The pySigma PowerShell backend uses pySigma to convert Sigma rules into PowerShell queries. It was designed to be used in conjunction with the Soap PowerShell module (i.e., the Read-WinEvent function).

The pySigma PowerShell backend includes two Python packages:

• sigma.pipelines.powershell: normalizes Sigma rules for PowerShell.
• sigma.backends.powershell: declares the PowerShellBackend class and multiple output methods.

It currently supports the following output formats:

• default: plain PowerShell queries
• script: a PowerShell script
• xml: XML documents
• xpath: XML strings
• subscription: Windows event subscriptions

python -m pip install --user pytest
python -m pytest                                                                  # test all functions
python -m pytest tests/test_backend_powershell.py::test_powershell_and_expression # test a specific function

python -m poetry add pysigma@latest

• Understanding XML and XPath by the Microsoft Scripting Guy, Ed Wilson