01
Where rules come from
- The engine emits one Sigma rule per finding with a detectable log signal. Rules are generated from the probe's attack pattern and the target's specific response — not generic templates.
- Download the full bundle from the run page (Download Sigma rules .yml button) or via API: GET /v1/demo/runs/{run_id}/sigma for sandbox runs, GET /v1/runs/{run_id}/sigma for tenant runs.
- Each rule ships with a starter disclaimer — tune field names, thresholds, and log source paths for your SIEM before deploying to production.
02
Import and tune
- Splunk: pipe the YAML to sigma-cli convert -t splunk. Import the resulting SPL as a correlation search. Set timeframe and threshold to match your log ingestion latency.
- Elastic (ESQL / Security Solution): use sigma-cli convert -t esql or the Security Solution import endpoint. Map sigma.logsource.service to the matching index pattern in your deployment.
- Track rule status: starter (import as-is), tuned (thresholds adjusted for your environment), verified (no false positives in production for 7 days — confirmed by replay that the patch closes the bypass).