The Autonomous Blue Team: Build a Self-Healing SIEM with the AI Detection Engineering Lab

AI Detection Engineering Lab

A template for building an AI-powered detection engineering pipeline using Claude Code as an autonomous blue team agent. Deploy a full SIEM lab, generate simulated attack telemetry, and let an AI agent build, validate, tune, and deploy security detections — all mapped to the MITRE ATT&CK framework.

What This Does

An AI agent (Claude Code) acts as a senior detection engineer, executing the full lifecycle:

INTEL → DISCOVER → AUTHOR → VALIDATE → DEPLOY → TUNE → REPORT

For each detection the agent:
  1. Reads threat intel about the Fawkes C2 agent (59 commands mapped to ATT&CK)
  2. Discovers available log data in your SIEM
  3. Authors a Sigma rule with full MITRE ATT&CK mapping
  4. Validates against simulated attack telemetry (true positive + false positive testing)
  5. Deploys to Elastic Security and/or Splunk saved searches
  6. Tunes based on alert feedback — adding exclusions, tightening thresholds
  7. Updates coverage tracking and commits to git with conventional messages

Data Sources

Simulated Telemetry (Always Available)

Index (Elastic)   Index (Splunk)       Content
sim-baseline      sysmon               Normal enterprise Windows/Linux activity
sim-attack        attack_simulation    Fawkes C2 TTP simulations

Event types generated: Sysmon EID 1, 3, 7, 8, 10, 11, 13, 17/18, 22 + WinEvent 4624, 4104, 7045

Attack Scenarios

The simulator generates 13 attack scenarios matching Fawkes C2 + Scattered Spider capabilities:

  • Process injection (vanilla-injection) — EID 8 + 10
  • Registry persistence — EID 13
  • PowerShell with bypass flags — EID 1
  • Scheduled task creation — EID 1
  • Discovery command burst — EID 1
  • LSASS token theft — EID 10
  • C2 beaconing — EID 3
  • AMSI/CLR bypass — EID 7
  • Encoded PowerShell / Mimikatz via Script Block — EID 4104
  • RMM tool binary drops (AnyDesk, TeamViewer, ScreenConnect) — EID 11
  • RMM tool DNS resolution — EID 22
  • C2 named pipe communication — EID 17/18
  • Malicious service persistence — EID 7045
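As an added example (not code from the lab), steps 3 and 4 of the pipeline carried through for the PowerShell-bypass scenario above: a Sigma rule for Sysmon EID 1, evaluated against constructed sim-attack and sim-baseline events to count true and false positives. The rule dict, the minimal modifier evaluator and the sample events are all assumptions of this example; a real pipeline would load the YAML rule and convert it with a Sigma backend for Elastic or Splunk.

```python
# Added example (not the lab's code): Sigma rule as a dict mirroring its YAML layout.
RULE = {
    "title": "PowerShell Execution Policy Bypass",
    "tags": ["attack.execution", "attack.t1059.001"],
    "logsource": {"product": "windows", "category": "process_creation"},
    "detection": {
        "selection": {
            "Image|endswith": "\\powershell.exe",
            "CommandLine|contains|all": ["-ExecutionPolicy", "Bypass"],
        },
        "condition": "selection",
    },
}

def field_matches(value, modifiers, expected):
    """Apply one Sigma modifier chain; Sigma string matching is case-insensitive."""
    value = str(value).lower()
    wanted = [str(v).lower() for v in (expected if isinstance(expected, list) else [expected])]
    if "endswith" in modifiers:
        return any(value.endswith(w) for w in wanted)
    if "contains" in modifiers:
        return (all if "all" in modifiers else any)(w in value for w in wanted)
    return value in wanted

def rule_matches(rule, event):
    """Supports only the single-selection 'condition: selection' form used above."""
    selection = rule["detection"][rule["detection"]["condition"]]
    for key, expected in selection.items():
        field, *mods = key.split("|")
        if not field_matches(event.get(field, ""), mods, expected):
            return False
    return True

# Constructed Sysmon EID 1 events; the source index is the ground-truth label.
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
EVENTS = [
    {"index": "sim-attack", "EventID": 1, "Image": PS,
     "CommandLine": "powershell.exe -ExecutionPolicy Bypass -NoProfile -enc SQBFAFgA"},
    {"index": "sim-attack", "EventID": 1, "Image": PS,
     "CommandLine": "powershell -nop -w hidden -executionpolicy bypass -File C:\\Temp\\x.ps1"},
    {"index": "sim-baseline", "EventID": 1, "Image": PS,
     "CommandLine": "powershell.exe -File C:\\Scripts\\inventory.ps1"},
    {"index": "sim-baseline", "EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c echo -ExecutionPolicy Bypass > notes.txt"},
]

def validate(rule, events):
    """Return (true_positives, false_positives); the source index is ground truth."""
    hits = [e["index"] for e in events if rule_matches(rule, e)]
    return hits.count("sim-attack"), hits.count("sim-baseline")
```

The baseline cmd.exe event carries the bypass string but not the powershell.exe image, so it exercises the false-positive side of the check; a tuning pass would add exclusions in the same way for any baseline event that did fire.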

Install & Use
