Himan10/agentic-sec

Angetic.sec — Detection Rule Management Platform

Overview

Angetic.sec is a full-stack SOC platform built to solve a real problem: security teams managing hundreds of detection rules across multiple SIEM platforms (Splunk SPL, Microsoft Sentinel KQL, Elastic Security) with no centralized visibility or tooling.

The platform covers the full detection engineering workflow:

Ingest → Catalog → Analyze → Test → Convert → Review

It ingests rules from multiple formats, catalogs them in a searchable database, classifies them using AI, detects duplicates, tests them against real log samples, and exposes an AI agent that SOC analysts can query in natural language.

Key Features

| Feature | Description |
|---|---|
| Multi-Format Ingestion | Parse Sigma (YAML), Sentinel (KQL/YAML), and Elastic (TOML) rules |
| Intelligent Catalog | Searchable database with filters: severity, MITRE technique/tactic, format, tags, author |
| AI Agent (Chat) | Gemini-powered agent with 11 security tools, streaming SSE responses |
| Rule Review Board | AI-generated review manifest: verdict, findings, suggested rewrite, test scenarios |
| Rule Testing | Run Sigma rules against JSON event datasets, get TP/FP/TN/FN metrics |
| Format Conversion | LLM-powered conversion of any rule to Sigma YAML with caching |
| Duplicate Detection | TF-IDF similarity matching to surface overlapping rules |
| MITRE ATT&CK Coverage | Heatmap with clickable techniques showing associated rules |
| Rule Classification | Atomic vs. Composite detection logic analysis |
| CloudTrail Analysis | Kill-chain reconstruction from AWS CloudTrail logs |
| Intelligence Dashboards | IP reputation, CVE lookup, MITRE technique detail, rendered inline |
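The Rule Testing row above describes scoring a Sigma rule against a labelled event dataset. The block below is an added illustration, not the platform's code (which the Tech Stack section says is built on pySigma): it evaluates a small Sigma subset (field maps with contains/startswith/endswith/equals modifiers, list values ORed, a condition of the form "a and not b") over a constructed JSON Lines dataset whose `expected` label marks each event as malicious or benign, and returns TP/FP/TN/FN counts with precision and recall. The rule, the events and the `expected` field name are all constructed for the example.

```python
# Added example (not the repo's pySigma-based code): a small Sigma-subset evaluator.
import json
# Constructed rule, shaped like the dict a YAML loader yields for Sigma.
RULE = {"title": "Encoded PowerShell (constructed)", "detection": {
    "selection": {"Image|endswith": "\\powershell.exe",
                  "CommandLine|contains": ["-enc ", "-EncodedCommand"]},
    "filter": {"User|startswith": "SVC_BACKUP"},  # known automation account
    "condition": "selection and not filter"}}

# Constructed dataset: one JSON event per line plus an "expected" label.
DATASET = r"""
{"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell -enc SQBFAFgA", "User": "alice", "expected": true}
{"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell -EncodedCommand ZQBjAGgAbwA=", "User": "SVC_BACKUP01", "expected": false}
{"Image": "C:\\Program Files\\PowerShell\\7\\pwsh.exe", "CommandLine": "pwsh -enc QQBCAEMA", "User": "mallory", "expected": true}
{"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell Get-Content C:\\logs\\app.log -enc UTF8", "User": "helpdesk", "expected": false}
"""

def _field_match(event, key, expected):
    """One Sigma field condition; list values are ORed."""
    field, _, modifier = key.partition("|")
    value = str(event.get(field, "")).lower()  # Sigma matching is case-insensitive
    for exp in (expected if isinstance(expected, list) else [expected]):
        exp = str(exp).lower()
        if {"contains": exp in value, "startswith": value.startswith(exp),
            "endswith": value.endswith(exp), "": value == exp}[modifier]:
            return True
    return False

def rule_matches(rule, event):
    """Condition subset: search identifiers joined by 'and', optionally 'not'."""
    det = rule["detection"]
    for term in det["condition"].split(" and "):
        negate, name = term.startswith("not "), term.removeprefix("not ")
        hit = all(_field_match(event, k, v) for k, v in det[name].items())
        if hit == negate:  # a negated search hit, or a required search missed
            return False
    return True

def evaluate(rule, dataset_text):
    """Confusion-matrix counts plus precision/recall over labelled events."""
    counts = {"TP": 0, "FP": 0, "TN": 0, "FN": 0}
    for line in filter(str.strip, dataset_text.splitlines()):
        event = json.loads(line)
        expected = bool(event.pop("expected", False))
        hit = rule_matches(rule, event)
        counts[("TP" if expected else "FP") if hit else ("FN" if expected else "TN")] += 1
    tp, fp, fn = counts["TP"], counts["FP"], counts["FN"]
    counts["precision"] = tp / (tp + fp) if tp + fp else 0.0
    counts["recall"] = tp / (tp + fn) if tp + fn else 0.0
    return counts
```

The four constructed events produce one of each outcome: the filter suppresses the automation account (TN), the pwsh.exe event shows a coverage gap (FN), and the loose "-enc " substring fires on a benign encoding argument (FP).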

Architecture

┌────────────────────────────────────────────────────────────┐
│                         Frontend                           │
│               React 18 + TypeScript + Vite                 │
│                    TailwindCSS styling                      │
│                                                            │
│  Agent │ Rules │ Analysis │ Testing │ Conversion │ Review  │
└────────────────────────┬───────────────────────────────────┘
                         │ HTTP / REST + SSE
                         ▼
┌────────────────────────────────────────────────────────────┐
│                         Backend                            │
│                  FastAPI  ·  Python 3.11+                  │
│                                                            │
│  API Routes: /rules /analysis /chat /review /testing       │
│               /ingestion /dashboard /search                │
│                                                            │
│  Services: IngestionService · ClassificationService        │
│            DuplicateService · ReviewService                │
│            AgentService (Gemini) · CloudTrailService       │
│                                                            │
│  MCP Services: MITRE · ThreatIntel · CVE · SigmaHQ         │
│                                                            │
│  Parsers: SigmaParser · SentinelParser · ElasticParser     │
└────────────────────────┬───────────────────────────────────┘
                         │
                         ▼
┌────────────────────────────────────────────────────────────┐
│                       SQLite (SQLAlchemy)                  │
│  rules · rule_classifications · rule_comments              │
│  sigma_conversions                                         │
└────────────────────────────────────────────────────────────┘
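The DuplicateService in the diagram above is described under Key Features as TF-IDF similarity matching. The following is an added stand-alone illustration of that technique, not the repository's implementation: it flattens each rule to text, builds smoothed TF-IDF vectors (scikit-learn style) in pure Python, and reports rule pairs whose cosine similarity reaches a threshold. SAMPLE_RULES and the 0.75 threshold are constructed for the example.

```python
# Added example (not the repo's DuplicateService): TF-IDF + cosine similarity
# over flattened rule text, the approach the README names for duplicate detection.
import math
import re
from collections import Counter

# Constructed sample library: rule id -> title plus flattened detection logic.
SAMPLE_RULES = {
    "r1": "Suspicious PowerShell EncodedCommand process_creation windows CommandLine contains -enc",
    "r2": "PowerShell EncodedCommand execution windows process_creation CommandLine contains -enc",
    "r3": "AWS CloudTrail root ConsoleLogin without MFA eventName ConsoleLogin userIdentity Root",
    "r4": "Linux crontab modification persistence process_creation CommandLine contains crontab",
}

def tokenize(text):
    """Lower-cased word tokens; underscores kept so field names stay whole."""
    return re.findall(r"[a-z0-9_]+", text.lower())

def tfidf_vectors(rules):
    """Map each rule id to a sparse {term: tf-idf} vector over the library."""
    tf = {rid: Counter(tokenize(text)) for rid, text in rules.items()}
    n = len(tf)
    df = Counter(term for counts in tf.values() for term in counts)
    vectors = {}
    for rid, counts in tf.items():
        total = sum(counts.values())
        # smoothed idf (as in scikit-learn) so shared terms keep a small weight
        vectors[rid] = {t: (c / total) * (math.log((1 + n) / (1 + df[t])) + 1)
                        for t, c in counts.items()}
    return vectors

def cosine(a, b):
    dot = sum(w * b.get(t, 0.0) for t, w in a.items())
    norm_a = math.sqrt(sum(w * w for w in a.values()))
    norm_b = math.sqrt(sum(w * w for w in b.values()))
    return dot / (norm_a * norm_b) if norm_a and norm_b else 0.0

def find_duplicates(rules, threshold=0.75):
    """Pairs of rule ids whose similarity is at or above the threshold."""
    vectors = tfidf_vectors(rules)
    ids = sorted(vectors)
    pairs = [(a, b, round(cosine(vectors[a], vectors[b]), 3))
             for i, a in enumerate(ids) for b in ids[i + 1:]]
    return sorted((p for p in pairs if p[2] >= threshold), key=lambda p: -p[2])
```

Rules r1 and r2 differ by a single word and are flagged as a pair; r4 shares only generic field-name tokens with them and stays well below the threshold.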

Directory Structure

detection-rules-platform/
├── backend/
│   ├── app/
│   │   ├── api/routes/        # API endpoint handlers
│   │   ├── core/
│   │   │   ├── parsers/       # Sigma, Sentinel, Elastic parsers
│   │   │   └── services/      # Business logic & AI services
│   │   │       └── mcp/       # MITRE, ThreatIntel, CVE, SigmaHQ
│   │   ├── db/                # SQLAlchemy models and repository
│   │   └── models/            # Pydantic schemas
│   ├── requirements.txt
│   └── .env.example
├── frontend/
│   ├── src/
│   │   ├── pages/             # React page components
│   │   ├── components/        # Reusable UI components
│   │   ├── api.ts             # API client
│   │   └── types.ts           # TypeScript interfaces
│   └── vite.config.ts
├── rules/                     # Detection rules (mount point)
│   └── detection-rules/
├── dataset/                   # Sample event datasets
├── data/                      # SQLite database (persisted)
└── docker-compose.yml

Gemini Integration

The platform uses Google Gemini as its AI backbone via the google-generativeai Python SDK. Gemini powers four distinct capabilities:

1. Conversational Agent (/api/v1/chat)

The AgentService implements a function-calling agent that streams responses over SSE. The agent has access to 11 security tools it can invoke autonomously:

| Tool | What it does |
|---|---|
| search_rules | Query the rule library with filters |
| review_rule | Generate a full AI review for a rule |
| get_coverage_gaps | Show MITRE ATT&CK coverage heatmap |
| find_duplicate_rules | Surface overlapping rules |
| get_statistics | Library statistics |
| lookup_mitre_technique | MITRE technique detail |
| check_ip_reputation | IP threat intelligence |
| lookup_cve | CVE/NVD data |
| search_community_rules | Compare against SigmaHQ community rules |
| show_library_overview | Executive summary dashboard |
| analyze_cloudtrail | Kill-chain analysis from CloudTrail logs |

The agent emits typed SSE events: thinking, text, tool_call, error, done.

2. Rule Classification

ClassificationService calls Gemini to determine whether a rule represents atomic detection logic (single event, single condition) or composite logic (correlation across multiple events/conditions). Results are cached in rule_classifications to avoid repeat LLM calls.

3. Rule Review Board (/api/v1/review/{rule_id})

ReviewService uses Gemini to generate a structured review manifest containing:

  • Overall verdict (approve / needs work / reject)
  • Finding cards with severity and suggested fixes
  • A rewritten version of the rule
  • Test scenarios with expected outcomes
  • MITRE ATT&CK notes
  • Cross-reference against known duplicates

4. Rule Format Conversion

LLM-powered conversion translates Sentinel KQL or Elastic TOML rules into Sigma YAML. Gemini receives the source rule, the target format specification, and examples, then returns valid YAML. Conversions are cached by content hash in sigma_conversions.

Configuration

Gemini is configured via three environment variables:

| Variable | Description | Example |
|---|---|---|
| LLM_API_KEY | Your Google AI Studio API key | AIzaSy... |
| LLM_MODEL | Gemini model name | gemini-1.5-flash |
| LLM_ENDPOINT | Optional custom endpoint | https://... |

All Gemini features degrade gracefully: the platform runs without an API key, but the AI endpoints return errors for those specific features.


Docker Installation

Docker is the recommended way to run Angetic.sec. It starts both the backend and frontend with a single command.

Prerequisites

1. Clone the repository

git clone <repository-url>
cd detection-rules-platform

2. Configure environment variables

Open docker-compose.yml and set your Gemini credentials in the backend environment block:

services:
  backend:
    environment:
      - DATABASE_URL=sqlite:///./data/rules.db
      - DEBUG=false
      - LLM_API_KEY=your-gemini-api-key-here
      - LLM_MODEL=gemini-1.5-flash
      # LLM_ENDPOINT is optional; omit for default Google AI endpoint
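The block above puts the key directly into docker-compose.yml, a file that is easy to commit by accident. An added alternative (not from the repository) keeps the same service and variable names but resolves the key from the shell or from an untracked .env file next to docker-compose.yml, using Compose variable substitution:

```yaml
# docker-compose.yml (added example; same service and variable names as above)
services:
  backend:
    environment:
      - DATABASE_URL=sqlite:///./data/rules.db
      - DEBUG=false
      # ${VAR:?msg} fails the startup with msg if VAR is unset; ${VAR:-x} defaults to x.
      - LLM_API_KEY=${LLM_API_KEY:?set LLM_API_KEY in .env or the shell}
      - LLM_MODEL=${LLM_MODEL:-gemini-1.5-flash}
      # LLM_ENDPOINT is optional; omit for default Google AI endpoint
# .env (keep it out of version control):
#   LLM_API_KEY=your-gemini-api-key-here
```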

To get a Gemini API key, visit Google AI Studio.

3. Create the data directory

mkdir -p data

The data/ directory must exist before the first run so Docker can mount it for SQLite persistence. If you skip this step you may get a "permission denied" mount error.

4. Build and start

# Build images and start in the foreground
docker-compose up --build

# Or start in the background
docker-compose up -d --build

On first startup the backend will auto-ingest any rules found under ./rules/detection-rules/.

5. Access the application

| Service | URL |
|---|---|
| Frontend | http://localhost:80 |
| Backend API | http://localhost:8000 |
| API Documentation | http://localhost:8000/docs |

Useful Docker commands

# Stop all services
docker-compose down

# View logs
docker-compose logs -f

# Rebuild after code changes
docker-compose up --build -d

# Reset the database (delete and recreate)
rm data/rules.db && docker-compose restart backend

Note on the Analysis page: The Atomic/Composite classification makes one LLM call per rule. For large rule sets this runs in the background and may take several minutes. If you see a "Failed to refresh connection" error, wait a moment and refresh the page.


Local Development Setup

If you prefer to run without Docker:

Backend

cd backend

python -m venv venv
source venv/bin/activate        # Windows: venv\Scripts\activate

pip install -r requirements.txt

cp .env.example .env
# Edit .env — set LLM_API_KEY, LLM_MODEL

uvicorn app.main:app --reload --port 8000

Frontend

cd frontend

npm install
npm run dev

Access the frontend at http://localhost:5173. The Vite dev server proxies /api requests to the backend.


Environment Variables Reference

| Variable | Default | Description |
|---|---|---|
| DEBUG | false | Enable verbose logging |
| DATABASE_URL | sqlite:///./data/rules.db | SQLAlchemy database URL |
| LLM_API_KEY | | Gemini API key (required for AI features) |
| LLM_MODEL | gemini-1.5-flash | Gemini model to use |
| LLM_ENDPOINT | | Custom LLM endpoint (optional) |

Tech Stack

| Layer | Technology |
|---|---|
| Frontend | React 18, TypeScript, Vite, TailwindCSS |
| Backend | Python 3.11+, FastAPI, SQLAlchemy, Pydantic |
| Database | SQLite |
| AI | Google Gemini (google-generativeai) |
| Rule Execution | pySigma, pySigma-backend-splunk, pySigma-backend-elasticsearch |
| Containerization | Docker, Docker Compose, nginx |

License

MIT License
