{#
  Rule detail page: renders one Sigma rule (`rule`) with its quality score,
  MITRE ATT&CK mapping, detection logic, metadata, recent matches and
  statistics. Context variables read here: `rule`, `error`, `recent_matches`.
  `rule.stats` and `rule.estimated_performance` are optional sub-objects and
  are guarded in some sections but not all (see notes below).
  NOTE(review): this copy shows only text and template tags; the enclosing
  markup is not visible, so the output context of each expression (element
  text vs. attribute value) cannot be confirmed from here. Every expression
  below relies on the engine's autoescaping for rule- and event-sourced values.
#}
{% extends "base.html" %} {% block title %}{% if rule %}{{ rule.title }}{% else %}Rule Details{% endif %}{% endblock %} {% block styles %} {% endblock %} {% block content %}
{# Two empty loops: they emit nothing in this copy (their bodies, presumably placeholder markup, are not visible here). #}
{% for _ in range(4) %}
{% endfor %}
{% for _ in range(2) %}
{% endfor %}
{# Error branch first, then the rule view, then the not-found fallback at the end. #}
{% if error %}

Error Loading Rule

{{ error }}

{# Main rule view; everything up to the final `{% else %}` requires `rule`. #}
{% elif rule %}

{# Summary cards. Counts prefer the precomputed `rule.stats`; otherwise they fall back to the raw lists (`rule.mitre_attack`, `recent_matches`) or 'N/A'. #}
Quality Score

{{ rule.quality_score }}%

MITRE Techniques

{{ rule.stats.mitre_technique_count if rule.stats else (rule.mitre_attack|length if rule.mitre_attack else 0) }}
ATT&CK Coverage

Detection Fields

{{ rule.stats.total_fields if rule.stats else 'N/A' }}
{{ rule.detection_complexity }} Logic
{% if rule.stats and rule.stats.uses_regex %} RegEx {% endif %} {% if rule.stats and rule.stats.has_filters %} Filters {% endif %} {% if rule.stats and rule.stats.uses_wildcards %} Wildcards {% endif %}

Recent Matches

{{ rule.stats.recent_matches if rule.stats else (recent_matches|length if recent_matches else 0) }}
Last 24 Hours
{# MITRE ATT&CK section: one card per mapped technique. Missing fields fall back to display defaults ('Unknown ID', 'Medium', 'Low', 'Easy'); those defaults render exactly like real data, so a viewer cannot tell a true 'Medium' risk from a missing value — TODO confirm that is intended. #}
{% if rule.mitre_attack %}

MITRE ATT&CK Intelligence

{{ rule.mitre_attack|length }} technique(s)

MITRE ATT&CK Framework Integration

This rule maps to specific adversary techniques documented in the MITRE ATT&CK knowledge base. Each technique includes risk assessment, detection difficulty, and prevalence data sourced from official MITRE repositories and threat intelligence.

{% for technique in rule.mitre_attack %}
{{ technique.technique_id or 'Unknown ID' }} {% if technique.is_subtechnique %} Sub-technique {% endif %}

{{ technique.name or technique.display_name or 'Unknown Technique' }}

{{ technique.description or 'Advanced adversary technique used in cyber attacks. This technique represents documented tactics, techniques, and procedures (TTPs) observed in real-world operations.' }}

Risk

{{ technique.risk_level|title if technique.risk_level else 'Medium' }}

Prevalence

{{ technique.prevalence|title if technique.prevalence else 'Low' }}

Detection

{{ technique.difficulty|title if technique.difficulty else 'Easy' }}

{# Platform / tactic / data-source lists are capped at 4 / 3 / 3 entries with a '+N more' suffix; each data source name is also truncated to 15 chars. #}
{% if technique.platforms %}

PLATFORMS

{% for platform in technique.platforms[:4] %} {{ platform }} {% endfor %} {% if technique.platforms|length > 4 %} +{{ technique.platforms|length - 4 }} more {% endif %}
{% endif %} {% if technique.tactics %}

