Zion Boggan
repos/Security Portfolio/detection-as-code/index.html
zionboggan.com ↗
Code Commits Tags
371 lines · html
History for this file →
1
<!doctype html>
2
<html lang="en">
3
<head>
4
<meta charset="utf-8">
5
<meta name="viewport" content="width=device-width, initial-scale=1.0">
6
<title>Detection-as-Code | Zion Boggan</title>
7
<meta name="description" content="Sigma rules mapped to MITRE ATT&amp;amp;CK, linted and tested in CI, and compiled to Splunk, Elastic, and Microsoft Sentinel KQL: one rule, every SIEM.">
8
<link rel="icon" href="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 32 32'%3E%3Crect width='32' height='32' rx='6' fill='%230c0e12'/%3E%3Ctext x='16' y='22' font-family='monospace' font-size='15' fill='%236cc7b8' text-anchor='middle'%3Ezb%3C/text%3E%3C/svg%3E">
9
<style>
10
  :root{
11
    --bg:#0c0e12; --bg2:#0f1217; --panel:#14181f; --panel2:#171c24;
12
    --line:#222936; --line2:#2c3543;
13
    --ink:#e8eaed; --soft:#c3cad4; --muted:#8a94a3; --faint:#5d6675;
14
    --accent:#6cc7b8; --accent-dim:#274b47;
15
    --maxw:1020px;
16
  }
17
  *{box-sizing:border-box;}
18
  html{scroll-behavior:smooth;}
19
  body{margin:0;background:var(--bg);color:var(--ink);
20
    font-family:-apple-system,BlinkMacSystemFont,"Segoe UI",Roboto,Helvetica,Arial,sans-serif;
21
    font-size:16px;line-height:1.65;-webkit-font-smoothing:antialiased;}
22
  .mono{font-family:ui-monospace,SFMono-Regular,"SF Mono",Menlo,Consolas,monospace;}
23
  a{color:var(--accent);text-decoration:none;}
24
  a:hover{color:#8fe0d2;}
25
  .wrap{max-width:var(--maxw);margin:0 auto;padding:0 24px;}
26
27
  /* nav */
28
  nav{position:sticky;top:0;z-index:20;background:rgba(12,14,18,.82);
29
    backdrop-filter:blur(10px);border-bottom:1px solid var(--line);}
30
  nav .wrap{display:flex;align-items:center;justify-content:space-between;height:58px;}
31
  nav .brand{font-weight:600;letter-spacing:.2px;}
32
  nav .brand .dot{color:var(--accent);}
33
  nav .links{display:flex;gap:26px;font-size:13.5px;}
34
  nav .links a{color:var(--muted);}
35
  nav .links a:hover{color:var(--ink);}
36
  @media(max-width:680px){nav .links{display:none;}}
37
38
  /* hero */
39
  header.hero{padding:74px 0 54px;border-bottom:1px solid var(--line);
40
    background:radial-gradient(900px 380px at 78% -10%, #11201e 0%, transparent 60%);}
41
  .avail{font-size:12.5px;letter-spacing:1.5px;text-transform:uppercase;color:var(--accent);
42
    display:flex;align-items:center;gap:9px;margin-bottom:20px;}
43
  .avail .pulse{width:7px;height:7px;border-radius:50%;background:var(--accent);
44
    box-shadow:0 0 0 0 rgba(108,199,184,.5);animation:p 2.4s infinite;}
45
  @keyframes p{0%{box-shadow:0 0 0 0 rgba(108,199,184,.45)}70%{box-shadow:0 0 0 8px rgba(108,199,184,0)}100%{box-shadow:0 0 0 0 rgba(108,199,184,0)}}
46
  h1{font-size:clamp(34px,6vw,52px);line-height:1.05;margin:0 0 8px;letter-spacing:-1px;font-weight:680;}
47
  .hero .sub{font-size:clamp(16px,2.4vw,20px);color:var(--soft);margin:0 0 24px;font-weight:500;}
48
  .hero .lede{max-width:660px;color:var(--soft);font-size:17px;margin:0 0 28px;}
49
  .hero .lede b{color:var(--ink);font-weight:600;}
50
  .cta{display:flex;flex-wrap:wrap;gap:12px;align-items:center;}
51
  .btn{display:inline-flex;align-items:center;gap:8px;padding:10px 18px;border-radius:8px;
52
    font-size:14.5px;font-weight:550;border:1px solid var(--line2);color:var(--ink);background:var(--panel);}
53
  .btn:hover{border-color:var(--accent-dim);background:var(--panel2);color:var(--ink);}
