{"id":50681200,"url":"https://github.com/mostafa/rsigma-siem-article","last_synced_at":"2026-06-08T19:04:03.129Z","repository":{"id":355622959,"uuid":"1228857356","full_name":"mostafa/rsigma-siem-article","owner":"mostafa","description":null,"archived":false,"fork":false,"pushed_at":"2026-05-04T13:25:33.000Z","size":14,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-05-04T15:30:41.319Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/mostafa.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-05-04T12:59:29.000Z","updated_at":"2026-05-04T13:25:46.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/mostafa/rsigma-siem-article","commit_stats":null,"previous_names":["mostafa/rsigma-siem-article"],"tags_count":null,"template":false,"template_full_name":null,"purl":"pkg:github/mostafa/rsigma-siem-article","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mostafa%2Frsigma-siem-article","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mostafa%2Frsigma-siem-article/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mostafa%2Frsigma-siem-article/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mostafa%2Frsigma-siem-article/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/mostafa","download_url":"https://codeload.github.com/mostafa/rsigma-siem-article/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mostafa%2Frsigma-siem-article/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":34076014,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-08T02:00:07.615Z","response_time":111,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2026-06-08T19:04:00.873Z","updated_at":"2026-06-08T19:04:03.117Z","avatar_url":"https://github.com/mostafa.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Security Observability with RSigma and the LGTM Stack\n\nCompanion repository for the article [Security Observability with RSigma and the LGTM Stack](https://mostafa.dev/).\n\nA complete, self-contained detection-to-alert pipeline using RSigma, Grafana Alloy, Loki, Mimir, Grafana 12 Alerting with dynamic labels, and a Webhook Tester for inspecting alert payloads. One `docker compose up` and you have a working lightweight SIEM.\n\n## Architecture\n\n```mermaid\nflowchart LR\n    Helr[\"Helr\"] --\u003e|\"stdout NDJSON\"| Alloy\n    Alloy --\u003e|\"OTLP/HTTP\"| RSigma[\"RSigma daemon\"]\n    Alloy --\u003e|\"Loki push\"| Loki\n    RSigma --\u003e|\"/metrics\"| Alloy\n    Alloy --\u003e|\"remote_write\"| Mimir\n    Mimir --\u003e Grafana\n    Loki --\u003e Grafana\n    Grafana --\u003e|\"dynamic-label alerts\"| WebhookTester[\"Webhook Tester\"]\n```\n\n## Quick start\n\nDocker requires authentication for pulling from `ghcr.io`, even for public packages. Log in first:\n\n```bash\n# With GitHub CLI\ngh auth token | docker login ghcr.io -u YOUR_GITHUB_USERNAME --password-stdin\n\n# Or with a personal access token (read:packages scope)\necho $GITHUB_TOKEN | docker login ghcr.io -u YOUR_GITHUB_USERNAME --password-stdin\n```\n\nThen start the stack:\n\n```bash\ndocker compose up -d\n```\n\nThe first run downloads the Helr binary from GitHub Releases, which takes a few seconds. Subsequent runs use the cached container layer.\n\nWait about 15 seconds for the stack to initialize, then open:\n\n- **Grafana**: http://localhost:3000 (no login required)\n- **Webhook Tester**: http://localhost:8080 (alert notifications UI)\n- **RSigma metrics**: http://localhost:9090/metrics\n- **RSigma health**: http://localhost:9090/healthz\n- **Mimir**: http://localhost:9009\n\nThe helr container automatically replays the Okta audit events on startup. To trigger a manual replay via the REST API:\n\n```bash\n./scripts/replay.sh\n```\n\n## What to expect\n\nAfter the replay completes, you should see:\n\n1. **Four detection matches** on RSigma's `/metrics` endpoint (proxy session, MFA deactivation, admin role grant, IdP creation).\n2. **One correlation match** for the cross-tenant impersonation sequence (`level=critical`).