<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: Toriola Opeyemi </title>
    <description>The latest articles on DEV Community by Toriola Opeyemi  (@geekyblessing).</description>
    <link>https://dev.to/geekyblessing</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3950260%2F79c969b0-f48c-4a17-8f43-66c4ca791a8a.png</url>
      <title>DEV Community: Toriola Opeyemi </title>
      <link>https://dev.to/geekyblessing</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/geekyblessing"/>
    <language>en</language>
    <item>
      <title>Building an AWS Detection-as-Code Engine Using Sigma Rules and MITRE ATT&amp;CK</title>
      <dc:creator>Toriola Opeyemi </dc:creator>
      <pubDate>Wed, 01 Jul 2026 17:26:45 +0000</pubDate>
      <link>https://dev.to/geekyblessing/building-an-aws-detection-as-code-engine-using-sigma-rules-and-mitre-attck-1kdn</link>
      <guid>https://dev.to/geekyblessing/building-an-aws-detection-as-code-engine-using-sigma-rules-and-mitre-attck-1kdn</guid>
      <description>&lt;h1&gt;
  
  
  Building an AWS Dete
&lt;/h1&gt;

&lt;p&gt;&lt;em&gt;How I built Sentinel Rules, a detection engineering project that turns AWS threat detection logic into version-controlled, testable, CI-validated code.&lt;/em&gt;&lt;/p&gt;

&lt;h2&gt;
  
  
  Why this project exists
&lt;/h2&gt;

&lt;p&gt;Most cloud security portfolios lean heavily on offensive tooling: attack path analyzers, privilege escalation mappers, exploitation frameworks. Mine did too. I had built an AWS Attack Path Analyzer that could find 34 exploitable paths in a live account and score them for risk. It was a strong offensive piece, but it was missing its counterpart.&lt;/p&gt;

&lt;p&gt;Finding an attack path is only half the story. The other half is catching someone who actually walks it.&lt;/p&gt;

&lt;p&gt;That gap is what Sentinel Rules is built to close: an AWS Detection-as-Code engine that codifies threat detection logic as version-controlled Sigma rules, evaluates them against real CloudTrail activity, and maps every finding back to MITRE ATT&amp;amp;CK. It's the blue-team layer that complements the red-team work I'd already done.&lt;/p&gt;

&lt;h2&gt;
  
  
  Detection engineering principles
&lt;/h2&gt;

&lt;p&gt;Writing a rule that says "alert when X happens" is easy. Writing a rule that survives contact with a real, noisy AWS account is a different problem entirely, and that difference is the actual discipline of detection engineering.&lt;/p&gt;

&lt;p&gt;I structured the project around a threat model first, not a tool list. I asked: what does a real account takeover actually look like, step by step, in AWS? The answer, drawn from documented cloud breach patterns, looks roughly like this:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;An attacker gets valid but stolen credentials&lt;/li&gt;
&lt;li&gt;They disable MFA so they can't be locked out&lt;/li&gt;
&lt;li&gt;They attach an administrator policy to escalate privileges&lt;/li&gt;
&lt;li&gt;They create persistent access, in the worst case, a root access key&lt;/li&gt;
&lt;li&gt;They open a data store to the public to exfiltrate&lt;/li&gt;
&lt;li&gt;They pivot laterally into other accounts in the organization&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;Each of those six steps became a Sigma rule, tagged with its corresponding MITRE ATT&amp;amp;CK technique. Sigma specifically, not a custom format, because using an industry-standard rule syntax means these rules are portable to real SIEM tooling, not locked into a one-off script.&lt;/p&gt;

&lt;h2&gt;
  
  
  False positive reduction: the part nobody shows you
&lt;/h2&gt;

&lt;p&gt;The moment I ran the engine against static test fixtures, it worked perfectly. Every rule fired exactly where it should. That felt like a finished project.&lt;/p&gt;

&lt;p&gt;Then I pointed it at a live AWS account, using the AWS CloudTrail Event History API, and watched the "Suspicious Cross-Account AssumeRole" rule fire dozens of times in a single day. Every single hit was &lt;code&gt;userIdentity.type: AWSService&lt;/code&gt;, AWS's own internal service-linked roles doing routine background work. Not an attacker in sight.&lt;/p&gt;