54
  .btn.primary{background:var(--accent);color:#06231f;border-color:var(--accent);font-weight:650;}
55
  .btn.primary:hover{background:#8fe0d2;color:#06231f;}
56
  .meta{margin-top:26px;display:flex;flex-wrap:wrap;gap:8px 22px;font-size:13px;color:var(--muted);}
57
  .meta .mono{color:var(--faint);}
58
59
  /* sections */
60
  section{padding:64px 0;border-bottom:1px solid var(--line);}
61
  .shead{display:flex;align-items:baseline;gap:14px;margin-bottom:30px;}
62
  .shead .idx{font-size:13px;color:var(--accent);letter-spacing:1px;}
63
  .shead h2{font-size:14px;letter-spacing:2px;text-transform:uppercase;color:var(--muted);margin:0;font-weight:600;}
64
  .shead .rule{flex:1;height:1px;background:var(--line);}
65
66
  /* flagship */
67
  .flag{background:linear-gradient(180deg,var(--panel) 0%,var(--bg2) 100%);
68
    border:1px solid var(--line2);border-radius:14px;overflow:hidden;}
69
  .flag .top{padding:30px 32px 8px;}
70
  .flag .tag{font-size:12px;letter-spacing:1.5px;text-transform:uppercase;color:var(--accent);margin-bottom:12px;}
71
  .flag h3{font-size:27px;margin:0 0 6px;letter-spacing:-.4px;}
72
  .flag h3 .v{font-size:13px;color:var(--muted);font-weight:500;margin-left:8px;letter-spacing:0;}
73
  .flag .grid{display:grid;grid-template-columns:1.25fr 1fr;gap:30px;padding:14px 32px 30px;}
74
  .flag p{color:var(--soft);margin:0 0 16px;}
75
  .flag .stats{display:grid;grid-template-columns:1fr 1fr;gap:12px;margin-top:6px;}
76
  .stat{background:var(--bg);border:1px solid var(--line);border-radius:9px;padding:13px 15px;}
77
  .stat .n{font-size:21px;font-weight:680;color:var(--ink);}
78
  .stat .k{font-size:12px;color:var(--muted);margin-top:2px;}
79
  .spec{background:var(--bg);border:1px solid var(--line);border-radius:10px;padding:18px 18px;}
80
  .spec .sk{font-size:11px;letter-spacing:1.5px;text-transform:uppercase;color:var(--faint);margin-bottom:10px;}
81
  .spec ul{margin:0;padding:0;list-style:none;font-size:13.5px;}
82
  .spec li{padding:6px 0;border-top:1px solid var(--line);color:var(--soft);display:flex;justify-content:space-between;gap:14px;}
83
  .spec li:first-child{border-top:none;}
84
  .spec li span{color:var(--muted);}
85
  .flag .foot{padding:0 32px 28px;display:flex;gap:18px;flex-wrap:wrap;font-size:14px;}
86
  @media(max-width:720px){.flag .grid{grid-template-columns:1fr;}}
87
88
  /* lab cards */
89
  .cards{display:grid;grid-template-columns:1fr 1fr;gap:20px;}
90
  @media(max-width:680px){.cards{grid-template-columns:1fr;}}
91
  .card{border:1px solid var(--line);border-radius:12px;overflow:hidden;background:var(--panel);
92
    display:flex;flex-direction:column;transition:border-color .15s,transform .15s;}
93
  .card:hover{border-color:var(--accent-dim);transform:translateY(-2px);}
94
  .card .thumb{height:172px;overflow:hidden;border-bottom:1px solid var(--line);background:#fff;}
95
  .card .thumb img{width:100%;height:100%;object-fit:cover;object-position:top left;display:block;}
96
  .card .body{padding:18px 20px 20px;display:flex;flex-direction:column;flex:1;}
97
  .card h3{margin:0 0 9px;font-size:17px;}
98
  .card p{margin:0 0 14px;font-size:14px;color:var(--soft);flex:1;}
99
  .tags{display:flex;flex-wrap:wrap;gap:6px;margin-bottom:14px;}
100
  .tags span{font-size:11.5px;color:var(--muted);background:var(--bg);border:1px solid var(--line);
101
    border-radius:5px;padding:3px 8px;}
102
  .card .lnk{font-size:13.5px;font-family:ui-monospace,Menlo,monospace;}
