{"id":50681186,"url":"https://github.com/mostafa/rsigma-cloud-detection-article","last_synced_at":"2026-06-08T19:03:51.326Z","repository":{"id":360169169,"uuid":"1246944146","full_name":"mostafa/rsigma-cloud-detection-article","owner":"mostafa","description":null,"archived":false,"fork":false,"pushed_at":"2026-05-25T08:57:34.000Z","size":47,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-05-25T10:30:26.554Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"https://mostafa.dev/cloud-detection-at-scale-on-a-laptop-e46540322856","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/mostafa.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-05-22T18:19:43.000Z","updated_at":"2026-05-25T08:57:37.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/mostafa/rsigma-cloud-detection-article","commit_stats":null,"previous_names":["mostafa/rsigma-cloud-detection-article"],"tags_count":null,"template":false,"template_full_name":null,"purl":"pkg:github/mostafa/rsigma-cloud-detection-article","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mostafa%2Frsigma-cloud-detection-article","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mostafa%2Frsigma-cloud-detection-article/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mostafa%2Frsigma-cloud-detection-article/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mostafa%2Frsigma-cloud-detection-article/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/mostafa","download_url":"https://codeload.github.com/mostafa/rsigma-cloud-detection-article/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mostafa%2Frsigma-cloud-detection-article/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":34076007,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-08T02:00:07.615Z","response_time":111,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2026-06-08T19:03:50.047Z","updated_at":"2026-06-08T19:03:51.316Z","avatar_url":"https://github.com/mostafa.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# rsigma-cloud-detection-article\n\nCompanion repo for [Cloud Detection at Scale on a Laptop](https://mostafa.dev/cloud-detection-at-scale-on-a-laptop-e46540322856): how RSigma streams 1.9 million CloudTrail events through a community IR playbook in 17 seconds.\n\n## What's in here\n\n| Path | What it is |\n|---|---|\n| `rules/sigmahq/` | The 55-rule SigmaHQ AWS CloudTrail pack used for the runs in the article |\n| `rules/easttimor/` | Sigma rules derived from the [easttimor/aws-incident-response](https://github.com/easttimor/aws-incident-response) API Watchlist, with provenance footers |\n| `rules/correlations/` | Custom correlation rules layered on top of the detection rules |\n| `pipelines/cloudtrail_normalize.yml` | RSigma processing pipeline for CloudTrail field normalization |\n| `vector.toml` | Reference Vector configuration for the production OTLP path (Vector -\u003e RSigma daemon) |\n| `scripts/flatten.sh` | One-liner that turns the flaws.cloud tar into NDJSON |\n| `scripts/replay.sh` | One-shot replay of the corpus through `rsigma eval` |\n| `scripts/bench.sh` | Toggles `--bloom-prefilter` / `--cross-rule-ac` and captures comparison metrics |\n| `grafana/dashboards/cloud-detection.json` | Grafana dashboard, panels grouped by ATT\u0026CK tactic |\n| `docs/rule-pack.md` | Per-rule provenance table mapping each Sigma rule to its source |\n| `docs/attack-coverage.md` | Coverage breakdown by ATT\u0026CK tactic, generated from real runs |\n\n## Quick start\n\nPrerequisites: `rsigma` (build with `cargo install rsigma --features daachorse-index` or pull `ghcr.io/timescale/rsigma:0.11.0`), `jq`, `curl`, about 3 GB of free disk.\n\n```bash\n# 1. Download the dataset (240 MB) and flatten to NDJSON\n./scripts/flatten.sh\n\n# 2. One-shot detection pass against the SigmaHQ rule pack\n./scripts/replay.sh\n\n# 3. Toggle the v0.11.0 optimizer layers and compare\n./scripts/bench.sh\n```\n\nExpected baseline output on an Apple Silicon laptop:\n\n```\nLoaded 55 rules from rules/sigmahq/\nProcessed 1939207 events, 68576 matches.\n       16.76 real        16.04 user         0.60 sys\n            14319616  maximum resident set size\n```\n\nAbout 17 seconds of wall time. Roughly 115k events per second. Less than 15 MB of resident memory. No SIEM, no Athena cost, no infrastructure.\n\n## Running the production pipeline\n\nFor continuous detection rather than one-shot replay, use Vector + the RSigma daemon:\n\n```bash\n# Terminal 1: start the daemon\nrsigma engine daemon \\\n  --rules rules/sigmahq/ \\\n  --pipeline pipelines/cloudtrail_normalize.yml \\\n  --input http \\\n  --api-addr 127.0.0.1:9090\n\n# Terminal 2: stream the corpus through Vector\nvector --config vector.toml\n```\n\nSee [`vector.toml`](./vector.toml) for the reference configuration.\n\n## License\n\nMIT for the article scaffolding, scripts, and easttimor-derived rules. SigmaHQ rules under `rules/sigmahq/` retain the Detection Rule License (DRL 1.1). The flaws.cloud dataset itself is owned by Scott Piper / Summit Route and is downloaded at runtime; it is not redistributed here.\n\nSee [LICENSE](./LICENSE) for full attribution.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmostafa%2Frsigma-cloud-detection-article","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmostafa%2Frsigma-cloud-detection-article","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmostafa%2Frsigma-cloud-detection-article/lists"}