{"id":37010867,"url":"https://github.com/Khadinxc/Sigma2SPL","last_synced_at":"2026-01-21T02:00:57.834Z","repository":{"id":325923115,"uuid":"1102921062","full_name":"Khadinxc/Sigma2SPL","owner":"Khadinxc","description":"Sigma Queries turned into SPL for Splunk Enterprise and Enterprise Security using pysigma - Automated ","archived":false,"fork":false,"pushed_at":"2026-01-11T05:16:38.000Z","size":2129,"stargazers_count":1,"open_issues_count":0,"forks_count":1,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-01-11T12:41:13.808Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Khadinxc.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-11-24T08:01:01.000Z","updated_at":"2026-01-11T05:16:42.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/Khadinxc/Sigma2SPL","commit_stats":null,"previous_names":["khadinxc/sigma2spl"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/Khadinxc/Sigma2SPL","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Khadinxc%2FSigma2SPL","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Khadinxc%2FSigma2SPL/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Khadinxc%2FSigma2SPL/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Khadinxc%2
FSigma2SPL/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Khadinxc","download_url":"https://codeload.github.com/Khadinxc/Sigma2SPL/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Khadinxc%2FSigma2SPL/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28622472,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-20T23:49:58.628Z","status":"online","status_checked_at":"2026-01-21T02:00:08.227Z","response_time":86,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2026-01-14T01:00:32.991Z","updated_at":"2026-01-21T02:00:57.827Z","avatar_url":"https://github.com/Khadinxc.png","language":"Python","readme":"![Update Sigma Rules](https://github.com/Khadinxc/Sigma2SPL/actions/workflows/update-sigma-rules.yml/badge.svg)\n![GitHub last commit](https://img.shields.io/github/last-commit/Khadinxc/Sigma2SPL)\n# Sigma2SPL - Automated Updates\nSigma Queries turned into SPL for Splunk Enterprise and Enterprise Security using pysigma - Automated [pysigma-backend-SPL-backend](https://github.com/SigmaHQ/pySigma-backend-splunk)\n\n__Disclaimer: Not all of these rules have been validated either to ensure SPL is functional or if they are an exact replica of the Sigma rule. 
The script was created with the assumption that the pySigma Splunk backend does what it is meant to do.__\n\n```\n├───Splunk\n│   ├───rules\n│   ├───rules-compliance\n│   ├───rules-emerging-threats\n│   ├───rules-placeholder\n│   └───rules-threat-hunting\n```\n\n## How do I use the helper to do this locally or in a Detection as Code pipeline?\n\nI've included a pip freeze of the required libraries and, as per standard practice for Python development, I suggest creating a virtual environment so as not to _break_ system-wide package management.\n\n### Run the following commands to get started:\n\n**Clone the sigma rules repository:**\n\n```\ngit clone https://github.com/SigmaHQ/sigma.git\n```\n\n```\npython -m venv .venv\n```\n\n**With Windows:**\n```\n.\\.venv\\Scripts\\Activate.ps1\n```\n\n**With Linux:**\n```\nsource .venv/bin/activate\n```\n\n**Once in your Python virtual env:**\n\n```\npip install -r requirements.txt\n```\n\n**Then you can use the script like this:**\n\n```\n..\\.venv\\Scripts\\python.exe .\\helper.py --sigma-dir \"C:/Users/Kaiber/sigma\" --output-dir \"C:/Users/Kaiber/Sigma2SPL-2025/Splunk\"\n```\n\n### Sample Rule Summary:\n\n```\nrules-threat-hunting Summary:\n    Successful: 129\n    Failed: 1\n    Folders covered: 26\n\n================================================================================\nOVERALL CONVERSION COMPLETE!\n================================================================================\nTotal files processed: 3646\nTotal successful conversions: 3631\nTotal failed conversions: 15\n\nOutput base directory: D:\\Projects\\Sigma2SPL\\Splunk\n\nFolder structure created:\n    rules/\n    rules-emerging-threats/\n    rules-threat-hunting/\n```\n\n### Sample Rule:\n\n**Sigma Rule:**\n```\ntitle: 7Zip Compressing Dump Files\nid: ec570e53-4c76-45a9-804d-dc3f355ff7a7\nrelated:\n    - id: 1ac14d38-3dfc-4635-92c7-e3fd1c5f5bfc\n      type: derived\nstatus: test\ndescription: Detects execution of 7z in order to compress a file with a \".dmp\"/\".dump\" extension, which could be a step in a process of dump file exfiltration.\nreferences:\n    - https://thedfirreport.com/2022/09/26/bumblebee-round-two/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-09-27\nmodified: 2023-09-12\ntags:\n    - attack.collection\n    - attack.t1560.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Description|contains: '7-Zip'\n        - Image|endswith:\n              - '\\7z.exe'\n              - '\\7zr.exe'\n              - '\\7za.exe'\n        - OriginalFileName:\n              - '7z.exe'\n              - '7za.exe'\n    selection_extension:\n        CommandLine|contains:\n            - '.dmp'\n            - '.dump'\n            - '.hdmp'\n    condition: all of selection_*\nfalsepositives:\n    - Legitimate use of 7z with a command line in which \".dmp\" or \".dump\" appears accidentally\n    - Legitimate use of 7z to compress WER \".dmp\" files for troubleshooting\nlevel: medium\n```\n\n**SPL Rule:**\n```\n# Title: 7Zip Compressing Dump Files\n# Author: Nasreddine Bencherchali (Nextron Systems)\n# Date: 2022-09-27\n# Level: medium\n# Description: Detects execution of 7z in order to compress a file with a \".dmp\"/\".dump\" extension, which could be a step in a process of dump file exfiltration.\n# MITRE Tactic: Collection\n# Tags: attack.collection, attack.t1560.001\n# False Positives:\n#   - Legitimate use of 7z with a command line in which \".dmp\" or \".dump\" appears accidentally\n#   - Legitimate use of 7z to compress WER \".dmp\" files for troubleshooting\n\nindex=main sourcetype=WinEventLog:ProcessCreation (\n    (CommandLine=\"*.dmp\" OR CommandLine=\"*.dump\" OR CommandLine=\"*.hdmp\") AND (\n        Description=\"7-Zip\" OR Image=\"*\\\\7z.exe\" OR Image=\"*\\\\7zr.exe\" OR Image=\"*\\\\7za.exe\" OR OriginalFileName=\"7z.exe\" OR OriginalFileName=\"7za.exe\"\n    )\n)\n```\n\n","funding_links":[],"categories":["Network"],"sub_categories":["Monitoring / Logging"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FKhadinxc%2FSigma2SPL","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FKhadinxc%2FSigma2SPL","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FKhadinxc%2FSigma2SPL/lists"}