KEV→Sigma Generator — turns newly-exploited CVEs into tuned detection drafts
A tool I built that watches the CISA KEV catalog and produces validated Sigma rule drafts with false-positive guardrails baked in, plus a Splunk/Sentinel export. Tested against sample telemetry before it emits anything.
Built this to scratch my own itch: close the disclosure-to-detection gap without flooding the queue. The guardrail logic is the point, not the generation.
The generator polls the KEV feed, enriches each entry, and drafts a Sigma rule mapped to the relevant ATT&CK technique — then runs it against sample telemetry to estimate noise before surfacing it.
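As an added example (not the tool's own code), here is the guardrail step just described in miniature: a Sigma-style rule is drafted from a KEV-style entry and then held back when it fires on too much of a known-benign telemetry baseline. The KEV entry, the telemetry, the ATT&CK tag and the process_creation logsource are all constructed assumptions, not values from the real catalog.

```python
# Added example, not the tool's code: draft a Sigma-style rule from a KEV-style entry and
# gate it on a false-positive estimate computed over known-benign sample telemetry.

# Constructed KEV-style entry (field names follow the public KEV JSON; the CVE id is a placeholder).
KEV_ENTRY = {"cveID": "CVE-0000-00000", "vendorProject": "ExampleVendor",
             "product": "ExampleGateway", "vulnerabilityName": "ExampleGateway command injection"}

# Constructed known-benign baseline (process_creation events); every hit here is a false positive.
BENIGN_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "cmd.exe /c dir"},
    {"ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "powershell.exe -File backup.ps1"},
    {"ParentImage": r"C:\Program Files\ExampleGateway\gw.exe", "CommandLine": "gw.exe --rotate-logs"},
    {"ParentImage": r"C:\Windows\System32\services.exe", "CommandLine": "svchost.exe -k netsvcs"},
]

def draft_rule(entry, selection):
    """Build a minimal Sigma rule dict; the T1190 tag is an assumption for the placeholder entry."""
    return {
        "title": f"Possible exploitation of {entry['cveID']} ({entry['product']})",
        "status": "experimental",
        "tags": ["attack.t1190", "cve." + entry["cveID"][4:].lower()],
        "logsource": {"category": "process_creation", "product": "windows"},
        "detection": {"selection": selection, "condition": "selection"},
    }

def field_matches(event, key, expected):
    """Support the plain, |contains and |endswith Sigma modifiers, case-insensitively."""
    field, _, modifier = key.partition("|")
    value = str(event.get(field, "")).lower()
    wanted = [str(v).lower() for v in (expected if isinstance(expected, list) else [expected])]
    if modifier == "contains":
        return any(w in value for w in wanted)
    if modifier == "endswith":
        return any(value.endswith(w) for w in wanted)
    return value in wanted

def rule_matches(rule, event):
    """Evaluate a single-selection rule (condition: selection) against one event."""
    return all(field_matches(event, k, v) for k, v in rule["detection"]["selection"].items())

def guardrail(rule, benign_events, max_fp_rate=0.05):
    """Return (fp_rate, verdict): hold the draft when it fires on too much of the benign baseline."""
    hits = sum(rule_matches(rule, e) for e in benign_events)
    fp_rate = hits / len(benign_events)
    return fp_rate, ("emit" if fp_rate <= max_fp_rate else "hold")

# The loose draft (any cmd.exe child) fires on ordinary admin activity; the tuned draft anchors on
# the vulnerable product's own process spawning a shell, which the benign baseline never shows.
LOOSE = draft_rule(KEV_ENTRY, {"CommandLine|contains": "cmd.exe"})
TUNED = draft_rule(KEV_ENTRY, {"ParentImage|endswith": r"\examplegateway\gw.exe",
                               "CommandLine|contains": ["cmd.exe", "powershell.exe"]})

if __name__ == "__main__":
    for name, rule in (("loose", LOOSE), ("tuned", TUNED)):
        rate, verdict = guardrail(rule, BENIGN_EVENTS)
        print(f"{name}: fp_rate={rate:.2f} -> {verdict}")
```

The matcher covers only the modifiers the example uses; a real pipeline would hand the rule dict to a full Sigma backend for the Splunk and Sentinel exports.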
Output includes ready-to-import Splunk SPL and Sentinel KQL, plus a confidence note on expected false-positive rate.
This is the first tool shipped through the autonomous build pipeline: scoped, tested, scanned, and reviewed before publish.