103
  .card .lnk::after{content:" โ†’";}
104
105
  /* research */
106
  .rlede{color:var(--soft);max-width:680px;margin:-6px 0 26px;}
107
  .research{display:flex;flex-direction:column;gap:0;border:1px solid var(--line);border-radius:12px;overflow:hidden;}
108
  .ritem{display:grid;grid-template-columns:120px 1fr auto;gap:18px;align-items:center;
109
    padding:18px 22px;border-top:1px solid var(--line);}
110
  .ritem:first-child{border-top:none;}
111
  .ritem:hover{background:var(--panel);}
112
  .ritem .cls{font-size:11px;letter-spacing:.5px;text-transform:uppercase;color:var(--accent);}
113
  .ritem h3{margin:0 0 3px;font-size:16px;}
114
  .ritem p{margin:0;font-size:13.5px;color:var(--muted);}
115
  .ritem .go{font-family:ui-monospace,Menlo,monospace;font-size:13px;white-space:nowrap;}
116
  @media(max-width:680px){.ritem{grid-template-columns:1fr;gap:6px;}.ritem .go{margin-top:4px;}}
117
  .progs{margin-top:22px;}
118
  .progs .sk{font-size:11px;letter-spacing:1.5px;text-transform:uppercase;color:var(--faint);margin-bottom:11px;}
119
  .progs .row{display:flex;flex-wrap:wrap;gap:7px;}
120
  .progs .row span{font-size:12.5px;color:var(--soft);background:var(--panel);border:1px solid var(--line);
121
    border-radius:6px;padding:4px 10px;}
122
123
  /* credentials */
124
  .cred{display:grid;grid-template-columns:1.1fr 1fr;gap:28px;}
125
  @media(max-width:680px){.cred{grid-template-columns:1fr;}}
126
  .cred p{color:var(--soft);margin:0 0 14px;}
127
  .cred .role{font-size:14px;color:var(--muted);}
128
  .cred .role b{color:var(--ink);font-weight:600;}
129
  .certs{list-style:none;margin:0;padding:0;}
130
  .certs li{padding:9px 0;border-top:1px solid var(--line);font-size:14px;color:var(--soft);
131
    display:flex;gap:10px;align-items:baseline;}
132
  .certs li:first-child{border-top:none;}
133
  .certs li .c{color:var(--accent);font-family:ui-monospace,Menlo,monospace;font-size:12px;}
134
135
  footer{padding:46px 0 64px;}
136
  footer .row{display:flex;flex-wrap:wrap;justify-content:space-between;gap:18px;align-items:center;}
137
  footer .links a{color:var(--soft);margin-right:20px;font-size:14px;}
138
  footer .note{color:var(--faint);font-size:12.5px;max-width:520px;}
139
140
  /* detail pages */
141
  .detail-hero{padding:40px 0 28px;}
142
  .back{display:inline-block;font-size:13px;color:var(--muted);margin-bottom:22px;font-family:ui-monospace,Menlo,monospace;}
143
  .back:hover{color:var(--ink);}
144
  .kicker{font-size:12px;letter-spacing:2px;text-transform:uppercase;color:var(--accent);margin-bottom:13px;font-family:ui-monospace,Menlo,monospace;}
145
  .detail-hero h1{font-size:clamp(28px,5vw,42px);margin:0 0 12px;letter-spacing:-.6px;}
146
  .detail-hero .tagline{font-size:clamp(16px,2.2vw,19px);color:var(--soft);max-width:780px;margin:0 0 18px;}
147
  .facts{display:grid;grid-template-columns:repeat(auto-fit,minmax(148px,1fr));gap:12px;margin-top:24px;}
148
  figure{margin:0;}
149
  .shot{border:1px solid var(--line2);border-radius:12px;overflow:hidden;background:#fff;margin:30px 0 6px;}
150
  .shot img,.shot video{display:block;width:100%;height:auto;}
151
  figcaption{font-size:13px;color:var(--muted);margin:11px 2px 0;}
152
  .content{padding:6px 0 0;}
153
  .content h2{font-size:13px;letter-spacing:2px;text-transform:uppercase;color:var(--muted);margin:44px 0 16px;font-weight:600;border-top:1px solid var(--line);padding-top:30px;}
154
  .content h2.first{border-top:none;padding-top:6px;margin-top:18px;}
