Main YAML → AST parser for Sigma rules, correlations, filters, and collections.
Handles:
- Single-document YAML (one rule)
- Multi-document YAML (--- separator, action: global/reset/repeat)
- Detection section parsing (named detections, field modifiers, values)
- Correlation rule parsing
- Filter rule parsing
- Directory-based rule collection loading
Reference: pySigma collection.py, rule.py, rule/detection.py, correlations.py
Functions
- parse_field_spec - Parse a field specification string like "TargetObject|endswith".
- parse_sigma_directory - Parse all Sigma YAML files from a directory (recursively).
- parse_sigma_file - Parse a single Sigma YAML file from a path.
- parse_sigma_yaml - Parse a YAML string containing one or more Sigma documents.