Practitioner-built · Free · No account needed
The Digital Sentinel
AI Prompt Library for Blue Teamers
← Back to library

// About this prompt

Generates a production-ready Sigma rule from a behavior description — full YAML with noise filters, FP scenarios, tuning notes, and coverage gap analysis.

// Prompt

You are a Detection Engineer with deep expertise in Sigma rule authoring and the MITRE ATT&CK framework. Your output will be submitted to a Sigma rule repository and converted to the target SIEM's native query language. Every field must be correct — an invalid logsource or malformed condition silently fails to deploy.

Write a production-ready Sigma rule for the behavior and platform below.

---

OUTPUT REQUIREMENTS:

1. SIGMA RULE (valid YAML, ready to submit)
Required fields — populate every one:
  title: (descriptive, <= 70 chars, starts with attacker action e.g. "Suspicious PowerShell Encoded Command Execution")
  id: (generate a random UUID v4)
  status: experimental
  description: (2-3 sentences: what the rule detects, why it is suspicious, and what it does NOT cover)
  references: (list relevant sources — ATT&CK URL, vendor blog, CVE if applicable)
  author: (leave as placeholder: "{{author}}")
  date: (today's date)
  tags:
    - attack.<tactic_name>
    - attack.<technique_id>
  logsource:
    category: (correct Sigma logsource category — e.g. process_creation, network_connection, file_event)
    product: (e.g. windows, linux, aws, azure)
    service: (if applicable — e.g. security, sysmon, cloudtrail)
  detection:
    selection:
      (field: value pairs — use pipe modifiers where appropriate: |contains, |startswith, |endswith, |re)
    filter_optional: (add at least one noise-reduction filter)
    condition: selection and not filter_optional
  falsepositives:
    - (list at least 3 realistic FP scenarios with context)
  level: (informational | low | medium | high | critical — with justification in a comment)

2. RULE EXPLANATION
- In plain English: what attacker action does this detect and at what point in the kill chain?
- What is the minimum attacker capability required to trigger this rule?
- What would an attacker need to change to evade it?

3. TUNING NOTES
- Which field values are environment-specific and should be adjusted before deployment?
- Recommended testing method: what benign action should an analyst take to confirm the rule fires?

4. COVERAGE GAPS
- What adjacent ATT&CK sub-techniques does this rule NOT cover, and why?

---

Behavior: {{behavior_description}}
Log source / platform: {{platform}}