SOC detection rules

For every finding the platform emits, Pentestas also generates three SOC-ready detection rules — Sigma, Microsoft Sentinel KQL, and Splunk SPL. This is the red-team / blue-team handoff: the same vulnerability class shouldn't slip past the SIEM next time.

What you get per finding

  • Sigma YAML — vendor-neutral; compile with the official Sigma CLI / pySigma to whatever SIEM you run.
  • Microsoft Sentinel KQL — drops straight into a scheduled analytics rule.
  • Splunk SPL — Splunk-native search syntax for teams that haven't adopted Sigma.

Each rule includes:

  • The attack pattern keyed on the URL path of the original finding.
  • MITRE ATT&CK technique tags (rendered into the right ATT&CK coverage column when imported into Sentinel / Splunk Enterprise Security).
  • Required log sources (so the SOC knows whether they already collect what the rule expects).
  • Common false-positive notes so the rule arrives pre-tuned.

Downloading the rule bundle

  1. Open a completed scan's detail page.
  2. Click SOC Detection Rules in the action bar (only visible on completed scans with at least one finding).
  3. You get a ZIP laid out as a SIEM repository:
    pentestas-detection-rules-<scan-id>.zip
    ├── README.md
    ├── sigma/
    │   ├── sql-injection-attempt-against-search.yml
    │   └── ssrf-attempt-against-fetch.yml
    ├── kql/
    │   ├── sql-injection-attempt-against-search.kql
    │   └── ssrf-attempt-against-fetch.kql
    └── spl/
        ├── sql-injection-attempt-against-search.spl
        └── ssrf-attempt-against-fetch.spl

Per-finding rules are also available via the API at GET /api/intel/findings/{finding_id}/detection-rules.

Tuning philosophy

The templates are tuned conservatively — high-precision, moderate-recall patterns the SOC can deploy on day one without drowning in alerts. Every Sigma rule's falsepositives: block names the common shapes that trigger it benignly, so the SOC can add the right exclusions before promoting the rule to high-severity alerting.
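As an added illustration of the rule shape described above (an attack pattern keyed on the URL path of the finding, ATT&CK tags, the required log source, a falsepositives: block) and of the precision/recall trade-off this section describes, here is a constructed Sigma-style rule together with a minimal evaluator that applies it to a few constructed web-server access-log lines. This is example code written for this help page, not Pentestas' own template, evaluator or bundle contents; the rule title, the /search path, the scanner address 10.0.50.5 and every log line are made-up values.

```python
"""Constructed Sigma-style rule plus a minimal evaluator (example code for this
help page, not Pentestas' own template). Field names follow the Sigma
webserver log convention (c-ip, cs-method, c-uri, sc-status)."""
import re
from urllib.parse import unquote_plus

# Constructed rule in the layout the bundle describes: a pattern keyed on the
# URL path of the finding, ATT&CK tags, the required log source and a
# falsepositives block. The /search path, scanner IP and title are assumptions.
SQLI_SEARCH_RULE = {
    "title": "SQL injection attempt against /search",
    "status": "experimental",
    "tags": ["attack.initial_access", "attack.t1190"],
    "logsource": {"category": "webserver"},
    "detection": {
        "selection": {
            "c-uri|startswith": "/search",
            "c-uri|contains": ["' or ", "union select", "sleep("],
        },
        # One benign shape named below: the internal DAST scanner's source IP.
        "filter_scanner": {"c-ip": ["10.0.50.5"]},
        "condition": "selection and not filter_scanner",
    },
    "falsepositives": [
        "Internal DAST / QA scanners (exclude by source IP)",
        "Search terms that legitimately contain SQL keywords",
    ],
    "level": "medium",
}

# Combined-log-format access line -> Sigma webserver fields. Decoding the URI
# first means "%27+OR+1%3D1" is matched as "' OR 1=1".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) \d+'
)


def parse_access_line(line):
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        "c-ip": m["ip"],
        "cs-method": m["method"],
        "c-uri": unquote_plus(m["uri"]),
        "sc-status": int(m["status"]),
    }


def _field_matches(event, key, expected):
    """One 'field|modifier: value(s)' entry; list values are OR-ed and the
    comparison is case-insensitive, like Sigma's default string matching."""
    field, _, modifier = key.partition("|")
    value = event.get(field)
    if value is None:
        return False
    value = str(value).lower()
    for cand in expected if isinstance(expected, list) else [expected]:
        cand = str(cand).lower()
        if modifier == "contains" and cand in value:
            return True
        if modifier == "startswith" and value.startswith(cand):
            return True
        if modifier == "" and value == cand:
            return True
    return False


def _map_matches(event, mapping):
    # every key inside one selection/filter map must match (AND)
    return all(_field_matches(event, k, v) for k, v in mapping.items())


def evaluate(rule, event):
    """Supports the 'X and not Y' condition shape used by the rule above."""
    det = rule["detection"]
    m = re.fullmatch(r"(\w+) and not (\w+)", det["condition"])
    if m is None:
        raise ValueError("unsupported condition: " + det["condition"])
    sel, flt = m.groups()
    return _map_matches(event, det[sel]) and not _map_matches(event, det[flt])


def run_rule(rule, lines):
    """Return (c-ip, c-uri) for every parsed event the rule fires on."""
    hits = []
    for line in lines:
        event = parse_access_line(line)
        if event is not None and evaluate(rule, event):
            hits.append((event["c-ip"], event["c-uri"]))
    return hits


# Constructed access-log lines (not real traffic).
SAMPLE_LINES = [
    '203.0.113.7 - - [10/May/2025:12:00:01 +0000] "GET /search?q=laptop HTTP/1.1" 200 5123',
    '203.0.113.9 - - [10/May/2025:12:00:02 +0000] "GET /search?q=%27+OR+1%3D1-- HTTP/1.1" 200 5123',
    '10.0.50.5 - - [10/May/2025:12:00:03 +0000] "GET /search?q=%27+UNION+SELECT+1 HTTP/1.1" 500 321',
    '203.0.113.9 - - [10/May/2025:12:00:04 +0000] "GET /products?id=%27+OR+1%3D1 HTTP/1.1" 200 50',
    '198.51.100.4 - - [10/May/2025:12:00:05 +0000] "GET /search?q=how+to+union+select+rows HTTP/1.1" 200 9000',
]

if __name__ == "__main__":
    for ip, uri in run_rule(SQLI_SEARCH_RULE, SAMPLE_LINES):
        print(f"ALERT {SQLI_SEARCH_RULE['title']}: {ip} {uri}")
```

Running it fires on two of the five lines: the injected /search request and the legitimate search for "union select rows", which is exactly the benign shape the second falsepositives entry names and the reason the rule ships at medium rather than high severity. The scanner's request is suppressed by the filter, and the same payload against /products does not fire at all because the pattern is keyed on the path of the original finding. In production you would compile the YAML with sigma-cli / pySigma for your SIEM rather than use an ad-hoc evaluator like this one.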

The intent is "deploy these alongside the code-level remediation". The patch fixes the bug; the rule catches the next attempt against the same class. Most vendor pentest reports stop at the patch.