155
  .content p{color:var(--soft);margin:0 0 16px;}
156
  .content ul,.content ol{color:var(--soft);margin:0 0 16px;padding-left:22px;}
157
  .content li{margin:6px 0;}
158
  .content strong{color:var(--ink);font-weight:600;}
159
  .content code{font-family:ui-monospace,Menlo,monospace;font-size:13px;background:var(--panel2);border:1px solid var(--line);border-radius:4px;padding:1px 5px;color:var(--soft);}
160
  .content pre{background:var(--bg2);border:1px solid var(--line2);border-radius:10px;padding:15px 18px;overflow-x:auto;margin:0 0 18px;}
161
  .content pre code{background:none;border:none;padding:0;font-size:12.5px;color:var(--soft);line-height:1.62;}
162
  .content table{width:100%;border-collapse:collapse;margin:2px 0 20px;font-size:13.5px;}
163
  .content th{text-align:left;color:var(--muted);font-weight:600;border-bottom:1px solid var(--line2);padding:9px 12px;font-size:11px;letter-spacing:.6px;text-transform:uppercase;}
164
  .content td{color:var(--soft);border-bottom:1px solid var(--line);padding:9px 12px;vertical-align:top;}
165
  .content td code{font-size:12px;}
166
  .gallery{margin-top:8px;}
167
  .repo-line{margin:42px 0 0;color:var(--faint);font-size:12.5px;font-family:ui-monospace,Menlo,monospace;}
168
</style>
169
<link rel="canonical" href="https://zionboggan.com/detection-as-code/">
170
<meta name="author" content="Zion Boggan">
171
<meta name="robots" content="index, follow, max-image-preview:large">
172
<meta property="og:type" content="article">
173
<meta property="og:site_name" content="Zion Boggan">
174
<meta property="og:title" content="Detection-as-Code | Zion Boggan">
175
<meta property="og:description" content="Sigma rules mapped to MITRE ATT&amp;amp;CK, linted and tested in CI, and compiled to Splunk, Elastic, and Microsoft Sentinel KQL: one rule, every SIEM.">
176
<meta property="og:url" content="https://zionboggan.com/detection-as-code/">
177
<meta property="og:image" content="https://zionboggan.com/assets/detection-as-code/01-multi-siem-conversion.png">
178
<meta name="twitter:card" content="summary_large_image">
179
<meta name="twitter:title" content="Detection-as-Code | Zion Boggan">
180
<meta name="twitter:description" content="Sigma rules mapped to MITRE ATT&amp;amp;CK, linted and tested in CI, and compiled to Splunk, Elastic, and Microsoft Sentinel KQL: one rule, every SIEM.">
181
<meta name="twitter:image" content="https://zionboggan.com/assets/detection-as-code/01-multi-siem-conversion.png">
182
<script type="application/ld+json">{"@context":"https://schema.org","@type":"TechArticle","headline":"Detection-as-Code","description":"Sigma rules mapped to MITRE ATT&amp;amp;CK, linted and tested in CI, and compiled to Splunk, Elastic, and Microsoft Sentinel KQL: one rule, every SIEM.","url":"https://zionboggan.com/detection-as-code/","image":"https://zionboggan.com/assets/detection-as-code/01-multi-siem-conversion.png","author":{"@type":"Person","name":"Zion Boggan","url":"https://zionboggan.com"},"publisher":{"@type":"Person","name":"Zion Boggan"}}</script>
183
</head>
184
<body>
185
<nav><div class="wrap">
186
  <a class="brand mono" href="/" style="color:var(--ink)">zion_boggan<span class="dot">.</span></a>
187
  <span class="links">
188
    <a href="/#oversight">Oversight</a>
189
    <a href="/#labs">Labs</a>
190
    <a href="/#research">Research</a>
191
    <a href="/#background">Background</a>
192
    <a href="/">Home</a>
193
  </span>
194
</div></nav>
195
<header class="hero detail-hero"><div class="wrap">
