Tooling

Detection — Sigma, YARA, ATT&CK

Open detection rule formats and adversary-emulation testing.

Detection content is the codified knowledge of "how do we know something bad happened?" The 2024–26 lingua franca: Sigma for log-based detection, YARA for pattern-matching files / memory, MITRE ATT&CK as the technique vocabulary, Atomic Red Team for validation. For SIEM consumers see SIEM (Wazuh / Graylog). For threat-intel that drives detections see Threat Intelligence (MISP). For network-side detection see Network IDS (Suricata / Zeek). For endpoint see EDR / OSQuery.

Sigma — vendor-neutral log detection

  • ★ ★ Sigma (sigmahq) — YAML rule format for log detection; SIEM-agnostic. Convert one rule to Splunk, Sentinel, Elastic, Sumo, Graylog, Wazuh, Chronicle, Panther, etc. Free OSS.
  • SigmaHQ rule repo — 3,000+ community rules; curated; updated near-daily. Free.
  • sigma-cli / pySigma — modern v2 conversion engine (replaces legacy sigmac). Free.
  • Splunk2sigma / sentinel2sigma — reverse-converters.
  • Uncoder.io (SOC Prime) — free / freemium web converter; Sigma → many backends + AI assistance.
  • Awesome Sigma — curated lists.

YARA — pattern matching

  • ★ ★ YARA — string + condition rules over files / processes / memory. Free OSS — the reference malware-pattern format.
  • YARA-X — Rust rewrite, 2024+ stable; faster, safer, mostly compatible.
  • YARA rule repos:
    • Neo23x0/signature-base (Florian Roth) — APT / hack-tool / webshell rules.
    • Yara-Rules/rules — community.
    • ReversingLabs YARA Rules.
    • Elastic YARA repo.
    • InQuest/awesome-yara — curated list.
    • Yara-Forge (Florian Roth) — auto-built up-to-date packs.
  • YaraScanner / yarGen / yarAnalyzer (Roth) — generate YARA from a sample.
  • THOR / THOR Lite / Loki (Nextron Systems) — YARA-driven scanner; THOR paid + Lite free.

ATT&CK / TTPs

  • ★ ★ MITRE ATT&CK — knowledge base of adversary tactics × techniques × procedures; the reference vocabulary. Free.
    • ATT&CK Navigator — heatmap your detection / control coverage.
    • DeTT&CT — map detections to ATT&CK techniques.
    • ATT&CK STIX/TAXII feed — programmatic.
  • MITRE D3FEND — defensive countermeasures vocabulary; complementary to ATT&CK.
  • MITRE Engage — deception / engagement framework.
  • MITRE CALDERA — automated adversary emulation; free.

Detection-as-code platforms

  • Panther — paid; detection-as-code (Python); see SIEM (Wazuh / Graylog).
  • Tines / Torq / Workato — paid; SOAR-as-code.
  • Sigma rules in Git, sync to SIEM via CI — common 2024–26 pattern with sigma-cli.
  • DetectionLab (Chris Long) — free lab to test rules.

Atomic / runnable techniques

  • ★ ★ Atomic Red Team (Red Canary) — runnable ATT&CK techniques as PowerShell / Bash / Python scripts. The validation default — "does my detection actually fire?" Free.
    • Invoke-AtomicRedTeam — PowerShell runner.
    • Atomic Test Harness — coordinated runs.
  • CALDERA (MITRE) — automated adversary emulation; multi-step.
  • Stratus Red Team (Datadog) — cloud-focused (AWS / Azure / GCP / k8s); see Cloud Pentesting.
  • Vectr (SRA) — purple-team campaign tracking; free OSS + paid.
  • AtomicTestHarnesses (Microsoft) — atomic-style test variations for Windows.
  • APTSimulator (NextronSystems) — single-script "make it look like an APT walked through."
  • PurpleSharp — .NET adversary simulation.

Sysmon / event-log enrichers

  • Sysmon (Microsoft Sysinternals) — Windows; the default endpoint event enricher.
  • Sysmon for Linux — same.
  • SwiftOnSecurity / Olaf Hartong sysmon-modular — community Sysmon configs.
  • See EDR / OSQuery.

Sigma over event logs (offline / DFIR)

  • Hayabusa (Yamato Security) — Sigma-against-evtx; fast Rust; great for DFIR pre-SIEM. Free.
  • Chainsaw (WithSecure) — same niche; one-shot triage.
  • Zircolite — Sigma + SQLite; massive logs at speed.
  • EVTX-ATTACK-SAMPLES (sbousseaden) — labelled evtx samples for testing rules.
  • Elastic Detection Rules — public; free.
  • Splunk Security Content (Splunk ESCU) — free; Splunk-flavoured.
  • Sentinel Hunting Queries — KQL; free; on GitHub.
  • CrowdStrike CrowdSearch / Falcon Forensics — paid.

Flow that pays off

  • ★ Pull SigmaHQ → convert → deploy to your SIEM weekly via CI.
  • ★ Run Atomic Red Team for every new technique you onboard rules for.
  • Map every rule to ATT&CK; visualise on Navigator.
  • Tune false positives; suppress at the rule, not at the SIEM.

Pick this if…

  • Default vendor-neutral log detection format: Sigma.
  • Default malware pattern matching: YARA / YARA-X.
  • TTP knowledge base / vocabulary: MITRE ATT&CK.
  • Validate detections fire: Atomic Red Team.
  • Cloud-side adversary emulation: Stratus Red Team.
  • DFIR Sigma-on-evtx triage: Hayabusa.
  • Mature purple program: CALDERA + Vectr.

On this page