\n3. **Grafana dashboard** (\"RSigma Detections\") showing detection and correlation rates.\n4. **Grafana alerts** firing with dynamic `severity` labels:\n   - Proxy session (level=high) -\u003e severity=P2\n   - MFA/Admin/IdP (level=medium) -\u003e severity=P3\n   - Cross-tenant correlation (level=critical) -\u003e severity=P1\n5. **Webhook Tester** receiving alert notifications at http://localhost:8080. Open the session URL shown in `docker-compose.yml` comments to inspect the full payloads.\n\n## Scenario\n\nOkta cross-tenant impersonation attack (August 2023). Six sample events, four SigmaHQ detection rules, one custom `temporal_ordered` correlation rule. See the [second article](https://mostafa.dev/streaming-logs-to-rsigma-for-real-time-detection-72084b8041ad) for the full scenario walkthrough.\n\n## Repository structure\n\n```\n.\n├── docker-compose.yml                         # Full stack (7 services)\n├── helr/\n│   └── config.yml                             # Helr source configuration\n├── recordings/\n│   └── okta-audit/\n│       └── 000.json                           # Recorded Okta API response\n├── alloy/\n│   └── config.alloy                           # OTLP fanout + metrics scraping\n├── mimir/\n│   └── config.yml                             # Mimir monolithic mode config\n├── grafana/\n│   └── provisioning/\n│       ├── datasources/datasources.yml        # Prometheus + Loki\n│       ├── dashboards/\n│       │   ├── dashboards.yml                 # Dashboard provider\n│       │   └── rsigma-detections.json         # Detection dashboard\n│       └── alerting/alerting.yml              # Alert rules + dynamic labels\n├── rules/                                     # Sigma detection + correlation rules\n│   ├── okta_user_session_start_via_anonymised_proxy.yml\n│   ├── okta_mfa_reset_or_deactivated.yml\n│   ├── okta_admin_role_assigned_to_user_or_group.yml\n│   ├── okta_identity_provider_created.yml\n│   └── okta_cross_tenant_impersonation_correlation.yml\n├── events/\n│   └── okta_audit.ndjson                      # 6 sample Okta events (reference)\n└── scripts/\n    └── replay.sh                              # Manual event replay via REST API\n```\n\n## Dynamic label alerting\n\nThe key integration between RSigma and Grafana Alerting is the dynamic `severity` label. RSigma's per-rule Prometheus metrics carry the Sigma rule's `level` field as a metric label. The Grafana alert rule uses a Go template to map it to P1-P4 priority:\n\n```go\n{{- if eq $labels.level \"critical\" -}}P1\n{{- else if eq $labels.level \"high\" -}}P2\n{{- else if eq $labels.level \"medium\" -}}P3\n{{- else -}}P4\n{{- end -}}\n```\n\nNotification policies then route by `severity`. In this demo, all routes point to the [Webhook Tester](https://github.com/tarampampam/webhook-tester) service so you can inspect the full alert payloads. In a real-world setup, you would replace these with incident response and management (IRM) tools like PagerDuty or Grafana OnCall for P1, messaging platforms like Slack or Microsoft Teams for P2, and email or a ticket queue for P3-P4.\n\n## Related\n\n- [RSigma](https://github.com/timescale/rsigma) -- Rust toolkit for Sigma detection rules\n- [Helr](https://github.com/timescale/helr) -- Log source poller\n- [Grafana Alloy](https://grafana.com/docs/alloy/latest/) -- OpenTelemetry collector\n- [Grafana dynamic labels](https://grafana.com/docs/grafana/latest/alerting/examples/dynamic-labels/) -- Dynamic label documentation\n- [Webhook Tester](https://github.com/tarampampam/webhook-tester) -- Self-hosted webhook receiver with web UI\n\n## License\n\nMIT\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmostafa%2Frsigma-siem-article","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmostafa%2Frsigma-siem-article","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmostafa%2Frsigma-siem-article/lists"}