From Attack Simulation to SIEM Rule: Deterministic Detection-as-Code Synthesis with Probe-Level Traceability

· Source: cs.AI updates on arXiv.org · Field: Technology & Digital — Cybersecurity & Data Privacy, Artificial Intelligence & Machine Learning · Depth: Advanced, long

Summary

A deterministic synthesis function automates the creation of vendor-neutral Sigma detection rules directly from Breach-and-Attack-Simulation (BAS) findings, closing the gap in which security analysts otherwise translate BAS findings into SIEM rules by hand. It uses a template library of 23 Sigma rule skeletons, indexed by OWASP LLM and Web Top 10 categories, and maps each finding, identified by a stable probe identifier, to a starter rule. The approach was validated on a 17-probe LLM corpus and a 23-probe Web corpus; all 17 LLM rules parsed and converted to Splunk and Elasticsearch queries. Replayed through OpenSearch, the LLM rules detected 30% of an AdvBench subset and 14% of HarmBench, with a 7.7% false-positive rate. The result is a verifiable, byte-stable path from BAS finding to deployable rule, giving exact reproducibility and probe-level traceability.

Key takeaway

For Security Operations Center (SOC) teams aiming to streamline detection engineering workflows, this deterministic synthesis approach offers a significant efficiency gain. You can generate reproducible, traceable starter Sigma rules from BAS findings in milliseconds, drastically reducing the manual effort of writing rules from scratch. This allows your analysts to focus on refining auto-generated content rather than initial authoring, accelerating the deployment of new detections and improving governance through version-controlled, auditable rule sets.

Key insights

Automating BAS finding-to-SIEM rule translation ensures deterministic, traceable, and reproducible detection content.

Method

A synthesis function maps BAS findings (drawn from locked corpora, each carrying a probe_id and an OWASP category) to starter Sigma rules through a 23-template library; each generated rule carries MITRE ATT&CK references and the URI of the finding it was synthesized from.
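The synthesis step described in the Summary and Method sections, as an added example that is not the authors' code: a constructed two-skeleton library stands in for the paper's 23 templates, each finding carries a probe_id, an OWASP category and a corpus name, the rule id is a UUIDv5 of a constructed finding URI, and the rule is emitted as sorted JSON so that two runs over the same finding are byte-identical. The bas:// URI scheme, the field names in the skeletons and the omission of ATT&CK tags are assumptions made here, not details taken from the paper.

```python
import json
import uuid

# Constructed stand-in for the paper's 23-skeleton library (assumed shape, not the authors' data).
# Keys are OWASP LLM / Web Top 10 category ids; values are Sigma rule skeletons.
TEMPLATES = {
    "LLM01": {
        "title": "Prompt injection attempt against LLM gateway",
        "logsource": {"product": "llm_gateway", "category": "application"},
        "detection": {"selection": {"event.outcome": "blocked", "owasp.category": "LLM01"},
                      "condition": "selection"},
        "tags": ["owasp.llm01"],
    },
    "A03": {
        "title": "Injection payload in web request",
        "logsource": {"category": "webserver"},
        "detection": {"selection": {"cs-uri-query|contains": ["UNION SELECT", "../"]},
                      "condition": "selection"},
        "tags": ["owasp.a03"],
    },
}

def synthesize(finding: dict) -> str:
    """Render a starter Sigma rule from one finding. Output is JSON, which every YAML loader accepts."""
    skeleton = TEMPLATES[finding["owasp_category"]]
    uri = f"bas://{finding['corpus']}/{finding['probe_id']}"   # constructed finding-URI scheme
    rule = {
        "title": skeleton["title"],
        # uuid5 over the finding URI: identical finding -> identical rule id on every run and host
        "id": str(uuid.uuid5(uuid.NAMESPACE_URL, uri)),
        "status": "experimental",
        "description": f"Starter rule synthesized from BAS probe {finding['probe_id']}; tune before use.",
        "references": [uri],                     # probe-level traceability lives here
        "logsource": skeleton["logsource"],
        "detection": skeleton["detection"],
        "level": "medium",
        "tags": sorted(skeleton["tags"] + [f"probe.{finding['probe_id'].lower()}"]),
    }
    # sorted keys, fixed indent, no timestamps or randomness: byte-identical output for identical input
    return json.dumps(rule, sort_keys=True, indent=2) + "\n"

def probe_of(rule_text: str) -> str:
    """Reverse lookup: recover the originating probe id from a synthesized rule's references."""
    refs = json.loads(rule_text)["references"]
    return next(r.rsplit("/", 1)[1] for r in refs if r.startswith("bas://"))

def synthesize_corpus(findings: list) -> dict:
    """Map probe_id -> rule text, processed in a fixed order so a whole corpus is reproducible."""
    return {f["probe_id"]: synthesize(f) for f in sorted(findings, key=lambda f: f["probe_id"])}
```

Because JSON is valid YAML, the rendered rule can be handed unchanged to a Sigma converter targeting a Splunk or Elasticsearch backend, and probe_of() walks a deployed rule back to the finding that produced it.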

Best for: CTO, Research Scientist, Security Engineer, Automation Engineer

Editorial summary, takeaway, and curation by AIssential. Original article published by cs.AI updates on arXiv.org.