196
  <a class="back" href="/#labs">&larr; All work</a>
197
  <div class="kicker">DETECTION ENGINEERING</div>
198
  <h1>Detection-as-Code</h1>
199
  <p class="tagline">Sigma rules mapped to MITRE ATT&amp;CK, linted and tested in CI, and compiled to Splunk, Elastic, and Microsoft Sentinel KQL: one rule, every SIEM.</p>
200
  <div class="tags"><span>Sigma</span><span>Splunk SPL</span><span>Sentinel KQL</span><span>Elastic ES|QL</span><span>MITRE ATT&amp;CK</span><span>Sysmon</span><span>GitHub Actions</span><span>pytest</span></div>
201
  <div class="facts"><div class="stat"><div class="n">10</div><div class="k">Sigma rules</div></div><div class="stat"><div class="n">3</div><div class="k">SIEM targets</div></div><div class="stat"><div class="n">9</div><div class="k">ATT&amp;CK techniques</div></div><div class="stat"><div class="n">5</div><div class="k">ATT&amp;CK tactics</div></div><div class="stat"><div class="n">27</div><div class="k">compiled queries</div></div></div>
202
  <div class="cta" style="margin-top:24px"></div>
203
</div></header>
204
<section><div class="wrap">
205
  <figure class="shot"><img loading="lazy" src="/assets/detection-as-code/01-multi-siem-conversion.png" alt="One Sigma rule compiled to Splunk SPL, Elastic ES|QL, and Microsoft Sentinel KQL side by side."></figure><figcaption>One Sigma rule compiled to Splunk SPL, Elastic ES|QL, and Microsoft Sentinel KQL side by side.</figcaption>
206
  <div class="content">
207
  <h2>Repository layout</h2>
208
<p>Rules live as Sigma YAML under <code>rules/</code>, split by platform and ATT&CK tactic. One compiler walks the tree and emits a query per backend into <code>dist/{splunk,esql,kusto}/</code>, mirroring the source layout. Tests, the CI workflow, and a Makefile of one-liners sit alongside.</p><pre><code>rules/
209
  windows/   credential-access, execution, persistence, defense-evasion, initial-access
210
  linux/     credential-access, execution, persistence
211
tools/convert.py        compile every rule to Splunk / Elastic / Sentinel
212
tests/test_rules.py     schema, ATT&CK tagging, unique IDs, correlation references
213
.github/workflows/      lint -> test -> convert on every push
214
dist/                   generated queries (CI artifact; gitignored)</code></pre><p>The pinned toolchain is small and exact: <code>sigma-cli==3.0.2</code> with the Splunk, Elasticsearch, and Kusto backends, plus the Sysmon and Windows processing pipelines. Both the linter and the converter run from that single requirements set.</p><pre><code>sigma-cli==3.0.2
215
pysigma-backend-splunk==2.1.0
216
pysigma-backend-elasticsearch==2.0.3
217
pysigma-backend-kusto==1.0.1
218
pysigma-pipeline-sysmon==2.0.0
219
pysigma-pipeline-windows==2.0.0
220
pytest==8.3.3
221
PyYAML==6.0.3</code></pre>
222
<h2>A rule in full</h2>
223
<p>Rules are not naive. The LSASS detection filters on the granted-access masks that Mimikatz, comsvcs MiniDump, and similar tooling actually request rather than the broad <code>0x1010</code> alone, and excludes known legitimate readers. Source, verbatim:</p><pre><code>title: Suspicious LSASS Process Access
224
id: dcfda42d-c1a7-4106-aa96-7912201d9221
225
status: experimental
226
description: &gt;
227
  Detects process access to lsass.exe with access rights commonly used to read
228
  process memory (credential dumping). Tuned to the granted-access masks seen with
229
  Mimikatz, comsvcs MiniDump, and similar tooling rather than the broad 0x1010 alone.
