CRIMSON 7

Threat hunting—actively looking for signs of trouble before they turn into major problems—is a big part of SecOps. Sigma rules are generic, platform-neutral threat hunting rules, tagged with MITRE ATT&CK tactics and techniques. They are like universal templates for spotting suspicious activity, and they work across different security platforms such as SIEMs (Security Information and Event Management) and EDRs (Endpoint Detection and Response).

Sigma rules are great, but they’re not plug-and-play. To use them, you need to translate them into the specific query language of your security tool—for example, KQL (Kusto Query Language) if you’re using Microsoft Defender XDR or Sentinel. There are tools out there, like the Python-based sigma-py library, that historically helped with this translation. But here’s the catch: things move fast in cybersecurity. Both Sigma and platforms like Microsoft Defender XDR (MDXDR) keep evolving, which means these tools can get outdated. The available examples and repositories provide code that no longer works on the latest version of sigma-py (the one you can install with a simple pip install).

To fix this, we’ve created two Python scripts that make converting Sigma rules into KQL much easier and faster, and that work with the 2025 versions of the libraries.

Try it now; the repository is here: https://github.com/Crimson7research/C7SigmaTools

Here’s what they do:

The Scripts

  1. trySigmaConversion.py
     This script takes Sigma rules from the sigma/rules/ folder, converts them into KQL using a Microsoft-specific pipeline, and organizes the resulting .kql files into folders based on MITRE ATT&CK tactics and techniques (basically a fancy way of grouping them by how attackers operate). It’s perfect if you want individual query files you can manage or put in version control systems.
     How to run it:

       python trySigmaConversion.py

  2. trySigmaConvertloadDB.py
     Instead of creating separate files, this script loads all the converted rules into a SQLite database (rules.db). This makes it easy to search through them, analyze them in bulk, or connect them to other security tools.
     How to run it:

       python trySigmaConvertloadDB.py

Both scripts use the sigma-py library with a specific processing pipeline (microsoft_xdr_pipeline) that maps Sigma log sources and field names onto Microsoft Defender XDR’s tables and columns, so the generated KQL runs against that schema.
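As an added example (not code from the C7SigmaTools repository), here is a compact version of the same flow: convert a constructed Sigma rule to KQL with the Kusto backend and microsoft_xdr_pipeline, derive the tactic/technique folder from the rule’s ATT&CK tags, and load the result into a SQLite rules.db. It assumes the pysigma and pysigma-backend-kusto packages and the module paths sigma.backends.kusto and sigma.pipelines.microsoft of the current Kusto backend.

```python
import re
import sqlite3

def convert_sigma_to_kql(rule_yaml: str) -> list[dict]:
    """Convert each rule in a Sigma YAML document to Defender XDR KQL.
    Assumes `pip install pysigma pysigma-backend-kusto`; the import is lazy so the
    ATT&CK folder and SQLite helpers below also run without the library."""
    from sigma.collection import SigmaCollection
    from sigma.backends.kusto import KustoBackend
    from sigma.pipelines.microsoft import microsoft_xdr_pipeline
    backend = KustoBackend(processing_pipeline=microsoft_xdr_pipeline())
    return [{"title": rule.title, "tags": [str(t) for t in rule.tags], "kql": kql}
            for rule in SigmaCollection.from_yaml(rule_yaml).rules
            for kql in backend.convert_rule(rule)]

TECHNIQUE = re.compile(r"^attack\.(t\d{4}(?:\.\d{3})?)$", re.I)
TACTIC = re.compile(r"^attack\.([a-z_]+)$")  # skips group/software tags such as attack.g0016

def attack_folder(tags: list[str]) -> str:
    """Map ATT&CK tags to a '<tactic>/<technique>' folder, with fallbacks when one is missing."""
    tactics = [m.group(1) for t in tags if (m := TACTIC.match(t.lower()))]
    techniques = [m.group(1).upper() for t in tags if (m := TECHNIQUE.match(t))]
    return f"{tactics[0] if tactics else 'untagged'}/{techniques[0] if techniques else 'no_technique'}"

def load_rules_db(converted: list[dict], db_path: str = "rules.db") -> int:
    """Store each query with its ATT&CK folder in SQLite and return the row count."""
    with sqlite3.connect(db_path) as con:  # commits on exit
        con.execute("CREATE TABLE IF NOT EXISTS rules (title TEXT, folder TEXT, kql TEXT)")
        rows = [(c["title"], attack_folder(c["tags"]), c["kql"]) for c in converted]
        con.executemany("INSERT INTO rules VALUES (?, ?, ?)", rows)
        count = con.execute("SELECT COUNT(*) FROM rules").fetchone()[0]
    con.close()
    return count

# Constructed sample rule, not taken from the sigma/rules/ folder.
SAMPLE_RULE = r"""
title: Whoami Execution
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\whoami.exe'
    condition: selection
tags:
    - attack.discovery
    - attack.t1033
"""

if __name__ == "__main__":
    print(load_rules_db(convert_sigma_to_kql(SAMPLE_RULE)), "rule(s) in rules.db")
```

The folder and database helpers are pure standard library, so the tag-to-folder mapping can be unit-tested without the conversion backend installed.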

Why This Matters

These scripts are all about making threat hunting smoother and building a community base of hunting rules that are compatible with Microsoft Defender XDR. By giving security teams tools that are up to date and easy to use, we’re helping them spot threats faster and respond quickly. Whether you’re digging through logs or setting up automated alerts, these scripts make it easier to turn community knowledge (like Sigma rules) into actionable detections.

If you want to dive deeper into Sigma rules or learn more about KQL, check out resources like the Sigma GitHub repository or Microsoft’s KQL documentation.
