https://github.com/Khadinxc/Sigma2SPL

Sigma Queries turned into SPL for Splunk Enterprise and Enterprise Security using pysigma - Automated

![Update Sigma Rules](https://github.com/Khadinxc/Sigma2SPL/actions/workflows/update-sigma-rules.yml/badge.svg)
![GitHub last commit](https://img.shields.io/github/last-commit/Khadinxc/Sigma2SPL)
# Sigma2SPL - Automated Updates
Sigma rules converted into SPL for Splunk Enterprise and Enterprise Security using pySigma and the [pySigma Splunk backend](https://github.com/SigmaHQ/pySigma-backend-splunk), refreshed automatically.

__Disclaimer: Not all of these rules have been validated, either to confirm that the SPL actually runs or that it is an exact replica of the Sigma rule. The script was written on the assumption that the pySigma Splunk backend does what it is meant to do.__

The generated SPL is laid out to mirror the top-level rule directories of the SigmaHQ repository:

```
├───Splunk
│ ├───rules
│ ├───rules-compliance
│ ├───rules-emerging-threats
│ ├───rules-placeholder
│ └───rules-threat-hunting
```

## How do I use the helper to do this locally or in a Detection as Code pipeline?

A `pip freeze` of the required libraries is included as `requirements.txt`. As is standard practice for Python development, create a virtual environment so that the install does not _break_ system-wide package management.

### Run the following commands to get started:

**Clone the sigma rules repository:**

```
git clone https://github.com/SigmaHQ/sigma.git
```

**Create a virtual environment:**

```
python -m venv .venv
```

**With Windows:**
```
.\.venv\Scripts\Activate.ps1
```

**With Linux:**
```
source .venv/bin/activate
```
**Once in your Python virtual env:**

```
pip install -r requirements.txt
```

**Then you can use the script like this** (with the virtual environment activated, `python` resolves to the venv interpreter; point `--sigma-dir` at your clone of SigmaHQ/sigma and `--output-dir` at the folder that should receive the generated SPL):

```
python .\helper.py --sigma-dir "C:/Users/Kaiber/sigma" --output-dir "C:/Users/Kaiber/Sigma2SPL-2025/Splunk"
```

### Sample Rule Summary:

```
rules-threat-hunting Summary:
Successful: 129
Failed: 1
Folders covered: 26

================================================================================
OVERALL CONVERSION COMPLETE!
================================================================================
Total files processed: 3646
Total successful conversions: 3631
Total failed conversions: 15

Output base directory: D:\Projects\Sigma2SPL\Splunk

Folder structure created:
rules/
rules-emerging-threats/
rules-threat-hunting/
```
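In a Detection as Code pipeline the summary above is the signal you gate on: a rule that failed to convert must not reach the Splunk deployment step. The following POSIX shell functions are an added example and are not part of Sigma2SPL; they parse a summary in the format the helper prints (the sample text inside the block is constructed for the test, with made-up numbers for `rules-compliance`) and fail the job when the failed-conversion count exceeds a budget.

```shell
#!/bin/sh
# Added example for a Detection-as-Code pipeline; not part of Sigma2SPL.
# Reads the summary helper.py prints and turns it into a pass/fail gate.

# Print the number after a label, e.g. "Total failed conversions: 15" -> 15.
summary_value() {
    # $1 = summary text, $2 = label (the text before the colon)
    printf '%s\n' "$1" | sed -n "s/^$2: *\([0-9][0-9]*\).*/\1/p" | head -n 1
}

# List the per-folder sections whose "Failed:" counter is non-zero.
folders_with_failures() {
    printf '%s\n' "$1" | awk '
        /^[^ ]+ Summary:$/ { folder = $1 }
        /^Failed: [0-9]+$/ && folder != "" { if ($2 + 0 > 0) print folder; folder = "" }
    '
}

# Return 0 when failed conversions are within budget, 1 otherwise.
gate_summary() {
    # $1 = summary text, $2 = maximum tolerated failed conversions
    failed=$(summary_value "$1" "Total failed conversions")
    ok=$(summary_value "$1" "Total successful conversions")
    if [ -z "$failed" ] || [ -z "$ok" ]; then
        echo "gate: could not find conversion totals in summary" >&2
        return 1
    fi
    if [ "$failed" -gt "$2" ]; then
        echo "gate: $failed failed conversions exceed budget of $2" >&2
        folders_with_failures "$1" | sed 's/^/gate: failures in /' >&2
        return 1
    fi
    echo "gate: $ok converted, $failed failed (budget $2)" >&2
    return 0
}

# Constructed sample shaped like the helper's output (rules-compliance numbers invented).
SAMPLE_SUMMARY='rules-compliance Summary:
Successful: 30
Failed: 0
Folders covered: 4

rules-threat-hunting Summary:
Successful: 129
Failed: 1
Folders covered: 26

================================================================================
OVERALL CONVERSION COMPLETE!
================================================================================
Total files processed: 3646
Total successful conversions: 3631
Total failed conversions: 15'

# Typical pipeline use (helper invocation illustrative):
#   python helper.py --sigma-dir ./sigma --output-dir ./Splunk | tee summary.txt
#   gate_summary "$(cat summary.txt)" 0 || exit 1
```

Running the gate with a budget of `0` makes any conversion failure block the pipeline; a non-zero budget is useful while you triage rules the backend cannot yet express, but the offending folders are still printed so they do not disappear from view.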

### Sample Rule:

**Sigma Rule:**
```
title: 7Zip Compressing Dump Files
id: ec570e53-4c76-45a9-804d-dc3f355ff7a7
related:
    - id: 1ac14d38-3dfc-4635-92c7-e3fd1c5f5bfc
      type: derived
status: test
description: Detects execution of 7z in order to compress a file with a ".dmp"/".dump" extension, which could be a step in a process of dump file exfiltration.
references:
    - https://thedfirreport.com/2022/09/26/bumblebee-round-two/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-27
modified: 2023-09-12
tags:
    - attack.collection
    - attack.t1560.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Description|contains: '7-Zip'
        - Image|endswith:
              - '\7z.exe'
              - '\7zr.exe'
              - '\7za.exe'
        - OriginalFileName:
              - '7z.exe'
              - '7za.exe'
    selection_extension:
        CommandLine|contains:
            - '.dmp'
            - '.dump'
            - '.hdmp'
    condition: all of selection_*
falsepositives:
    - Legitimate use of 7z with a command line in which ".dmp" or ".dump" appears accidentally
    - Legitimate use of 7z to compress WER ".dmp" files for troubleshooting
level: medium
```

**SPL Rule:**
```
# Title: 7Zip Compressing Dump Files
# Author: Nasreddine Bencherchali (Nextron Systems)
# Date: 2022-09-27
# Level: medium
# Description: Detects execution of 7z in order to compress a file with a ".dmp"/".dump" extension, which could be a step in a process of dump file exfiltration.
# MITRE Tactic: Collection
# Tags: attack.collection, attack.t1560.001
# False Positives:
# - Legitimate use of 7z with a command line in which ".dmp" or ".dump" appears accidentally
# - Legitimate use of 7z to compress WER ".dmp" files for troubleshooting

index=main sourcetype=WinEventLog:ProcessCreation (
    (CommandLine="*.dmp" OR CommandLine="*.dump" OR CommandLine="*.hdmp") AND (
        Description="7-Zip" OR Image="*\\7z.exe" OR Image="*\\7zr.exe" OR Image="*\\7za.exe" OR OriginalFileName="7z.exe" OR OriginalFileName="7za.exe"
    )
)
```

Two things to check in a converted rule before it goes anywhere near production. First, the modifiers: the Sigma rule says `Description|contains: '7-Zip'`, which should translate to the wildcard match `Description="*7-Zip*"`, whereas the sample above carries the exact match `Description="7-Zip"`, which only fires when the field is precisely that string. Second, `index=main sourcetype=WinEventLog:ProcessCreation` is a placeholder: replace it with the index, sourcetype and field names your process-creation events actually use (for example Sysmon EventCode 1 or Security EventCode 4688), otherwise the search matches nothing and the rule silently never fires.