230
references:
231
  - https://attack.mitre.org/techniques/T1003/001/
232
  - https://github.com/SwiftOnSecurity/sysmon-config
233
author: Zion Boggan
234
date: 2026-05-12
235
tags:
236
  - attack.credential_access
237
  - attack.t1003.001
238
logsource:
239
  product: windows
240
  category: process_access
241
detection:
242
  selection:
243
    TargetImage|endswith: '\lsass.exe'
244
    GrantedAccess:
245
      - '0x1010'
246
      - '0x1410'
247
      - '0x143a'
248
      - '0x1438'
249
      - '0x1fffff'
250
  filter_known:
251
    SourceImage|endswith:
252
      - '\wininit.exe'
253
      - '\csrss.exe'
254
      - '\MsMpEng.exe'
255
      - '\wmiprvse.exe'
256
  condition: selection and not filter_known
257
falsepositives:
258
  - EDR and AV products legitimately reading LSASS; baseline and add to filter_known.
259
level: high</code></pre>
260
<h2>The compiler and pipeline selection</h2>
261
<p><code>tools/convert.py</code> walks every <code>.yml</code> under <code>rules/</code> and shells out to <code>sigma convert</code> once per backend. The right processing pipeline is chosen from each rule's <code>logsource</code>: Sysmon for process, file, image-load, and network categories; Windows-audit for the Security and System channels (service installs, scheduled tasks). Rules with no matching pipeline are converted with <code>--without-pipeline</code> so generic logic still compiles.</p><pre><code>CATEGORY_PIPELINE = {
262
    "process_creation": "sysmon",
263
    "process_access": "sysmon",
264
    "image_load": "sysmon",
265
    "file_event": "sysmon",
266
    "network_connection": "sysmon",
267
    "dns_query": "sysmon",
268
}
269
SERVICE_PIPELINE = {
270
    "security": "windows-audit",
271
    "system": "windows-audit",
272
}
273
274
275
def pipeline_for(rule: dict) -> str | None:
276
    ls = rule.get("logsource", {})
277
    if ls.get("product") == "windows":
278
        if ls.get("category") in CATEGORY_PIPELINE:
279
            return CATEGORY_PIPELINE[ls["category"]]
280
        if ls.get("service") in SERVICE_PIPELINE:
281
            return SERVICE_PIPELINE[ls["service"]]
282
    return None</code></pre><p>Each rule then runs through <code>sigma convert -t &lt;backend&gt; -s</code>, with <code>-p &lt;pipeline&gt;</code> appended when one matched. A non-zero exit surfaces the last stderr line as the skip reason, so a broken rule is loud rather than silent.</p>
283
<h2>All three backends</h2>
284
<p>The LSASS source above compiles to each target without the logic being re-derived. The same selection plus the same exclusion list, expressed in three dialects. Splunk SPL:</p><pre><code>EventID=10 TargetImage="*\\lsass.exe" GrantedAccess IN ("0x1010", "0x1410", "0x143a", "0x1438", "0x1fffff") NOT (SourceImage IN ("*\\wininit.exe", "*\\csrss.exe", "*\\MsMpEng.exe", "*\\wmiprvse.exe"))</code></pre><p>Elastic ES|QL:</p><pre><code>from * metadata _id, _index, _version | where EventID==10 and ends_with(TargetImage, "\\lsass.exe") and (GrantedAccess in ("0x1010", "0x1410", "0x143a", "0x1438", "0x1fffff")) and not (ends_with(SourceImage, "\\wininit.exe") or ends_with(SourceImage, "\\csrss.exe") or ends_with(SourceImage, "\\MsMpEng.exe") or ends_with(SourceImage, "\\wmiprvse.exe"))</code></pre><p>Microsoft Sentinel / Defender KQL:</p><pre><code>EventID == 10 and ((TargetImage endswith "\\lsass.exe" and (GrantedAccess in~ ("0x1010", "0x1410", "0x143a", "0x1438", "0x1fffff"))) and (not((SourceImage endswith "\\wininit.exe" or SourceImage endswith "\\csrss.exe" or SourceImage endswith "\\MsMpEng.exe" or SourceImage endswith "\\wmiprvse.exe"))))</code></pre>
