Sigma Playground
Module Overview
Have you ever searched online for "Test Sigma online" only to stumble on Agile methodologies and "Sigma Male Test" content? You are not alone.
The Sigma Playground module provides a comprehensive environment for developing, testing, and validating Sigma detection rules with real-world data and immediate feedback. While other detection engineering tools force you into tedious edit-test-deploy cycles with limited visibility, this module offers interactive rule development with instant validation against sample data in multiple formats.
Run your own Sigma rules against JSON, XML or Windows EVTX files directly, or, better still, run more than 4,000 community rules against your test data or files to see what is already detected.
The module supports all Sigma conditions, string wildcards and all Sigma field modifiers except expand. It works in "Data" or "File" mode, so you can develop Sigma rules against WinEVTX files or against XML and JSON data pasted in directly. It supports nested matching for any JSON layout, as well as the flattened Windows EVTX field layout that existing community rules are written against.
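To make the matching modes above concrete, here is a minimal Sigma evaluator as an added example. It is not the playground's code: the rule, the two events and the order in which nested fields are resolved are this example's own assumptions. It covers the contains, endswith and all modifiers, plain values with Sigma * and ? wildcards, and conditions built from and/or/not, parentheses and "1 of selection*"-style quantifiers, and runs one hypothetical rule against a flattened EVTX-style record and the same activity as nested JSON:

```python
import fnmatch
import re

# Constructed (hypothetical) Sigma rule, written as the dict yaml.safe_load() would return.
RULE = {
    "title": "Encoded PowerShell Launched Outside Approved Installer",
    "detection": {
        "selection": {
            "Image|endswith": ["\\powershell.exe", "\\pwsh.exe"],
            "CommandLine|contains|all": ["-nop", "-enc"],
        },
        "filter": {"ParentImage|endswith": "\\approved_installer.exe"},
        "condition": "selection and not filter",
    },
}

def lookup(event, field):
    """Top-level key first (flattened EVTX), else first nested dict with the key (assumed order)."""
    stack = [event]
    while stack:
        node = stack.pop()
        if isinstance(node, dict):
            if field in node:
                return node[field]
            stack.extend(node.values())
    return None

def value_matches(actual, pattern, modifiers):
    """Apply a Sigma string modifier; comparison is case-insensitive as in Sigma."""
    if actual is None:
        return False
    a, p = str(actual).lower(), str(pattern).lower()
    if "contains" in modifiers:
        return p in a
    if "endswith" in modifiers:
        return a.endswith(p)
    return fnmatch.fnmatchcase(a, p)  # plain value, with Sigma '*' and '?' wildcards

def selection_matches(event, selection):
    """Every field in the map must match; list values are OR-ed unless |all is set."""
    for key, expected in selection.items():
        field, *modifiers = key.split("|")
        values = expected if isinstance(expected, list) else [expected]
        hits = [value_matches(lookup(event, field), v, modifiers) for v in values]
        if not (all(hits) if "all" in modifiers else any(hits)):
            return False
    return True

def evaluate(condition, results):
    """Recursive-descent evaluator: and/or/not, parentheses, '<N|all> of <pattern|them>'."""
    tokens = re.findall(r"\(|\)|[^\s()]+", condition)
    def atom():
        tok = tokens.pop(0)
        if tok == "(":
            value = expr()
            tokens.pop(0)  # closing parenthesis
            return value
        if tok == "not":
            return not atom()
        if tok == "all" or tok.isdigit():
            tokens.pop(0)  # the word 'of'
            pat = tokens.pop(0)
            names = [n for n in results if pat == "them" or fnmatch.fnmatchcase(n, pat)]
            hits = sum(results[n] for n in names)
            return hits == len(names) if tok == "all" else hits >= int(tok)
        return results[tok]
    def term():  # 'and' binds tighter than 'or'
        value = atom()
        while tokens and tokens[0] == "and":
            tokens.pop(0)
            value = atom() and value
        return value
    def expr():
        value = term()
        while tokens and tokens[0] == "or":
            tokens.pop(0)
            value = term() or value
        return value
    return expr()

def run_rule(rule, event):
    """True when the event satisfies the rule's condition."""
    det = rule["detection"]
    results = {k: selection_matches(event, v) for k, v in det.items() if k != "condition"}
    return evaluate(det["condition"], results)

FLAT_EVENT = {  # constructed; the flattened EVTX shape that community rules are written against
    "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4A",
    "ParentImage": "C:\\Windows\\explorer.exe",
}
NESTED_EVENT = {  # constructed; nested JSON as an EVTX-to-JSON exporter would emit it
    "Event": {"EventData": {
        "Image": "C:\\Program Files\\PowerShell\\7\\pwsh.exe",
        "CommandLine": "pwsh -nop -enc SQBFAFgAIAAoAE4A",
        "ParentImage": "C:\\Temp\\approved_installer.exe",
    }},
}
```

run_rule(RULE, FLAT_EVENT) returns True, while the nested event returns False because its parent is the approved installer named in the filter, which is exactly the benign-path exclusion you want to confirm before a rule leaves the playground. Two caveats for anyone extending this: field lookup here simply takes the first nested dict carrying the key, so an event with the same field name at two depths needs an explicit field mapping, and keyword-list selections (a list of bare strings instead of a field map) are not handled.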
Whether you're building custom detections, converting rules between SIEM platforms, or validating detection logic, this module accelerates your detection engineering workflow from days to hours by providing immediate feedback and extensive rule libraries.
Use Cases
Detection Rule Development
- Interactive Rule Creation: Build Sigma rules with real-time syntax validation and immediate feedback
- Rule Testing and Validation: Test detection logic against sample data sets and known attack patterns
- Cross-Platform Compatibility: Validate rules across different SIEM platforms and log formats
- Performance Optimization: Identify and resolve performance bottlenecks in detection rules
Threat Hunting and Detection Engineering
- Hypothesis Testing: Rapidly prototype and test threat hunting hypotheses with Sigma rules
- IOC Integration: Convert threat intelligence indicators into actionable detection rules
- Behavioral Detection: Develop rules for detecting anomalous behavior patterns and suspicious activities
- Attack Simulation: Test detection effectiveness against known attack techniques and TTPs
Rule Migration and Conversion
- Rule Standardization: Standardize detection rules across multiple security tools using the Sigma format
- Legacy Rule Modernization: Convert proprietary detection rules to open-source Sigma format
Training and Education
- Detection Engineering Training: Teach detection engineering concepts using interactive rule development
- Rule Sharing and Collaboration: Share detection results on files with team members and the security community
- Best Practices Development: Establish organizational standards for detection rule development
- Knowledge Transfer: Document detection logic and reasoning for future reference and training
Usage Guidelines
Rule Development Environment
- Syntax Highlighting: Editor with YAML, JSON and XML syntax highlighting
- Real-Time Validation: Instant feedback on rule syntax and completeness, and on whether the condition matches the test data
- Version Control: Track rule changes and maintain version history for collaborative development
- Rule Templates: Pre-built default rule and sample data that you can immediately start building upon
Testing and Validation
- Sample Data Integration: Test rules against curated security events and attack samples
- Custom Data Upload: Upload your own log samples for testing detection rules
- Multi-Format Testing: Validate rules against WinEVTX files, XML and JSON Windows Event Log data, and arbitrary nested JSON for custom data matching
Best Practices for Rule Development
- Precision over Recall: Focus on reducing false positives while maintaining detection capability
- Environment Specificity: Consider your environment's unique characteristics when developing rules
- Documentation: Include comprehensive metadata, descriptions, and references in your rules
- Testing Methodology: Test rules against both malicious and benign datasets for accuracy validation
Integration and Deployment (SOON)
- SIEM Integration: Direct deployment to popular SIEM platforms (Splunk, Elastic, QRadar, etc.)
- API Access: Programmatic access for automated rule management and deployment
- CI/CD Integration: Integrate rule development into continuous integration pipelines
Token Pricing Breakdown
Basic Rule Operations
- Rule Creation and Editing: 5 tokens - Interactive rule development with syntax validation
- Rule Testing (Small Dataset): 10 tokens - Test rules against sample datasets (< 1000 events)
- Rule Validation: 8 tokens - Comprehensive rule validation including syntax, logic, and performance checks
- Rule Conversion: 12 tokens - Convert rules between different SIEM platforms and formats
Advanced Testing and Analysis
- Custom Sigma Rule on Test Data: 2 tokens - Test rules against your XML (only for Windows Event Log for now) or JSON formatted data
- Run Community Rules on Test Data: 3 tokens - Run 4000+ community rules on your XML or JSON formatted Windows Event Log data.
- Custom Sigma Rule on Files: 3 tokens per 1000 records - Test your rule on a file and see how it performs.
- Run Community Rules on Files: 6 tokens per 1000 records - Test the community's rules against your files
Why These Costs: The token costs reflect the computational cost of rule evaluation and the value of immediate feedback that eliminates long development cycles. For community rules in particular (few of which are optimised) this is necessary, as they are computationally intensive when run at scale and in parallel.
Performance Expectations
Custom Sigma rules run on test data return in the low-millisecond range, depending on network latency and server throughput, and community rule checks are in the same range for relatively small data sets. File-based processing varies widely with the number of records, the rule's performance and whether a single custom rule or the full community rule set is run. A maximum-sized WinEVTX log of 20 MB (around 63,000 events) can be processed in under 10 seconds with the 4,000+ community rules run across it.