Detection Rules
A free, growing library of Sigma detection rules. Every rule is grounded in a real attack LogTriage detects, mapped to its log format and MITRE ATT&CK technique, and validated against real sample logs — it has to fire on the malicious sample and stay quiet on the benign one before it ships.
New rules are added regularly. Sigma is SIEM-agnostic, so rather than pasting the YAML as-is, convert a rule with a Sigma backend (for example sigma-cli with pySigma) into your SIEM's query language and confirm the field names match what your ingest pipeline produces: a rule that passes the two-sample check upstream can still miss or over-fire once the fields are renamed. Or upload your logs to LogTriage and let it run these rules automatically.
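The ship gate described above (fire on the malicious sample, stay quiet on the benign one) is easy to reproduce locally. The block below is an added example, not LogTriage's code and not the body of any LTR rule: it expresses a constructed credential-stuffing rule as a Python dict that mirrors the keys of a Sigma YAML rule, evaluates it over constructed nginx access-log lines with a small matcher that supports the `selection` map with `|startswith`/`|contains`/`|endswith` modifiers plus a simplified count-by-source-IP correlation, and runs both halves of the gate. The field names (`c-ip`, `cs-method`, `c-uri`, `sc-status`), the threshold, and the sample log lines are all assumptions made here for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Sigma-style rule (mirrors Sigma YAML keys; not the shipped LTR-0001 body).
RULE = {
    "title": "Credential stuffing against /login (illustrative)",
    "logsource": {"category": "webserver", "product": "nginx"},
    "detection": {
        "selection": {
            "cs-method": "POST",
            "c-uri|startswith": "/login",
            "sc-status": [401, 403],   # a list of values is OR-ed
        },
        "condition": "selection",
    },
    # Simplified correlation: fire when >= threshold matching events come from one
    # source IP inside the time window. Values are assumptions for this example.
    "correlation": {"group_by": "c-ip", "timespan_seconds": 60, "threshold": 10},
}

# nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def parse_nginx_line(line):
    """Map one access-log line onto Sigma-style webserver field names; None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None  # skipped, never counted as a match
    return {
        "@timestamp": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "c-ip": m["ip"],
        "cs-method": m["method"],
        "c-uri": m["uri"].split("?", 1)[0],
        "sc-status": int(m["status"]),
        "c-useragent": m["ua"],
    }


def _match_value(value, expected, modifier):
    s, e = str(value), str(expected)
    if modifier is None:
        return s == e
    if modifier == "contains":
        return e in s
    if modifier == "startswith":
        return s.startswith(e)
    if modifier == "endswith":
        return s.endswith(e)
    raise ValueError(f"unsupported modifier: {modifier}")


def selection_matches(event, selection):
    """Keys in a selection map are AND-ed; a list of values for one key is OR-ed."""
    for key, expected in selection.items():
        field, _, modifier = key.partition("|")
        if field not in event:
            return False
        candidates = expected if isinstance(expected, list) else [expected]
        if not any(_match_value(event[field], c, modifier or None) for c in candidates):
            return False
    return True


def evaluate(rule, log_lines):
    """Return one alert dict per group that crosses the threshold (per event if no correlation)."""
    if rule["detection"]["condition"] != "selection":
        raise NotImplementedError("only `condition: selection` is supported here")
    events = [e for e in map(parse_nginx_line, log_lines) if e]
    hits = [e for e in events if selection_matches(e, rule["detection"]["selection"])]
    corr = rule.get("correlation")
    if not corr:
        return [{"c-ip": e["c-ip"], "count": 1} for e in hits]
    by_group = defaultdict(list)
    for e in hits:
        by_group[e[corr["group_by"]]].append(e["@timestamp"])
    window, alerts = timedelta(seconds=corr["timespan_seconds"]), []
    for key, times in by_group.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):          # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= corr["threshold"]:
                # alert at the first crossing, as a streaming correlator would
                alerts.append({corr["group_by"]: key, "count": end - start + 1, "window_end": t})
                break
    return alerts


def validate_rule(rule, malicious_sample, benign_sample):
    """The ship gate: must fire on the malicious sample AND stay quiet on the benign one."""
    return bool(evaluate(rule, malicious_sample)) and not evaluate(rule, benign_sample)


def _line(ip, ts, method, uri, status, ua="Mozilla/5.0"):
    return f'{ip} - - [{ts}] "{method} {uri} HTTP/1.1" {status} 52 "-" "{ua}"'


# Constructed samples: 12 failed POSTs in 33 s from one IP vs. ordinary traffic.
MALICIOUS_SAMPLE = [
    _line("198.51.100.7", f"10/Oct/2023:13:55:{s:02d} +0000", "POST", "/login", 401)
    for s in range(0, 36, 3)
]
BENIGN_SAMPLE = [
    _line("192.0.2.10", "10/Oct/2023:13:55:01 +0000", "POST", "/login", 401),
    _line("192.0.2.10", "10/Oct/2023:13:55:20 +0000", "POST", "/login", 302),
    _line("192.0.2.11", "10/Oct/2023:13:56:05 +0000", "GET", "/login", 200),
    _line("192.0.2.12", "10/Oct/2023:13:57:40 +0000", "POST", "/login", 401),
    _line("192.0.2.12", "10/Oct/2023:13:58:01 +0000", "POST", "/login", 302),
]

if __name__ == "__main__":
    print("ships:", validate_rule(RULE, MALICIOUS_SAMPLE, BENIGN_SAMPLE))
```

The same harness also shows why the gate has two halves: drop the `correlation` block and the per-event rule still fires on the attack, but it also alerts on the two ordinary typo'd passwords in the benign sample, so `validate_rule` returns False and the rule would not ship.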
Detect Credential Stuffing in Okta System Log
LTR-0007 · T1110.004, T1110.001
Detect IAM Privilege Escalation in GCP Cloud Audit Logs
LTR-0008 · T1098, T1078.004
Detect Kubernetes Secret Exfiltration in Audit Logs
LTR-0009 · T1552.007, T1078
Detect Path Traversal & Sensitive-File Recon in Cloudflare Logs
LTR-0010 · T1190, T1083, T1595.001
Detect Business Email Compromise via Malicious Inbox Rules (Microsoft 365)
LTR-0006 · T1114.003, T1564.008
Detect Legacy-Auth MFA Bypass in Azure AD Sign-In Logs
LTR-0004 · T1078.004, T1556
Detect Port Scanning in AWS VPC Flow Logs
LTR-0005 · T1046, T1595.001
Detect Credential Stuffing Against Authentication Endpoints (nginx / web logs)
LTR-0001 · T1110.004, T1110.001
Detect IAM Privilege Escalation in AWS CloudTrail
LTR-0002 · T1098, T1078.004, T1484
Detect LSASS Credential Dumping with Sysmon
LTR-0003 · T1003.001, T1055