Sigma MCP Server

An MCP server that exposes pySigma functionality to AI assistants and other MCP clients.

Features

| Capability | Details | |---|---| | Tool validate_rule | Validate a Sigma rule (YAML) against all configured validators | | Tool configure_validators | Persist a custom validator allow-list / exclusion-list for the current MCP session | | Resource sigma://validators | JSON dict of available validator identifiers → descriptions | | Resource sigma://modifiers | JSON list of available Sigma value modifier names |

Requirements

Python ≥ 3.10
Poetry (for development / installation)

Installation

git clone <repo-url>
cd sigma-mcp-server
poetry install

Usage

Running the server

poetry run sigma-mcp-server
# or, after installation:
sigma-mcp-server

The server listens on stdio by default (standard MCP transport).

Configuring in VS Code / Claude Desktop

Add the following entry to your MCP client configuration (e.g. ~/.config/claude/claude_desktop_config.json):

{
  "mcpServers": {
    "sigma": {
      "command": "sigma-mcp-server"
    }
  }
}

Adjust the command path to the installed binary if it is not on PATH.

Tool Reference

`validate_rule`

Validate a single Sigma rule.

Arguments

| Name | Type | Description | |---|---|---| | rule_yaml | string | Complete Sigma rule in YAML format |

Returns

A JSON array of validation issue objects. Each object contains:

| Key | Type | Description | |---|---|---| | validator | string | Validator identifier that produced the issue | | type | string | Issue class name (e.g. IdentifierExistenceIssue) | | severity | string | low, medium, or high | | description | string | Human-readable description of the issue class | | rules | array[string] | Rule IDs / titles affected by the issue |

Additional subclass-specific fields (e.g. identifier) may also be present.

An empty array means the rule passed all active validators.

`configure_validators`

Persist a custom validator configuration for the current MCP session. All subsequent validate_rule calls within the same session will use this configuration.

Arguments

| Name | Type | Default | Description | |---|---|---|---| | validator_names | array[string] \| null | null | Explicit allow-list of validator identifiers. null = use all. | | exclusions | array[string] \| null | null (= []) | Validator identifiers to exclude after the allow-list is applied. |

Returns

On success: {"validator_names": ..., "exclusions": [...]} confirming the stored config.
On error: {"error": "<description>"} when an unknown identifier is supplied.

Example – exclude a single validator:

{"exclusions": ["identifier_existence"]}

Example – use only two validators:

{"validator_names": ["identifier_existence", "identifier_uniqueness"]}

Resource Reference

`sigma://validators`

Returns a JSON object mapping validator identifier strings to their human-readable descriptions. Validator identifiers are used with configure_validators.

Example response (truncated):

{
  "identifier_existence": "Checks if rule has identifier.",
  "identifier_uniqueness": "Check rule UUID uniqueness.",
  ...
}

`sigma://modifiers`

Returns a sorted JSON array of Sigma value modifier names that can be used in detection conditions (e.g. contains, startswith, re, base64).

Development

# Install dev dependencies
poetry install

# Run tests
poetry run pytest

# Run tests with coverage report
poetry run pytest --cov=sigma/mcp --cov-report=term-missing

# Type checking
poetry run mypy sigma/mcp/ tests/

# Code formatting
poetry run black sigma/ tests/ conftest.py

Test coverage must remain ≥ 95 %. All code must pass mypy --strict and be formatted with black in its default configuration.

License

MIT

MCP Servers