sigma-rule-deployer

Use this skill when the user needs help deploying, managing, or understanding Sigma rules, Soteria rules, SOC Prime rules, Community rules, or any other managed rulesets in LimaCharlie.

Installer

git clone https://github.com/tekgrunt/boot-test /tmp/boot-test && cp -r /tmp/boot-test/.claude-plugin/plugins/limacharlie-skills/skills/sigma-rule-deployer ~/.claude/skills/boot-test

Run this command in your terminal to install the skill.


name: sigma-rule-deployer
description: Use this skill when the user needs help deploying, managing, or understanding Sigma rules, Soteria rules, SOC Prime rules, Community rules, or any other managed rulesets in LimaCharlie.

LimaCharlie Managed Ruleset Deployer

This skill helps you deploy and manage Sigma rules and other managed rulesets in LimaCharlie. Use this when users need help with:

  • Deploying Sigma rules from SigmaHQ
  • Converting Sigma rules to LimaCharlie format
  • Managing Soteria EDR, AWS, or M365 rulesets
  • Configuring SOC Prime rules
  • Using Community Rules
  • Understanding managed ruleset pricing and subscriptions
  • Tuning and managing false positives
  • Updating and versioning rulesets

What are Managed Rulesets?

Managed rulesets are professionally maintained, pre-built detection rules that can be deployed with one click to a LimaCharlie organization. They provide:

  • Expert-curated detections: Rules written by security professionals
  • Automatic updates: Rulesets are updated as new threats emerge
  • Broad coverage: MITRE ATT&CK framework alignment
  • Reduced maintenance: No need to write rules from scratch
  • Cost efficiency: Leverage community and commercial detections
  • Quick deployment: Enable comprehensive detection in minutes

LimaCharlie supports multiple managed ruleset sources:

  1. Sigma Rules - Open-source detection rules from SigmaHQ
  2. Soteria Rules - Managed EDR, AWS, and M365 detection rulesets
  3. SOC Prime Rules - Community and enterprise detection content
  4. Community Rules - AI-assisted conversion of third-party rules

Quick Start by Ruleset Type

Sigma Rules - Quick Start

What: Open-source detection rules automatically converted to LimaCharlie format

Best for: Free, customizable coverage with community-maintained rules

Quick Deploy:

# Convert a single Sigma rule
curl -X POST https://sigma.limacharlie.io/convert/rule \
  -H 'content-type: application/x-www-form-urlencoded' \
  --data-urlencode "rule@my-sigma-rule.yaml"

# Convert multiple rules from GitHub directory
curl -X POST https://sigma.limacharlie.io/convert/repo \
  -d "repo=https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation"

Common targets: edr (default for endpoint detection), artifact (for log analysis)

See REFERENCE.md for complete API documentation. See EXAMPLES.md for deployment examples.
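The conversion service above returns a LimaCharlie detect/respond rule for each Sigma rule it is given. To make the mapping concrete, the following added example (not the sigma.limacharlie.io service and not part of this skill) is a small local converter for the subset of Sigma that most process_creation rules use: one selection, the endswith/startswith/contains modifiers, list values, and `condition: selection`. The logsource-to-event and field-to-path tables are assumptions to adjust for your telemetry, and SAMPLE_SIGMA is a constructed rule, not one from SigmaHQ.

```python
"""Minimal Sigma -> LimaCharlie D&R converter (added, simplified example).

Not the sigma.limacharlie.io service. Mappings below are assumptions.
"""
import json

# Assumed Sigma logsource category -> LimaCharlie event type.
LOGSOURCE_TO_EVENT = {
    "process_creation": "NEW_PROCESS",
    "dns_query": "DNS_REQUEST",
    "network_connection": "NETWORK_CONNECTIONS",
}

# Assumed Sigma field -> path inside the LimaCharlie event.
FIELD_TO_PATH = {
    "Image": "event/FILE_PATH",
    "CommandLine": "event/COMMAND_LINE",
    "ParentImage": "event/PARENT/FILE_PATH",
    "ParentCommandLine": "event/PARENT/COMMAND_LINE",
}

# Sigma value modifier -> LimaCharlie operator ("" means exact match).
MODIFIER_TO_OP = {
    "": "is",
    "endswith": "ends with",
    "startswith": "starts with",
    "contains": "contains",
}


def convert_term(field_spec, value):
    """Convert one `Field|modifier: value` pair into a LimaCharlie rule node."""
    field, _, modifier = field_spec.partition("|")
    if field not in FIELD_TO_PATH:
        raise ValueError(f"unsupported Sigma field: {field}")
    if modifier not in MODIFIER_TO_OP:
        raise ValueError(f"unsupported Sigma modifier: {modifier}")
    if isinstance(value, list):
        # A Sigma list value means "any of these": OR the alternatives.
        return {"op": "or",
                "rules": [convert_term(field_spec, v) for v in value]}
    return {
        "op": MODIFIER_TO_OP[modifier],
        "path": FIELD_TO_PATH[field],
        "value": value,
        # Windows paths and command lines are matched case-insensitively.
        "case sensitive": False,
    }


def sigma_to_lc(sigma):
    """Return a LimaCharlie D&R rule (detect + respond) as a dict."""
    category = sigma["logsource"]["category"]
    if category not in LOGSOURCE_TO_EVENT:
        raise ValueError(f"unsupported logsource category: {category}")
    detection = sigma["detection"]
    if detection.get("condition") != "selection":
        raise ValueError("only 'condition: selection' is supported here")
    terms = [convert_term(f, v) for f, v in detection["selection"].items()]
    detect = {"event": LOGSOURCE_TO_EVENT[category]}
    if len(terms) == 1:
        detect.update(terms[0])          # a single term needs no wrapping 'and'
    else:
        detect.update({"op": "and", "rules": terms})
    respond = [{
        "action": "report",
        "name": "sigma-" + sigma["title"].lower().replace(" ", "-"),
        "metadata": {"level": sigma.get("level", "medium"),
                     "tags": sigma.get("tags", [])},
    }]
    return {"detect": detect, "respond": respond}


# Constructed sample Sigma rule (not from SigmaHQ).
SAMPLE_SIGMA = {
    "title": "Office Application Spawning Cmd",
    "logsource": {"product": "windows", "category": "process_creation"},
    "detection": {
        "selection": {
            "ParentImage|endswith": ["\\winword.exe", "\\excel.exe"],
            "Image|endswith": "\\cmd.exe",
        },
        "condition": "selection",
    },
    "level": "high",
    "tags": ["attack.execution"],
}


def demo():
    """Convert the constructed sample rule."""
    return sigma_to_lc(SAMPLE_SIGMA)


if __name__ == "__main__":
    # JSON keeps this dependency-free; with PyYAML, yaml.safe_dump(demo())
    # produces the .yaml file you would pass to `limacharlie dr add`.
    print(json.dumps(demo(), indent=2))
```

The converter refuses anything it cannot map rather than emitting a rule that silently matches less than the Sigma original, which is the failure mode that matters most when bulk-converting a repository directory.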

Soteria EDR Rules - Quick Start

What: Professional managed EDR detection ruleset with auto-updates

Best for: Comprehensive EDR coverage across Windows, Linux, macOS

Quick Deploy:

  1. Navigate to Add-On Marketplace
  2. Search for "Soteria" or select soteria-rules-edr
  3. Select your organization
  4. Click Subscribe
  5. Configure required events (listed in subscription UI)

Required events: NEW_PROCESS, DNS_REQUEST, NETWORK_CONNECTIONS, FILE_CREATE, REGISTRY_WRITE, and more

MITRE Coverage: https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fstorage.googleapis.com%2Fsoteria-detector-mapping%2F%2Fall.json

See REFERENCE.md for complete event list and configuration. See EXAMPLES.md for deployment scenarios.

Soteria AWS Rules - Quick Start

What: Managed AWS threat detection using CloudTrail and GuardDuty

Best for: AWS cloud security monitoring

Quick Deploy:

  1. Configure AWS CloudTrail adapter
  2. Configure AWS GuardDuty adapter
  3. Navigate to Add-On Marketplace
  4. Subscribe to tor lookup (free)
  5. Subscribe to soteria-rules-aws

Prerequisites: Active AWS CloudTrail and GuardDuty integrations

See REFERENCE.md for adapter configuration. See EXAMPLES.md for AWS deployment scenarios.

Soteria M365 Rules - Quick Start

What: Managed Microsoft 365 threat detection

Best for: M365/Office 365 security monitoring

Quick Deploy:

  1. Configure Office 365 adapter to collect audit logs
  2. Navigate to Add-On Marketplace
  3. Subscribe to tor lookup (free)
  4. Subscribe to soteria-rules-o365

Coverage: Teams, Word, Excel, PowerPoint, Outlook, OneDrive

See REFERENCE.md for adapter configuration. See EXAMPLES.md for M365 scenarios.

SOC Prime Rules - Quick Start

What: Enterprise content platform with continuous updates

Best for: Organizations with SOC Prime subscriptions wanting automated content management

Quick Deploy:

  1. Create content lists in SOC Prime platform
  2. Get API key from SOC Prime (requires trial/paid subscription)
  3. Enable socprime add-on in LimaCharlie
  4. Go to Integrations page
  5. Enter API key and select content lists

Sync: Rules sync automatically every 3 hours

Attribution: All detections show socprime as author

See REFERENCE.md for detailed setup. See EXAMPLES.md for integration scenarios.

Community Rules - Quick Start

What: AI-powered conversion of third-party rules (Anvilogic, Sigma, Panther, Okta)

Best for: Quick deployment of specific detections from various sources

Quick Deploy:

  1. Navigate to Automation > Rules
  2. Click Add Rule
  3. Click Community Library (upper right)
  4. Search by CVE, keywords, or MITRE ATT&CK tags
  5. Click on a rule to view details
  6. Click Load Rule (AI converts to LimaCharlie format)
  7. Review and customize the converted logic
  8. Save and deploy

Sources: Anvilogic, Sigma, Panther, Okta rules

See REFERENCE.md for source details. See EXAMPLES.md for conversion examples.

Ruleset Comparison

Ruleset      | Cost  | Updates   | Visibility | Best For
-------------|-------|-----------|------------|-----------------------------------
Sigma        | Free  | Manual    | Full       | Custom rules, open-source coverage
Soteria EDR  | Paid  | Auto      | None       | Comprehensive EDR coverage
Soteria AWS  | Paid  | Auto      | None       | AWS security monitoring
Soteria M365 | Paid  | Auto      | None       | M365/O365 security
SOC Prime    | Paid* | Auto (3h) | Full       | Enterprise content management
Community    | Free  | Manual    | Full       | Specific detections, quick starts

*Requires SOC Prime subscription (separate from LimaCharlie)

For detailed comparison and selection guidance, see REFERENCE.md.

False Positive Management

False Positive (FP) rules filter detections globally to reduce alert fatigue.

Quick FP Rule Creation

From a detection (fastest method):

  1. Navigate to Detections page
  2. Find a false positive detection
  3. Click Mark False Positive
  4. Review auto-generated rule
  5. Save

From scratch:

  1. Navigate to Automation > False Positive Rules
  2. Click New Rule
  3. Define matching logic
  4. Optionally set expiry date
  5. Save

Common FP Patterns

# Ignore detection by name
op: is
path: cat
value: my-detection-name

# Ignore specific file
op: ends with
path: detect/event/FILE_PATH
value: legitimate-tool.exe
case sensitive: false

# Ignore specific host
op: is
path: routing/hostname
value: build-server-01

For complete FP rule syntax and advanced examples, see REFERENCE.md. For FP troubleshooting by ruleset, see TROUBLESHOOTING.md.
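Because an FP rule suppresses detections globally, it is worth seeing exactly which detections a candidate rule would swallow before saving it. The following added example (a simplified local re-implementation, not LimaCharlie's engine or this skill's code) evaluates the three patterns above against constructed sample detections. It assumes the detection layout the patterns imply (cat, detect/event/..., routing/...) and that `case sensitive` defaults to true when omitted.

```python
"""Local model of LimaCharlie False Positive rule matching (added example).

Simplified re-implementation for dry-running FP rules; not LimaCharlie's
engine. Detection objects below are constructed samples.
"""


def lookup(obj, path):
    """Resolve a slash-separated path such as detect/event/FILE_PATH."""
    for key in path.split("/"):
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj


def matches(rule, detection):
    """True if the FP rule matches the detection; and/or nest recursively."""
    op = rule["op"]
    if op == "and":
        return all(matches(r, detection) for r in rule["rules"])
    if op == "or":
        return any(matches(r, detection) for r in rule["rules"])
    actual = lookup(detection, rule["path"])
    if actual is None:
        return False                       # a missing field never matches
    actual, expected = str(actual), str(rule["value"])
    if not rule.get("case sensitive", True):   # assumed default: case-sensitive
        actual, expected = actual.lower(), expected.lower()
    if op == "is":
        return actual == expected
    if op == "ends with":
        return actual.endswith(expected)
    if op == "starts with":
        return actual.startswith(expected)
    if op == "contains":
        return expected in actual
    raise ValueError(f"unsupported op: {op}")


def filter_detections(fp_rules, detections):
    """Split detections into (kept, suppressed); each entry is (cat, fp_rule_name)."""
    kept, suppressed = [], []
    for det in detections:
        hit = next((name for name, r in fp_rules.items() if matches(r, det)), None)
        (suppressed if hit else kept).append((det["cat"], hit))
    return kept, suppressed


# The three FP patterns from the section above, keyed by an FP rule name.
FP_RULES = {
    "fp-ignore-by-name": {"op": "is", "path": "cat",
                          "value": "my-detection-name"},
    "fp-ignore-legit-tool": {"op": "ends with", "path": "detect/event/FILE_PATH",
                             "value": "legitimate-tool.exe", "case sensitive": False},
    "fp-ignore-build-host": {"op": "is", "path": "routing/hostname",
                             "value": "build-server-01"},
}

# Constructed sample detections (not real telemetry).
DETECTIONS = [
    {"cat": "my-detection-name", "routing": {"hostname": "ws-001"},
     "detect": {"event": {"FILE_PATH": "C:\\Windows\\System32\\cmd.exe"}}},
    {"cat": "suspicious-binary", "routing": {"hostname": "ws-002"},
     "detect": {"event": {"FILE_PATH": "C:\\Tools\\Legitimate-Tool.EXE"}}},
    {"cat": "lateral-movement", "routing": {"hostname": "build-server-01"},
     "detect": {"event": {"FILE_PATH": "C:\\Deploy\\installer.exe"}}},
    # Hostname differs only in case: 'is' without "case sensitive: false" keeps it.
    {"cat": "lateral-movement", "routing": {"hostname": "BUILD-SERVER-01"},
     "detect": {"event": {"FILE_PATH": "C:\\Deploy\\installer.exe"}}},
    # No FILE_PATH in the event: the file-path FP rule cannot match.
    {"cat": "credential-access", "routing": {"hostname": "ws-003"},
     "detect": {"event": {}}},
]


def demo():
    """Dry-run the FP rules over the sample detections."""
    return filter_detections(FP_RULES, DETECTIONS)


if __name__ == "__main__":
    kept, suppressed = demo()
    print("suppressed:", suppressed)
    print("kept:", kept)
```

The fourth detection is the caveat worth remembering: `is` and `ends with` compare case-sensitively unless the rule says otherwise, so a host-based FP rule only suppresses detections whose hostname matches exactly, and a file-path rule on Windows usually needs `case sensitive: false`.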

Rule Testing

Always test rules before production deployment.

Quick Test Commands

# Validate rule syntax
limacharlie replay --validate --rule-content rule.yaml

# Test against recent data (last 7 days)
limacharlie replay --rule-content rule.yaml \
  --entire-org --last-seconds 604800

# Test with trace mode for debugging
limacharlie replay --rule-content rule.yaml \
  --events event.json --trace

For complete testing workflows, see EXAMPLES.md. For test troubleshooting, see TROUBLESHOOTING.md.

Rule Management

View Rules

# List all rules
limacharlie dr list

# Get specific rule
limacharlie dr get --rule-name my-rule

Deploy Rules

# Add a rule
limacharlie dr add --rule-name my-rule --rule-file rule.yaml

# Remove a rule
limacharlie dr remove --rule-name my-rule

# Export all rules (backup)
limacharlie dr list --format json > rules-backup.json

Organization with Namespaces

Use prefixes to organize rules by source:

  • sigma-windows-process-creation-suspicious-cmd
  • soteria-edr-windows-lateral-movement
  • custom-ransomware-indicators

For version control and IaC approaches, see REFERENCE.md.
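A naming convention only helps if it is enforced, and the JSON backup from the section above is the natural place to check it. The following added example (not this skill's code) audits an exported rule list against the prefix scheme just described: it counts rules per namespace and lists names that carry no recognized prefix. The export layout (a JSON object keyed by rule name) and the prefix list are assumptions; BACKUP_JSON is a constructed sample, not a real export.

```python
"""Rule-name namespace audit over a rule export (added example).

Assumes the export is a JSON object keyed by rule name; adjust
NAMESPACES to your own convention. BACKUP_JSON is constructed.
"""
import json
import re
from collections import Counter

# Assumed namespace prefixes, one per rule source.
NAMESPACES = ("sigma", "soteria", "socprime", "community", "custom")
# <namespace>-<lowercase words separated by single hyphens>
NAME_RE = re.compile(r"^(%s)-[a-z0-9]+(?:-[a-z0-9]+)*$" % "|".join(NAMESPACES))

# Constructed sample export (rule bodies abbreviated; only names matter here).
BACKUP_JSON = json.dumps({
    "sigma-windows-process-creation-suspicious-cmd": {"detect": {"event": "NEW_PROCESS"}},
    "soteria-edr-windows-lateral-movement": {"detect": {"event": "NETWORK_CONNECTIONS"}},
    "custom-ransomware-indicators": {"detect": {"event": "FILE_CREATE"}},
    "sigma-linux-cron-persistence": {"detect": {"event": "FILE_CREATE"}},
    "Test Rule 1": {"detect": {"event": "NEW_PROCESS"}},        # no prefix, spaces
    "vendor-suspicious-dns": {"detect": {"event": "DNS_REQUEST"}},  # unknown prefix
})


def audit_rule_names(backup_json):
    """Return (counts per namespace, sorted names that break the convention)."""
    rules = json.loads(backup_json)
    counts = Counter()
    offenders = []
    for name in rules:
        match = NAME_RE.match(name)
        if match:
            counts[match.group(1)] += 1
        else:
            offenders.append(name)
    return dict(counts), sorted(offenders)


def demo():
    """Audit the constructed sample export."""
    return audit_rule_names(BACKUP_JSON)


if __name__ == "__main__":
    counts, offenders = demo()
    print("rules per namespace:", counts)
    print("names outside the convention:", offenders)
```

Running this against a fresh `limacharlie dr list --format json` export before and after a bulk deployment gives a quick diff of what each source contributed and catches rules that were hand-added outside the scheme.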

Best Practices Summary

Deployment Strategy

  1. Start with high-fidelity rulesets

    • Soteria rules for managed coverage
    • SOC Prime for enterprise content
  2. Add broad coverage

    • Deploy Sigma rules for common threats
    • Use Community Rules for specific techniques
  3. Customize and tune

    • Create custom rules for org-specific threats
    • Add FP rules to reduce noise
  4. Continuous improvement

    • Monitor detection quality
    • Refine rules based on feedback
    • Keep rulesets updated

Performance Tips

  • Don't deploy all rules at once
  • Focus on high-priority threats first
  • Put restrictive conditions first in rules
  • Use suppression for noisy rules
  • Monitor rule evaluation metrics

Security Posture

  • Update Sigma rules monthly
  • Monitor Soteria/SOC Prime updates
  • Map rules to MITRE ATT&CK
  • Maintain documentation
  • Regular effectiveness reviews

For complete best practices, see REFERENCE.md.

Common Issues - Quick Reference

Sigma conversion fails

No detections from Soteria

  • Verify required events configured
  • Check subscription is active
  • Wait 24-48 hours for activation
  • See TROUBLESHOOTING.md

SOC Prime rules not syncing

  • Verify API key is valid
  • Check subscription is not free tier
  • Wait for 3-hour sync cycle
  • See TROUBLESHOOTING.md

Community rules fail to convert

High false positive rate

  • Create FP rules from detections
  • Exclude test environments
  • Tune thresholds
  • See TROUBLESHOOTING.md

Rules not matching events

  • Use replay with trace mode
  • Check event structure
  • Verify event type
  • See TROUBLESHOOTING.md

Navigation

  • REFERENCE.md - Complete API documentation, configuration details, and advanced features
  • EXAMPLES.md - Deployment scenarios, use cases, and step-by-step guides
  • TROUBLESHOOTING.md - Issue resolution by ruleset type

Quick Reference Links

Documentation

MITRE Coverage

Add-on Extensions

  • soteria-rules-edr - EDR detection ruleset
  • soteria-rules-aws - AWS detection ruleset
  • soteria-rules-o365 - M365 detection ruleset
  • socprime - SOC Prime integration
  • tor-ips - TOR lookup (free)

Summary

This skill provides guidance for deploying and managing four types of managed rulesets:

  1. Sigma Rules: Free, customizable open-source rules requiring manual conversion
  2. Soteria Rules: Professional managed rulesets with auto-updates (EDR, AWS, M365)
  3. SOC Prime Rules: Enterprise content platform with continuous sync
  4. Community Rules: AI-assisted conversion from multiple sources

When helping users:

  • Understand their environment and needs
  • Recommend appropriate rulesets (see comparison table)
  • Guide through testing before production
  • Help tune for false positives
  • Provide troubleshooting assistance
  • Encourage Infrastructure as Code for scale

The best approach combines managed rulesets for baseline coverage with custom rules for organization-specific needs.