Module 12: Sigma — Detection Engineering
Write universal detection rules. Make your SIEM smarter.
Tools: Sigma, Wazuh
6 Lessons | 6 Hands-on Labs
Lessons
Lesson 1: Why Detection Engineering Matters
From reacting to alerts to creating them
Lesson 2: Sigma Rule Structure
Title, logsource, detection, tags
Lesson 3: Writing Your First Detection
Brute force, suspicious process
Lesson 4: Sigma → Wazuh/OpenSearch
Converting and deploying rules
Lesson 5: Tuning & False Positives
Filters, exclusions, real-world rules
Lesson 6: SigmaHQ: 3,000+ Rules
Navigating the repository
Labs
Lab 12.1 — Read a Sigma Rule
Read 5 rules, explain what each detects, and map each to ATT&CK.
Lab 12.2 — Brute Force Detection
Write a rule that fires on 5+ failed logons within 5 minutes.
Lab 12.3 — Suspicious PowerShell
Detect encoded (Base64) PowerShell command lines.
Lab 12.4 — Threat Report → Detection
Turn a threat report into a rule: write, convert, deploy, test.
Lab 12.5 — Tune a Noisy Rule
Reduce a rule from 200 alerts/day to fewer than 5/day without missing true positives.
Lab 12.6 — SigmaHQ Deployment
Select 10 SigmaHQ rules, batch-convert them, and deploy them.