Sigma Queries turned into KQL for Defender and Microsoft Sentinel using pysigma-backend-KQL-backend
Disclaimer: Not all of these rules have been validated either to ensure KQL is functional or if they are an exact replica of the Sigma rule. The script was created with the assumption that the pySigma Kusto backend does what it is meant to do.
├───KQL
│ ├───rules
│ ├───rules-compliance
│ ├───rules-emerging-threats
│ ├───rules-placeholder
│ └───rules-threat-hunting
I've included a pip freeze of required libraries and as per standard practice for Python development I suggest creating a virtual environment not to break system wide package management.
Clone the sigma rules repository:
git clone https://github.com/SigmaHQ/sigma.git
python -m venv .venv
With Windows:
.\.venv\Scripts\Activate.ps1
With Linux
./.venv/bin/activate
Once in your Python virtual env:
pip install -r requirements.txt
Then you can use the script like this:
..\.venv\Scripts\python.exe .\helper.py --sigma-dir "C:/Users/Kaiber/sigma" --output-dir "C:/Users/Kaiber/Sigma2KQL-2025/KQL"
rules-threat-hunting Summary:
Successful: 96
Failed: 33
Tactics covered: 13
================================================================================
OVERALL CONVERSION COMPLETE!
================================================================================
Total files processed: 3637
Total successful conversions: 2225
Total failed conversions: 1412
Output base directory: D:\Projects\SigmaTerraform\Sigma2KQL-2025\KQL
Folder structure created:
rules/
rules-emerging-threats/
rules-threat-hunting/
Sigma Rule:
title: 7Zip Compressing Dump Files
id: ec570e53-4c76-45a9-804d-dc3f355ff7a7
related:
- id: 1ac14d38-3dfc-4635-92c7-e3fd1c5f5bfc
type: derived
status: test
description: Detects execution of 7z in order to compress a file with a ".dmp"/".dump" extension, which could be a step in a process of dump file exfiltration.
references:
- https://thedfirreport.com/2022/09/26/bumblebee-round-two/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-27
modified: 2023-09-12
tags:
- attack.collection
- attack.t1560.001
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Description|contains: '7-Zip'
- Image|endswith:
- '\7z.exe'
- '\7zr.exe'
- '\7za.exe'
- OriginalFileName:
- '7z.exe'
- '7za.exe'
selection_extension:
CommandLine|contains:
- '.dmp'
- '.dump'
- '.hdmp'
condition: all of selection_*
falsepositives:
- Legitimate use of 7z with a command line in which ".dmp" or ".dump" appears accidentally
- Legitimate use of 7z to compress WER ".dmp" files for troubleshooting
level: medium
KQL Rule:
// Title: 7Zip Compressing Dump Files
// Author: Nasreddine Bencherchali (Nextron Systems)
// Date: 2022-09-27
// Level: medium
// Description: Detects execution of 7z in order to compress a file with a ".dmp"/".dump" extension, which could be a step in a process of dump file exfiltration.
// MITRE Tactic: Collection
// Tags: attack.collection, attack.t1560.001
// False Positives:
// - Legitimate use of 7z with a command line in which ".dmp" or ".dump" appears accidentally
// - Legitimate use of 7z to compress WER ".dmp" files for troubleshooting
DeviceProcessEvents
| where (ProcessCommandLine contains ".dmp" or ProcessCommandLine contains ".dump" or ProcessCommandLine contains ".hdmp") and (ProcessVersionInfoFileDescription contains "7-Zip" or (FolderPath endswith "\\7z.exe" or FolderPath endswith "\\7zr.exe" or FolderPath endswith "\\7za.exe") or (ProcessVersionInfoOriginalFileName in~ ("7z.exe", "7za.exe")))