&lt;p&gt;This is the part of detection engineering that separates a demo from a usable tool. A rule that fires on every legitimate automation event isn't a detection, it's noise, and noise is worse than nothing because it trains people to ignore alerts. I added an explicit filter to exclude AWS service principals and known CI/CD automation ARNs, then re-ran the engine. The false positives disappeared; the real signal stayed.&lt;/p&gt;

&lt;p&gt;That tuning cycle, deploy against real data, get burned by noise, add a targeted filter, re-validate, is the actual job. It's also the story I'm proudest of in this project, because it's the difference between a rule that looks good in a README and a rule that would survive a week in a real SOC.&lt;/p&gt;

&lt;h2&gt;
  
  
  Correlation logic: making weak signals strong
&lt;/h2&gt;

&lt;p&gt;Individually, an MFA deactivation event has a legitimate explanation. So does a privilege escalation event. Either one, alone, generates a medium-confidence alert at best, the kind of thing an analyst might reasonably dismiss.&lt;/p&gt;

&lt;p&gt;But the same actor doing both within a ten minute window is a different story. That sequence, disable defenses, then escalate privileges, is close to a textbook account takeover pattern, and it's far less likely to have an innocent explanation.&lt;/p&gt;

&lt;p&gt;I built a correlation rule specifically to catch this. It's the most technically interesting piece of the engine: it groups matching events by actor, sorts them chronologically, and checks whether all required event types occur within a defined timeframe for the same principal. When they do, it emits a single critical-severity alert instead of two separate medium-severity ones.&lt;/p&gt;

&lt;p&gt;This is the same pattern real SIEM correlation engines use to reduce alert fatigue while actually improving detection of multi-stage attacks: don't just detect events, detect &lt;em&gt;sequences&lt;/em&gt;.&lt;/p&gt;

&lt;h2&gt;
  
  
  Lessons learned
&lt;/h2&gt;

&lt;p&gt;&lt;strong&gt;Testing catches things you don't expect.&lt;/strong&gt; While writing unit tests for the condition parser, one test deliberately fed it a malformed expression to confirm it failed safely. It did fail, but with the wrong exception type, a &lt;code&gt;SyntaxError&lt;/code&gt; instead of a clean, expected &lt;code&gt;ValidationError&lt;/code&gt;. No actual code executed, since the parser's tokenizer had already stripped out anything dangerous, but it was a reminder that "it works" and "it fails safely" are two different claims, and only tests prove the second one.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Static fixtures lie by omission.&lt;/strong&gt; They prove your logic is correct. They don't prove your rule is usable. Only real data, with its irrelevant background noise, its automation traffic, its unpredictable weirdness, tells you whether a detection rule is actually deployable or just theoretically correct.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Documentation is part of the engineering, not an afterthought.&lt;/strong&gt; Writing out the threat model forced me to be explicit about what this project does and does not detect. It only sees what CloudTrail logs; if logging is disabled or a region isn't covered, an attacker is invisible to it. Writing that down isn't just for a README, it's an honest accounting of the tool's actual boundaries.&lt;/p&gt;

&lt;h2&gt;
  
  
  What's next
&lt;/h2&gt;

&lt;p&gt;Sentinel Rules currently supports two-stage correlation chains and CloudTrail as its only log source. The natural next steps are GuardDuty finding ingestion as an additional signal, N-stage correlation for longer attack chains, and expanding coverage beyond IAM and S3 into services like Lambda and EC2.&lt;/p&gt;

&lt;p&gt;The full project, including the Sigma rules, the Python detection engine, the test suite, and the CI pipeline, is open source: &lt;a href="https://github.com/GeekyBlessing/sentinel-rules" rel="noopener noreferrer"&gt;github.com/GeekyBlessing/sentinel-rules&lt;/a&gt;&lt;/p&gt;




&lt;p&gt;&lt;em&gt;Toriola Opeyemi is a Cloud Security Engineer focused on detection engineering, cloud security automation, and offensive security tooling. More at &lt;a href="https://toriolaopeyemi.com" rel="noopener noreferrer"&gt;toriolaopeyemi.com&lt;/a&gt;.&lt;/em&gt;&lt;/p&gt;

</description>
      <category>automation</category>
      <category>aws</category>
      <category>security</category>
      <category>showdev</category>
    </item>
  </channel>
</rss>
