Detection Engineering Loop

Detection engineering spans human judgment (what deserves a detection, what the telemetry shows) and repeatable software work (authoring, testing, deployment, detection, alerting, measurement, hunting). RSigma owns the software phases and exposes clean interfaces to the rest. This page is the map: one revolution of the loop, station by station, with links into the detailed guides.

RSigma detection engineering loop

The Engineer cycle (blue) is detection-as-code: turn incident evidence into a linted rule, prove it against history, and ship it through CI. The Operate cycle (orange) is security operations: evaluate the live stream, compress raw matches into incidents, and grade what earns its keep. Hunt bridges the two: compile the same rule for whatever store holds the archive, find variants the live path missed, and feed new exemplars back into Author.

Before the loop

RSigma does not replace threat-intel review, severity triage of candidate detections, or analyst investigation of what normal looks like. Those phases produce the NDJSON exemplars and the baseline corpus that rule draft and rule backtest expect. Once you have them, the stations below pick up.

Engineer cycle

Author

Turn exemplar events into a draft Sigma rule, finish metadata and correlation logic, and document the detection strategy.

Test

Prove the rule before it ships: why an event matched or did not, whether it regresses on known-good and known-bad corpora, and how field-mapping pipelines transform it. RSigma replays corpora you already have; it does not generate attacker telemetry (see Atomic Red Team for that).

Deploy

Turn a green laptop check into merge policy and a live ruleset.

  • rule validate: parse, compile, and resolve dynamic sources before merge.
  • CI/CD: lint, rule validate --resolve-sources, merge-base fields-drift diff, backtest, and coverage in the pipeline. Use rsigma-action for a single GitHub Action gate.
  • Streaming detection: hot-reload rules and pipelines without restart.
  • Docker and installation: signed containers and release binaries.

Operate cycle

Detect

Hold rules against the live event stream with correlation, schema routing, and bounded state.

Alert and triage

Turn raw matches into one incident per entity, enrich before the page, and ingest analyst verdicts.

Measure

Review the portfolio on evidence instead of vibes.

Hunt

The daemon only sees now. Hunt compiles the same rule for historical stores and feeds findings back into authoring.

  • backend convert: native PostgreSQL, LynxDB, and Fibratus targets; sigma-cli delegation for Splunk, Elasticsearch, Sentinel, and 30+ more. See Rule Conversion.
  • rule fields: mapping catalog for the fields a rule references.

What RSigma does not own

Phase Handoff
Requirements and discovery Threat intel, business context, analyst judgment
Attack simulation Atomic Red Team; RSigma replays and converts
Log storage and search Hunt targets PostgreSQL, LynxDB, or your SIEM via backend convert
Case management Dispositions API consumes verdicts; the durable record stays in your case system
Response Webhooks hand off to whatever runs the playbook

Further reading