TerraSigma - Modern Detection Engineering for the Cloud-Native SIEM Microsoft Sentinel - Automated Updates

Terraform-converted Sigma rules for deployment to Microsoft Sentinel.

This repository automates conversion of Sigma → KQL → Terraform and back to Sentinel YAML, making it easy to manage detection rules with infrastructure-as-code.

Key points:

  • The converters now preserve the original Sigma/TF source folder layout by default (--output-structure source).
  • You can alternatively group outputs by primary MITRE tactic (--output-structure tactics).
  • Entity mappings were updated to use valid Microsoft Sentinel identifiers (Account, Host, Process, File, IP, Registry, URL, etc.).

Quick Start

  1. Clone the Sigma2KQL rules repository:

git clone https://github.com/Khadinxc/Sigma2KQL.git

  2. Clone this repository (TerraSigma):

git clone https://github.com/Khadinxc/TerraSigma.git
cd TerraSigma

  3. Create and activate a Python virtual environment:

Windows (PowerShell):

python -m venv .venv
.\.venv\Scripts\Activate.ps1

Linux/macOS:

python -m venv .venv
source .venv/bin/activate

  4. Install requirements:

pip install -r requirements.txt

kql_to_terraform (KQL/Sigma → Terraform)

Generate Terraform rules from the KQL rules you obtained from Sigma2KQL.

Default (preserve the source folder structure under ./TF):

python kql_to_terraform.py --kql-dir ./KQL --output-dir ./TF --schemas ./schemas.json

Group outputs by primary MITRE tactic instead (legacy behavior):

python kql_to_terraform.py --kql-dir ./KQL --output-dir ./TF --schemas ./schemas.json --output-structure tactics

Notes:

  • The script tries to map fields to valid Microsoft Sentinel identifiers. Account and Host mappings are added where the table schema provides suitable fields. IP mappings appear for tables that include IP columns (e.g., DeviceNetworkEvents).
  • File hashes are mapped to FileHash identifiers; File entity identifiers are Name and Directory.
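The notes above describe the schema-driven entity mapping. The following is an added illustration, not TerraSigma's own code: it derives Sentinel entity mappings from a table's column list and renders them in the shape the azurerm provider expects. The candidate column names (from the Defender DeviceNetworkEvents/DeviceFileEvents tables) and the per-rule limits are assumptions for this example.

```python
# Added illustration, not TerraSigma's own code: derive Microsoft Sentinel entity
# mappings from a table schema and render them as entity_mapping blocks in the
# azurerm_sentinel_alert_rule_scheduled HCL shape, which is what the README
# describes kql_to_terraform doing via schemas.json. Column names are taken from
# the Defender DeviceNetworkEvents/DeviceFileEvents tables; entity types and
# identifiers are ones Sentinel accepts.

# Candidate entities, each with (identifier, column) pairs. A field is kept only
# when the column exists in the schema; an entity is emitted only if any field
# survives. The candidate list itself is an assumption for this example.
CANDIDATE_ENTITIES = [
    ("Account", [("Name", "InitiatingProcessAccountName"),
                 ("NTDomain", "InitiatingProcessAccountDomain")]),
    ("Host", [("HostName", "DeviceName")]),
    ("IP", [("Address", "RemoteIP")]),     # one IP entity per address column
    ("IP", [("Address", "LocalIP")]),
    ("File", [("Name", "FileName"), ("Directory", "FolderPath")]),
    ("FileHash", [("Value", "SHA256")]),   # Algorithm would need an extended column
    ("Process", [("CommandLine", "InitiatingProcessCommandLine")]),
    ("URL", [("Url", "RemoteUrl")]),
]

MAX_ENTITIES = 10          # Sentinel caps entity mappings per rule
MAX_FIELDS_PER_ENTITY = 3  # and identifiers per entity


def build_entity_mappings(columns):
    """Return [(entity_type, [(identifier, column), ...]), ...] for a schema."""
    present = set(columns)
    entities = []
    for entity_type, fields in CANDIDATE_ENTITIES:
        kept = [(ident, col) for ident, col in fields if col in present]
        if kept:
            entities.append((entity_type, kept[:MAX_FIELDS_PER_ENTITY]))
    return entities[:MAX_ENTITIES]


def render_entity_mapping_hcl(entities):
    """Render the mappings as nested entity_mapping / field_mapping HCL blocks."""
    out = []
    for entity_type, fields in entities:
        out.append("  entity_mapping {")
        out.append(f'    entity_type = "{entity_type}"')
        for identifier, column in fields:
            out.append("    field_mapping {")
            out.append(f'      identifier  = "{identifier}"')
            out.append(f'      column_name = "{column}"')
            out.append("    }")
        out.append("  }")
    return "\n".join(out)
```

Feed it the column list from an entry in schemas.json and paste the returned text into the rule resource; a table with no matching columns (e.g. only Timestamp) yields no entity mappings.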

terraform_to_yaml (Terraform → Sentinel YAML)

Convert Terraform rule resources to Azure Sentinel YAML ready for import.

Default (preserve TF folder layout under ./YAML):

python terraform_to_yaml.py --tf-dir ./TF --output-dir ./YAML

Group YAML files by primary MITRE tactic instead:

python terraform_to_yaml.py --tf-dir ./TF --output-dir ./YAML --output-structure tactics
