Case studies first, then verified library content
The repo ships multi-platform detection content and IR playbooks with reproducible counts. All numbers are verified (reproducible today) — no inflated totals, no hand-waving.
What the detections actually caught
Read the write-ups to understand the context behind the rule counts: what triggered, how it was triaged, what changed.
Expandable detection content
Multi-platform detection content organized by format. Expand a card to see what's inside and copy a verification command.
pwsh -NoProfile -File .\scripts\verify\verify-counts.ps1
MITRE ATT&CK tactic coverage
Sigma rules are organized by tactic folder. The table below shows which ATT&CK tactics have detection coverage. Expand any tactic card to see technique examples and pivots.
Full tactic-to-rule mapping lives in detection-rules/INDEX.md in the repo. Browse on GitHub →
Sigma (103 rules)
Where: detection-rules/sigma/ • Format: YAML • Organized by MITRE tactics.
# from repo root
(Get-ChildItem -Recurse .\detection-rules\sigma -Filter *.yml).Count
Repo proof: Counts are generated and published in PROOF_PACK/VERIFIED_COUNTS.md via verification scripts.
Wazuh (28 rule blocks, 24 XML files)
Where: detection-rules/wazuh/rules/ • Deployment: bundle to local_rules.xml.
# from repo root
pwsh -File .\scripts\build-wazuh-bundle.ps1
# XML files
(Get-ChildItem .\detection-rules\wazuh\rules -Filter *.xml).Count
# rule blocks (simple regex count)
Select-String -Path .\detection-rules\wazuh\rules\*.xml -Pattern '<rule\s+id=' | Measure-Object | % Count
Splunk (8 SPL queries)
Where: detection-rules/splunk/ • Format: SPL.
(Get-ChildItem .\detection-rules\splunk -Filter *.spl).Count
Incident Response Playbooks (10)
Where: incident-response/playbooks/ • Format: Markdown.
(Get-ChildItem .\incident-response\playbooks -Filter *.md).Count
Verification workflow
Why: credibility. The CI pipeline validates counts on commits and generates a verification report.
- scripts/verify/verify-counts.ps1 reproduces counts locally.
- PROOF_PACK/VERIFIED_COUNTS.md is auto-generated by CI.
- Release notes document the exact locations and totals.
pwsh -NoProfile -File .\scripts\verify\verify-counts.ps1
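As an added example (not the repo's own verify-counts.ps1), here is a Python equivalent of the count commands above, run against a constructed miniature tree. It also shows why the simple `<rule\s+id=` regex can over-count when a rule block has been commented out, which is the caveat to keep in mind when comparing a local count to the published total. Paths follow the layout stated on this page; the file names inside the sample tree are made up.

```python
import re
import tempfile
from pathlib import Path
RULE_ID_RE = re.compile(r"<rule\s+id=")        # same pattern as the page's Select-String
XML_COMMENT_RE = re.compile(r"<!--.*?-->", re.DOTALL)

def count_files(root: Path, subdir: str, suffix: str, recursive: bool = False) -> int:
    """Mirror (Get-ChildItem [-Recurse] <dir> -Filter *<suffix>).Count."""
    found = (root / subdir).rglob(f"*{suffix}") if recursive else (root / subdir).glob(f"*{suffix}")
    return sum(1 for p in found if p.is_file())

def count_wazuh_rule_blocks(root: Path, strip_comments: bool = True) -> int:
    """Count <rule id=...> openings; by default ignore ones inside <!-- ... -->."""
    total = 0
    for xml in (root / "detection-rules/wazuh/rules").glob("*.xml"):
        text = xml.read_text(encoding="utf-8")
        total += len(RULE_ID_RE.findall(XML_COMMENT_RE.sub("", text) if strip_comments else text))
    return total

def verified_counts(root: Path) -> dict:
    return {
        "sigma_rules": count_files(root, "detection-rules/sigma", ".yml", recursive=True),
        "wazuh_xml_files": count_files(root, "detection-rules/wazuh/rules", ".xml"),
        "wazuh_rule_blocks": count_wazuh_rule_blocks(root),
        "wazuh_rule_blocks_naive": count_wazuh_rule_blocks(root, strip_comments=False),
        "splunk_queries": count_files(root, "detection-rules/splunk", ".spl"),
        "ir_playbooks": count_files(root, "incident-response/playbooks", ".md"),
    }

def check_against_expected(actual: dict, expected: dict) -> list:
    """Mismatch messages; an empty list means the published totals reproduce."""
    return [f"{k}: expected {v}, got {actual.get(k)}" for k, v in expected.items() if actual.get(k) != v]

def build_sample_repo(root: Path) -> None:
    """Constructed miniature tree (not the real repo's content) so the check runs offline."""
    for rel, body in {
        "detection-rules/sigma/execution/encoded_ps.yml": "title: sample\n",
        "detection-rules/sigma/persistence/run_key.yml": "title: sample\n",
        "detection-rules/wazuh/rules/a.xml": '<group name="a">\n<rule id="100100" level="5"/>\n<rule id="100101" level="7"/>\n</group>\n',
        "detection-rules/wazuh/rules/b.xml": '<group name="b">\n<!-- <rule id="100199" level="1"/> -->\n<rule id="100102" level="5"/>\n</group>\n',
        "detection-rules/splunk/beaconing.spl": "index=proxy | stats count by dest\n",
        "incident-response/playbooks/ransomware.md": "# Playbook\n",
    }.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(body, encoding="utf-8")

def demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_repo(Path(tmp))
        return verified_counts(Path(tmp))
```

Point `verified_counts` at a real checkout instead of the temp tree and feed `check_against_expected` the totals from PROOF_PACK/VERIFIED_COUNTS.md to reproduce the CI check locally.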
Initial Access
Rules grouped under the tactic folder in Sigma. Use these to spot the start of a compromise chain.
- Malicious macro execution patterns
- Suspicious attachment and script launch indicators
- Initial payload staging behaviors
Execution
- PowerShell encoded/obfuscated execution
- LOLBin abuse (signed binaries doing unspeakable things)
- Script host anomalies
Persistence
- Scheduled task creation and tampering
- Registry Run key abuse
- Service installation anomalies
Privilege Escalation
- Token manipulation
- Abnormal admin group changes
- Exploitation indicators in logs
Defense Evasion
- Log clearing and disabling security tooling
- Obfuscation and masquerading signals
- Suspicious config changes
Credential Access
- Credential dumping indicators
- LSASS access patterns
- Password store abuse
Discovery
- Host and domain reconnaissance commands
- Share enumeration
- Process/service inventory patterns
Lateral Movement
- Remote service execution
- WMI/WinRM patterns
- Credential reuse artifacts
Command and Control
- Suspicious outbound connections and beaconing
- Known tooling patterns
- DNS/HTTP anomalies
Collection
- Archive creation and data staging patterns
- Screen capture and clipboard access
- Local data gathering and file collection signals
Exfiltration
- Unusual outbound volume and staging signals
- Archive and transfer indicators
- Cloud storage upload patterns
Impact
- Ransomware and encryption patterns
- Wiping/destructive actions
- Service disruption indicators