema validation, and one round-trip per backend.
License: MIT.