285
<h2>Correlation rules</h2>
286
<p>Single events are often informational; the alert is in the aggregate. SSH brute force is modelled as a Sigma correlation over a per-event base rule. The base rule is tagged <code>informational</code> and matches one failed authentication:</p><pre><code>title: SSH Authentication Failure
287
name: ssh_auth_failure
288
id: cc6fd1c9-b264-4be8-bb53-b6f4e2af9776
289
status: experimental
290
description: Base detection for a single failed SSH authentication, used by the brute-force correlation.
291
logsource:
292
  product: linux
293
  service: sshd
294
detection:
295
  selection:
296
    - Message|contains: 'Failed password for'
297
    - Message|contains: 'Invalid user'
298
    - Message|startswith: 'Connection closed by authenticating user'
299
  condition: selection
300
level: informational</code></pre><p>The correlation rule references that base by <code>name</code> and fires on eight or more failures from one source IP inside a two-minute window:</p><pre><code>correlation:
301
  type: event_count
302
  rules:
303
    - ssh_auth_failure
304
  group-by:
305
    - src_ip
306
  timespan: 2m
307
  condition:
308
    gte: 8</code></pre><p>Because a correlation needs its referenced rule present in the same collection, these are compiled together (<code>make correlations</code> converts the whole <code>linux/credential-access/</code> directory at once).</p>
309
<h2>The test suite</h2>
310
<p><code>pytest</code> gates rule quality before anything compiles. Schema, ATT&CK tagging, unique IDs, and correlation references are all enforced. The technique tag is matched against a regex and tactic tags against the full ATT&CK enterprise set:</p><pre><code>TECHNIQUE_RE = re.compile(r"^attack\.t\d{4}(\.\d{3})?$")
311
312
313
@pytest.mark.parametrize("path", RULES, ids=[p.name for p in RULES])
314
def test_rule_schema(path):
315
    rule = load(path)
316
    for field in ("title", "id", "status", "description", "tags", "level"):
317
        assert rule.get(field), f"{path.name} missing {field}"
318
    assert "detection" in rule or "correlation" in rule, f"{path.name} has no detection/correlation"
319
    assert rule["level"] in {"informational", "low", "medium", "high", "critical"}
320
    assert rule["status"] in {"experimental", "test", "stable", "deprecated", "unsupported"}
321
322
323
@pytest.mark.parametrize("path", RULES, ids=[p.name for p in RULES])
324
def test_attack_tags(path):
325
    tags = load(path).get("tags", [])
326
    techniques = [t for t in tags if TECHNIQUE_RE.match(t)]
327
    assert techniques, f"{path.name} has no ATT&CK technique tag"</code></pre><p>The correlation check loads every rule's <code>name</code> and asserts that each correlation's references resolve, so a renamed or deleted base rule fails the build instead of silently producing an empty alert:</p><pre><code>def test_correlation_refs_resolve():
328
    names = {load(p).get("name") for p in RULES if load(p).get("name")}
329
    for path in RULES:
330
        corr = load(path).get("correlation")
331
        if corr:
332
            for ref in corr.get("rules", []):
333
                assert ref in names, f"{path.name} references unknown rule '{ref}'"</code></pre>
334
<h2>CI workflow</h2>
335
