Detection lifecycle manager for the detection engineer who writes Sigma rules first.
Tracks detections from idea through stable, wires into sigma-to-spl for conversion, detection-validator for testing, and Claude for hypothesis generation and rule critique. Every AI output is input to the engineer's judgment — not a finished product.
```shell
pip install -e .
```

Requires Python 3.10+. Claude features require ANTHROPIC_API_KEY.
```console
$ workbench init
wrote .workbench.yml — set ANTHROPIC_API_KEY before running AI commands
$ workbench new T1071.004 --slug dns-tunneling --tactic command-and-control
Hypothesis (what behavior are you detecting?) high-entropy subdomains used for DNS C2
created dns-tunneling [idea]
$ workbench lookup T1071.004
T1071.004 Application Layer Protocol: DNS
  tactics: command-and-control, exfiltration
  data sources: Network Traffic: Network Traffic Content
                Network Traffic: Network Traffic Flow
  log sources:
    zeek_dns
      fields: query, qtype_name, qtype, answers, TTL, rejected, rcode_name, id.orig_h, id.resp_h
      notes: Primary. Entropy on query labels, label count, answer-less queries (beaconing), high TTL variance.
  ...
$ workbench hypothesis dns-tunneling   # regenerate via Claude
$ workbench convert dns-tunneling --rule ../sigma-to-spl/rules/network/dns-tunneling.yml
$ workbench test dns-tunneling --rule ../sigma-to-spl/rules/network/dns-tunneling.yml \
    --test-data ../detection-notes/detections/network/dns/dns-tunneling-high-entropy-subdomains/test-data/
$ workbench critique dns-tunneling     # peer review via Claude
$ workbench promote dns-tunneling stable
$ workbench status
```
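The lookup notes in the quickstart describe the detection shape for T1071.004: entropy on query labels, label count, and answer-less queries. The following is an added example, not code from the workbench, sigma-to-spl or detection-validator. It scores a handful of constructed Zeek dns.log records against the quickstart hypothesis and shows where the known-noise part of the hypothesis step matters. Field names follow Zeek's dns.log (query, qtype_name, answers, TTLs, id.orig_h, id.resp_h); the thresholds, the known-noise suffix list, the registered-domain approximation and the sample records are assumptions made for illustration.

```python
"""Score Zeek dns.log records against the quickstart hypothesis:
high-entropy subdomain labels used for DNS C2.

Added illustration; not code from the workbench, sigma-to-spl or
detection-validator. Thresholds and sample records are assumptions.
"""
import json
import math
from collections import Counter

# Assumed thresholds, chosen for illustration: random base32/base64 labels
# sit near 4.5 bits per character, dictionary-word labels well under 3.5.
ENTROPY_THRESHOLD = 3.5
MIN_LABEL_LENGTH = 16  # short labels cannot carry much encoded payload
# "Known noise" the hypothesis step should surface: suffixes whose hash-like
# labels are expected (CDNs, telemetry). Assumed value for this example.
KNOWN_NOISE_SUFFIXES = ("cdn.example.net",)

# Constructed Zeek dns.log records (JSON lines); not captured traffic.
SAMPLE_DNS_LOG = """\
{"ts": 1700000000.1, "id.orig_h": "10.0.0.5", "id.resp_h": "10.0.0.53", "query": "www.example.com", "qtype_name": "A", "answers": ["93.184.216.34"], "TTLs": [300.0]}
{"ts": 1700000001.2, "id.orig_h": "10.0.0.5", "id.resp_h": "10.0.0.53", "query": "mail.example.com", "qtype_name": "A", "answers": ["93.184.216.35"], "TTLs": [300.0]}
{"ts": 1700000002.3, "id.orig_h": "10.0.0.9", "id.resp_h": "10.0.0.53", "query": "3q7x9kz2v8m1n4p6r0t5y7w2a9c3e5g7.tunnel.example", "qtype_name": "TXT", "answers": [], "TTLs": []}
{"ts": 1700000003.4, "id.orig_h": "10.0.0.9", "id.resp_h": "10.0.0.53", "query": "h8j2k4m6p9q1s3u5w7y9a2c4e6g8i0k2.tunnel.example", "qtype_name": "TXT", "answers": [], "TTLs": []}
{"ts": 1700000004.5, "id.orig_h": "10.0.0.7", "id.resp_h": "10.0.0.53", "query": "a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6.cdn.example.net", "qtype_name": "A", "answers": ["203.0.113.10"], "TTLs": [60.0]}
"""


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character of `text` (0.0 for empty or single-symbol input)."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def subdomain_labels(query: str) -> list[str]:
    """Labels left of the registered domain, approximated here as the last two
    labels (assumption; a production rule would consult a public-suffix list)."""
    labels = query.rstrip(".").lower().split(".")
    return labels[:-2] if len(labels) > 2 else []


def score_record(rec: dict) -> dict:
    """Compute the indicators the lookup notes list for one dns.log record."""
    query = rec.get("query", "")
    labels = subdomain_labels(query)
    longest = max(labels, key=len, default="")
    entropy = shannon_entropy(longest)
    answerless = not rec.get("answers")           # answer-less query: beaconing shape
    known_noise = query.endswith(KNOWN_NOISE_SUFFIXES)
    suspicious = (
        entropy >= ENTROPY_THRESHOLD
        and len(longest) >= MIN_LABEL_LENGTH
        and not known_noise
    )
    return {
        "orig_h": rec.get("id.orig_h"),
        "query": query,
        "qtype": rec.get("qtype_name"),
        "label_count": len(labels),
        "entropy": round(entropy, 3),
        "answerless": answerless,
        "known_noise": known_noise,
        "suspicious": suspicious,
    }


def triage(log_text: str) -> list[dict]:
    """Parse JSON-lines dns.log text and return one scored dict per record."""
    return [score_record(json.loads(line)) for line in log_text.splitlines() if line.strip()]


def suspicious_by_source(scored: list[dict]) -> Counter:
    """Suspicious queries per client; repeated answer-less hits from one host
    are the beaconing pattern the lookup notes mention."""
    return Counter(r["orig_h"] for r in scored if r["suspicious"])


if __name__ == "__main__":
    hits = triage(SAMPLE_DNS_LOG)
    for h in hits:
        flag = "ALERT" if h["suspicious"] else "  ok "
        print(f'{flag} {h["orig_h"]:<10} H={h["entropy"]:<5} labels={h["label_count"]} '
              f'answerless={h["answerless"]} noise={h["known_noise"]} {h["query"]}')
    print("suspicious per source:", dict(suspicious_by_source(hits)))
```

The CDN record is the point of the known-noise list: its hash-like label scores as high as the tunnel queries and is separated only by context, which is exactly the FP surface the critique step is meant to call out before a rule reaches testing.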
| Command | What it does |
|---|---|
| `workbench init` | Write starter `.workbench.yml` |
| `workbench new <technique>` | Create detection record, capture hypothesis |
| `workbench lookup <technique>` | ATT&CK data sources, log fields, coverage gaps |
| `workbench lookup --list` | All known techniques in the lookup table |
| `workbench status` | Pipeline view grouped by status |
| `workbench show <slug>` | All fields for a detection record |
| `workbench convert <slug>` | Run sigma-to-spl, store SPL in record |
| `workbench test <slug>` | Run detection-validator, store result |
| `workbench hypothesis <slug>` | Re-generate hypothesis via Claude |
| `workbench critique <slug>` | Rule critique via Claude |
| `workbench promote <slug> <status>` | Manually advance lifecycle status |
```text
idea → in_progress → testing → stable
                             → deprecated
```

`convert` advances idea → in_progress. `test` with a PASS or WARN result advances to testing (a FAIL leaves the status where it is). The remaining transitions, including retiring a detection to deprecated, are manual via `promote`.
```yaml
sigma_to_spl_path: ../sigma-to-spl
detection_notes_path: ../detection-notes
detection_validator_path: ../detection-validator
model: claude-sonnet-4-6
db_path: workbench.db
```

The API key is read from ANTHROPIC_API_KEY — never put it in the config file.
Claude's role is critique and drafting, not autonomous authorship. The engineer decides what to build and whether to use Claude's output.
- `hypothesis` surfaces observable artifacts, data source options, detection shape, and known noise for a technique. It is input for writing a Sigma rule, not a finished rule.
- `critique` reviews the Sigma rule for detection gaps, FP surface, data source dependencies, and condition logic issues. It stands in for peer review.

Both commands use prompt caching on the system prompt (5-minute TTL), so back-to-back calls within a session hit the cache. Model selection and the caching rationale are documented in detection_workbench/ai/client.py.
Default model: claude-sonnet-4-6. Override in .workbench.yml.
`workbench lookup` is a curated, offline reference — no API call, no network. It covers the techniques this portfolio actively writes detections for:
| Technique | Name |
|---|---|
| T1071, T1071.001, T1071.004 | Application Layer Protocol (parent, Web Protocols, DNS) |
| T1003.001 | LSASS Memory |
| T1021.002 | SMB/Windows Admin Shares |
| T1528 | Steal Application Access Token |
| T1546.003 | WMI Event Subscription |
| T1558.003 | Kerberoasting |
| T1078.004 | Valid Accounts: Cloud |
| T1098.001 | Additional Cloud Credentials |
Each entry includes ATT&CK data source components, log source field lists, coverage gaps, and environment-specific notes. Zeek/Corelight-first; Windows event log and cloud provider sources included where relevant.
Detection records are stored in a local SQLite database (workbench.db by default). No server required.
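An illustration of the lifecycle rules described earlier together with the SQLite-backed record store, as an added example that is not the workbench's own code: the table schema, function names and the transition table are assumptions that mirror the documented behaviour (convert moves idea to in_progress, a PASS or WARN test result moves the record to testing, promote handles the remaining transitions and rejects anything else). The stored SPL is a placeholder string, not converter output.

```python
"""Detection record store with the documented lifecycle rules.

Added illustration, not the workbench's own code: schema, function names and
the transition table are assumptions that mirror the documented behaviour.
"""
import sqlite3

# Pipeline order. Any active status may be retired to deprecated.
STATUSES = ("idea", "in_progress", "testing", "stable", "deprecated")

# Transitions `promote` accepts; anything else (e.g. stable -> idea) is rejected.
PROMOTE_TRANSITIONS = {
    "idea": {"in_progress", "deprecated"},
    "in_progress": {"testing", "deprecated"},
    "testing": {"stable", "deprecated"},
    "stable": {"deprecated"},
    "deprecated": set(),
}


class LifecycleError(ValueError):
    """Raised for unknown slugs, bad test results and disallowed transitions."""


def open_db(path: str = ":memory:") -> sqlite3.Connection:
    """Open (or create) the local SQLite store; no server involved."""
    conn = sqlite3.connect(path)
    allowed = ", ".join(f"'{s}'" for s in STATUSES)
    conn.execute(
        "CREATE TABLE IF NOT EXISTS detections ("
        " slug TEXT PRIMARY KEY,"
        " technique TEXT NOT NULL,"
        " tactic TEXT,"
        " hypothesis TEXT,"
        f" status TEXT NOT NULL CHECK (status IN ({allowed})),"
        " spl TEXT,"
        " test_result TEXT)"
    )
    conn.commit()
    return conn


def new_detection(conn, slug, technique, tactic, hypothesis) -> None:
    """`workbench new`: every record starts life as an idea."""
    conn.execute(
        "INSERT INTO detections (slug, technique, tactic, hypothesis, status)"
        " VALUES (?, ?, ?, ?, 'idea')",
        (slug, technique, tactic, hypothesis),
    )
    conn.commit()


def status_of(conn, slug) -> str:
    row = conn.execute("SELECT status FROM detections WHERE slug = ?", (slug,)).fetchone()
    if row is None:
        raise LifecycleError(f"unknown detection: {slug}")
    return row[0]


def _set_status(conn, slug, status) -> None:
    conn.execute("UPDATE detections SET status = ? WHERE slug = ?", (status, slug))


def record_conversion(conn, slug, spl) -> None:
    """`workbench convert`: store the SPL; advance idea -> in_progress only.
    Re-converting a rule that is already testing or stable must not regress it."""
    conn.execute("UPDATE detections SET spl = ? WHERE slug = ?", (spl, slug))
    if status_of(conn, slug) == "idea":
        _set_status(conn, slug, "in_progress")
    conn.commit()


def record_test(conn, slug, result) -> None:
    """`workbench test`: store the validator verdict. PASS or WARN advances to
    testing from any earlier status (assumption); FAIL never advances."""
    if result not in ("PASS", "WARN", "FAIL"):
        raise LifecycleError(f"unexpected validator result: {result}")
    conn.execute("UPDATE detections SET test_result = ? WHERE slug = ?", (result, slug))
    if result in ("PASS", "WARN") and status_of(conn, slug) in ("idea", "in_progress"):
        _set_status(conn, slug, "testing")
    conn.commit()


def promote(conn, slug, target) -> None:
    """`workbench promote`: manual transition, checked against PROMOTE_TRANSITIONS."""
    current = status_of(conn, slug)
    if target not in PROMOTE_TRANSITIONS[current]:
        raise LifecycleError(f"{slug}: cannot promote {current} -> {target}")
    _set_status(conn, slug, target)
    conn.commit()


def pipeline(conn) -> dict:
    """`workbench status`: slugs grouped by status, in pipeline order."""
    grouped = {s: [] for s in STATUSES}
    for slug, status in conn.execute("SELECT slug, status FROM detections ORDER BY slug"):
        grouped[status].append(slug)
    return grouped


if __name__ == "__main__":
    db = open_db()
    new_detection(db, "dns-tunneling", "T1071.004", "command-and-control",
                  "high-entropy subdomains used for DNS C2")
    record_conversion(db, "dns-tunneling", "<placeholder SPL>")  # idea -> in_progress
    record_test(db, "dns-tunneling", "WARN")                      # -> testing
    promote(db, "dns-tunneling", "stable")
    print(pipeline(db))
```

The two automatic transitions are deliberately one-directional: a re-run of convert or test on a stable rule updates the stored artifact without moving the status backwards, so the only way a detection leaves stable is an explicit promote to deprecated.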
- sigma-to-spl — Sigma rules + Corelight/Zeek-specific SPL converter
- detection-notes — ADS-format detection writeups
- detection-validator — Sigma-native test runner (no Splunk required)
- spl-coverage-map — ATT&CK Navigator layer generation