A hands-on lab for building, deploying, and validating threat detection rules using Wazuh SIEM — complete with Terraform-deployed attack/defend infrastructure and MITRE ATT&CK mappings.
This repository is a full detection engineering lab environment. It includes TOML-formatted detection rules, a Terraform-deployed Wazuh SIEM with Windows targets and a Kali attacker, and Python tooling for validation, reporting, and CI/CD.
What you get:
- Detection rules mapped to MITRE ATT&CK tactics and techniques
- Lab infrastructure (Wazuh Manager + Windows Server + Kali Linux) deployed via Terraform on AWS
- Development tooling for validation, MITRE mapping checks, and metrics generation
- Theory docs covering detection engineering workflows and security frameworks
Modern detection programs also emphasize:
- Detection-as-code practices (versioning, CI validation, peer review)
- Schema normalization (ECS, OCSF, or equivalent) to keep rules portable
- Threat emulation coverage (Atomic Red Team, CALDERA) to validate logic
- Telemetry quality (field completeness, logging policy, and data drift monitoring)
```
├── detections/          # TOML-formatted detection rules
├── development/         # Python scripts for validation and conversion
├── metrics/             # Generated metrics, reports, and visualizations
├── setup/               # Lab infrastructure (Terraform for Wazuh, Windows, Kali)
├── theory/              # Documentation on detection engineering concepts
└── .github/workflows/   # GitHub Actions workflows (currently disabled)
```
Each detection rule is stored as a TOML file with the following structure:

```toml
[metadata]
creation_date = "YYYY/MM/DD"

[rule]
author = ["Author Name"]
description = "Detection description"
name = "Detection Name"
risk_score = 50
severity = "medium"
type = "query"
rule_id = "unique-uuid"
query = "your detection query here"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"

[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
```

Explore detection engineering concepts in the theory/ directory:
- Security Operations: Overview of SecOps functions
- Detection Engineering Workflow: Workflow documentation
- Frameworks: Security frameworks (MITRE ATT&CK, Cyber Kill Chain, F3EAD)
Each rule is expected to have:
- Valid TOML syntax
- All required fields present
- Valid MITRE ATT&CK technique/tactic mappings
- Sub-techniques included when applicable
- Unique `rule_id` (UUID format)
- Descriptive `name` and `description`
- Appropriate `risk_score` and `severity`
- Documented data sources and assumptions (what logs/fields the rule relies on)
MIT License - see LICENSE file for details.