The repo ships multi-platform detection content and IR playbooks with reproducible counts. All numbers below are Verified (reproducible today); no inflated "total library" number is shown.
pwsh -NoProfile -File .\scripts\verify\verify-counts.ps1
pwsh -NoProfile -File .\scripts\verify\generate-verified-counts.ps1 -OutFile .\PROOF_PACK\VERIFIED_COUNTS.md
Sigma rules are organized by tactic. Tiles expand with examples and pivots. Full mapping lives in the repo.
Where: detection-rules/sigma/ • Format: YAML • Organized by MITRE tactics.
# from repo root
(Get-ChildItem -Recurse .\detection-rules\sigma -Filter *.yml).Count
Repo proof: Counts are generated and published in PROOF_PACK/VERIFIED_COUNTS.md via verification scripts.
Where: detection-rules/wazuh/rules/ • Deployment: bundle to local_rules.xml.
# from repo root
pwsh -File .\scripts\build-wazuh-bundle.ps1
# XML files
(Get-ChildItem .\detection-rules\wazuh\rules -Filter *.xml).Count
# rule blocks (simple regex count)
Select-String -Path .\detection-rules\wazuh\rules\*.xml -Pattern '<rule\s+id=' | Measure-Object | % Count
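The simple regex count above also matches rules that sit inside XML comments. The following is an added example, not a script from the repo: it counts only active rule blocks and lists ids that appear more than once, which is worth checking before the files are bundled into one local_rules.xml. The function name and the sample rules are constructed for illustration.

```powershell
# Added example: count active Wazuh <rule> blocks and flag reused rule ids.
# The path is the one given on the page; everything else here is hypothetical.
$RulesDir = '.\detection-rules\wazuh\rules'

function Get-WazuhRuleIds {
    param([Parameter(Mandatory)][string]$Text)
    # Drop XML comments first so commented-out rules are not counted.
    $active = [regex]::Replace($Text, '(?s)<!--.*?-->', '')
    # Capture the numeric id attribute of each <rule ...> opening tag.
    [regex]::Matches($active, '<rule\s+[^>]*?\bid\s*=\s*["''](\d+)["'']') |
        ForEach-Object { $_.Groups[1].Value }
}

# Constructed sample (not from the repo): one active rule, one commented-out
# rule, and one id reused in a second file.
$files = [ordered]@{
    'a.xml' = @'
<group name="constructed,">
  <rule id="100100" level="5"><description>active</description></rule>
  <!-- <rule id="100101" level="5"><description>disabled</description></rule> -->
</group>
'@
    'b.xml' = @'
<group name="constructed,">
  <rule id="100100" level="7"><description>reused id</description></rule>
</group>
'@
}

# Use the real rule files when the directory exists; otherwise keep the sample.
if (Test-Path $RulesDir) {
    $files = [ordered]@{}
    Get-ChildItem $RulesDir -Filter *.xml | ForEach-Object {
        $files[$_.Name] = Get-Content $_.FullName -Raw
    }
}

$found = @(foreach ($name in $files.Keys) {
    Get-WazuhRuleIds -Text $files[$name] | ForEach-Object {
        [pscustomobject]@{ File = $name; Id = $_ }
    }
})

"Active rule blocks: $($found.Count)"
$found | Group-Object Id | Where-Object Count -gt 1 | ForEach-Object {
    "Duplicate id $($_.Name): $($_.Group.File -join ', ')"
}
```

A rule that deliberately reuses an id with overwrite="yes" is listed as well; review those entries by hand.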
Where: detection-rules/splunk/ • Format: SPL.
(Get-ChildItem .\detection-rules\splunk -Filter *.spl).Count
Where: incident-response/playbooks/ • Format: Markdown.
(Get-ChildItem .\incident-response\playbooks -Filter *.md).Count
Why: credibility. The CI pipeline validates counts on commits and generates a verification report.
scripts/verify/verify-counts.ps1 reproduces counts locally.
PROOF_PACK/VERIFIED_COUNTS.md is auto-generated by CI.
pwsh -NoProfile -File .\scripts\verify\verify-counts.ps1
Rules grouped under the tactic folder in Sigma. Use these to spot the start of a compromise chain.