Detection Engineering
Log360 provides a detection engineering platform with 2,286 pre-built rules, native Sigma import, historical back-testing, and AI-powered threat hunting. Rules are mapped to MITRE ATT&CK Enterprise tactics and techniques, with coverage spanning 13 of the framework's 14 tactics.
End-to-End Workflow
From authoring through production monitoring, manage every stage of detection development within Log360.
Rule Authoring
Both visual (GUI-based) and query-based rule creation with structured metadata, MITRE tagging, and real-time syntax validation.
GUI-based correlation rule creation with drag-and-drop conditions, logical grouping, and threshold configuration — no query syntax required for common detection patterns.
Full query editor with syntax highlighting and auto-complete for advanced users who need precise control over detection logic, aggregations, and time windows.
Every rule carries: MITRE ATT&CK mapping, severity, confidence score, data source dependencies, author, version number, and searchable tags.
Vendor-Provided Content
Continuously updated by ManageEngine's security research team, with content covering Windows, Active Directory, AWS, Microsoft 365, Cisco, Palo Alto, Fortinet, Sophos, and more.
Severity tiers: Critical, immediate action required; Trouble, suspicious activity that needs investigation; Attention, low-confidence signals kept for correlation and context building.
Rule types: Standard, signature- or pattern-based correlation rules; Anomaly, behavioral deviation from UEBA baselines; Advanced, multi-stage chain and threshold-based detections.
Regular weekly content pushes from ManageEngine Threat Research, plus emergency ad-hoc releases for critical zero-days and active campaigns.
Windows, Active Directory, AWS, Microsoft 365, Azure, Cisco, Sophos, SonicWall, Juniper, Fortinet, Palo Alto, Barracuda, SQL Server, network devices, and ManageEngine applications.
Every OOTB rule is tagged with MITRE ATT&CK tactic and technique IDs (e.g., TA0006, T1110.001) and is filterable by tactic, platform, severity, data component, and rule type.
Each rule includes detailed documentation: description, detection logic, and update history.
Detection-as-Code
Import community and commercial Sigma rules directly into Log360 with automatic field mapping and translation to the native correlation engine.
Import Sigma rules from SigmaHQ or commercial providers. Automatic field name resolution and log source mapping to Log360's normalized schema.
Log360 provides a REST API for log search, alert retrieval, incident management, and workflow execution. Rule creation and management are performed through the visual rule builder interface.
Imported Sigma rules retain their MITRE ATT&CK tags, severity levels, and metadata. They appear in the same rule library and coverage map as native content.
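The import path described above, as an added example that is not Log360's importer: a Sigma rule (embedded as the dict a YAML parser would produce) is translated into a predicate over a normalized schema, fields with no mapping are rejected at import time rather than silently never matching, and the rule's MITRE tags and severity are carried over. The normalized field names (event_id, logon_type, user, src_ip), the source and severity mappings, and the sample events are constructed assumptions, not the vendor's schema.

```python
"""Import a Sigma rule as a predicate over a normalized schema, then run it over events.
Added example, not Log360's importer: a real importer parses YAML; here the rule is the
equivalent dict. Field/source/severity mappings and the events are constructed assumptions."""
import fnmatch
import re
from typing import Callable, Dict, List

# Constructed Sigma rule, in the shape a SigmaHQ YAML rule has after parsing.
SIGMA_RULE = {
    "title": "Failed Network Logons From External Hosts",
    "level": "high",
    "tags": ["attack.credential_access", "attack.t1110.001"],
    "logsource": {"product": "windows", "service": "security"},
    "detection": {
        "selection": {"EventID": 4625, "LogonType": [3, 10]},  # list of values = OR
        "filter_internal": {"IpAddress|startswith": "10."},
        "condition": "selection and not filter_internal",
    },
}
# Assumed mappings for this example, not the vendor's schema.
SOURCE_MAP = {("windows", "security"): "windows_security"}
FIELD_MAP = {"EventID": "event_id", "LogonType": "logon_type",
             "TargetUserName": "user", "IpAddress": "src_ip"}
SEVERITY_MAP = {"critical": "Critical", "high": "Critical", "medium": "Trouble",
                "low": "Attention", "informational": "Attention"}
TACTIC_BY_TAG = {"attack.credential_access": "TA0006"}  # subset sufficient here

Predicate = Callable[[dict], bool]
KEYWORDS = {"and", "or", "not", "(", ")"}
TOKEN = re.compile(r"\(|\)|\b(?:and|or|not)\b|[A-Za-z_][A-Za-z_0-9]*")


def _atom(sigma_field: str, value) -> Predicate:
    """One 'Field|modifier: value(s)' pair -> predicate over a normalized event."""
    name, _, modifier = sigma_field.partition("|")
    if name not in FIELD_MAP:  # undefined field: reject at import, not at search time
        raise ValueError(f"undefined field {name!r}: no mapping to normalized schema")
    if modifier not in ("", "contains", "startswith", "endswith"):
        raise ValueError(f"unsupported modifier {modifier!r}")
    norm = FIELD_MAP[name]
    wanted = [str(v).lower() for v in (value if isinstance(value, list) else [value])]

    def test(ev: dict) -> bool:
        if norm not in ev:
            return False
        s = str(ev[norm]).lower()  # Sigma string matching is case-insensitive
        return any(
            (modifier == "" and fnmatch.fnmatchcase(s, v))  # exact, or * and ? wildcards
            or (modifier == "contains" and v in s)
            or (modifier == "startswith" and s.startswith(v))
            or (modifier == "endswith" and s.endswith(v))
            for v in wanted)
    return test


def _condition(expr: str, blocks: Dict[str, Predicate]) -> Predicate:
    """Sigma's and/or/not/() grammar is Python's, so after whitelisting every token
    (keywords or known block names only) Python can evaluate it per event."""
    tokens = TOKEN.findall(expr)
    if "".join(tokens) != "".join(expr.split()):
        raise ValueError(f"unsupported condition syntax: {expr!r}")
    names = {t for t in tokens if t not in KEYWORDS}
    missing = names - blocks.keys()
    if missing:
        raise ValueError(f"condition references undefined blocks {sorted(missing)}")
    code = compile(expr, "<sigma-condition>", "eval")
    return lambda ev: bool(eval(code, {"__builtins__": {}}, {n: blocks[n](ev) for n in names}))


def compile_sigma(rule: dict) -> dict:
    """Translate one rule: metadata is carried over, detection becomes a predicate."""
    det = rule["detection"]
    blocks = {}
    for name, body in det.items():
        if name != "condition":  # a map block is an AND over its field pairs
            atoms = [_atom(f, v) for f, v in body.items()]
            blocks[name] = (lambda ps: lambda ev: all(p(ev) for p in ps))(atoms)
    ls = rule["logsource"]
    key = (ls.get("product"), ls.get("service"))
    if key not in SOURCE_MAP:
        raise ValueError(f"no log source mapping for {key}")
    tags = rule.get("tags", [])
    return {
        "title": rule["title"],
        "severity": SEVERITY_MAP[rule["level"]],
        "tactic": next((TACTIC_BY_TAG[t] for t in tags if t in TACTIC_BY_TAG), None),
        "techniques": [t[7:].upper() for t in tags if re.fullmatch(r"attack\.t\d{4}(\.\d{3})?", t)],
        "source": SOURCE_MAP[key],
        "matches": _condition(det["condition"], blocks),
    }


# Constructed normalized events, as ingestion would have produced them.
EVENTS = [
    {"source": "windows_security", "event_id": 4625, "logon_type": 3, "user": "svc_backup", "src_ip": "203.0.113.7"},
    {"source": "windows_security", "event_id": 4625, "logon_type": 3, "user": "jdoe", "src_ip": "10.20.1.5"},
    {"source": "windows_security", "event_id": 4624, "logon_type": 10, "user": "jdoe", "src_ip": "203.0.113.7"},
    {"source": "windows_security", "event_id": 4625, "logon_type": 2, "user": "admin", "src_ip": "198.51.100.9"},
    {"source": "windows_security", "event_id": 4625, "logon_type": 10, "user": "admin", "src_ip": "198.51.100.9"},
]


def run_rule(rule: dict, events: List[dict]) -> List[dict]:
    """Events from the rule's mapped source that satisfy its condition."""
    return [ev for ev in events if ev.get("source") == rule["source"] and rule["matches"](ev)]


if __name__ == "__main__":
    compiled = compile_sigma(SIGMA_RULE)
    for hit in run_rule(compiled, EVENTS):
        print(compiled["severity"], compiled["tactic"], compiled["techniques"], hit["user"], hit["src_ip"])
```

Two of the five constructed events match (the external failed network logons); the internal 10.x failure is removed by the filter block, and the success and console-logon events never satisfy the selection. A rule referencing a field outside FIELD_MAP fails at compile_sigma, which is the behaviour you want from an importer: a rule that could never match because its field was mis-mapped should not reach the library looking like coverage.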
Coverage Mapping
All 2,286 detection rules are mapped to MITRE ATT&CK Enterprise tactics and techniques. Filter by tactic in the rule library or build custom dashboards to visualize and track coverage.
Coverage chart (Enterprise ATT&CK v14, updated weekly): bar length is scaled relative to the highest-count tactic, Defense Evasion, with 963 rules.
Every rule is tagged with ATT&CK tactic ID (e.g., TA0006) and technique/sub-technique ID (e.g., T1110.001). Filter the rule library by any combination of tactic and technique.
Build custom dashboards that visualize detection coverage mapped to MITRE tactics. Track how coverage improves as you add rules and onboard new data sources.
Rules are also tagged by data component (Process Creation, Network Connection, File Modification, etc.) enabling gap analysis by data source type.
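Coverage mapping and gap analysis over rule metadata, as an added example that is not Log360 code: it separates tagged coverage from effective coverage by counting a rule toward a tactic only when the data source behind its data component is actually onboarded, lists the rules that cannot fire, and ranks missing sources by how many rules each would bring to life. The rule records, the onboarded-source set and the component and source values are constructed assumptions; the tactic table is the 14 Enterprise ATT&CK v14 tactics.

```python
"""Tactic coverage and data-source gap analysis over rule metadata.
Added example, not Log360 code. Rule records carry the metadata fields the page lists;
the rules, the onboarded sources and the component/source values are constructed."""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Enterprise ATT&CK v14: 14 tactics, ID -> name.
ENTERPRISE_TACTICS = {
    "TA0043": "Reconnaissance", "TA0042": "Resource Development", "TA0001": "Initial Access",
    "TA0002": "Execution", "TA0003": "Persistence", "TA0004": "Privilege Escalation",
    "TA0005": "Defense Evasion", "TA0006": "Credential Access", "TA0007": "Discovery",
    "TA0008": "Lateral Movement", "TA0009": "Collection", "TA0011": "Command and Control",
    "TA0010": "Exfiltration", "TA0040": "Impact",
}

# Constructed rule metadata: id, ATT&CK tactic/technique, data component, and the
# log source that delivers that data component in this environment.
RULES = [
    {"id": "R-001", "tactic": "TA0006", "technique": "T1110.001",
     "component": "User Account Authentication", "source": "windows_security"},
    {"id": "R-002", "tactic": "TA0002", "technique": "T1059.001",
     "component": "Process Creation", "source": "sysmon"},
    {"id": "R-003", "tactic": "TA0005", "technique": "T1070.001",
     "component": "Process Creation", "source": "sysmon"},
    {"id": "R-004", "tactic": "TA0011", "technique": "T1071.001",
     "component": "Network Traffic Content", "source": "palo_alto"},
    {"id": "R-005", "tactic": "TA0008", "technique": "T1021.001",
     "component": "Logon Session Creation", "source": "windows_security"},
    {"id": "R-006", "tactic": "TA0006", "technique": "T1003.001",
     "component": "Process Access", "source": "sysmon"},
]
ONBOARDED: Set[str] = {"windows_security", "palo_alto"}  # constructed: Sysmon not yet ingested


def coverage_by_tactic(rules: List[dict], onboarded: Set[str]) -> Dict[str, Dict[str, int]]:
    """Per tactic: rules tagged, rules whose source is ingested, and distinct techniques
    those effective rules cover. Tagged-but-unfed rules inflate the map without detecting."""
    table = {tid: {"tagged": 0, "effective": 0, "techniques": set()} for tid in ENTERPRISE_TACTICS}
    for r in rules:
        row = table[r["tactic"]]
        row["tagged"] += 1
        if r["source"] in onboarded:
            row["effective"] += 1
            row["techniques"].add(r["technique"])
    return {tid: {"tagged": v["tagged"], "effective": v["effective"],
                  "techniques": len(v["techniques"])} for tid, v in table.items()}


def uncovered_tactics(rules: List[dict], onboarded: Set[str]) -> List[str]:
    """Tactics with no rule that can currently fire."""
    return sorted(t for t, v in coverage_by_tactic(rules, onboarded).items() if v["effective"] == 0)


def dead_rules(rules: List[dict], onboarded: Set[str]) -> List[str]:
    """Rules whose data component is not being ingested: they cannot alert."""
    return [r["id"] for r in rules if r["source"] not in onboarded]


def sources_to_onboard(rules: List[dict], onboarded: Set[str]) -> List[Tuple[str, int]]:
    """Missing sources ranked by how many dead rules each would revive."""
    gain = defaultdict(int)
    for r in rules:
        if r["source"] not in onboarded:
            gain[r["source"]] += 1
    return sorted(gain.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    cov = coverage_by_tactic(RULES, ONBOARDED)
    for tid, name in ENTERPRISE_TACTICS.items():
        print(f"{tid} {name:22} tagged={cov[tid]['tagged']} effective={cov[tid]['effective']}")
    print("dead:", dead_rules(RULES, ONBOARDED), "onboard next:", sources_to_onboard(RULES, ONBOARDED))
```

On the constructed data the tagged map shows Credential Access with two rules, but only one can fire until Sysmon is onboarded; the same check is what a detection-health "data source availability" alert needs, since a rule whose source stops flowing becomes dead without any change to the rule itself.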
Validation
Validate detection logic before deployment. Run rules against historical data and catch syntax errors before they reach production.
Real-time syntax checking during rule authoring. Catch errors — undefined fields, type mismatches, impossible conditions — before saving. Rules that don't pass validation cannot be deployed.
Run any rule (new or modified) against stored historical log data. See exactly which events would have matched, estimate alert volume, and identify potential false positives before going live.
In-Production Monitoring
Monitor the effectiveness of deployed rules. Track false positive rates and receive system-generated tuning recommendations to continuously improve detection quality.
Track false positive rates for each active detection rule. Identify noisy rules that degrade analyst productivity and prioritize them for tuning based on FP volume and analyst feedback.
Log360 analyzes rule performance and recommends tuning actions: threshold adjustments, exclusion suggestions, and logic refinements based on observed patterns in your environment.
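Back-testing (the Validation section above) and in-production tuning (this section), as one added example that is not Log360 code: a threshold rule (at least N failed logons from one source IP within W seconds) is replayed over constructed historical events, its false-positive rate is computed from constructed analyst dispositions, and two of the tuning actions the page lists are derived from that data: the smallest threshold that silences the known-FP source while the known attacker still alerts, and a source that repeatedly produces FP alerts as a candidate for an exclusion. The rule, the events, the dispositions and the recommendation heuristics are all assumptions made for the example.

```python
"""Back-test a threshold rule over historical events, then tune it from analyst dispositions.
Added example, not Log360 code. The rule (N failed logons from one source IP within
W seconds), the events, the dispositions and the heuristics are constructed assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Alert:
    src_ip: str
    window_start: int  # seconds; timestamp of the first event counted
    count: int


def _burst(ip: str, t0: int, n: int, step: int) -> List[dict]:
    """Constructed: n Windows 4625 (failed logon) events from ip, starting at t0, step seconds apart."""
    return [{"ts": t0 + i * step, "event_id": 4625, "src_ip": ip} for i in range(n)]


# Constructed historical data (relative seconds).
EVENTS = (
    _burst("198.51.100.9", 0, 12, 5)       # password guessing from an external host
    + _burst("10.0.0.50", 1000, 6, 10)     # authorised vulnerability scanner, two sweeps
    + _burst("10.0.0.50", 5000, 6, 10)
    + _burst("10.20.1.5", 2000, 3, 10)     # a user mistyping a password ...
    + [{"ts": 2030, "event_id": 4624, "src_ip": "10.20.1.5"}]  # ... then succeeding
)
# Analyst dispositions per alerting source, from the feedback loop (constructed).
DISPOSITIONS: Dict[str, str] = {"198.51.100.9": "true_positive", "10.0.0.50": "false_positive"}


def backtest(events: List[dict], threshold: int, window_s: int) -> List[Alert]:
    """Alert when >= threshold 4625 events from one IP fall within window_s seconds.
    After an alert the count restarts, so each threshold crossing yields one alert."""
    by_ip = defaultdict(list)
    for ev in events:
        if ev["event_id"] == 4625:
            by_ip[ev["src_ip"]].append(ev["ts"])
    alerts = []
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window_s:  # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                alerts.append(Alert(ip, times[start], end - start + 1))
                start = end + 1
    return alerts


def fp_rate(alerts: List[Alert], dispositions: Dict[str, str]) -> float:
    """Share of triaged alerts marked false positive (untriaged alerts are excluded)."""
    verdicts = [dispositions[a.src_ip] for a in alerts if a.src_ip in dispositions]
    return sum(v == "false_positive" for v in verdicts) / len(verdicts) if verdicts else 0.0


def recommend_threshold(events: List[dict], window_s: int, dispositions: Dict[str, str],
                        current: int, max_threshold: int = 20) -> Optional[int]:
    """Smallest threshold >= current at which no known-FP source alerts and every
    known-TP source still does; None if no threshold in range separates them."""
    tp_ips = {ip for ip, v in dispositions.items() if v == "true_positive"}
    for t in range(current, max_threshold + 1):
        alerted = {a.src_ip for a in backtest(events, t, window_s)}
        if tp_ips <= alerted and not any(dispositions.get(ip) == "false_positive" for ip in alerted):
            return t
    return None


def exclusion_candidates(alerts: List[Alert], dispositions: Dict[str, str],
                         min_fp_alerts: int = 2) -> Set[str]:
    """Sources that repeatedly produce FP alerts: better handled by an explicit
    exclusion than by raising the threshold for everyone."""
    fp_counts = defaultdict(int)
    for a in alerts:
        if dispositions.get(a.src_ip) == "false_positive":
            fp_counts[a.src_ip] += 1
    return {ip for ip, n in fp_counts.items() if n >= min_fp_alerts}


if __name__ == "__main__":
    current = backtest(EVENTS, 5, 60)
    print(f"threshold 5/60s: {len(current)} alerts, FP rate {fp_rate(current, DISPOSITIONS):.2f}")
    print("recommended threshold:", recommend_threshold(EVENTS, 60, DISPOSITIONS, 5))
    print("exclusion candidates:", exclusion_candidates(current, DISPOSITIONS))
```

At 5 failures per 60 seconds the replay produces four alerts, half of them from the scanner; raising the threshold to 7 removes both scanner alerts and still catches the spray, and the scanner's repeat FP history also makes it an exclusion candidate. Which of the two actions to take is a judgement call the data alone does not settle: a threshold high enough to hide a scanner also hides a slower attacker, whereas an exclusion keyed to the scanner's address keeps the lower threshold for everyone else.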
AI-Powered
Use natural language to query security data and hunt for threats. Log360's AI-powered search translates plain-English questions into structured queries across your entire log corpus.
Ask questions in plain English. The NLP engine translates to structured log queries, executes across relevant sources, and returns contextualized results with threat intelligence enrichment.
AI helps investigators pivot between data points, follow attack chains, and surface related events that a manual search might miss. Reduces mean-time-to-hunt for complex scenarios.
Based on hunting results, the AI suggests investigation next steps, highlights risk indicators, and correlates findings with known threat patterns from the detection rule library.
Feature Matrix
Capability table describing detection engineering features, current availability status, and implementation details for Log360.
| Capability | Status | Details |
|---|---|---|
| Rules & query workbench | Yes | Visual builder + query editor, both available. |
| Tuning workbench | Yes | FP monitoring + AI-driven tuning recommendations. |
| Detection coverage — MITRE framework mapping | Yes | All rules tagged to ATT&CK tactics/techniques; custom dashboard for coverage view. |
| Detection coverage — data source gap ID | Via filtering | Data component tags enable gap analysis per source type. |
| OOTB detection library | 2,286 rules | Standard, Anomaly, and Advanced rule types. |
| Vendor-updated threat content | Yes | Weekly updates + ad-hoc for critical threats. |
| Version controlled — native | External | Version control via external Git; audit logs track changes internally. |
| Version controlled — CI/CD | Limited | REST API covers log search, alerts, incidents, and workflow execution; rule creation and management go through the visual rule builder, so the documented API does not give a pipeline a push-to-deploy path for rule definitions. |
| Structured metadata per rule | Yes | MITRE mapping, severity, confidence, data source, author, version, tags. |
| Sigma rule import & translation | Yes | Native Sigma import with auto field mapping and translation. |
| Pre-prod — syntax validation & linting | Yes | Real-time validation during authoring. |
| Pre-prod — historical back-testing | Yes | Test rules against stored historical log data. |
| Pre-prod — adversary emulation | Not native | Integration with third-party emulation tools via log ingestion. |
| Detection health — data source availability | Planned | Source monitoring available via system health; dedicated detection-linked alerting in roadmap. |
| Detection health — schema drift | Planned | Roadmap item. |
| False positive rate monitoring | Yes | Per-rule FP tracking with analyst feedback loop. |
| AI-assisted threat hunting (NLP) | Yes | Natural language query across all log sources. |
| AI rule generation (NL to rule) | Roadmap | Planned capability; not GA as of May 2026. |
Explore 2,286 detection rules mapped to MITRE ATT&CK, native Sigma import, and AI-powered threat hunting in a live environment.