Custom Sigma detection rules developed and tuned in a homelab environment running Security Onion, Wazuh, and TheHive/Cortex.
| Category | Rules | Focus Areas | MITRE ATT&CK |
|---|---|---|---|
| DNS | 3 | Tunneling, DGA, suspicious TLDs | T1071.004 |
| HTTP | 3 | Beaconing, C2 callbacks, user-agents | T1071.001 |
| Authentication | 2 | Brute force, credential stuffing | T1110 |
| Lateral Movement | 2 | SMB, PsExec, WMI abuse | T1021, T1047 |
| Exfiltration | 2 | Large transfers, encrypted channels | T1048 |
Total: 12 detection rules
These rules were tuned over a 3-month lab period to reduce false positives:
| Detection | Initial FP | After Tuning | Method |
|---|---|---|---|
| DNS tunneling | ~35% | ~12% | CDN allowlisting, entropy threshold |
| HTTP beaconing | ~40% | ~18% | Time-window correlation, UA filtering |
| Auth anomalies | ~25% | ~8% | Baseline normal hours per user group |
| Lateral movement | ~30% | ~15% | Admin workstation exclusions |
Average FP reduction: ~20%
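As an added example (not code from this repository), the DNS tunneling check behind the tuning table above, a subdomain entropy threshold combined with a CDN allowlist, run over a few constructed Zeek dns.log-style JSON records. The threshold, minimum length, allowlist entries and sample domains are assumptions for illustration, not the repository's tuned settings.

```python
import json
import math

# Assumed tuning values (the repository's tuned settings are not on this page).
ENTROPY_THRESHOLD = 3.5   # bits per character of the subdomain labels
MIN_SUBDOMAIN_LEN = 20    # short labels rarely carry tunnelled payloads
CDN_ALLOWLIST = {"cloudfront.net", "akamaiedge.net", "fastly.net"}  # assumed


def shannon_entropy(text: str) -> float:
    """Shannon entropy of a string in bits per character."""
    if not text:
        return 0.0
    n = len(text)
    counts = {ch: text.count(ch) for ch in set(text)}
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_query(query: str):
    """(subdomain, base) using the last two labels; production should use the public suffix list."""
    labels = query.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def is_suspicious(query: str) -> bool:
    """Flag long, high-entropy subdomains whose base domain is not an allowlisted CDN."""
    sub, base = split_query(query)
    if base in CDN_ALLOWLIST:   # CDN hostnames look random by design: main FP source
        return False
    data = sub.replace(".", "")
    return len(data) >= MIN_SUBDOMAIN_LEN and shannon_entropy(data) >= ENTROPY_THRESHOLD


def scan_dns_log(lines):
    """Return (source host, query) for each Zeek dns.log JSON line that matches."""
    hits = []
    for line in lines:
        rec = json.loads(line)
        if is_suspicious(rec.get("query", "")):
            hits.append((rec["id.orig_h"], rec["query"]))
    return hits


# Constructed sample records, not real lab traffic.
SAMPLE_LOG = [
    '{"id.orig_h": "10.0.0.5", "query": "www.example.com"}',
    '{"id.orig_h": "10.0.0.5", "query": "d1a2b3c4d5e6f7a8b9c0d1e2f3.cloudfront.net"}',
    '{"id.orig_h": "10.0.0.7", "query": "4f9a1c7e2b8d0e6a3c5f9b1d7e2a4c8f.evil-tunnel.example"}',
]
```

The second record would cross the entropy threshold on its own; the allowlist is what suppresses it, which is the tuning step the table credits for the FP drop.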
Rules were developed and tested against:
- SIEM: Security Onion 2.4.x (Suricata, Zeek, Elasticsearch)
- Host-Based: Wazuh 4.x (endpoint logs, FIM)
- Case Management: TheHive 5.x + Cortex 3.x
- Threat Intel: MISP community feeds
- Targets: Windows 11, Active Directory, Ubuntu/Docker, DVWA, Juice Shop
```bash
# Clone the repo
git clone https://github.com/Pharns/detection-rules.git

# Convert Sigma to Elasticsearch query
sigma convert -t elasticsearch rules/dns/dns_tunneling_entropy.yml

# Same rule converted for other backends
sigma convert -t splunk rules/dns/dns_tunneling_entropy.yml
sigma convert -t azure-monitor rules/dns/dns_tunneling_entropy.yml
```

Each rule follows the Sigma specification:
```yaml
title: Descriptive title
status: experimental | test | stable
description: What the rule detects and why
author: Pharns Genece
date: YYYY/MM/DD
references:
  - https://attack.mitre.org/techniques/TXXXX/
logsource:
  product: zeek | windows | ...
  service: dns | security | ...
detection:
  selection:
    field|modifier: value
  condition: selection
falsepositives:
  - Known benign scenarios
level: low | medium | high | critical
tags:
  - attack.tactic
  - attack.tXXXX
```

```text
detection-rules/
├── README.md
├── LICENSE
├── rules/
│   ├── dns/
│   │   ├── dns_tunneling_entropy.yml
│   │   ├── dns_dga_detection.yml
│   │   └── dns_suspicious_tld.yml
│   ├── http/
│   │   ├── http_beaconing_pattern.yml
│   │   ├── http_c2_callback.yml
│   │   └── http_suspicious_user_agent.yml
│   ├── authentication/
│   │   ├── auth_brute_force.yml
│   │   └── auth_anomalous_login_time.yml
│   ├── lateral-movement/
│   │   ├── lateral_smb_enumeration.yml
│   │   └── lateral_psexec_wmi.yml
│   └── exfiltration/
│       ├── exfil_large_outbound.yml
│       └── exfil_encrypted_channel.yml
└── .github/
    └── workflows/
        └── validate.yml
```
Contributions welcome. Please:
- Follow the Sigma specification
- Include MITRE ATT&CK mapping
- Document false positive scenarios
- Test in a lab environment before submitting
- Portfolio - Detection Engineering — Full detection lab documentation
- TraceLock — RF/wireless detection engineering
Pharns Genece GRC Engineer | Detection Engineering | Cloud Security
MIT License - See LICENSE for details.