Sigma MCP Server
An MCP server that exposes pySigma functionality to AI assistants and other MCP clients.
Features
Capability | Details |
Tool | Validate a Sigma rule (YAML) against all configured validators |
Tool | Persist a custom validator allow-list / exclusion-list for the current MCP session |
Resource | JSON dict of available validator identifiers → descriptions |
Resource | JSON list of available Sigma value modifier names |
Requirements
Python ≥ 3.10
Poetry (for development / installation)
Installation
git clone <repo-url>
cd sigma-mcp-server
poetry install
Usage
Running the server
poetry run sigma-mcp-server
# or, after installation:
sigma-mcp-server
The server listens on stdio by default (standard MCP transport).
Configuring in VS Code / Claude Desktop
Add the following entry to your MCP client configuration (e.g.
~/.config/claude/claude_desktop_config.json):
{
  "mcpServers": {
    "sigma": {
      "command": "sigma-mcp-server"
    }
  }
}
Adjust the command path to the installed binary if it is not on PATH.
Tool Reference
validate_rule
Validate a single Sigma rule.
Arguments
Name | Type | Description |
|
| Complete Sigma rule in YAML format |
Returns
A JSON array of validation issue objects. Each object contains:
Key | Type | Description |
|
| Validator identifier that produced the issue |
|
| Issue class name (e.g. |
|
|
|
|
| Human-readable description of the issue class |
|
| Rule IDs / titles affected by the issue |
Additional subclass-specific fields (e.g. identifier) may also be present.
An empty array means the rule passed all active validators.
configure_validators
Persist a custom validator configuration for the current MCP session.
All subsequent validate_rule calls within the same session will use this
configuration.
Arguments
Name | Type | Default | Description |
|
|
| Explicit allow-list of validator identifiers. |
|
|
| Validator identifiers to exclude after the allow-list is applied. |
Returns
On success: {"validator_names": ..., "exclusions": [...]} confirming the stored config.
On error: {"error": "<description>"} when an unknown identifier is supplied.
Example – exclude a single validator:
{"exclusions": ["identifier_existence"]}
Example – use only two validators:
{"validator_names": ["identifier_existence", "identifier_uniqueness"]}
Resource Reference
sigma://validators
Returns a JSON object mapping validator identifier strings to their
human-readable descriptions. Validator identifiers are used with
configure_validators.
Example response (truncated):
{
  "identifier_existence": "Checks if rule has identifier.",
  "identifier_uniqueness": "Check rule UUID uniqueness.",
  ...
}
sigma://modifiers
Returns a sorted JSON array of Sigma value modifier names that can be used in
detection conditions (e.g. contains, startswith, re, base64).
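The configure_validators ordering and the sigma://validators lookup described above, as an added example that is not part of the project's code: a client-side pre-flight that resolves which validators would stay active for the session and builds the MCP tools/call request. The function names are hypothetical, the validator map is constructed from the two entries shown on this page, and the code assumes that an omitted allow-list selects every validator.

```python
import json

# Constructed sample: the two entries shown in the sigma://validators example.
KNOWN_VALIDATORS = {
    "identifier_existence": "Checks if rule has identifier.",
    "identifier_uniqueness": "Check rule UUID uniqueness.",
}


def effective_validators(known, validator_names=None, exclusions=None):
    """Resolve which validators would run: allow-list first, then exclusions.

    Assumption: an omitted allow-list (None) selects every known validator.
    Raises ValueError for identifiers missing from the sigma://validators map.
    """
    exclusions = list(exclusions or [])
    requested = list(known) if validator_names is None else list(validator_names)
    unknown = sorted(set(requested + exclusions) - set(known))
    if unknown:
        raise ValueError("unknown validator identifier(s): " + ", ".join(unknown))
    # Exclusions are applied after the allow-list, so an excluded name never runs.
    return [name for name in requested if name not in exclusions]


def configure_request(request_id, validator_names=None, exclusions=None):
    """Build the MCP JSON-RPC 2.0 tools/call message for configure_validators."""
    arguments = {}
    if validator_names is not None:
        arguments["validator_names"] = list(validator_names)
    if exclusions:
        arguments["exclusions"] = list(exclusions)
    return {
        "jsonrpc": "2.0",
        "id": request_id,
        "method": "tools/call",
        "params": {"name": "configure_validators", "arguments": arguments},
    }


if __name__ == "__main__":
    # Show which checks remain once identifier_existence is excluded.
    active = effective_validators(KNOWN_VALIDATORS, exclusions=["identifier_existence"])
    print("validators that remain active:", active)
    print(json.dumps(configure_request(1, exclusions=["identifier_existence"])))
```

Because the configuration persists for the whole session, printing the resolved set before sending makes it visible when an exclusion has switched off a check that later validate_rule results silently depend on.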
Development
# Install dev dependencies
poetry install
# Run tests
poetry run pytest
# Run tests with coverage report
poetry run pytest --cov=sigma/mcp --cov-report=term-missing
# Type checking
poetry run mypy sigma/mcp/ tests/
# Code formatting
poetry run black sigma/ tests/ conftest.py
Test coverage must remain ≥ 95 %. All code must pass mypy --strict and be
formatted with black in its default configuration.
License
MIT