Translation

Heuristic translation. Field names, operators, and syntax are mapped using a built-in cheat sheet (see below). Edge cases, such as joins, lookups, complex aggregations, and vendor-specific functions, require manual review. The output is a starting point, not a finished detection rule.

Field Mapping Cheat Sheet (built-in)

The translator uses the following canonical → dialect mapping. If your source uses non-standard table/field names, edit before translating.

| Concept | KQL (Sentinel) | SPL (Splunk) | ES\|QL (Elastic) | Sigma |
|---|---|---|---|---|
| Process exec table | DeviceProcessEvents | sourcetype=sysmon EventCode=1 | event.code:1 | logsource.category: process_creation |
| Process name | FileName | Image | process.name | Image |
| Command line | ProcessCommandLine | CommandLine | process.command_line | CommandLine |
| Parent image | InitiatingProcessFileName | ParentImage | process.parent.name | ParentImage |
| User | AccountName | User | user.name | User |
| Hostname | DeviceName | host | host.name | ComputerName |
| Time field | TimeGenerated | _time | @timestamp | (implicit) |
| Time bound (1h) | where TimeGenerated >= ago(1h) | earliest=-1h | where @timestamp >= NOW() - 1 HOUR | (SIEM-side) |
| String contains | contains | "*str*" | like | contains |
| String equals | =~ (case-insensitive) | = | == | (default) |
| Field in list | in~ (...) | IN (...) | in (...) | list under field |
| Aggregate count | summarize count() by ... | stats count by ... | stats count = count(*) by ... | (SIEM-side) |
| Project / table | project ... | table ... or fields ... | keep ... | (SIEM-side) |
| Failed logon table | SecurityEvent EventID == 4625 | sourcetype=wineventlog EventCode=4625 | event.code:4625 | EventID: 4625 (logsource.service: security) |
| Network conn table | DeviceNetworkEvents | sourcetype=sysmon EventCode=3 | event.code:3 | logsource.category: network_connection |
| Remote IP/port | RemoteUrl / RemotePort | dest_ip / dest_port | destination.ip / destination.port | DestinationIp / DestinationPort |
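To make the "heuristic translation" concrete, here is an added Python example (not the page's own translator, and not code from any of the SIEM vendors named) that applies the cheat sheet above as a single-pass token substitution and flags the constructs the page reserves for manual review. The dialect keys `kql`, `spl`, `esql` and `sigma` are labels chosen here; the mapping rows are copied from the table, limited to entries that are plain names or fixed phrases (rows whose Sigma column is a logsource declaration or "(SIEM-side)" are deliberately left without a Sigma entry, so such a request is reported as a gap rather than rewritten). The sample queries are constructed for the demonstration.

```python
"""Heuristic cheat-sheet translation between SIEM query dialects.

Added illustration, not the page's own translator. It applies the field
mapping table as a single-pass token substitution and flags the constructs
the page says need manual review (joins, lookups, complex aggregations).
Anything not in the table is left untouched, which is why the output is a
starting point rather than a finished rule.
"""
import re

# (concept, {dialect: token}) taken from the cheat sheet. Dialect keys are
# labels chosen here. Rows whose Sigma column is structural ("logsource",
# "(implicit)", "(SIEM-side)") carry no "sigma" entry, so a KQL->Sigma
# request for them is reported as a gap instead of being rewritten.
ROWS = [
    ("process table", {"kql": "DeviceProcessEvents",
                       "spl": "sourcetype=sysmon EventCode=1", "esql": "event.code:1"}),
    ("process name", {"kql": "FileName", "spl": "Image",
                      "esql": "process.name", "sigma": "Image"}),
    ("command line", {"kql": "ProcessCommandLine", "spl": "CommandLine",
                      "esql": "process.command_line", "sigma": "CommandLine"}),
    ("parent image", {"kql": "InitiatingProcessFileName", "spl": "ParentImage",
                      "esql": "process.parent.name", "sigma": "ParentImage"}),
    ("user", {"kql": "AccountName", "spl": "User", "esql": "user.name", "sigma": "User"}),
    ("hostname", {"kql": "DeviceName", "spl": "host", "esql": "host.name", "sigma": "ComputerName"}),
    ("time field", {"kql": "TimeGenerated", "spl": "_time", "esql": "@timestamp"}),
    ("time bound (1h)", {"kql": "where TimeGenerated >= ago(1h)", "spl": "earliest=-1h",
                         "esql": "where @timestamp >= NOW() - 1 HOUR"}),
    ("string equals", {"kql": "=~", "spl": "=", "esql": "=="}),
    ("field in list", {"kql": "in~", "spl": "IN", "esql": "in"}),
    ("aggregate count", {"kql": "summarize count() by", "spl": "stats count by",
                         "esql": "stats count = count(*) by"}),
    ("project / table", {"kql": "project", "spl": "table", "esql": "keep"}),
    ("network table", {"kql": "DeviceNetworkEvents",
                       "spl": "sourcetype=sysmon EventCode=3", "esql": "event.code:3"}),
    ("remote port", {"kql": "RemotePort", "spl": "dest_port",
                     "esql": "destination.port", "sigma": "DestinationPort"}),
]

# Edge cases the page reserves for manual review.
REVIEW_PATTERNS = [
    (r"\bjoin\b", "join: rewrite by hand"),
    (r"\blookup\b", "lookup: rewrite by hand"),
    (r"\b(summarize|stats)\b(?:[^|]*?\w+\([^)]*\)){2,}",
     "aggregation with several functions: rewrite by hand"),
]


def _bounded(tok):
    """Escape tok and add boundaries only on sides that end in a word char,
    so 'host' does not match inside 'hostname' but '=~' still matches."""
    pre = r"(?<![\w.@])" if re.match(r"\w", tok) else ""
    post = r"(?![\w.])" if re.search(r"\w$", tok) else ""
    return pre + re.escape(tok) + post


def translate(query, src, dst):
    """Return (translated_query, notes). src/dst are 'kql', 'spl', 'esql' or 'sigma'."""
    src_tokens = {}  # src token -> (concept, dst token or None)
    for concept, names in ROWS:
        if src in names:
            src_tokens[names[src]] = (concept, names.get(dst))
    if not src_tokens:
        raise ValueError(f"unknown source dialect {src!r}")
    # Longest tokens first so a multi-word row (the 1h time bound) wins over
    # the bare time field it contains; one pass avoids chained rewrites.
    ordered = sorted(src_tokens, key=len, reverse=True)
    pattern = re.compile("(" + "|".join(_bounded(t) for t in ordered) + ")")
    notes = []

    def swap(m):
        tok = m.group(1)
        concept, repl = src_tokens[tok]
        if repl is None:
            notes.append(f"{concept}: {tok!r} has no {dst} entry in the cheat sheet")
            return tok
        return repl

    out = pattern.sub(swap, query)
    for regex, reason in REVIEW_PATTERNS:
        if re.search(regex, query, re.IGNORECASE):
            notes.append(reason)
    return out, notes


if __name__ == "__main__":
    # Constructed sample query, not taken from any real rule set.
    q = ('DeviceProcessEvents | where TimeGenerated >= ago(1h) '
         '| where FileName =~ "powershell.exe" '
         '| project TimeGenerated, DeviceName, AccountName, ProcessCommandLine')
    for target in ("spl", "esql", "sigma"):
        out, notes = translate(q, "kql", target)
        print(f"[{target}] {out}")
        for n in notes:
            print("   review:", n)
```

Running the sample shows both halves of the page's caveat: the field and table names land correctly in each dialect, but the SPL result still carries KQL pipeline structure (`| earliest=-1h | where ...`) that a human must fold into the base search, and the Sigma request reports the table and the `=~` operator as gaps because the cheat sheet has no direct equivalent for them.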