Looking for feedback on my open-source OT detection ruleset (29 rules for Wazuh/Sigma)
This is an announcement of an open-source detection ruleset called OT Sentinel, designed for Operational Technology (OT) and Industrial Control Systems (ICS) protocols such as Modbus, DNP3, IEC 104, MQTT, and OPC-UA. The ruleset includes 29 detection rules for Wazuh and Sigma platforms, mapped to MITRE ATT&CK for ICS. The project is community-driven, lab-validated for Modbus, and intended as an educational and detection engineering resource rather than a production-ready solution. It aims to fill a gap in open-source OT detection capabilities, providing visibility into OT protocol attacks at the SIEM layer. The author requests community feedback and emphasizes testing in non-production environments before deployment. This is not a vulnerability or exploit but a security tool resource.
AI Analysis
Technical Summary
OT Sentinel is an open-source detection rule library for OT/ICS protocols, providing 29 rules for Wazuh and Sigma platforms. It covers protocols including Modbus (fully lab-validated), DNP3, IEC 104, MQTT, and OPC-UA (logtest-validated but pending hardware validation). The rules are mapped to MITRE ATT&CK for ICS and designed for passive network monitoring in lab or test environments. The project addresses the lack of open-source OT detection rules and offers a free alternative to costly commercial OT security tools. It is intended as a learning and detection engineering accelerator, not a production-ready product. Users are advised to validate and tune rules in their own environments before any production deployment. The repository includes decoders, rules, test scripts, and documentation to support OT security detection engineering.
Potential Impact
There is no direct security impact or vulnerability associated with this content. It is a community-driven open-source detection ruleset intended to improve OT/ICS security monitoring capabilities. The project helps security teams detect potential OT protocol attacks by providing detection logic for SIEM/XDR platforms. It does not introduce any new attack vectors or exploits. Instead, it potentially enhances defenders' ability to identify malicious activity in OT environments.
Mitigation Recommendations
No remediation or patch is required as this is not a vulnerability or exploit. Users interested in OT security detection can consider evaluating and contributing to the OT Sentinel ruleset in lab or test environments. The author advises rigorous testing and tuning before any production deployment to avoid operational risks. This project should be treated as an educational and detection engineering resource rather than a turnkey security solution.
Looking for feedback on my open-source OT detection ruleset (29 rules for Wazuh/Sigma)
Description
This is an announcement of an open-source detection ruleset called OT Sentinel, designed for Operational Technology (OT) and Industrial Control Systems (ICS) protocols such as Modbus, DNP3, IEC 104, MQTT, and OPC-UA. The ruleset includes 29 detection rules for Wazuh and Sigma platforms, mapped to MITRE ATT&CK for ICS. The project is community-driven, lab-validated for Modbus, and intended as an educational and detection engineering resource rather than a production-ready solution. It aims to fill a gap in open-source OT detection capabilities, providing visibility into OT protocol attacks at the SIEM layer. The author requests community feedback and emphasizes testing in non-production environments before deployment. This is not a vulnerability or exploit but a security tool resource.
Reddit Discussion
I've been working on an open-source detection ruleset for OT/ICS protocols: Modbus, DNP3, IEC 104, MQTT, and OPC-UA. It's 29 rules mapped to MITRE ATT&CK for ICS, built for Wazuh and Sigma.
Modbus is fully lab-validated. The others have Sigma rules but yet to be validated.
I'd really appreciate any feedback from this community, especially on the attack catalogs, rule logic, or any obvious TTPs I've missed.
Repo : https://github.com/Sbharadwaj05/ot-sentinel-rules.git
Thanks.
Links cited in this discussion
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
OT Sentinel is an open-source detection rule library for OT/ICS protocols, providing 29 rules for Wazuh and Sigma platforms. It covers protocols including Modbus (fully lab-validated), DNP3, IEC 104, MQTT, and OPC-UA (logtest-validated but pending hardware validation). The rules are mapped to MITRE ATT&CK for ICS and designed for passive network monitoring in lab or test environments. The project addresses the lack of open-source OT detection rules and offers a free alternative to costly commercial OT security tools. It is intended as a learning and detection engineering accelerator, not a production-ready product. Users are advised to validate and tune rules in their own environments before any production deployment. The repository includes decoders, rules, test scripts, and documentation to support OT security detection engineering.
Potential Impact
There is no direct security impact or vulnerability associated with this content. It is a community-driven open-source detection ruleset intended to improve OT/ICS security monitoring capabilities. The project helps security teams detect potential OT protocol attacks by providing detection logic for SIEM/XDR platforms. It does not introduce any new attack vectors or exploits. Instead, it potentially enhances defenders' ability to identify malicious activity in OT environments.
Mitigation Recommendations
No remediation or patch is required as this is not a vulnerability or exploit. Users interested in OT security detection can consider evaluating and contributing to the OT Sentinel ruleset in lab or test environments. The author advises rigorous testing and tuning before any production deployment to avoid operational risks. This project should be treated as an educational and detection engineering resource rather than a turnkey security solution.
Technical Details
- Source Type
- Subreddit
- cybersecurity
- Reddit Score
- 0
- Discussion Level
- minimal
- Content Source
- reddit_link_post
- Post Type
- link
- Domain
- null
- Newsworthiness Assessment
- {"score":28,"reasons":["external_link","newsworthy_keywords:rce,sigma","non_newsworthy_keywords:rules","established_author","very_recent"],"isNewsworthy":true,"foundNewsworthy":["rce","sigma"],"foundNonNewsworthy":["rules"]}
- Has External Source
- true
- Trusted Domain
- false
Threat ID: 6a21233be29bf47b507575c9
Added to database: 6/4/2026, 7:03:23 AM
Last enriched: 6/4/2026, 7:03:48 AM
Last updated: 6/4/2026, 11:56:52 AM
Views: 11
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.