Sigma MCP Server

An MCP server that provides Sigma rule validation and configuration capabilities for AI assistants. It enables users to validate Sigma detection rules against various validators and manage validator configurations through MCP tools and resources.


README

Sigma MCP Server

An MCP server that exposes pySigma functionality to AI assistants and other MCP clients.

Features

Kind      Capability             Details
Tool      validate_rule          Validate a Sigma rule (YAML) against all configured validators
Tool      configure_validators   Persist a custom validator allow-list / exclusion-list for the current MCP session
Resource  sigma://validators     JSON dict of available validator identifiers → descriptions
Resource  sigma://modifiers      JSON list of available Sigma value modifier names

Requirements

  • Python ≥ 3.10
  • Poetry (for development / installation)

Installation

git clone <repo-url>
cd sigma-mcp-server
poetry install

Usage

Running the server

poetry run sigma-mcp-server
# or, after installation:
sigma-mcp-server

The server listens on stdio by default (standard MCP transport).

Configuring in VS Code / Claude Desktop

Add the following entry to your MCP client configuration (e.g. ~/.config/claude/claude_desktop_config.json):

{
  "mcpServers": {
    "sigma": {
      "command": "sigma-mcp-server"
    }
  }
}

Adjust the command path to the installed binary if it is not on PATH.


Tool Reference

validate_rule

Validate a single Sigma rule.

Arguments

Name       Type    Description
rule_yaml  string  Complete Sigma rule in YAML format

Returns

A JSON array of validation issue objects. Each object contains:

Key          Type           Description
validator    string         Validator identifier that produced the issue
type         string         Issue class name (e.g. IdentifierExistenceIssue)
severity     string         low, medium, or high
description  string         Human-readable description of the issue class
rules        array[string]  Rule IDs / titles affected by the issue

Additional subclass-specific fields (e.g. identifier) may also be present.

An empty array means the rule passed all active validators.


configure_validators

Persist a custom validator configuration for the current MCP session. All subsequent validate_rule calls within the same session will use this configuration.

Arguments

Name             Type                  Default      Description
validator_names  array[string] | null  null         Explicit allow-list of validator identifiers. null = use all.
exclusions       array[string] | null  null (= [])  Validator identifiers to exclude after the allow-list is applied.

Returns

On success: {"validator_names": ..., "exclusions": [...]} confirming the stored config.
On error: {"error": "<description>"} when an unknown identifier is supplied.

Example – exclude a single validator:

{"exclusions": ["identifier_existence"]}

Example – use only two validators:

{"validator_names": ["identifier_existence", "identifier_uniqueness"]}
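The following is an added example, not the project's own code: it models how the documented configure_validators semantics (allow-list first, then exclusions, error on unknown identifiers) feed into the validate_rule result shape, using a constructed two-entry validator registry. Rules are passed as already-parsed dicts here, whereas the real tool takes the YAML text.

```python
# Added illustration, not sigma-mcp-server code. REGISTRY, the two checks and
# the sample rules are constructed for this example.
from __future__ import annotations
from dataclasses import asdict, dataclass, field
from typing import Any, Callable


@dataclass
class Issue:
    # Fields mirror the documented validate_rule issue object.
    validator: str
    type: str
    severity: str
    description: str
    rules: list[str]
    extra: dict[str, Any] = field(default_factory=dict)  # subclass-specific keys

    def to_json(self) -> dict[str, Any]:
        d = asdict(self)
        d.update(d.pop("extra"))  # flatten e.g. "identifier" into the object
        return d


Validator = Callable[[dict[str, Any]], list[Issue]]


def identifier_existence(rule: dict[str, Any]) -> list[Issue]:
    if "id" in rule:
        return []
    return [Issue("identifier_existence", "IdentifierExistenceIssue", "medium",
                  "Rule has no identifier", [rule.get("title", "<untitled>")])]


def title_length(rule: dict[str, Any]) -> list[Issue]:
    title = rule.get("title", "")
    if len(title) <= 100:
        return []
    return [Issue("title_length", "TitleLengthIssue", "low",
                  "Title is too long", [title], {"length": len(title)})]


REGISTRY: dict[str, Validator] = {"identifier_existence": identifier_existence,
                                  "title_length": title_length}


def configure_validators(registry: dict[str, Validator],
                         validator_names: list[str] | None = None,
                         exclusions: list[str] | None = None) -> dict[str, Any]:
    """Mirror the tool contract: store the config, or return {"error": ...}."""
    exclusions = exclusions or []
    unknown = [n for n in (validator_names or []) + exclusions if n not in registry]
    if unknown:
        return {"error": "unknown validator identifier(s): " + ", ".join(unknown)}
    return {"validator_names": validator_names, "exclusions": exclusions}


def active_validators(registry: dict[str, Validator], config: dict[str, Any]) -> list[str]:
    names = config["validator_names"] if config["validator_names"] is not None else list(registry)
    return [n for n in names if n not in config["exclusions"]]  # allow-list, then exclusions


def validate_rule(registry: dict[str, Validator], config: dict[str, Any],
                  rule: dict[str, Any]) -> list[dict[str, Any]]:
    """Run every active validator; an empty list means the rule passed."""
    return [i.to_json() for n in active_validators(registry, config) for i in registry[n](rule)]
```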

Resource Reference

sigma://validators

Returns a JSON object mapping validator identifier strings to their human-readable descriptions. Validator identifiers are used with configure_validators.

Example response (truncated):

{
  "identifier_existence": "Checks if rule has identifier.",
  "identifier_uniqueness": "Check rule UUID uniqueness.",
  ...
}

sigma://modifiers

Returns a sorted JSON array of Sigma value modifier names that can be used in detection conditions (e.g. contains, startswith, re, base64).


Development

# Install dev dependencies
poetry install

# Run tests
poetry run pytest

# Run tests with coverage report
poetry run pytest --cov=sigma/mcp --cov-report=term-missing

# Type checking
poetry run mypy sigma/mcp/ tests/

# Code formatting
poetry run black sigma/ tests/ conftest.py

Test coverage must remain ≥ 95 %. All code must pass mypy --strict and be formatted with black in its default configuration.

License

MIT
