CTI Detection Rule Development Workflow

Critical: Always Start With CTI Reports

Successful investigations begin by understanding the threat BEFORE exploring data. Do NOT jump straight to data tables — that leads to blind querying and wasted attempts.

Recommended Steps

1. Discover CTI reports — use list_cti_report_tags() to see available tags, then get_cti_reports_by_tag(tag) to pull reports matching your detection objective. Read the report content carefully — it gives you IoCs, technique names, and detection context that will guide everything else.
2. Map MITRE techniques — use search_mitre_techniques(tactic) to find technique IDs (e.g. T1053.003). Always identify at least one technique ID for your Sigma rule. Valid tactics use hyphens: persistence, execution, privilege-escalation, defense-evasion, credential-access, discovery, lateral-movement, collection, command-and-control, exfiltration, impact.
3. Search Sigma rules — use search_sigma_rules(keyword, technique_id, platform) to find existing detection logic you can adapt or reference.
4. Explore data — use list_kusto_tables() to discover available tables, then get_table_schema(table) to see exact column names and types, then sample_table_data(table) to see real values. Always check the schema BEFORE writing any query.
5. Write & test KQL — use execute_kql_query(query). Before each query, verify column names match the schema exactly. If a query returns 0 rows:
   • Check column names against the schema (case matters)
   • Use contains instead of == for string filters
   • Sample the table first to see what values actually exist
6. Build Sigma rule — write a YAML Sigma rule covering the detection. Include the MITRE technique tag from step 2.
7. Validate & submit — always call validate_output_json(json_string) before submitting your final answer.