Best Practices

Follow these recommendations to get the most accurate and useful detection rules from CloudSigma.

Input Quality

Choose the Right Input Type

Scenario	Recommended Input
Published advisory with technical details	URL
Specific vulnerability you need coverage for	CVE
Internal report or proprietary intelligence	Text
Content behind a paywall or requiring auth	Text (copy-paste the content)

Write Effective Text Input

When using text input, include:

Specific ATT&CK techniques mentioned in the intelligence (e.g., “T1098.001”)
Platform context — mention AWS, Azure, GCP, or other platforms involved
Concrete indicators — tool names, API calls, file paths, network behavior
Attack narrative — describe the sequence of events, not just isolated facts

Good example:

“The threat actor used stolen AWS credentials to create new IAM access keys (T1098.001), then modified Lambda functions to exfiltrate data to an external S3 bucket (T1537). The attacker used the AWS CLI from IP 203.0.113.42.”

Less effective:

“Attackers compromised cloud infrastructure.”

URL Input Tips

Use direct links to advisories (not index or listing pages)
CISA advisories, vendor security blogs, and detailed write-ups work best
Avoid paywalled content — the fetcher cannot authenticate
Short news articles without technical details produce fewer rules

Platform Selection

Target Your Environment

If you only run AWS workloads, specify targetProviders: ["aws"] to avoid generating rules for platforms you don’t use:


{
  "options": {
    "targetProviders": ["aws", "kubernetes-audit"]
  }
}

This reduces noise and speeds up generation.

Start Broad, Then Focus

For initial coverage building, omit targetProviders to generate rules for all applicable platforms. As your coverage grows, narrow to platforms with gaps.

Rule Management

Review Pipeline Notices

Always check the pipelineNotices array in the response. It contains warnings about:

TTPs that were filtered out (and why)
Rules that failed validation
Detection gaps (techniques with no applicable cloud detection)

Test Before Deploying

CloudSigma validates rules against pySigma, but you should still:

Review the rule logic against your environment’s log schema
Check for false positive potential (see falsepositives field)
Test in a staging SIEM before production deployment
Adjust severity levels based on your risk tolerance

Build Coverage Incrementally

Submit advisories as they’re published to build coverage over time
Use the Coverage Heatmap to identify gaps
Focus on high-impact techniques first (Persistence, Privilege Escalation, Defense Evasion)

API Integration

Implement Proper Polling

Don’t poll more frequently than every 2 seconds. Use exponential backoff:


delay = 2
while True:
    status = check_status(arn)
    if status in ("SUCCEEDED", "FAILED"):
        break
    time.sleep(delay)
    delay = min(delay * 1.5, 10)

Handle Rate Limits Gracefully

The API allows 5 pipeline executions per minute. If integrating into CI/CD or batch workflows, add delays between requests:


for advisory_url in urls:
    submit_generation(advisory_url)
    time.sleep(15)  # stay well under the 5/min limit

Store Results

The API does not provide long-term rule storage beyond the execution history (max 50 entries). Store generated rules in your own repository or SIEM for production use.