Sigma Rule Suggestion
RuleSuggestionService watches the analyst feedback loop. When the same Drain3 pattern (template + entity context) racks up enough true-positive labels, the service can promote it into a draft Sigma YAML rule — validated by pySigma before it reaches the analyst’s editor.
This is how a one-off analyst label becomes a permanent rule, without anyone hand-writing YAML.
When it runs
Section titled “When it runs”- Manually, from the dashboard Sigma rules page: an operator opens the “Suggest from pattern” dialog and picks a pattern from the eligible list.
- Eligibility is computed by
aggregator.count_pattern_tps()— a pattern qualifies once it has accumulated at leastllm.rule_suggestion_min_tptrue-positive feedback events (default inLLMConfig). - Suggestions are cached by
pattern_key— repeat requests do not re-call the LLM.
1. Aggregator scans alert feedback (origin: dashboard | cli | api)2. Patterns with >= rule_suggestion_min_tp TPs become "eligible"3. Operator picks an eligible pattern in the dashboard4. LLM is prompted with: pattern template, top entity context, MITRE tags5. LLM returns YAML6. pySigma validator runs in three stages: - yaml — syntactic validity - schema — SigmaHQ schema compliance - compile — backend compile (smoke test)7. Operator sees the YAML + validator verdict in Monaco editor8. Operator either edits + accepts, or rejects9. Accepted rules drop into `detection.sigma_custom_upload_dir`Validator verdict
Section titled “Validator verdict”The result carries a structured verdict so the editor can highlight failing lines:
{ "valid": false, "rule_id": "rule_suggested_abc123", "title": "Suspicious cron persistence", "stage": "schema", "message": "logsource.product is required when logsource.category=process_creation", "line": 4, "field": "logsource"}A stage: "compile" failure means the YAML parses and matches the SigmaHQ schema but the backend cannot compile it — typically a malformed detection condition.
REST API
Section titled “REST API”| Method | Path | Purpose |
|---|---|---|
| GET | /api/v1/sigma/rule-suggestions | List patterns currently meeting the TP threshold (paginated). |
| POST | /api/v1/sigma/rule-suggestions/{pattern_key} | Generate (or fetch cached) suggestion for one pattern. |
| DELETE | /api/v1/sigma/rule-suggestions/{pattern_key} | Discard a suggestion. |
| POST | /api/v1/sigma/rules?dry_run=true | Validate a YAML draft without persisting. |
| POST | /api/v1/sigma/rules | Persist an accepted suggestion into sigma_custom_upload_dir. |
Configuration
Section titled “Configuration”llm: backend: ollama ollama_model: phi4-mini
detection: # Custom rules persisted by the dashboard live here. # Always discovered at startup regardless of `sigma_rules_dirs`. sigma_custom_upload_dir: ~/.local/share/seerflow/sigma-customWhy a suggestion, not auto-promote
Section titled “Why a suggestion, not auto-promote”The LLM never silently widens the detection surface. A suggestion enters the system only when:
- Multiple analysts independently labelled the pattern as a true positive, and
- An operator actively reviewed and approved the generated YAML
Both gates are deliberate — the goal is to turn recurring true positives into pre-approved drafts the team can ship in seconds, not to replace human review with model output.