You're building an evasion-aware detection system for a savings cooperative in Mbabane, Eswatini — a banking platform with a mobile app, a staff web portal, and 400 daily alerts that the two-person IT team ignores entirely.
The discipline skills: writing detection rules that withstand evasion (case variations, URL encoding, comment injection), building correlation rules that combine Suricata network alerts with web and API logs, authoring Wazuh decoders for new log sources, and managing operational alert volume for a team that cannot absorb more noise.
The AI-direction lesson: you are encoding workflows into reusable AI infrastructure for the first time. A custom skill that validates, converts, tests, deploys, and verifies a Sigma rule without re-specifying each step. Hooks that block a rule with incorrect field names before it deploys. A delegated agent scoped to a specific task with specific access. The difference between directing AI in real time and directing by design is that design-time decisions compound — a well-scoped skill used twenty times saves twenty conversations, and a badly scoped one introduces the same error twenty times.
Your Role
You are building a detection system that works under adversarial conditions — rules that hold up when an attacker reads them and looks for gaps. The compliance evidence is a deliverable, but the real work is making detection mean something for a team that already ignores everything.
No detection strategy template. You decide which attack patterns need rules, which log sources to correlate, and what alert volume is acceptable.
What's New
Last time you deployed Wazuh alongside Loki for the Bhutan Tourism Council, wrote cross-SIEM detection rules, authored your first engagement memory, and connected AI to Loki via MCP.
Evasion-aware detection. You will write detection rules and then attack them yourself -- generating case variations, URL-encoded payloads, and comment injection to test whether your rules hold. A rule that catches UNION SELECT but not UniOn SeLeCt is worse than it looks.
Correlation rules. Single-source rules miss multi-stage attacks. You will combine signals from Suricata network alerts, web application logs, and API logs to detect attack sequences that no individual source reveals.
AI infrastructure. You will write your first custom skill -- a Sigma deployment workflow that validates, converts, tests, deploys, and verifies without re-specifying each step. You will configure your first hooks -- deterministic guards that block a rule with incorrect field names before it deploys. And you will delegate focused work to a custom agent, experiencing the difference between directing in real time and directing by design.
The hard part: every detection rule has an operational cost. A rule that fires 50 times a day on normal traffic consumes analyst attention. You are building for a two-person IT team that already ignores everything.
Tools
- Suricata -- network intrusion detection, generating alerts for SIEM integration. New.
- Codex CLI -- cross-tool agent configuration for delegated work. New.
- Sigma + sigma-cli -- evasion-aware rule authoring and validation. Continuing.
- pySigma backends (Loki + OpenSearch) -- rule conversion for both monitoring systems. Continuing.
- Grafana + Loki + Alloy -- log aggregation, querying, and collection. Continuing.
- Wazuh -- SIEM with decoder authoring and multi-source integration. Continuing.
- Nmap -- reconnaissance. Continuing.
- sqlmap -- exploitation for generating evasion test data. Continuing.
- Docker -- lab environment. Continuing.
- MCP -- multiple connections: Loki API, Docker management, Wazuh API. Continuing.
- Claude Code -- AI directing with engagement memory, first skill, first hooks, first delegated agent.
Materials
- Docker environment -- web portal (staff access), mobile API (member transactions), core banking backend, Suricata network monitor, plus the Grafana/Loki/Alloy/Wazuh monitoring stack.
- Field mapping reference -- field names across four log sources (web portal, mobile API, Suricata, Wazuh) with a normalisation table for cross-source detection.
- FSRA compliance evidence template -- six-section report structure aligned to the regulator's requirements.
- CLAUDE.md -- project governance file with detection naming conventions and scope boundaries.