Converting Sigma rules to KQL in your DevOps workflow with GitHub Actions

Regan
2 min read · Nov 7, 2023

Recently, Sigma started releasing massive batches of rules in dedicated releases. This is great, but often there’s an overwhelming number of new rules to go through and adapt to your SIEM of choice. Why not automate it a little bit?

I wrote a script and GitHub Actions workflow to achieve this purpose, with the simple intention of quickly getting a basic KQL query in my hands, ready to be modified and made SOC-ready. I also wanted to encapsulate the original Sigma rule with this translated KQL query for context. Note that this only applies to process events at this time!

An example output.

Introducing ConvertSigmaRepo2KQL. A mega-basic script and an even more basic GitHub Actions workflow, designed to run unattended in a CI/CD pipeline.

The script needs to be mildly modified to account for your own environment, but it’s just a matter of changing the names of directories to suit your setup.
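A workflow of the shape described above, written here as an added example and not the ConvertSigmaRepo2KQL repository's own file. The script name `convert_sigma.py`, its `--input`/`--output` arguments and the `sigma/rules/windows/process_creation` and `kql` directories are assumptions to adjust to your own layout; the pip packages are the pySigma core and the AttackIQ Microsoft 365 Defender backend the post credits.

```yaml
# .github/workflows/sigma-to-kql.yml (example, not the project's file)
name: Convert Sigma process rules to KQL

on:
  schedule:
    - cron: "0 6 * * 1"     # weekly, Monday 06:00 UTC, to pick up new Sigma releases
  workflow_dispatch:        # allow a manual run when a large rule batch lands

permissions:
  contents: write           # only what the commit step needs; nothing else

jobs:
  convert:
    runs-on: ubuntu-latest
    steps:
      - name: Check out this repo (conversion script + converted rules)
        uses: actions/checkout@v4

      - name: Check out the upstream Sigma rule repository into ./sigma
        uses: actions/checkout@v4
        with:
          repository: SigmaHQ/sigma
          path: sigma

      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: "3.11"

      - name: Install pySigma and the Microsoft 365 Defender backend
        run: pip install pysigma pysigma-backend-microsoft365defender

      # convert_sigma.py, its arguments and both directory names are assumed;
      # change them to match your own repository layout.
      - name: Convert process_creation rules to KQL
        run: python convert_sigma.py --input sigma/rules/windows/process_creation --output kql

      - name: Commit converted queries back to this repo
        run: |
          git config user.name "github-actions[bot]"
          git config user.email "github-actions[bot]@users.noreply.github.com"
          git add kql
          # commit only when the conversion actually changed something
          git diff --cached --quiet || git commit -m "Update KQL from latest Sigma rules"
          git push
```

The push uses the workflow's built-in `GITHUB_TOKEN`, which is why the job is granted `contents: write` and no other permission.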

If you’d like to make changes to the script, please feel free to submit a pull request! I don’t really have time to maintain this 24/7, but I’m happy to merge in cool changes if anyone makes any. I am not great at any of this, so feedback is appreciated!

Credit to the pySigma project and AttackIQ for maintaining the Defender pipeline used!

Regan

Security Engineer with a focus on Microsoft Sentinel, the Defender stack, and a bit of Splunk. Opinions are my own. Hack the planet.