Documentation
Everything you need to install, configure, and run CraftedSignal.
Getting Started
Getting Started
Install CraftedSignal (SaaS or self-hosted), connect your SIEM, import or create detection rules, and deploy your first rule in minutes with csctl.
Configuration
Complete YAML configuration reference for CraftedSignal covering HTTP, storage, security, Temporal, AI, email, logging, and production hardening options.
CLI Reference
Full reference for csctl, the CraftedSignal CLI. Covers commands for init, validate, push, pull, sync, diff, library management, and CI/CD integration.
Pricing & Limits
Compare CraftedSignal pricing tiers: Free, Professional, Enterprise, and Unlimited. See rule limits, SIEM connections, API quotas, and self-hosted licensing.
Core Concepts
Rules
How detection rules are structured in CraftedSignal: metadata, MITRE ATT&CK mapping, multi-platform implementations, lifecycle states, versioning, and dependencies.
Testing
Test detection rules with positive, negative, and enrichment tests run against your live SIEM. Covers validation, CI/CD pipelines, and continuous monitoring.
Deployment & Rollback
Deploy detection rules to Splunk, Sentinel, CrowdStrike, and Rapid7 with approval workflows, dry-run previews, atomic rollback, and drift detection.
Threat Hunting
Hypothesis-driven hunts that fan out across every connected SIEM. Cluster results, assign verdicts in batch, and promote winning queries to tested Sigma detections, with a full audit trail of every cluster you've touched.
Health & Analytics
Monitor detection health with MITRE ATT&CK coverage heatmaps, noise budgets, signal-to-noise ratios, team workload metrics, MTTR, and ROI tracking dashboards.
Risks
The Risk Ops Board turns each company attack path into a tracked risk with a state machine, priority score, and lifecycle audit trail. Hunt it, accept the residual risk, escalate, or schedule a re-hunt; the loop closes back into coverage.
Threat Modeling & Risk Scoring
Model business services, declare attack paths, and score every MITRE technique by the exposure it represents to your organization. Accepted paths become tracked risks with a full lifecycle.
Threat Actors
A normalized catalog of threat groups linked to briefs, risks, detections, and hunts. Seeded from MITRE ATT&CK and grown automatically by an LLM that adjudicates names from incoming intel.
Threat Feed
Curated threat briefs with Sigma rules, IOCs, MITRE mappings, and affected vendor/product/OS metadata. Briefs are scored against your context, surface as risk candidates, and can be adopted, hunted, watchlisted, or dismissed per tenant.
Features
AI Assistance
AI-assisted detection engineering: rule generation, translation linting, health insights, and autofix. Self-hosted via Ollama with full data privacy and human approval.
Secure Detection Workflows
Secure detection workflows with mandatory validation, automated SIEM testing, approval gates, atomic rollback, drift detection, and breakglass emergency procedures.
Operations
Drift Detection
Every deployed rule is re-hashed on a schedule. Any out-of-band change in the SIEM is flagged, diffed, and queued for review.
Noise Budgets
Set daily alert budgets per team, service, or rule. Deploys that would exceed the budget are held. Monitoring mode proves out alert volume before alerts reach analysts.
Git-native Backups
Push every rule, version, and test to your Git repository on a schedule. Restore from any point, audit offline, or migrate environments without touching the SIEM.
Air-gapped Mode
Run the platform with all outbound network access blocked, including DNS. For regulated and isolated environments where the platform must not reach the internet.
Integrations
API Reference
CraftedSignal REST API reference for CI/CD integration: lint, test, deploy, rollback, approval workflows, health metrics, and rate limits by pricing tier.
Platform Guides
Platform integration guides for Splunk (SPL), Microsoft Sentinel (KQL), CrowdStrike (IOA), and Rapid7 InsightIDR (LEQL) with setup, credentials, and multi-SIEM deployment.