| name | sigma-rule-deployer |
| description | Use this skill when the user needs help deploying, managing, or understanding Sigma rules, Soteria rules, SOC Prime rules, Community rules, or any other managed rulesets in LimaCharlie. |
LimaCharlie Managed Ruleset Deployer
This skill helps you deploy and manage Sigma rules and other managed rulesets in LimaCharlie. Use this when users need help with:
- Deploying Sigma rules from SigmaHQ
- Converting Sigma rules to LimaCharlie format
- Managing Soteria EDR, AWS, or M365 rulesets
- Configuring SOC Prime rules
- Using Community Rules
- Understanding managed ruleset pricing and subscriptions
- Tuning and managing false positives
- Updating and versioning rulesets
What are Managed Rulesets?
Managed rulesets are professionally maintained, pre-built detection rules that can be deployed with one click to a LimaCharlie organization. They provide:
- Expert-curated detections: Rules written by security professionals
- Automatic updates: Rulesets are updated as new threats emerge
- Broad coverage: MITRE ATT&CK framework alignment
- Reduced maintenance: No need to write rules from scratch
- Cost efficiency: Leverage community and commercial detections
- Quick deployment: Enable comprehensive detection in minutes
LimaCharlie supports multiple managed ruleset sources:
- Sigma Rules - Open-source detection rules from SigmaHQ
- Soteria Rules - Managed EDR, AWS, and M365 detection rulesets
- SOC Prime Rules - Community and enterprise detection content
- Community Rules - AI-assisted conversion of third-party rules
Quick Start by Ruleset Type
Sigma Rules - Quick Start
What: Open-source detection rules automatically converted to LimaCharlie format
Best for: Free, customizable coverage with community-maintained rules
Quick Deploy:
curl -X POST https://sigma.limacharlie.io/convert/rule \
-H 'content-type: application/x-www-form-urlencoded' \
--data-urlencode "rule@my-sigma-rule.yaml"
curl -X POST https://sigma.limacharlie.io/convert/repo \
-d "repo=https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation"
Common targets: edr (default for endpoint detection), artifact (for log analysis)
See REFERENCE.md for complete API documentation.
See EXAMPLES.md for deployment examples.
Soteria EDR Rules - Quick Start
What: Professional managed EDR detection ruleset with auto-updates
Best for: Comprehensive EDR coverage across Windows, Linux, macOS
Quick Deploy:
- Navigate to Add-On Marketplace
- Search for "Soteria" or select
soteria-rules-edr
- Select your organization
- Click Subscribe
- Configure required events (listed in subscription UI)
Required events: NEW_PROCESS, DNS_REQUEST, NETWORK_CONNECTIONS, FILE_CREATE, REGISTRY_WRITE, and more
MITRE Coverage: https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fstorage.googleapis.com%2Fsoteria-detector-mapping%2F%2Fall.json
See REFERENCE.md for complete event list and configuration.
See EXAMPLES.md for deployment scenarios.
Soteria AWS Rules - Quick Start
What: Managed AWS threat detection using CloudTrail and GuardDuty
Best for: AWS cloud security monitoring
Quick Deploy:
- Configure AWS CloudTrail adapter
- Configure AWS GuardDuty adapter
- Navigate to Add-On Marketplace
- Subscribe to
tor lookup (free)
- Subscribe to
soteria-rules-aws
Prerequisites: Active AWS CloudTrail and GuardDuty integrations
See REFERENCE.md for adapter configuration.
See EXAMPLES.md for AWS deployment scenarios.
Soteria M365 Rules - Quick Start
What: Managed Microsoft 365 threat detection
Best for: M365/Office 365 security monitoring
Quick Deploy:
- Configure Office 365 adapter to collect audit logs
- Navigate to Add-On Marketplace
- Subscribe to
tor lookup (free)
- Subscribe to
soteria-rules-o365
Coverage: Teams, Word, Excel, PowerPoint, Outlook, OneDrive
See REFERENCE.md for adapter configuration.
See EXAMPLES.md for M365 scenarios.
SOC Prime Rules - Quick Start
What: Enterprise content platform with continuous updates
Best for: Organizations with SOC Prime subscriptions wanting automated content management
Quick Deploy:
- Create content lists in SOC Prime platform
- Get API key from SOC Prime (requires trial/paid subscription)
- Enable
socprime add-on in LimaCharlie
- Go to Integrations page
- Enter API key and select content lists
Sync: Rules sync automatically every 3 hours
Attribution: All detections show socprime as author
See REFERENCE.md for detailed setup.
See EXAMPLES.md for integration scenarios.
Community Rules - Quick Start
What: AI-powered conversion of third-party rules (Anvilogic, Sigma, Panther, Okta)
Best for: Quick deployment of specific detections from various sources
Quick Deploy:
- Navigate to Automation > Rules
- Click Add Rule
- Click Community Library (upper right)
- Search by CVE, keywords, or MITRE ATT&CK tags
- Click on a rule to view details
- Click Load Rule (AI converts to LimaCharlie format)
- Review and customize the converted logic
- Save and deploy
Sources: Anvilogic, Sigma, Panther, Okta rules
See REFERENCE.md for source details.
