Translate detection queries between different SIEM platforms
SPLUNK | SENTINEL | ELASTIC
⚠️ REALITY CHECK: This converter handles common hunting patterns, not advanced queries.
Think of it as a translation guide plus a template library. Field names may need tweaking for your environment.
Always test queries before using them in production!
>> EXAMPLE HUNT QUERIES
Suspicious Process Creation
Detect execution of PowerShell with encoded commands or suspicious parent processes.
Splunk: index=windows EventCode=4688 | search CommandLine="*-enc*" OR CommandLine="*-encodedcommand*"

C2 Beaconing Detection
Identify regular network connections that might indicate command and control communication.
KQL: NetworkConnectionEvents | summarize count() by RemoteIP, bin(TimeGenerated, 1h)

Failed Login Attempts
Track failed authentication attempts that might indicate brute-force attacks.
Splunk: index=windows EventCode=4625 | stats count by src_ip, user | where count > 10

Registry Persistence
Monitor common registry locations used for persistence mechanisms.
KQL: RegistryEvents | where RegistryKey contains "Run" or RegistryKey contains "RunOnce"

Lateral Movement via RDP
Detect Remote Desktop connections that might indicate lateral movement.
Elastic: event.code:4624 AND winlog.logon.type:10

Suspicious File Creation
Monitor file creation in unusual locations (temp directories, startup folders).
Splunk: index=sysmon EventCode=11 | search TargetFilename="*\\Temp\\*" OR TargetFilename="*\\Startup\\*"
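The example queries above are all instances of a few reusable shapes; the "Failed Login Attempts" entry is a threshold hunt (count events of one type per group, keep groups above N). The Python below is an added example written for this page, not the converter's own code: it renders that one shape for Splunk, Sentinel KQL and Elasticsearch from a single structured spec, and runs the same logic locally over constructed sample events so you can see which groups the query would surface. The field-name table (CIM-style names on the Splunk side, SecurityEvent columns for Sentinel, ECS names for Elastic) and the index/table names are assumptions you should check against your own environment, which is exactly the tweaking the reality-check note warns about.

```python
"""Render one threshold-style hunt for three SIEM dialects and evaluate it
locally over constructed sample events (added example, not the converter)."""
import json
from collections import Counter

# Canonical (Splunk/CIM-style) name -> per-dialect name.
# ASSUMPTION: Sentinel names follow the SecurityEvent table, Elastic names
# follow ECS. Verify against your own data model before relying on them.
FIELD_MAP = {
    "EventCode":   {"splunk": "EventCode",   "kql": "EventID",     "elastic": "event.code"},
    "src_ip":      {"splunk": "src_ip",      "kql": "IpAddress",   "elastic": "source.ip"},
    "user":        {"splunk": "user",        "kql": "Account",     "elastic": "user.name"},
    "CommandLine": {"splunk": "CommandLine", "kql": "CommandLine", "elastic": "process.command_line"},
}


def field(name, dialect):
    """Translate a canonical field name into the target dialect, failing loudly
    on unknown fields rather than silently emitting a name that will not match."""
    try:
        return FIELD_MAP[name][dialect]
    except KeyError:
        raise ValueError(f"no mapping for field {name!r} in dialect {dialect!r}") from None


def render_threshold_hunt(event_code, group_by, threshold, dialect,
                          splunk_index="windows", kql_table="SecurityEvent",
                          es_index="winlogbeat-*"):
    """Render: count events with event_code, grouped by group_by, keep groups
    whose count exceeds threshold. Index/table names are assumed defaults."""
    fields = [field(f, dialect) for f in group_by]
    code_field = field("EventCode", dialect)
    if dialect == "splunk":
        return (f"index={splunk_index} {code_field}={event_code} "
                f"| stats count by {', '.join(fields)} | where count > {threshold}")
    if dialect == "kql":
        # summarize count() names its output column count_ in KQL.
        return (f"{kql_table} | where {code_field} == {event_code} "
                f"| summarize count() by {', '.join(fields)} | where count_ > {threshold}")
    if dialect == "elastic":
        # Query DSL: filter on the event code, then a multi_terms aggregation.
        # "count > N" becomes min_doc_count = N + 1 on the aggregation.
        body = {
            "size": 0,
            "query": {"term": {code_field: str(event_code)}},
            "aggs": {"by_group": {"multi_terms": {
                "terms": [{"field": f} for f in fields],
                "min_doc_count": threshold + 1,
            }}},
        }
        return f"GET {es_index}/_search\n" + json.dumps(body, indent=2)
    raise ValueError(f"unknown dialect {dialect!r}")


def evaluate_threshold_hunt(events, event_code, group_by, threshold):
    """Apply the same logic locally to events keyed by canonical field names.
    Returns {group_tuple: count} for groups over the threshold."""
    counts = Counter(
        tuple(e.get(f) for f in group_by)
        for e in events
        if str(e.get("EventCode")) == str(event_code)
    )
    return {group: n for group, n in counts.items() if n > threshold}


# Constructed sample data (not real telemetry): one noisy source, one quiet one,
# plus a successful logon (4624) that the 4625 filter must ignore.
SAMPLE_EVENTS = (
    [{"EventCode": 4625, "src_ip": "203.0.113.5", "user": "admin"}] * 12
    + [{"EventCode": 4625, "src_ip": "198.51.100.7", "user": "bob"}] * 3
    + [{"EventCode": 4624, "src_ip": "203.0.113.5", "user": "admin"}]
)

if __name__ == "__main__":
    spec = dict(event_code=4625, group_by=["src_ip", "user"], threshold=10)
    for dialect in ("splunk", "kql", "elastic"):
        print(f"--- {dialect} ---")
        print(render_threshold_hunt(dialect=dialect, **spec))
    print("--- local evaluation ---")
    print(evaluate_threshold_hunt(SAMPLE_EVENTS, **spec))
```

The Splunk rendering reproduces the page's "Failed Login Attempts" query exactly, which is a useful sanity check when you extend the table: if a field rename breaks that round trip, the mapping is wrong. Adding the other shapes on the page (substring match on a command line or file path, time-bucketed counts) is a matter of adding one renderer per shape; the field table is shared.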