TACTICS

{% for tactic in technique.tactics[:3] %} {{ tactic|replace('_', ' ')|title }} {% endfor %} {% if technique.tactics|length > 3 %} +{{ technique.tactics|length - 3 }} more {% endif %}
{% endif %} {% if technique.data_sources %}

DATA SOURCES

{% for source in technique.data_sources[:3] %} {{ source|truncate(15) }} {% endfor %} {% if technique.data_sources|length > 3 %} +{{ technique.data_sources|length - 3 }} more {% endif %}
{% endif %}
{# Detection guidance is shown only when present and not the sentinel string; truncated to 200 chars. #}
{% if technique.detection and technique.detection != 'No detection information available' %}

DETECTION GUIDANCE

{{ technique.detection|truncate(200) }}

{% endif %}
{% endfor %}
Coverage Analysis: This rule provides detection for {{ rule.mitre_attack|length }} documented adversary technique(s)
Learn more about MITRE ATT&CK
{# No mapping: prompt the maintainer to add technique tags. #}
{% else %}

No MITRE ATT&CK Mapping

This rule is not currently mapped to specific MITRE ATT&CK techniques. Consider adding relevant technique tags to improve threat intelligence context.

{% endif %}

{# Detection logic. `rule.detection_pretty` is a preformatted rendering of the rule's detection block produced by the view (presumably YAML/JSON text). It is rule-file content, so it must stay autoescaped; if the view ever passes it as Markup / applies `|safe`, confirm escaping happens there first. #}
Detection Logic

How This Detection Works

This Sigma rule defines specific patterns and conditions that security tools should monitor for. The detection logic below shows the exact criteria used to identify potential threats.

{{ rule.detection_pretty }}
{# Component summary: the field count is the number of top-level keys in `rule.detection`, so the 'condition' key is counted as a field. #}
{% if rule.detection %}

Detection Components

Detection Fields: {{ rule.detection.keys()|list|length if rule.detection else 0 }}
Complexity: {{ rule.detection_complexity or 'Not specified' }}
{% if rule.detection and rule.detection.get('condition') %}
Condition: {{ rule.detection.condition }}
{% endif %}
{% endif %}
{# Quality indicators, false positives and references: plain lists from the rule. #}
{% if rule.quality_factors %}

Quality Indicators

{% for factor in rule.quality_factors %}
{{ factor }}
{% endfor %}
{% endif %} {% if rule.falsepositives %}

False Positives

{% for fp in rule.falsepositives %}
{{ fp }}
{% endfor %}
{% endif %} {% if rule.references %}

References

{% for ref in rule.references %}
{# Only values beginning with 'http' take the first branch (presumably rendered as a link — the markup is not visible in this copy); anything else is rendered as plain text, so references with other schemes never become links. #}
{% if ref.startswith('http') %} {{ ref }} {% else %}
{{ ref }}
{% endif %}
{% endfor %}
{% endif %}

{# Metadata: each optional field is shown only when set and not the 'Not specified' placeholder the view appears to use for missing values. `rule.file_path` exposes a server-side path to every viewer of this page — confirm that is acceptable for the deployment (the filename alone may be enough). #}
Rule Metadata

{{ rule.id }}
{% if rule.author and rule.author != 'Not specified' %}
{{ rule.author }}
{% endif %} {% if rule.date and rule.date != 'Not specified' %}
{{ rule.date }}
{% endif %} {% if rule.modified and rule.modified != 'Not specified' %}
{{ rule.modified }}
{% endif %} {% if rule.status and rule.status != 'Not specified' %}
{{ rule.status|title }}
{% endif %} {% if rule.license and rule.license != 'Not specified' %}
{{ rule.license }}
{% endif %} {% if rule.category and rule.category != 'Not specified' %}
{{ rule.category }}
{% endif %} {% if rule.product and rule.product != 'Not specified' %}
{{ rule.product }}
{% endif %} {% if rule.service and rule.service != 'Not specified' %}
{{ rule.service }}
{% endif %} {% if rule.filename and rule.filename != 'Not specified' %}
{{ rule.filename }}
{% endif %} {% if rule.file_path and rule.file_path != 'Not specified' %}
{{ rule.file_path }}
{% endif %}
{# Log source: category/product/service are rendered unguarded here (they may be empty or the placeholder), unlike the metadata block above; platforms and data sources are optional lists. #}
{% if rule.logsource %}

