Detection Rule Naming Convention
Purpose
Every detection rule in this engagement follows a consistent naming convention so that rules are identifiable, traceable, and maintainable across both SIEM platforms.
Convention Format
CS-BTC-[TTP]-[SIEM]-[VERSION]
- CS -- engagement identifier (cybersecurity assessment)
- BTC -- client identifier (Bhutan Tourism Council)
- TTP -- ATT&CK technique ID (e.g., T1190, T1059)
- SIEM -- platform identifier: loki or wazuh
- VERSION -- version number: v1, v2, etc. (increment when tuning)
Naming Rules
- Use lowercase for the SIEM identifier
- Use the ATT&CK technique ID exactly as published (T followed by four digits)
- Increment the version number each time a rule is tuned or modified
- The same detection logic deployed on both platforms gets the same base name with different SIEM identifiers
- If a rule covers a sub-technique, use the full ID (e.g., T1190.002)
Examples
| Sigma rule name | Loki variant | Wazuh variant |
|---|---|---|
| SQL injection detection for tourism portal search | CS-BTC-T1190-loki-v1 | CS-BTC-T1190-wazuh-v1 |
| API authentication bypass detection | CS-BTC-T1078-loki-v1 | CS-BTC-T1078-wazuh-v1 |
| File upload validation bypass (operations platform) | CS-BTC-T1203-loki-v1 | CS-BTC-T1203-wazuh-v1 |
When a rule is tuned (e.g., to reduce false positives), increment the version: CS-BTC-T1190-loki-v2. The previous version remains in the git history for comparison.
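As an added example (not part of the engagement's own tooling), the following Python validator encodes the rules above: it parses a name into its components, rejects names that break the convention (uppercase SIEM identifier, malformed technique ID), derives the counterpart name for the other platform, and bumps the version after tuning. The rejection of a leading-zero or v0 version is an assumption; the convention only shows v1, v2.

```python
import re

# Constructed validator for the CS-BTC-[TTP]-[SIEM]-[VERSION] convention.
# Prefixes, SIEM set and version scheme are taken from the convention text;
# rejecting v0 and leading zeros in the version is an added assumption.
RULE_NAME = re.compile(
    r"^(?P<eng>CS)-(?P<client>BTC)-"
    r"(?P<ttp>T\d{4}(?:\.\d{3})?)-"   # ATT&CK technique ID, optional sub-technique
    r"(?P<siem>loki|wazuh)-"           # lowercase platform identifier only
    r"v(?P<version>[1-9]\d*)$"         # v1, v2, ... (no v0, no leading zeros)
)

def parse_rule_name(name: str) -> dict:
    """Split a rule name into its components; raise ValueError when the name
    violates the convention (wrong prefix, uppercase SIEM, bad TTP id, ...)."""
    m = RULE_NAME.match(name)
    if not m:
        raise ValueError(f"rule name does not follow convention: {name!r}")
    parts = m.groupdict()
    parts["version"] = int(parts["version"])
    return parts

def build_rule_name(ttp: str, siem: str, version: int) -> str:
    """Assemble a name from components and re-validate it before returning."""
    name = f"CS-BTC-{ttp}-{siem}-v{version}"
    parse_rule_name(name)
    return name

def sibling_rule_name(name: str) -> str:
    """Same detection logic on the other platform: identical base name,
    only the SIEM identifier changes and the version is kept."""
    p = parse_rule_name(name)
    other = "wazuh" if p["siem"] == "loki" else "loki"
    return build_rule_name(p["ttp"], other, p["version"])

def tuned_rule_name(name: str) -> str:
    """Increment the version after tuning; the previous name stays in git history."""
    p = parse_rule_name(name)
    return build_rule_name(p["ttp"], p["siem"], p["version"] + 1)

def check_names(names):
    """Return the names that violate the convention (usable as a CI lint step)."""
    bad = []
    for n in names:
        try:
            parse_rule_name(n)
        except ValueError:
            bad.append(n)
    return bad
```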