Release prep: 54 engines, self-hosted signatures, i18n, dashboard updates

2026-04-26 04:46:22 +02:00 · 2026-03-23 16:45:40 +10:00 · 2026-03-23 16:45:40 +10:00 · 41cbfd6e0a
commit 41cbfd6e0a
parent 694e32be26
178 changed files with 36008 additions and 399 deletions
--- a/examples/soc_rules.yaml
+++ b/examples/soc_rules.yaml
@ -0,0 +1,38 @@
+# Syntrex SOC Custom Correlation Rules (§7.5)
+# Place this file at .rlm/soc_rules.yaml
+# These rules are loaded on startup and merged with built-in rules.
+
+rules:
+  # Detect API key spray attacks across multiple sensors.
+  - id: CUSTOM-001
+    name: API Key Spray Attack
+    required_categories: [auth_bypass, brute_force]
+    min_events: 5
+    time_window: 2m
+    severity: HIGH
+    kill_chain_phase: Reconnaissance
+    mitre_mapping: [T1110, T1110.001]
+    description: "5+ auth bypass or brute force events within 2 minutes indicates credential spray."
+    cross_sensor: true
+
+  # Detect prompt injection evolving into data exfiltration.
+  - id: CUSTOM-002
+    name: Injection-to-Exfil Pipeline
+    required_categories: [prompt_injection, exfiltration]
+    min_events: 2
+    time_window: 15m
+    severity: CRITICAL
+    kill_chain_phase: Exfiltration
+    mitre_mapping: [T1059.007, T1041]
+    description: "Prompt injection followed by exfiltration within 15 minutes — potential data theft pipeline."
+
+  # Detect model poisoning attempts.
+  - id: CUSTOM-003
+    name: Model Poisoning
+    required_categories: [data_poisoning, model_manipulation]
+    min_events: 3
+    time_window: 30m
+    severity: CRITICAL
+    kill_chain_phase: Impact
+    mitre_mapping: [T1565]
+    description: "Multiple data poisoning or model manipulation events — potential integrity attack."