SigmaOptimizer: End-to-End LLM Tool for Automated Sigma Rule Generation and Testing
SigmaOptimizer is an end-to-end Sigma rule generation and optimization tool that automatically creates, tests, and improves Sigma rules from real-world logs using an LLM. It is implemented as a PowerShell script and integrates log analysis, rule evaluation, and iterative refinement to enhance detection capabilities. You can also try SigmaOptimizer-UI, which offers a user-friendly interface for easier use.
✅ Automated Sigma rule generation based on real-world logs
✅ Integration with MITRE Caldera (β version)
✅ Rule validation with syntax checks (Invoke-SigmaRuleTests)
✅ Detection rate measurement using Hayabusa
✅ FP check of created rules using evtx-baseline
✅ Command obfuscation support (Invoke-ArgFuscator) for robust detection
Background
- LLM-based Sigma rule creation has inherent limitations. When rules are generated solely from user prompts, without analyzing real-world logs, hallucinations are more likely to occur. More importantly, because such rules are not grounded in the actual log events produced by the malicious behavior they aim to detect, they risk being unreliable and lacking robustness.
- Threat reports are typically published some time after an attack has occurred. If Sigma rules are created only from these reports, the time lag may mean incidents occur before adequate detection measures are in place. To mitigate this risk, it is essential to actively execute malware samples and the red team tools used in real attacks, and to generate and refine Sigma rules from the resulting real-world logs.
- Rule creation and validation are often separate processes, so even an improved rule must be re-validated manually, which is inefficient.
- Creating effective Sigma rules requires a deep understanding of threats. While it’s possible to create rules with limited knowledge, such rules are easily bypassed by attackers due to their simplicity.
Features
- End-to-end rule creation, syntax validation, detection testing, and improvement in a single workflow.
- Log-based rule generation, rather than relying on user prompts, ensuring rules align with actual system events.
- Detection rule creation for various attack techniques enabled through integration with MITRE Caldera.
- Automated command obfuscation support, allowing rules to be more resilient against evasion techniques.
- Reduced hallucinations through multiple validation mechanisms (syntax checks, detection-rate measurement, and false-positive checks).
Use Cases – Powerful Detection with SigmaOptimizer
Analyze Executable Files & Generate Sigma Rules
- You have obtained a new malware sample or a Red Team tool (e.g., mimikatz.exe).
- Execute the file in a controlled environment.
- Capture all relevant event logs.
- Analyze the logs and generate a custom Sigma rule.
Integration with MITRE Caldera (β version)
- Using MITRE Caldera, various attack techniques can be selected, and detection rules can be easily created for them.
Detect Malicious Commands (with Obfuscation) & Build Detection Rules
- Input the suspicious command you want to detect (e.g., certutil /f /urlcache https://www.example.org/ homepage.txt).
- The tool automatically obfuscates the entered command and generates logs. (Note: Only commands covered by the obfuscation model included in the repository are applicable.)
- Capture system logs to understand the command's behavior.
- Automatically generate a Sigma rule.
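The workflow above (generate a rule from captured events, measure its detection rate, check it for false positives against a benign baseline, and refine) is the loop SigmaOptimizer drives with Hayabusa and evtx-baseline. The following is an added illustration of that evaluation loop and is not code from the SigmaOptimizer project: it is a small Python stand-in that scores three candidate Sigma rules for the certutil example against constructed Sysmon-style process-creation events. The events, the benign baseline, the rule titles and the `evaluate`/`select_rule` helpers are all assumptions made for the example; the matcher implements only the subset of Sigma modifiers (`contains`, `endswith`, `all`) the example needs, with Sigma's default case-insensitive matching. It goes slightly beyond the page by showing why an exact command-line match misses a case-changed variant, why a bare `contains: urlcache` rule flags unrelated benign activity, and how anchoring on both `Image` and `CommandLine` resolves both problems.

```python
"""Mini Sigma evaluation loop: score candidate rules against malicious and baseline events."""
from typing import Any, Dict, List

Event = Dict[str, str]
Rule = Dict[str, Any]

# Constructed Sysmon-style process-creation events (Event ID 1); not real telemetry.
MALICIOUS_EVENTS: List[Event] = [
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": "certutil /f /urlcache https://www.example.org/ homepage.txt"},
    # Same behaviour with letter case and spacing changed, a constructed stand-in
    # for what an obfuscation step produces. The rule must still catch it.
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": "CeRtUtIl  /F  /URLcache  https://www.example.org/  homepage.txt"},
]

# Constructed benign baseline: everyday activity a rule must not flag.
BASELINE_EVENTS: List[Event] = [
    {"Image": r"C:\Windows\System32\certutil.exe", "CommandLine": "certutil -store my"},
    {"Image": r"C:\Windows\System32\certutil.exe", "CommandLine": "certutil -hashfile setup.msi SHA256"},
    {"Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd /c echo urlcache"},
]


def _match_value(actual: str, modifiers: List[str], expected: str) -> bool:
    """Compare one field value with one expected value; Sigma matching is case-insensitive."""
    a, e = str(actual).lower(), str(expected).lower()
    if "contains" in modifiers:
        return e in a
    if "startswith" in modifiers:
        return a.startswith(e)
    if "endswith" in modifiers:
        return a.endswith(e)
    return a == e


def _field_matches(event: Event, key: str, expected: Any) -> bool:
    """Evaluate a 'Field|modifier|...' key; a list of values is OR unless '|all' is present."""
    field, *mods = key.split("|")
    if field not in event:
        return False
    values = expected if isinstance(expected, list) else [expected]
    hits = [_match_value(event[field], mods, v) for v in values]
    return all(hits) if "all" in mods else any(hits)


def selection_matches(event: Event, selection: Any) -> bool:
    """A selection map ANDs its fields; a list of maps ORs the maps."""
    if isinstance(selection, list):
        return any(selection_matches(event, s) for s in selection)
    return all(_field_matches(event, k, v) for k, v in selection.items())


def rule_matches(rule: Rule, event: Event) -> bool:
    """Supports the conditions 'selection' and 'selection and not filter'."""
    det = rule["detection"]
    hit = selection_matches(event, det["selection"])
    if det["condition"] == "selection and not filter":
        hit = hit and not selection_matches(event, det["filter"])
    return hit


def evaluate(rule: Rule, malicious: List[Event], baseline: List[Event]) -> Dict[str, float]:
    """Detection rate over malicious events and false-positive count over the baseline."""
    tp = sum(rule_matches(rule, e) for e in malicious)
    fp = sum(rule_matches(rule, e) for e in baseline)
    return {"detection_rate": tp / len(malicious), "false_positives": fp}


def select_rule(candidates: List[Rule], malicious: List[Event], baseline: List[Event]) -> Rule:
    """Refinement loop: return the first candidate that detects everything with no false positives."""
    for rule in candidates:
        score = evaluate(rule, malicious, baseline)
        if score["detection_rate"] == 1.0 and score["false_positives"] == 0:
            return rule
    raise ValueError("no candidate met the acceptance criteria; refine further")


LOGSOURCE = {"category": "process_creation", "product": "windows"}

# v1: exact command line copied from the first event. Too narrow.
RULE_V1: Rule = {"title": "certutil urlcache download (v1 exact)", "logsource": LOGSOURCE,
                 "detection": {"selection": {"CommandLine": MALICIOUS_EVENTS[0]["CommandLine"]},
                               "condition": "selection"}}
# v2: single substring. Robust to obfuscation but too broad.
RULE_V2: Rule = {"title": "certutil urlcache download (v2 contains)", "logsource": LOGSOURCE,
                 "detection": {"selection": {"CommandLine|contains": "urlcache"},
                               "condition": "selection"}}
# v3: anchored on the binary plus the option pair that characterises the behaviour.
RULE_V3: Rule = {"title": "certutil urlcache download (v3 anchored)", "logsource": LOGSOURCE,
                 "detection": {"selection": {"Image|endswith": "\\certutil.exe",
                                             "CommandLine|contains|all": ["urlcache", "/f"]},
                               "condition": "selection"}}

if __name__ == "__main__":
    for r in (RULE_V1, RULE_V2, RULE_V3):
        print(r["title"], evaluate(r, MALICIOUS_EVENTS, BASELINE_EVENTS))
    print("accepted:", select_rule([RULE_V1, RULE_V2, RULE_V3], MALICIOUS_EVENTS, BASELINE_EVENTS)["title"])
```

Running the block prints each candidate's score and then the accepted rule. The sequence v1 to v3 is the refinement the tool automates: v1 is rejected because the case-changed event is missed, v2 because the benign `cmd /c echo urlcache` event is flagged, and v3 is accepted. In the real workflow the same two measurements come from Hayabusa over the captured logs and from evtx-baseline over a benign corpus rather than from a handful of constructed events.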
Install & Use
Support Our Threat Intelligence
If you find our technology report and cybersecurity news helpful, consider supporting our work.