About
Roni Biju
Security analyst focused on detection engineering and the Australian threat landscape.
The Project
Every SOC in Australia works to the ASD Essential Eight maturity model, but almost no public detection content is mapped to it. Everyone maps to MITRE ATT&CK — which is great, but generic. This project fills that gap.
The goal: for every E8 control, write a Sigma rule that detects the bypass technique that control is designed to prevent, pair it with a safe emulation script you can run in a Windows lab VM, and submit the best rules upstream to SigmaHQ.
When a SOC manager asks "tell me about a detection you wrote" — the answer lives here.
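One way to track the kind of E8 mapping the project is built around, as an added example rather than the project's own code: it reads the `tags:` list of Sigma rules and reports which of the eight controls have a detection. The `essential8.<control>` tag convention and the four sample rules are constructed assumptions for illustration, not the project's scheme.

```python
import re
# The eight ASD Essential Eight mitigation strategies, as tag slugs (assumed convention).
E8_CONTROLS = (
    "application_control", "patch_applications", "office_macros",
    "user_application_hardening", "restrict_admin_privileges",
    "patch_operating_systems", "multi_factor_authentication", "regular_backups",
)

# Constructed sample rules (title and tags only; detection sections omitted).
SAMPLE_RULES = [
    "title: Office app spawning a script host\ntags:\n  - attack.t1566.001\n  - essential8.office_macros\n",
    "title: AppLocker block event\ntags:\n  - attack.t1204.002\n  - essential8.application_control\n",
    "title: MFA method removed from account\ntags:\n  - attack.t1556.006\n  - essential8.multi_factor_authentication\n",
    "title: Encoded PowerShell (ATT&CK only)\ntags:\n  - attack.t1059.001\n",
]

TAG_ITEM = re.compile(r"^\s+-\s*([\w.\-]+)\s*$")

def sigma_tags(rule_text):
    """Return the `tags:` items of a Sigma rule without a YAML parser: indented `- item` lines after `tags:`."""
    tags, in_tags = [], False
    for line in rule_text.splitlines():
        if line.startswith("tags:"):
            in_tags = True
        elif in_tags and (m := TAG_ITEM.match(line)):
            tags.append(m.group(1))
        elif line and not line[0].isspace():
            in_tags = False  # a new top-level key ends the list
    return tags

def e8_coverage(rule_texts):
    """Map each E8 control slug to rule titles tagged for it; rules with no known essential8.* tag are unmapped."""
    covered, unmapped = {c: [] for c in E8_CONTROLS}, []
    for text in rule_texts:
        title = next((l[6:].strip() for l in text.splitlines() if l.startswith("title:")), "?")
        controls = [t.split(".", 1)[1] for t in sigma_tags(text) if t.startswith("essential8.")]
        known = [c for c in controls if c in covered]  # ignore typos / unknown control names
        for c in known:
            covered[c].append(title)
        if not known:
            unmapped.append(title)
    return covered, unmapped

def coverage_summary(rule_texts):
    """Produce the 'N/8 Controls Covered' figure, the controls still lacking a rule and the unmapped rules."""
    covered, unmapped = e8_coverage(rule_texts)
    hit = sum(1 for rules in covered.values() if rules)
    return {"rules": len(rule_texts), "controls_covered": f"{hit}/{len(E8_CONTROLS)}",
            "missing": [c for c, rules in covered.items() if not rules], "unmapped": unmapped}
```

Running `coverage_summary` over a real rule directory gives the status counters on this page and flags rules that are ATT&CK-only so they can be mapped before going upstream.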
Current Status — v0.1
- 12 Detection Rules
- 8/8 Controls Covered
- 3 Emulation Scripts
- 0 SigmaHQ PRs Merged
Roadmap
- v0.1 Baseline rules — 1–2 per control, all 8 controls covered ✓
- v0.2 3+ rules per control, emulation scripts for all 8 controls
- v0.3 First SigmaHQ upstream PR submitted
- → ML2/ML3 detection coverage, cloud log sources (Entra ID, M365 Defender)
- → Sigma correlation rules for multi-event detections
Stack
- Sigma
- pySigma
- Flask
- PowerShell
- Windows Event Log
- Azure AD / Entra ID
- MITRE ATT&CK
- ASD Essential Eight