
From Attack Simulation to SIEM Rule: Deterministic Detection-as-Code Synthesis with Probe-Level Traceability

arXiv – CS AI | Alexandre Cristovão Maiorano

AI Summary

Researchers present a deterministic synthesis method that automatically converts findings from attack simulation tools into SIEM detection rules, eliminating manual translation work. The system uses a 23-template library indexed by OWASP categories to map security probe findings to Sigma rules with full traceability to originating attacks, achieving 100% parseability across multiple backends.

Analysis

The security operations workflow has long suffered from a labor-intensive bottleneck: breach simulation tools generate attack findings, but operators must manually craft detection rules to catch those attacks in production. This research addresses a critical pain point by introducing deterministic synthesis that bridges the gap between attack simulation and deployable detection rules, replacing ad-hoc human interpretation with reproducible, auditable processes.

The approach trades generative flexibility for verifiable reproducibility. Rather than using large language models to generate rules—which might produce creative but unpredictable outputs—the authors employ a locked corpus of probes paired with a small template library. This constraint means every finding maps deterministically to a starter rule, and crucially, any fired alert can be traced back to the exact originating probe. The methodology proves robust across multiple SIEM backends: all 17 LLM-based rules parse correctly in Splunk, Elasticsearch, and OpenSearch without modification.

For security teams managing enterprise detection infrastructure, this represents a significant operational efficiency gain. Manual rule writing consumes hours per finding, introduces human error, and creates documentation gaps. The system reduces this to automated derivation while maintaining full auditability—a requirement for regulated industries and mature security programs. The 7.7% false positive rate on benign baselines suggests practical deployability, though the 30% detection rate against held-out attacks indicates these starter rules require operator refinement rather than serving as final deployments.

The approach's real value emerges in institutionalizing security workflows: because synthesis is deterministic, organizations can publish their probe corpora and template libraries, and other teams can reproduce identical detection rules from the same simulation data. This standardization could accelerate the maturation of detection engineering practice across the industry.
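The following is an added example, not the paper's tool or code, that sketches the mechanism described above: a finding from an attack probe is looked up in a small template library keyed by OWASP category, expanded into a Sigma starter rule whose id is derived from the probe id, and serialized with a fixed key order so the same corpus always yields byte-identical output. The template library, field names, probe identifiers, namespace UUID and sample findings are all constructed for illustration, and an alert carrying a rule id can be traced back to the originating probe.

```python
"""Added example: deterministic synthesis of Sigma starter rules from attack-simulation
findings with probe-level traceability. Illustrative code only; the template library,
log fields, probe identifiers and namespace UUID below are constructed, not the paper's."""
from __future__ import annotations

import hashlib
import json
import uuid
from dataclasses import dataclass

# Fixed namespace so the same probe id always maps to the same rule id (constructed value).
RULE_NS = uuid.UUID("3f2c0a6e-9b1d-4c7a-8e5f-1a2b3c4d5e6f")

# Tiny constructed template library keyed by OWASP category (the paper uses 23 templates).
TEMPLATES = {
    "A03:2021-Injection": {
        "title": "Web request carrying an injection payload seen in attack simulation",
        "field": "cs-uri-query",
        "logsource": {"category": "webserver"},
        "tag": "attack.initial_access",
        "level": "medium",
    },
    "LLM01:2023-Prompt-Injection": {
        "title": "LLM prompt carrying an instruction-override string seen in attack simulation",
        "field": "prompt",
        "logsource": {"product": "llm_gateway", "service": "chat"},
        "tag": "attack.execution",
        "level": "low",
    },
}


@dataclass(frozen=True)
class Finding:
    """One probe result from the simulation tool (constructed schema)."""
    probe_id: str   # identifier of the probe in the locked corpus
    category: str   # OWASP category used to index the template library
    payload: str    # string the probe sent and the target accepted
    target: str     # request path or endpoint that was hit


def rule_id_for(probe_id: str) -> str:
    """Stable rule id: uuid5 of the probe id, so re-runs never renumber rules."""
    return str(uuid.uuid5(RULE_NS, probe_id))


def synthesize(finding: Finding) -> dict | None:
    """Expand a finding into a Sigma rule dict; uncovered categories yield no rule."""
    tpl = TEMPLATES.get(finding.category)
    if tpl is None:
        return None  # never guess a rule for a category the library does not cover
    return {  # key order is fixed here and preserved by to_yaml (dicts keep insertion order)
        "title": tpl["title"],
        "id": rule_id_for(finding.probe_id),
        "status": "experimental",
        "description": f"Starter rule derived from probe {finding.probe_id}; refine before deployment.",
        "references": [f"probe://{finding.probe_id}"],
        "tags": [f"probe.{finding.probe_id.replace('.', '_')}", tpl["tag"]],
        "logsource": tpl["logsource"],
        "detection": {
            "selection": {f"{tpl['field']}|contains": finding.payload, "cs-uri-stem": finding.target},
            "condition": "selection",
        },
        "falsepositives": ["Security scanners", "Legitimate input containing the matched string"],
        "level": tpl["level"],
    }


def _scalar(value) -> str:
    """A JSON string literal is a valid double-quoted YAML scalar, so reuse json.dumps."""
    if isinstance(value, bool):
        return "true" if value else "false"
    if isinstance(value, (int, float)):
        return str(value)
    return json.dumps(str(value))


def _emit(value, indent: int = 0) -> list[str]:
    pad = "  " * indent
    lines: list[str] = []
    if isinstance(value, dict):
        for key, val in value.items():
            if isinstance(val, (dict, list)):
                lines.append(f"{pad}{key}:")
                lines.extend(_emit(val, indent + 1))
            else:
                lines.append(f"{pad}{key}: {_scalar(val)}")
    elif isinstance(value, list):  # this example only needs lists of scalars
        lines.extend(f"{pad}- {_scalar(item)}" for item in value)
    return lines


def to_yaml(rule: dict) -> str:
    """Minimal deterministic YAML emitter (no PyYAML dependency, fixed key order)."""
    return "\n".join(_emit(rule)) + "\n"


def build_ruleset(findings: list[Finding]) -> tuple[str, str]:
    """Synthesize every covered finding, sorted by probe id, and hash the result.
    Equal corpora therefore produce equal bytes and an equal digest on any machine."""
    docs = [to_yaml(r) for f in sorted(findings, key=lambda f: f.probe_id) if (r := synthesize(f))]
    text = "---\n".join(docs)
    return text, hashlib.sha256(text.encode()).hexdigest()


def trace_alert(rule_id: str, rules: list[dict | None]) -> str | None:
    """Given the rule id carried by a fired alert, return the originating probe id."""
    for rule in rules:
        if rule and rule["id"] == rule_id:
            return rule["references"][0].removeprefix("probe://")
    return None


# Constructed sample corpus (not real probe output).
SAMPLE_FINDINGS = [
    Finding("web.sqli.boolean_blind.003", "A03:2021-Injection", "' OR 1=1--", "/login"),
    Finding("llm.prompt_override.012", "LLM01:2023-Prompt-Injection", "ignore previous instructions", "/v1/chat"),
]

if __name__ == "__main__":
    text, digest = build_ruleset(SAMPLE_FINDINGS)
    print(text)
    print("ruleset sha256:", digest)
```

The digest is the reproducibility check: two teams who load the same probe corpus and template library can compare one hash rather than diffing rules, and an alert's rule id resolves back to the probe through `trace_alert` without any out-of-band mapping table.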

Key Takeaways
  • Deterministic synthesis automatically converts attack simulation findings to deployable Sigma rules without manual translation, reducing operator workload.
  • The system achieves 100% parseability across Splunk, Elasticsearch, and OpenSearch backends with full traceability from alerts back to originating probes.
  • Trading LLM generality for byte-stable reproducibility enables auditable detection rules suitable for regulated environments requiring proof of detection logic origins.
  • The template-based approach scales to diverse attack categories (LLM and Web) with locked probe corpora, making results reproducible across organizations.
  • The 7.7% false positive rate indicates practical deployment viability, though the 30% detection performance suggests starter rules require operator refinement before production use.