See EXAMPLES.md for conversion examples.
Ruleset Comparison
| Ruleset | Cost | Updates | Visibility | Best For |
|---|
| Sigma | Free | Manual | Full | Custom rules, open-source coverage |
| Soteria EDR | Paid | Auto | None | Comprehensive EDR coverage |
| Soteria AWS | Paid | Auto | None | AWS security monitoring |
| Soteria M365 | Paid | Auto | None | M365/O365 security |
| SOC Prime | Paid* | Auto (3h) | Full | Enterprise content management |
| Community | Free | Manual | Full | Specific detections, quick starts |
*Requires SOC Prime subscription (separate from LimaCharlie)
For detailed comparison and selection guidance, see REFERENCE.md.
False Positive Management
False Positive (FP) rules filter detections globally to reduce alert fatigue.
Quick FP Rule Creation
From a detection (fastest method):
- Navigate to Detections page
- Find a false positive detection
- Click Mark False Positive
- Review auto-generated rule
- Save
From scratch:
- Navigate to Automation > False Positive Rules
- Click New Rule
- Define matching logic
- Optionally set expiry date
- Save
Common FP Patterns
op: is
path: cat
value: my-detection-name
op: ends with
path: detect/event/FILE_PATH
value: legitimate-tool.exe
case sensitive: false
op: is
path: routing/hostname
value: build-server-01
For complete FP rule syntax and advanced examples, see REFERENCE.md.
For FP troubleshooting by ruleset, see TROUBLESHOOTING.md.
Rule Testing
Always test rules before production deployment.
Quick Test Commands
limacharlie replay --validate --rule-content rule.yaml
limacharlie replay --rule-content rule.yaml \
--entire-org --last-seconds 604800
limacharlie replay --rule-content rule.yaml \
--events event.json --trace
For complete testing workflows, see EXAMPLES.md.
For test troubleshooting, see TROUBLESHOOTING.md.
Rule Management
View Rules
limacharlie dr list
limacharlie dr get --rule-name my-rule
Deploy Rules
limacharlie dr add --rule-name my-rule --rule-file rule.yaml
limacharlie dr remove --rule-name my-rule
limacharlie dr list --format json > rules-backup.json
Organization with Namespaces
Use prefixes to organize rules by source:
sigma-windows-process-creation-suspicious-cmdsoteria-edr-windows-lateral-movementcustom-ransomware-indicators
For version control and IaC approaches, see REFERENCE.md.
Best Practices Summary
Deployment Strategy
-
Start with high-fidelity rulesets
- Soteria rules for managed coverage
- SOC Prime for enterprise content
-
Add broad coverage
- Deploy Sigma rules for common threats
- Use Community Rules for specific techniques
-
Customize and tune
- Create custom rules for org-specific threats
- Add FP rules to reduce noise
-
Continuous improvement
- Monitor detection quality
- Refine rules based on feedback
- Keep rulesets updated
Performance Tips
- Don't deploy all rules at once
- Focus on high-priority threats first
- Put restrictive conditions first in rules
- Use suppression for noisy rules
- Monitor rule evaluation metrics
Security Posture
- Update Sigma rules monthly
- Monitor Soteria/SOC Prime updates
- Map rules to MITRE ATT&CK
- Maintain documentation
- Regular effectiveness reviews
For complete best practices, see REFERENCE.md.
Common Issues - Quick Reference
Sigma conversion fails
No detections from Soteria
- Verify required events configured
- Check subscription is active
- Wait 24-48 hours for activation
- See TROUBLESHOOTING.md
SOC Prime rules not syncing
- Verify API key is valid
- Check subscription is not free tier
- Wait for 3-hour sync cycle
- See TROUBLESHOOTING.md
Community rules fail to convert
High false positive rate
- Create FP rules from detections
- Exclude test environments
- Tune thresholds
- See TROUBLESHOOTING.md
Rules not matching events
Navigation
- REFERENCE.md - Complete API documentation, configuration details, and advanced features
- EXAMPLES.md - Deployment scenarios, use cases, and step-by-step guides
- TROUBLESHOOTING.md - Issue resolution by ruleset type
Quick Reference Links
Documentation
MITRE Coverage
Add-on Extensions
soteria-rules-edr - EDR detection rulesetsoteria-rules-aws - AWS detection rulesetsoteria-rules-o365 - M365 detection rulesetsocprime - SOC Prime integrationtor-ips - TOR lookup (free)
Summary
This skill provides guidance for deploying and managing four types of managed rulesets:
- Sigma Rules: Free, customizable open-source rules requiring manual conversion
- Soteria Rules: Professional managed rulesets with auto-updates (EDR, AWS, M365)
- SOC Prime Rules: Enterprise content platform with continuous sync
- Community Rules: AI-assisted conversion from multiple sources
When helping users:
- Understand their environment and needs
- Recommend appropriate rulesets (see comparison table)
- Guide through testing before production
- Help tune for false positives
- Provide troubleshooting assistance
- Encourage Infrastructure as Code for scale
The best approach combines managed rulesets for baseline coverage with custom rules for organization-specific needs.
