SignalFoundry — Flagship System

SignalFoundry

The flagship triage pipeline behind HawkinsOps. A 35-script Python system that continuously ingests Wazuh SIEM alerts, classifies them through a deterministic policy engine, enforces PII redaction, validates state across four independent surfaces, and publishes evidence-backed escalation packs to a public repository — all CI-gated and reconciled. Specific incidents and remediations live under Case Studies. Reconciled metrics and verification commands live under Proof.

System State

SignalFoundry — current operational metrics

Heartbeat: SUCCESS
Cases: 324,074
Auto-closed: ~88%
Escalated: 8,574
Coverage: 8/8
Pipeline

How SignalFoundry works

Every alert passes through every stage in fixed order. No skip paths. No manual overrides. Policy dictates disposition. Every outcome is auditable.

01 INGEST: poll-alerts.py
02 TRIAGE: triage.py
03 REDACT: redact.py
04 PACK: assemble-pack.py
05 RECONCILE: reconcile-state.py
06 GATE: coverage-check.py
07 PUBLISH: proof output
Input
Raw Wazuh alerts polled from the Wazuh Indexer OpenSearch API via exponential-backoff retry. Supports backfill (cursor-based) and realtime (60-minute window) modes. Queue capped at 2,000 files per run.
Decision / Policy Layer
Every alert is evaluated through a multi-layer deterministic policy: known-FP match, always-escalate rules and groups, per-agent rule overrides, Sysmon tiering and suppressions, level thresholds, and protected-agent logic. Each policy entry is environment-derived with a documented reason. No analyst judgment in the main triage path.
Validation / Reconciliation
A 4-way consistency check cross-references the ledger, the portfolio repo incident directories, the content index, and the staging state, and reports six mismatch categories. The coverage check validates that all required hosts reported within a 168-hour window, with legacy alias normalization.
Publish / Evidence Output
Escalated cases produce 5 structured artifacts: one-pager, full report, timeline, queries, and closure report. All pass mandatory PII redaction with post-redaction validation. Absolute path leak detection enforced. Published to GitHub as PRs. Metrics CI-gated against the proof chain.
System Logic

Why alerts close, escalate, or block

Auto-Close (~88%)
Alerts matching known-FP signatures or expected activity patterns close automatically with a logged reason and audit trail. Each suppression was derived from direct observation of the monitored environment, not vendor defaults. The known-FP library and policy overrides are scoped per-agent, per-rule, and per-content match.
Escalation (~2.6%)
Alerts matching always-escalate policy entries, high-confidence suspicious patterns, or Sysmon high-risk binary indicators are promoted to full evidence packs. Sysmon process-access events (e.g. LSASS credential access) always escalate. Network-connection events escalate on living-off-the-land binary match. These are the cases that reach the public portfolio.
Redaction Gate
Before any case data leaves the internal store, regex-based sanitization removes IPs, hostnames, usernames, Windows paths, and email addresses. Post-redaction validation hard-fails if any forbidden pattern survives. Absolute path leak detection blocks any internal path reference from reaching published output.
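The redaction gate described above, as an added example that is not SignalFoundry's redact.py: a regex sanitizer followed by an independent post-redaction validation pass that hard-fails if a forbidden pattern survives. The placeholder tokens, the path prefixes treated as internal, the UNC fragment check, and the sample alert text are all assumptions constructed for the example.

```python
import re

# Added example, not SignalFoundry's redact.py: sanitize case text, then re-validate
# it with an independent pass and refuse to release output that still leaks.
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
EMAIL = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
WIN_PATH = re.compile(r"\b[A-Za-z]:\\(?:[^\\\s;,)]+\\?)*")
# Absolute internal path leak check; the /opt,/home,/srv,/var prefixes are an assumption.
ABS_PATH = re.compile(r"(?<![\w/])/(?:opt|home|srv|var)/[^\s;,)]+")
UNC_FRAGMENT = re.compile(r"\\\\[^\s;,)]+")  # \\host\share, which the drive-letter regex misses

class RedactionError(Exception):
    """Post-redaction validation failed: a forbidden pattern survived."""

def _word(term):
    return re.compile(r"\b%s\b" % re.escape(term), re.IGNORECASE)

def redact(text, hostnames=(), usernames=()):
    """Regex sanitization: IPs, emails, Windows paths, internal paths, then env-specific names."""
    out = IPV4.sub("[IP]", text)
    out = EMAIL.sub("[EMAIL]", out)
    out = WIN_PATH.sub("[WINPATH]", out)
    out = ABS_PATH.sub("[PATH]", out)
    for h in sorted(hostnames, key=len, reverse=True):  # longest first
        out = _word(h).sub("[HOST]", out)
    for u in sorted(usernames, key=len, reverse=True):
        out = _word(u).sub("[USER]", out)
    return out

def validate(text, hostnames=(), usernames=()):
    """Return names of forbidden patterns still present (empty list means clean).
    Deliberately stricter than redact(): UNC fragments are flagged although
    redact() only knows drive-letter paths, so a redactor gap becomes a hard fail."""
    checks = [("ipv4", IPV4), ("email", EMAIL), ("winpath", WIN_PATH),
              ("abspath", ABS_PATH), ("unc", UNC_FRAGMENT)]
    checks += [("hostname", _word(h)) for h in hostnames]
    checks += [("username", _word(u)) for u in usernames]
    return [name for name, pat in checks if pat.search(text)]

def redaction_gate(text, hostnames=(), usernames=()):
    """Redact, validate, and hard-fail instead of publishing a leaking artifact."""
    redacted = redact(text, hostnames, usernames)
    leaks = validate(redacted, hostnames, usernames)
    if leaks:
        raise RedactionError("forbidden patterns survived: " + ", ".join(leaks))
    return redacted

# Constructed sample alert text (not real environment data).
SAMPLE = ("Sysmon EventID 10: jdoe@lab.internal on DC01 (10.0.0.5) accessed lsass.exe "
          "from C:\\Users\\jdoe\\Desktop\\tool.exe; pack at /opt/signalfoundry/cases/42")
```

`redaction_gate(SAMPLE, hostnames=("DC01",), usernames=("jdoe",))` returns the sanitized line, while a UNC fragment pointing at a host missing from the hostname list is left by the redactor and then blocked by `validate()`.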
Reconciliation Gate
No output publishes unless the ledger, repo, content index, and staging state agree. Six mismatch categories are checked. If reconciliation fails in strict mode, the pipeline halts. This gate caught a real serialization defect on March 13, 2026 — the system blocked its own bad output and the defect was fixed within one session. Full case study →
Architecture

System map

SignalFoundry architecture: sources, pipeline gates, output controls
Triage Logic

Deterministic dispositions

No analyst judgment in the triage path. Policy dictates disposition. Every outcome is auditable.

Disposition | Condition | Action
AUTO_CLOSE_BENIGN | Expected activity pattern | Close + log evidence summary
AUTO_CLOSE_KNOWN_FP | Known false positive | Close + annotate reason + audit trail
ESCALATE | Suspicious / high-confidence | Generate evidence pack → escalation
~88% auto-closed
Escalation Output

Evidence pack structure

Every escalated case produces 5 artifacts. All pass mandatory redaction before publication.

00_one_pager.md: Analyst-ready intake summary
01_full_report.md: Investigative narrative with context
02_timeline.csv: Machine-readable event chronology
03_queries.md: Reproduction queries for the alert
04_closure_report.md: Final disposition + audit trail
SignalFoundry evidence capture surface