CyberBlueAcademy

Module 12: Sigma — Detection Engineering

Write universal detection rules. Make your SIEM smarter.

Tools: Sigma, Wazuh

7 Lessons, 6 Hands-on Labs
Operation Shadow Broker Thread

You'll write Sigma detection rules for the attack patterns seen in this thread: brute force, encoded PowerShell, and suspicious services.

Lessons & Labs

Why Detection Engineering Matters

From reacting to creating alerts

Lab 12.1 — Read a Sigma Rule (Intermediate)

Read 5 rules; explain what each one detects and map it to ATT&CK.

Sigma Rule Structure

Title, logsource, detection, tags

Lab 12.2 — Brute Force Detection (Intermediate)

Write a rule that fires on 5 or more failed logons within 5 minutes.

Writing Your First Detection

Brute force, suspicious process

Lab 12.3 — Suspicious PowerShell (Advanced)

Detect encoded PowerShell command lines (the -EncodedCommand / -enc switch).

Sigma → Wazuh/OpenSearch

Converting and deploying rules

Lab 12.4 — Threat Report → Detection (Advanced)

Turn a threat report into a detection: write the rule, convert it, deploy it, and test it.

Tuning & False Positives

Filters, exclusions, real-world rules

Lab 12.5 — Tune a Noisy Rule (Advanced)

Cut a rule from 200 alerts/day to under 5/day without losing true positives.
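As an added, runnable illustration of Labs 12.2, 12.3 and 12.5 together (example code written for this page; it is not the course's lab material, not pySigma or sigma-cli, and not a Wazuh or OpenSearch backend): the rules below are Python dicts that mirror the keys of a Sigma YAML file (title, logsource, a detection section with selection/filter blocks and a condition, level, tags), and a small evaluator runs them over constructed sample events. The brute-force rule uses Sigma's count() aggregation with a 5m timeframe; the encoded-PowerShell rule is then tuned with a filter block that excludes a hypothetical management agent (AcmeAgent.exe, an assumption made only for this example). The evaluator understands only the subset of the rule grammar these three rules use.

```python
"""Minimal Sigma-style rule evaluator over constructed Windows events.
Hypothetical helper added for this page (not pySigma, sigma-cli or a SIEM
backend): it handles only the grammar the three rules below use, i.e. the
contains/startswith/endswith modifiers, lists as OR, 'and'/'not' conditions
and 'count() by <field> > N' over a timeframe. Dict keys mirror Sigma YAML."""
from collections import defaultdict
from datetime import datetime, timedelta


def _field_matches(event, key, wanted):
    field, _, mod = key.partition("|")           # "CommandLine|contains"
    value = str(event.get(field, "")).lower()    # Sigma matching is case-insensitive
    for want in map(str, wanted if isinstance(wanted, list) else [wanted]):
        want = want.lower()                      # a list of values is an OR
        if ((mod == "contains" and want in value)
                or (mod == "startswith" and value.startswith(want))
                or (mod == "endswith" and value.endswith(want))
                or (mod == "" and value == want)):
            return True
    return False


def _block_matches(event, block):
    if isinstance(block, list):                  # a list of maps is an OR of maps
        return any(_block_matches(event, b) for b in block)
    return all(_field_matches(event, k, v) for k, v in block.items())


def _condition(event, det):
    """'a and not b' style conditions; the part after '|' is the aggregation."""
    result = True
    for term in det["condition"].split("|")[0].split(" and "):
        term = term.strip()
        negate = term.startswith("not ")
        result = result and (_block_matches(event, det[term[4:] if negate else term]) != negate)
    return result


def run_rule(rule, events):
    """Plain rules return matching events; count() rules return the sorted group
    keys whose matches exceed the threshold inside one timeframe window."""
    det = rule["detection"]
    matched = [e for e in events if _condition(e, det)]
    if "|" not in det["condition"]:
        return matched
    agg = det["condition"].split("|", 1)[1]      # "count() by TargetUserName > 4"
    by_field = agg.split(" by ")[1].split(">")[0].strip()
    threshold, window = int(agg.split(">")[1]), timedelta(minutes=int(det["timeframe"][:-1]))
    groups = defaultdict(list)
    for e in matched:
        groups[e[by_field]].append(e["ts"])
    hits = set()
    for key, times in groups.items():
        times.sort()
        for i, t0 in enumerate(times):           # window anchored at each event in turn
            if sum(1 for t in times[i:] if t - t0 <= window) > threshold:
                hits.add(key)
                break
    return sorted(hits)


RULE_BRUTE_FORCE = {                             # Lab 12.2: 5+ failed logons in 5 minutes
    "title": "Multiple Failed Logons From One Account",
    "logsource": {"product": "windows", "service": "security"},
    "detection": {"selection": {"EventID": 4625}, "timeframe": "5m",
                  "condition": "selection | count() by TargetUserName > 4"},
    "level": "medium", "tags": ["attack.credential_access", "attack.t1110"],
}
RULE_ENCODED_PS = {                              # Lab 12.3: encoded PowerShell
    "title": "Encoded PowerShell Command Line",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {"selection": {"Image|endswith": ["\\powershell.exe", "\\pwsh.exe"],
                                "CommandLine|contains": [" -enc ", " -encodedcommand ", " -e "]},
                  "condition": "selection"},
    "level": "high", "tags": ["attack.execution", "attack.t1059.001"],
}
# Lab 12.5: same selection plus an exclusion for a hypothetical management agent
# (AcmeAgent.exe, constructed) that legitimately launches encoded commands.
RULE_ENCODED_PS_TUNED = {**RULE_ENCODED_PS, "title": "Encoded PowerShell Command Line (tuned)",
    "detection": {**RULE_ENCODED_PS["detection"],
                  "filter_agent": {"ParentImage|endswith": "\\AcmeAgent.exe"},
                  "condition": "selection and not filter_agent"}}

# Constructed sample telemetry, not real logs.
T0 = datetime(2026, 1, 15, 9, 0, 0)
def _failed_logon(minute, user):
    return {"EventID": 4625, "TargetUserName": user, "ts": T0 + timedelta(minutes=minute)}
SECURITY_LOG = ([_failed_logon(m, "jsmith") for m in (0, 1, 1.5, 2, 3, 4)]        # 6 in 4 min
                + [_failed_logon(m, "kdoe") for m in (0, 10, 20, 30, 40, 50)])    # 6 in 50 min
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SYSMON_LOG = [
    {"EventID": 1, "Image": PS, "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"},
    {"EventID": 1, "Image": "C:\\Program Files\\PowerShell\\7\\pwsh.exe",
     "ParentImage": "C:\\Program Files\\Acme\\AcmeAgent.exe",
     "CommandLine": "pwsh.exe -EncodedCommand VwByAGkAdABlAC0ASABvAHMAdAA="},
    {"EventID": 1, "Image": PS, "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\inventory.ps1"},
]

if __name__ == "__main__":
    print("brute force:", run_rule(RULE_BRUTE_FORCE, SECURITY_LOG))                 # ['jsmith']
    print("encoded PS:", len(run_rule(RULE_ENCODED_PS, SYSMON_LOG)))                # 2
    print("encoded PS, tuned:", len(run_rule(RULE_ENCODED_PS_TUNED, SYSMON_LOG)))   # 1
```

Two points the lab descriptions only hint at: the count() threshold is written as `> 4` because Sigma aggregations compare with `>`, so "5 or more" is "more than 4"; and the tuning exclusion keys on ParentImage rather than on the command line, so the same encoded payload launched from cmd.exe (the first Sysmon event) still fires while the agent's own invocations are dropped. Note that kdoe's six failures spread over 50 minutes never land inside one 5-minute window and so do not alert.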

SigmaHQ: 3,000+ Rules

Navigating the repository

Lab 12.6 — SigmaHQ Deployment (Expert)

Select 10 SigmaHQ rules, batch-convert them, and deploy them.

Detection-as-Code: Engineering Your Defenses

Version-controlling detections with Git, CI/CD pipelines for automated rule testing and deployment, and coverage metrics.
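One concrete form of the CI step described above, as an added example (it is not the course's tooling and not anything from SigmaHQ): a linter that a pull-request job would run over the parsed rule files, here represented as constructed dicts with the same keys as the YAML. It checks required fields, that ids are UUIDs, that the level is a valid Sigma level, that every block named in the condition exists, that each rule carries an ATT&CK technique tag, and that no id is duplicated across the repository, then computes a per-technique coverage count from the rules that pass. The two sample rules and the defects in the second one are constructed.

```python
"""Detection-as-code checks of the kind a CI job runs on every pull request to
a Sigma rule repository. Added example for this page, not the course's or
SigmaHQ's own tooling; the rule dicts are constructed stand-ins for parsed YAML."""
import re
from collections import Counter

REQUIRED = ("title", "id", "status", "logsource", "detection", "level")
UUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")
TECHNIQUE_RE = re.compile(r"^attack\.t\d{4}(\.\d{3})?$")   # attack.t1110, attack.t1059.001
LEVELS = {"informational", "low", "medium", "high", "critical"}
KEYWORDS = {"and", "or", "not", "of", "them", "all"}       # condition words, not block names


def lint_rule(rule):
    """Return a list of problems; an empty list means the rule passes."""
    problems = [f"missing required field '{k}'" for k in REQUIRED if k not in rule]
    if "id" in rule and not UUID_RE.match(str(rule["id"])):
        problems.append("id is not a UUID")
    if rule.get("level") not in LEVELS:
        problems.append(f"unknown level {rule.get('level')!r}")
    det = rule.get("detection", {})
    if "condition" not in det:
        problems.append("detection has no condition")
    else:
        # every name used before the '|' aggregation must be a defined block
        # (plain and/or/not conditions only; wildcard names are not handled)
        names = set(re.findall(r"[A-Za-z_][A-Za-z0-9_]*", det["condition"].split("|")[0]))
        for n in sorted(names - KEYWORDS - set(det)):
            problems.append(f"condition references undefined block '{n}'")
    if not any(TECHNIQUE_RE.match(t) for t in rule.get("tags", [])):
        problems.append("no attack.tNNNN tag, rule will not count toward coverage")
    return problems


def lint_repo(rules):
    """Per-rule problems keyed by title, plus repo-wide duplicate-id findings."""
    report = {r.get("title", "<untitled>"): lint_rule(r) for r in rules}
    for rule_id, n in Counter(r.get("id") for r in rules).items():
        if rule_id and n > 1:
            report.setdefault("<repo>", []).append(f"duplicate id {rule_id}")
    return report


def technique_coverage(rules):
    """ATT&CK technique -> number of passing rules tagged with it."""
    cov = Counter()
    for r in rules:
        if lint_rule(r):
            continue                      # a broken rule is not coverage
        for t in r.get("tags", []):
            if TECHNIQUE_RE.match(t):
                cov[t.split(".", 1)[1].upper()] += 1   # "attack.t1110" -> "T1110"
    return dict(cov)


# Constructed sample rules: one clean, one with typical review findings.
GOOD = {
    "title": "Multiple Failed Logons From One Account",
    "id": "5d3f2c1a-8b7e-4a9d-9c0f-1e2d3c4b5a69",
    "status": "test", "level": "medium",
    "logsource": {"product": "windows", "service": "security"},
    "detection": {"selection": {"EventID": 4625}, "timeframe": "5m",
                  "condition": "selection | count() by TargetUserName > 4"},
    "tags": ["attack.credential_access", "attack.t1110"],
}
BAD = {
    "title": "Encoded PowerShell (draft)",
    "id": "rule-0002",                            # not a UUID
    "status": "experimental", "level": "hi",      # typo in level
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {"selection": {"CommandLine|contains": " -enc "},
                  "condition": "selection and not filter"},   # 'filter' never defined
    "tags": ["attack.execution"],                 # tactic only, no technique
}
RULES = [GOOD, BAD]

if __name__ == "__main__":
    for title, problems in lint_repo(RULES).items():
        print(title, "->", problems or "OK")
    print("coverage:", technique_coverage(RULES))   # {'T1110': 1}
```

A job like this fails the build on any non-empty problem list, so a rule whose condition names a block that was renamed, or whose technique tag was forgotten, never reaches the SIEM; the coverage dict is what a dashboard turns into "techniques with at least one passing rule", and it deliberately ignores rules that fail lint.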

The SANS alternative you can actually afford. Real tools. Real labs. Real skills.

© 2026 CyberBlue Academy. All rights reserved.
