detsema
detsema is a static analyzer for detection rules: it parses Sigma into a typed intermediate representation and checks rule sets against a declared schema of the fields your pipeline emits. Offline, no SIEM connection. Typical findings: rules that reference fields that don’t exist (and so can never match), case and type mismatches, and rules outside the analyzer’s documented subset, each with file and line.
Source, install and usage: github.com/Big-Comfy/detsema
go install github.com/Big-Comfy/detsema/cmd/detsema@latest
detsema check --rules ./rules --schema ./schema.json
Analysis reports
- Checking SigmaHQ rules against real field lists — 2,054 Sysmon-backed SigmaHQ rules against the fields Sysmon emits. 19 findings with one root cause, and three fields missing from the Sigma taxonomy.
- Cross-checking the matcher against Chainsaw — the same rules over the same Windows event logs, compared event by event. detsema reproduced all 712 of Chainsaw’s matches and found 242 it missed; the maintainer confirmed the bug and fixed it for v2.16.1.
Companion tool
detsema checks whether a rule’s logic can ever match, offline, before anything ships. Its companion deadair checks the other half at runtime: whether an enabled rule in Elastic or OpenSearch still has live telemetry behind it. How the two fit together, with a worked example, is in the detection coverage stack.
Reference
- Validation — what is proven, what is not, how to reproduce every number.
- Architecture — IR model, pass contract, safety properties, scope.
- SUBSET.md — the Sigma coverage contract: what the frontend supports and what gets an explicit unsupported verdict.