<p>Every push and pull request to <code>main</code> runs a single <code>validate</code> job that lints, tests, and compiles in order, then uploads the generated queries as an artifact. The trimmed workflow:</p><pre><code>jobs:
336
  validate:
337
    runs-on: ubuntu-latest
338
    steps:
339
      - uses: actions/checkout@v4
340
      - uses: actions/setup-python@v5
341
        with:
342
          python-version: "3.11"
343
      - run: pip install -r requirements.txt
344
      - name: Lint Sigma rules
345
        run: sigma check rules/
346
      - name: Schema + ATT&CK tests
347
        run: pytest -q
348
      - name: Convert to Splunk / Elastic / Sentinel
349
        run: python tools/convert.py
350
      - uses: actions/upload-artifact@v4
351
        with:
352
          name: converted-queries
353
          path: dist/</code></pre><p>A conversion error fails the job, so a rule that lints but does not compile to one of the three backends never merges. The <code>dist/</code> tree is gitignored and rebuilt from source on every run.</p>
354
<h2>ATT&amp;CK coverage and validation</h2>
355
<p>A focused, high-signal set covering the techniques that show up most in real triage: credential dumping, phishing-to-execution, persistence, and brute force. Nine techniques across five tactics, every rule tagged and tuned past the naive version.</p><table><thead><tr><th>Tactic</th><th>Technique</th><th>Detection</th><th>Platform</th><th>Level</th></tr></thead><tbody><tr><td>Initial Access</td><td>T1566.001</td><td>Office spawns scripting host / LOLBin</td><td>Windows</td><td>high</td></tr><tr><td>Execution</td><td>T1059.001</td><td>PowerShell EncodedCommand</td><td>Windows</td><td>medium</td></tr><tr><td>Execution</td><td>T1059.004</td><td>Reverse shell one-liner</td><td>Linux</td><td>high</td></tr><tr><td>Defense Evasion</td><td>T1218.011</td><td>Suspicious rundll32</td><td>Windows</td><td>high</td></tr><tr><td>Persistence</td><td>T1543.003</td><td>New service installed (7045)</td><td>Windows</td><td>high</td></tr><tr><td>Persistence</td><td>T1053.005</td><td>Scheduled task created (4698)</td><td>Windows</td><td>medium</td></tr><tr><td>Persistence</td><td>T1543.002</td><td>Systemd persistence</td><td>Linux</td><td>medium</td></tr><tr><td>Credential Access</td><td>T1003.001</td><td>Suspicious LSASS access</td><td>Windows</td><td>high</td></tr><tr><td>Credential Access</td><td>T1110</td><td>SSH brute force (correlation)</td><td>Linux</td><td>high</td></tr></tbody></table><p>CI proves the rules lint, pass their tests, and compile. Behaviour is validated separately: in a companion purple-team lab, Atomic Red Team fires each technique and the matching detection is confirmed in a Wazuh SIEM before a rule is promoted here. New detections are only added after they survive that loop, which keeps the set small, high-signal, and grounded in observed telemetry rather than copied from public rule dumps.</p>
356
  </div>
357
358
  <p class="repo-line">Repository &middot; github.com/zionboggan/detection-as-code</p>
359
</div></section>
360
<footer><div class="wrap row">
361
  <div class="links">
362
    <a href="/">Portfolio</a>
363
    <a href="https://www.linkedin.com/in/zion-boggan">LinkedIn</a>
364
    <a href="https://oversightprotocol.dev/">Oversight</a>
365
    <a href="mailto:zionboggan0@gmail.com">Email</a>
366
  </div>
367
  <div class="note">Built and deployed on a self-hosted Proxmox homelab. This page mirrors the
368
  project's documentation and results so the work is fully viewable here.</div>
369
</div></footer>
370
</body>
371
</html>