Learn by Directing AI
Unit 5

Cross-SIEM Detection Rules

Step 1: Review attack data on both platforms

Before writing detection rules, look at what you are detecting. Open the Unit 2 attack data in both monitoring systems.

In Grafana Explore, query Loki for the SQL injection attempts against the tourism portal. The LogQL query selects the stream by its service label and then looks for the injection patterns sqlmap generated. Note what kind of thing each name is: service and detected_level are labels attached to the entry before the query runs (the latter by Loki's log level detection), while request_uri is a field inside the log line that exists only after a parser stage (| json or | logfmt) extracts it. Loki has no fixed schema beyond the labels; everything else is whatever the query pulls out of the line.

In the Wazuh dashboard, search for the same time period. Wazuh shows the same attack through a different lens: its own field names (rule.id, data.srcip, data.url), its own severity categories, and its own rule groups. Those fields were extracted by the manager's decoders at ingest and stored in the alert document, whereas Loki extracts request_uri at query time. The same SQL injection attempt produces different field structures in each system.

This is the cross-platform detection problem. A rule that matches request_uri in Loki needs to match data.url in Wazuh. The field mapping difference is not cosmetic -- it determines whether the rule fires.

Step 2: Write a Sigma rule

Write a Sigma rule for the SQL injection pattern found in the Tourism Services Portal. Sigma is the abstraction layer -- write the detection logic once, then convert it for each platform.

Use sigma-cli to validate the rule (sigma check rule.yml). The rule should describe the attack pattern in Sigma's generic field names; for a webserver logsource those are fields such as cs-uri-query, cs-method, and c-ip, not request_uri or data.url. The conversion backends and their processing pipelines handle the mapping to platform-specific fields.

AI generates Sigma rules quickly but may not test whether the generic field names it chose have valid mappings in both backends. A Sigma rule that validates syntactically can still produce conversions that reference nonexistent fields on one platform. Check each conversion against the platform rather than trusting the exit code: every field in the LogQL query must be a label or a field that the query's own parser stage extracts, and every field in the OpenSearch query must exist in the mapping of the wazuh-alerts-* indices. Also note that Sigma's contains modifier is case-insensitive; whether the converted query keeps that depends on the backend and on the field type it lands on.

Step 3: Deploy on Loki

Convert the Sigma rule to LogQL using pySigma-backend-loki. If the installed backend does not know the pipeline name, sigma list pipelines loki shows the ones it provides; -p also accepts a YAML pipeline file of your own field mappings.

sigma convert -t loki -p loki-basic rule.yml

Take the converted LogQL query and deploy it as a Grafana alert. A Grafana alert rule needs a numeric result, so wrap the log query in count_over_time(... [5m]) and alert when the count is above zero (pySigma-backend-loki also has a ruler output format that emits an alerting rule for Loki's own ruler). Test it against the attack data from Unit 2. Does the alert fire?

If it fires, the detection works on the Loki side. If it does not, check the field mapping -- the conversion may have produced a syntactically valid query that references labels or fields that do not exist in your Loki data. A quick way to tell is to query the stream with the same parser stage and a presence filter, for example {service="tourism-portal"} | json | request_uri != "": if that returns nothing, the field was never extracted and no pattern on it can match. With AI now connected to Loki via MCP, you can direct AI to run that check and to query for the entries the rule should match.
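The field-presence and match-count checks described above, as an added Python example that is not part of the course page and not Grafana's or Loki's own code: it calls Loki's documented query_range endpoint with the standard library, counts the log lines in the response, and rejects a metric (count_over_time) result so a mis-wrapped query is noticed rather than miscounted. The Loki base URL, the service label, the time window and the query are assumptions; the embedded response is constructed so the counting logic can run offline.

```python
import json
import urllib.parse
import urllib.request

# Assumed Loki location; the query_range path and response shape below are
# Loki's documented ones.
LOKI_URL = "http://localhost:3100"

def field_presence_query(stream_selector, parser_stage, field):
    """LogQL that returns only entries where the parser actually extracted field."""
    return f'{stream_selector} | {parser_stage} | {field} != ""'

def build_query_range_url(base_url, logql, start_ns, end_ns, limit=1000):
    """GET /loki/api/v1/query_range with the query URL-encoded (timestamps in ns)."""
    params = urllib.parse.urlencode(
        {"query": logql, "start": start_ns, "end": end_ns, "limit": limit}
    )
    return f"{base_url.rstrip('/')}/loki/api/v1/query_range?{params}"

def hits_in_response(payload):
    """Number of log lines in a query_range response of resultType 'streams'.

    A metric query (count_over_time(...)) comes back as resultType 'matrix';
    that is rejected here so a mis-wrapped query is noticed, not miscounted.
    """
    if payload.get("status") != "success":
        raise RuntimeError(f"Loki returned {payload}")
    data = payload["data"]
    if data.get("resultType") != "streams":
        raise ValueError(f"expected a log query, got resultType={data.get('resultType')}")
    return sum(len(stream["values"]) for stream in data["result"])

def count_hits(base_url, logql, start_ns, end_ns):
    """Run logql against Loki and return how many lines it matched."""
    url = build_query_range_url(base_url, logql, start_ns, end_ns)
    with urllib.request.urlopen(url, timeout=10) as resp:
        return hits_in_response(json.load(resp))

# Constructed response in Loki's documented shape (not a real capture), so the
# counting logic can be exercised without a running Loki.
SAMPLE_RESPONSE = {
    "status": "success",
    "data": {
        "resultType": "streams",
        "result": [{
            "stream": {"service": "tourism-portal", "detected_level": "info"},
            "values": [
                ["1735725600000000000", '{"request_uri":"/search?q=1%27%20OR%201%3D1--"}'],
                ["1735725601000000000", '{"request_uri":"/search?q=1%20UNION%20SELECT%20null--"}'],
            ],
        }],
    },
}

if __name__ == "__main__":
    print(hits_in_response(SAMPLE_RESPONSE))      # offline check on the sample: 2
    stream = '{service="tourism-portal"}'          # assumed label for the portal
    start, end = 1735725000000000000, 1735726000000000000   # assumed window (ns)
    # 1. Is the field there at all?  Zero here means the parser stage is wrong.
    print(count_hits(LOKI_URL, field_presence_query(stream, "json", "request_uri"), start, end))
    # 2. Does the converted rule match the replayed attack?
    rule = stream + " | json | request_uri =~ `(?i).*(union select|' or ).*`"
    print(count_hits(LOKI_URL, rule, start, end))
```

Run the presence query first: a zero there means the conversion picked a field the parser never produces, and the rule query is not worth debugging until that is fixed. The time window must cover the Unit 2 attack replay, and Loki expects it in nanoseconds.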

Step 4: Deploy on Wazuh

Convert the same Sigma rule to OpenSearch using pySigma-backend-opensearch.

sigma convert -t opensearch -p opensearch-default rule.yml

Deploy the converted query in Wazuh. The opensearch backend targets the Wazuh indexer, not the manager's XML ruleset: the query runs over the already-decoded alert documents in the wazuh-alerts-* indices, so run it from the dashboard (Discover to test it, an OpenSearch Alerting monitor if that plugin is enabled on your indexer to keep it running). Test it against the same attack data. Does it fire on Wazuh the way it fired on Loki?

The same Sigma rule may have different false positive profiles on the two platforms. Different field mappings mean different matching behavior. Different parsing means the same log line may be tokenized differently. Remember also what the Wazuh query can see: only events the manager already turned into alerts are in wazuh-alerts-*. A request that matched no Wazuh rule, or only one below the manager's alert logging level, never reaches the index, so the converted query cannot fire on it however correct the field mapping is; Loki has the raw line either way. If one backend fires and the other does not, the investigation is the learning: which field mapping failed, which parser handled the data differently, which platform's query language imposed a constraint the other did not.

Step 5: Compare cross-platform results

Document what happened when you deployed the same rule on both platforms. If both fired, check whether they fired on the same events or different subsets. If one fired and the other did not, investigate why.

This is detection portability in practice. Sigma provides the abstraction, but the backends produce different operational results. A rule that works on Loki and fails on Wazuh is not a broken rule -- it is a rule that needs platform-specific tuning. The portability promise is a design goal, not a guaranteed outcome.

Dani Okafor, a senior detection engineer, reviews your cross-SIEM approach. She asks: "What happens to your detection rules when the log format changes between portals?" The Tourism Services Portal (Node.js) and the Guide Management System (Python/Flask) produce different log formats. The Sigma rule itself does not change; what changes is the processing pipeline that maps its generic fields, and you need one per platform-portal combination, not just per SIEM: for Loki, a different parser stage per log format before request_uri exists at all; for Wazuh, a decoder that populates data.url for each format before the alert is indexed.
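The whole loop from Step 2 to Step 5, and Dani's per-SIEM-per-portal point, as an added Python example that is not part of the course page and not pySigma's code: the SQL injection rule in Sigma's generic field names, the field map a conversion pipeline would need for each (SIEM, portal) pair, an illustrative LogQL rendering built from that map, and the rule's own logic run over constructed sample events from both platforms. The portal and service names, the log formats, the sample events, and the mapping of cs-uri-query onto request_uri and data.url are assumptions for illustration; evaluate() is a local stand-in for what the converted queries do on the real platforms, and the Wazuh entry for the Flask portal is left out on purpose to show what an unmapped field looks like.

```python
import json
import re
from urllib.parse import unquote

# The Sigma rule, keyed exactly as a rule.yml would be.  Sigma's generic
# webserver field is cs-uri-query, not any platform's own name.  JSON is
# valid YAML flow syntax, so rule_as_yaml_text() can be saved as rule.yml
# for sigma check / sigma convert.  Add an id (uuidgen) before committing it.
RULE = {
    "title": "SQL Injection Attempt in Web Request URI",
    "status": "experimental",
    "description": "sqlmap-style payload fragments in the request URI",
    "logsource": {"category": "webserver"},
    "detection": {
        "selection": {"cs-uri-query|contains": ["' or ", "union select", "sleep(", "sqlmap"]},
        "condition": "selection",
    },
    "falsepositives": ["Search input that legitimately contains SQL keywords"],
    "level": "high",
}

def rule_as_yaml_text():
    return json.dumps(RULE, indent=2)

# Assumed: where cs-uri-query lives on each (SIEM, portal) pair, as
# (parser stage, platform field).  The Node.js portal logs JSON, the Flask
# portal logs werkzeug access lines, so Loki needs a different parser stage
# per portal.  No Wazuh entry for the Flask portal: nothing decodes it yet.
FIELD_MAP = {
    ("loki", "tourism"): {"cs-uri-query": ("json", "request_uri")},
    ("loki", "guides"): {"cs-uri-query": ("regexp", "request_uri")},
    ("wazuh", "tourism"): {"cs-uri-query": ("indexed", "data.url")},
}
STREAM = {"tourism": '{service="tourism-portal"}', "guides": '{service="guide-mgmt"}'}
WERKZEUG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<request_uri>\S+) HTTP/[\d.]+"')

def logql_for(portal):
    """Illustrative LogQL assembled from the map (pySigma's real output differs)."""
    stage, field = FIELD_MAP[("loki", portal)]["cs-uri-query"]
    parser = "| json" if stage == "json" else f"| regexp `{WERKZEUG_RE.pattern}`"
    alts = "|".join(re.escape(p) for p in RULE["detection"]["selection"]["cs-uri-query|contains"])
    return f"{STREAM[portal]} {parser} | {field} =~ `(?i).*({alts}).*`"

def parse_event(siem, portal, raw):
    """Flatten one raw event into {platform_field: value}."""
    if siem == "wazuh":                 # the manager decoded it before indexing
        return {"data.url": json.loads(raw).get("data", {}).get("url")}
    if portal == "tourism":             # Node.js JSON line, parsed at query time
        return json.loads(raw)
    m = WERKZEUG_RE.search(raw)         # Flask text line, regexp at query time
    return m.groupdict() if m else {}

def evaluate(siem, portal, raw, decode=True):
    """True if the rule fires on this event.  Raises KeyError when the rule
    references a Sigma field this (SIEM, portal) pair does not map: catch
    that at conversion time, not as a silent non-match in production."""
    fields = parse_event(siem, portal, raw)
    fmap = FIELD_MAP.get((siem, portal), {})
    for key, patterns in RULE["detection"]["selection"].items():
        sigma_field, modifier = key.split("|")
        if sigma_field not in fmap:
            raise KeyError(f"{siem}/{portal}: no mapping for {sigma_field}")
        value = fields.get(fmap[sigma_field][1]) or ""
        if decode:                      # sqlmap URL-encodes its payloads
            value = unquote(value)
        if modifier == "contains" and not any(p in value.lower() for p in patterns):
            return False
    return True

# Constructed sample events, one per (SIEM, portal); not real captures.
SAMPLES = {
    ("loki", "tourism"): '{"service":"tourism-portal","request_uri":"/search?q=1%27%20OR%201%3D1--"}',
    ("loki", "guides"): '10.0.0.5 - - [01/Jan/2025:10:00:00 +0000] "GET /guides?id=1%20UNION%20SELECT%20null-- HTTP/1.1" 200 -',
    ("wazuh", "tourism"): '{"data":{"srcip":"10.0.0.5","url":"/search?q=1%27%20OR%201%3D1--"}}',
    ("wazuh", "guides"): '{"data":{"srcip":"10.0.0.5","url":"/guides?id=1%20UNION%20SELECT%20null--"}}',
}

def cross_platform_report():
    """{(siem, portal): True / False / 'unmapped'} for the sample events."""
    report = {}
    for pair, raw in SAMPLES.items():
        try:
            report[pair] = evaluate(*pair, raw)
        except KeyError:
            report[pair] = "unmapped"
    return report

if __name__ == "__main__":
    print(logql_for("tourism"))
    print(logql_for("guides"))
    print(cross_platform_report())
```

Two things in this block are the practical lessons of Step 5. First, the Wazuh/guides pair does not silently return False; it raises, which is what you want a conversion to do when a Sigma field has no mapping on a platform. Second, the same events stop matching when decode is switched off: sqlmap sends its payloads URL-encoded, so a rule written against decoded text fires on one platform and not the other depending on whether that platform's parser decodes the URI before the match. Either decode in the pipeline or add the encoded forms to the rule, and record which you chose in the engagement memory.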

Step 6: Write additional detection rules

Write detection rules for at least two more findings from Unit 2. The API authentication bypass pattern is essential -- it is the most critical finding.

For each rule:

  1. Write the Sigma rule and validate with sigma-cli
  2. Convert to LogQL and deploy on Loki
  3. Convert to OpenSearch and deploy on Wazuh
  4. Test on both platforms against the attack data
  5. Apply the detection naming convention from your engagement memory: CS-BTC-[TTP]-[SIEM]-[VERSION]

For each finding, pair the detection rule with a remediation plan. Prevention stops the attack. Detection alerts when someone tries. A system that prevents without detecting does not know it is under attack. A system that detects without preventing only watches. Both are incomplete.

✓ Check

Check: At least one rule fires successfully on both platforms against the Unit 2 attack data. The student has documented at least one cross-platform difference where the same rule behaves differently on Loki versus Wazuh.