WRG Sigma Rules — Anthropic Claude Code Plugin

Status: Production-ready. Pending submission to Anthropic community marketplace (target 2026-05-25).

Production-grade sigma detection rule writing, validation, and conversion for SOC analysts, threat-intel teams, and detection engineers using Claude Code.

TL;DR

  • 3 MCP tools: draft_rule (NL → sigma YAML) + validate_rule (pySigma + best-practice linter) + convert_rule (sigma → Splunk/Elastic/Wazuh/Kibana query)

  • 3 Claude Code skills: sigma-rule-writer + sigma-rule-reviewer + threat-coverage-gap-analyzer

  • 61 production sigma rule corpus: 11 ATT&CK tactic categories (templates + observed campaign rules)

  • Multi-backend conversion: Splunk SPL, Elastic Lucene, Wazuh, Kibana verified (pySigma 1.x + 2 backend packages)

  • WRG ecosystem anchor: 6+ months threat-intel discipline + 100+ actor TTP corpus + observed_* rules (Mini Shai-Hulud npm worm, Nx campaign 4-vector cluster, SOCKS5 silent-fix, ClawHavoc Claude Skills, Lazarus, LockBit, LAPSUS, AI-fingerprint)

  • Live demo: see DEMO.md for end-to-end tool invocation on Mini Shai-Hulud rule (Item 10 evidence; pySigma 1.x + Splunk + Elastic real output)

Why this plugin exists

The sigma-rule niche in the Anthropic Claude Code plugin marketplace is empty (verified 2026-05-23: 200+ plugins, 0 sigma-focused, 1 generic security plugin). The SOC and threat-intel community has latent demand for fast, quality-aware rule-writing tools integrated with LLM workflows.

WRG (WinstonRedGuard) has accumulated 6+ months of threat-intel infrastructure: 61 canonical sigma rules + actor catalog + pySigma integration + Pattern-driven detection-engineering discipline. This plugin packages that capability for the broader Anthropic ecosystem.

What's included

MCP tools (3)

  • wrg__sigma__draft_rule — NL description → sigma YAML scaffold

  • wrg__sigma__validate_rule — YAML schema + pySigma compat + best-practice linter

  • wrg__sigma__convert_rule — sigma → Splunk/Elastic/Wazuh/Kibana query

Claude Code skills (3)

  • sigma-rule-writer — guided rule writing workflow

  • sigma-rule-reviewer — paste rule for quality review + improvement suggestions

  • threat-coverage-gap-analyzer — MITRE ATT&CK coverage analysis vs your existing corpus

Sigma rule corpus (61 production rules across 11 ATT&CK tactic categories)

| Tactic | Coverage |
| --- | --- |
| credential_access | templates + observed (LAPSUS T1110 correlation, Kali365 OAuth device-code phishing T1528, Mimikatz LSASS) |
| command_and_control | template T1071 + observed Mini Shai-Hulud npm supply-chain C2 T1071 (Nx campaign cluster) |
| defense_evasion | templates + observed (AlphV T1027 obfuscation) |
| execution | templates + observed (AlphV T1059.001) |
| exfiltration | templates + observed SOCKS5 hostname null-byte egress T1041 (Claude Code v2.0.24-v2.1.89 silent-fix; +backslash extension variant) |
| impact | templates + observed (Lazarus + LockBit BTC + Nullsec Nigeria T1491 defacement) |
| initial_access | templates + observed Nx campaign 4-vector (s1ngularity npm token exfil, nx-console VS Code extension compromise, ClawHavoc Claude Skills T1195.002) + LAPSUS T1078 + OWASP lab-validated (SQLi auth-bypass, XSS reflected, path traversal) |
| lateral_movement | templates (RDP EventID 4624 + SMB admin shares) |
| resource_development | templates (newly registered domain + lookalike domain + social media signup) |
| collection | templates (archive utility staging + SharePoint access) |
| code_review | 5 AI-fingerprint observed rules (ANSI-color class, decoy block, docstring density, hallucinated CVSS, prompt artifacts) |

See resources/examples/INDEX.json for full enumeration.

Resources

  • wrg-sigma://patterns/canonical-5 — canonical detection-pattern definitions

  • wrg-sigma://coverage/mitre-attack-matrix — corpus coverage state

Installation

Via Anthropic Claude Code community marketplace (post-merge)

/plugin install wrg-sigma-rules

Direct from this repo

git clone https://github.com/WRG-11/wrg-sigma-rules.git
# Follow Claude Code plugin install path per https://code.claude.com/docs/en/plugins

Quality discipline

  • 4-Layer self-audit per WRG audit methodology (Pattern 18 v1.1 trust-but-verify sister); see .claude-plugin/AUDIT-SELF.md

  • 7 Python test modules covering rule validation + tool integration smoke

  • pySigma 1.x compat + multi-backend conversion verified (pysigma-backend-splunk + pysigma-backend-elasticsearch)

  • LLM-safe output discipline: ASCII-only output + error-path structure preserve (Pattern 34 v1.1 sister)

  • claude plugin validate PASS (verified 2026-05-25 post-merge on Claude Code 2.1.149)

  • Live demo evidence: DEMO.md — 3 real tool invocations on Mini Shai-Hulud rule (Item 10)

Tested environments

  • Windows 11 + Claude Code 2.1.149

  • WSL2 Ubuntu 24.04

Contributing

Sigma rule contributions welcome. Submit YAML to resources/examples/<tactic>/ with:

  • ATT&CK TTP mapping in tags: field (e.g., attack.t1071)

  • observed_* prefix for incident-specific rules

  • template_* prefix for canonical pattern templates

  • pySigma validation passing via wrg__sigma__validate_rule
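The validate_rule tool and the contribution checklist above describe what a submitted rule must carry. The following is an added example, not the plugin's own code: a standard-library linter for that checklist (observed_/template_ filename prefix, an ATT&CK technique tag, the required sigma fields, and a condition that only references defined selections). It assumes the rule has already been loaded from YAML into a dict; the two sample rules and their paths are constructed.

```python
# Added example, not the plugin's own validate_rule tool: a stdlib re-implementation
# of the README's contribution checklist. A real run would yaml.safe_load() the file.
import re
from fnmatch import fnmatch
from pathlib import PurePosixPath

ATTACK_TECHNIQUE = re.compile(r"attack\.t\d{4}(?:\.\d{3})?")  # attack.t1071, attack.t1195.002
REQUIRED_FIELDS = ("title", "logsource", "detection", "level")
NAME_PREFIXES = ("observed_", "template_")
CONDITION_KEYWORDS = {"and", "or", "not", "of", "all", "them"}


def lint_rule(path: str, rule: dict) -> list[str]:
    """Return findings for one rule; an empty list means it passes the checklist."""
    findings = []
    name = PurePosixPath(path).name
    if not name.startswith(NAME_PREFIXES):
        findings.append(f"filename must start with observed_ or template_: {name}")
    for field in REQUIRED_FIELDS:
        if field not in rule:
            findings.append(f"missing required field: {field}")
    if not any(ATTACK_TECHNIQUE.fullmatch(str(t)) for t in rule.get("tags") or []):
        findings.append("tags: no ATT&CK technique tag (e.g. attack.t1071)")
    detection = rule.get("detection") or {}
    condition = detection.get("condition")
    if not isinstance(condition, str):
        findings.append("detection.condition is missing")
        return findings
    defined = [k for k in detection if k != "condition"]
    # Each identifier in the condition (wildcards allowed, as in '1 of selection_*') must match a defined selection.
    for token in re.findall(r"[A-Za-z_][A-Za-z0-9_*]*", condition):
        if token not in CONDITION_KEYWORDS and not any(fnmatch(s, token) for s in defined):
            findings.append(f"condition references undefined selection: {token}")
    return findings


# Constructed sample shaped the way the corpus expects a template_* rule.
GOOD_RULE = {
    "title": "Template - Outbound beaconing to a newly registered domain",
    "logsource": {"category": "proxy"},
    "detection": {"selection": {"c-uri|contains": "/api/", "cs-host|endswith": ".example"},
                  "filter_known": {"cs-host": "updates.example"},
                  "condition": "selection and not filter_known"},
    "level": "medium",
    "tags": ["attack.command_and_control", "attack.t1071"],
}
# Constructed sample that trips five checks: prefix, logsource, level, technique tag, condition.
BAD_RULE = {"title": "Beaconing without metadata", "tags": ["attack.command_and_control"],
            "detection": {"selection": {"c-uri|contains": "/api/"},
                          "condition": "selection and not filter_missing"}}
```

Running lint_rule over GOOD_RULE returns no findings, while BAD_RULE yields one finding per violated checklist item, including the dangling filter_missing reference in its condition.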

License

MIT — see LICENSE file.
