// tool reference · Monitoring & Detection
AI Detection-Engineering Studio Pro
Turn a threat description or log sample into a Sigma detection rule, a SIEM query, false-positive tuning, and test cases.
Open AI Detection-Engineering Studio →
What it does
Turns a threat description in plain language into deployable detection logic — with the false-positive analysis that decides whether a rule survives contact with production.
When to use it
- You know the behaviour you want to catch but not the rule syntax.
- You need a Sigma rule plus honest FP notes before shipping it.
Inputs
Field names are the actual form parameters, verified against source.
| Field | Type | Required | Notes |
|---|---|---|---|
| intent | textarea | required | What you want to detect, in plain language. |
| source | select | optional | Log source the rule will run against. |
What you get back
Detection logic, the reasoning, expected false positives, and test cases.
Worked example
Input
Detect a user creating an inbox rule that forwards mail to an external domain
Output (abridged)
title: Suspicious External Forwarding Rule
status: experimental
logsource: { product: m365, service: exchange }
detection:
sel:
Operation: 'New-InboxRule'
Parameters|contains: 'ForwardTo'
filter:
Parameters|contains: '@yourcompany.com'
condition: sel and not filter
level: high
FALSE POSITIVES
· execs legitimately forwarding to a personal address (allow-list them)
· migration tooling during a tenant move
TEST: create a rule forwarding to an external address; confirm it fires.
How it works
AI generation constrained to a detection-rule format, reviewed against a defensive prompt. Output is text you review — nothing is deployed for you.
Limits
Read live from the platform configuration.
| Rate limit | 5 requests / 10 minutes |
Privacy
Your description is sent to the AI provider.
Standards
SigmaMITRE ATT&CK