Log Source

{{ rule.category }}
{{ rule.product }}
{{ rule.service }}
{% if rule.platforms %}
{% for platform in rule.platforms %} {{ platform }} {% endfor %}
{% endif %} {% if rule.data_sources %}
{% for source in rule.data_sources %} {{ source }} {% endfor %}
{% endif %}
{# Recent matches from the `recent_matches` context list (computer, user, event_id, time_created). These values come from event data, so they rely on autoescaping like every other expression here. 'View' is presumably a per-match link whose target is not visible in this copy. #}
{% endif %} {% if recent_matches %}

Recent Matches

{% for match in recent_matches %}
{{ match.computer }} View
{{ match.user }} | Event {{ match.event_id }}
{{ match.time_created }}
{% endfor %}
{% endif %}

{# Statistics. NOTE(review): `rule.stats` is dereferenced here without the `if rule.stats` guard used in the summary cards above. With Jinja's default Undefined a missing stats object renders these as empty strings; with StrictUndefined it raises — TODO confirm stats is always set when this section renders. #}
Statistics

{{ rule.stats.total_fields }}
Detection Fields
{{ rule.stats.condition_complexity }}
Condition Words
{{ rule.stats.reference_count }}
References
{{ rule.stats.false_positive_count }}
False Positives
{% if rule.stats.has_filters %}
This rule includes filters
{% endif %}

{# Performance: score out of 100 and impact level from `rule.estimated_performance`, else a not-available notice. #}
Performance Impact

{% if rule.estimated_performance %}
Performance Score:
{{ rule.estimated_performance.score }}/100
Impact Level: {{ rule.estimated_performance.impact_level }}
{# The literal '•' on the line before `{% endfor %}` is inside the loop body, so every factor is followed by an extra empty bullet line; moving that bullet out of the loop (or dropping it) would fix the rendering. #}
{% if rule.estimated_performance.factors %}
Performance Factors:
    {% for factor in rule.estimated_performance.factors %}
  • {{ factor }}
  • {% endfor %}
{% endif %}
{% else %}

Performance analysis not available

{% endif %}

{# Platform coverage: platform and data-source lists, or a 'platform agnostic' notice when both are empty. #}
Platform Coverage

{% if rule.platforms and rule.platforms|length > 0 %}
{% for platform in rule.platforms %} {{ platform }} {% endfor %}
{% endif %} {% if rule.data_sources and rule.data_sources|length > 0 %}
Data Sources:
{% for source in rule.data_sources %} {{ source }} {% endfor %}
{% endif %} {% if not rule.platforms and not rule.data_sources %}

Platform agnostic

Works across different platforms

{% endif %}
{# Deployment considerations: optional list of free-text notes. #}
{% if rule.deployment_considerations %}

Deployment Considerations

{% for consideration in rule.deployment_considerations %}
{{ consideration }}
{% endfor %}
{% endif %}

{# Dependencies: one entry per `rule.dependencies` item (type, id, description), else an independence notice. #}
Rule Dependencies

{% if rule.dependencies and rule.dependencies|length > 0 %}
{% for dep in rule.dependencies %}
{{ dep.type|title }}: {{ dep.id }}

{{ dep.description }}

{% endfor %}
{% else %}

No dependencies found

This rule can operate independently

{% endif %}

{# Similar rules: title, similarity percentage, id and the first three shared tags per entry. #}
Similar Rules

{% if rule.similar_rules and rule.similar_rules|length > 0 %}
{% for similar in rule.similar_rules %}
{{ similar.title }} {{ similar.similarity }}% match
{{ similar.id }}
{% for tag in similar.common_tags[:3] %} {{ tag }} {% endfor %}
{% endfor %}
{% else %}

No similar rules found

This rule has unique characteristics

{% endif %}
{# Neither `error` nor `rule` was supplied in the context. #}
{% else %}

No Rule Found

The requested rule could not be located.

{% endif %}
{% endblock %}