Maturity + first live-fire evidence for the 04-validation-lab testbed — from "well-engineered but never run" to tested, automated, and producing real defensive-validation evidence.
Highlights
- Live-fire 3/3. In a running, air-gapped cafesec.lab (DC + Sysmon on three Windows VMs + Windows Event Forwarding), all three Sigma rules were lit by benign, reversible, lab-owned stimuli that target non-existent dummy objects — captured live (Sysmon EID 1 / System 7045 / Security 4657) with timestamps and verbatim event fields, then confirmed forwarded to the central collector. See docs/cvp/live-fire-evidence.md.
- Offline 6/6. All Sigma rules convert and all YARA rules compile cleanly (first real, all-pass run).
- Tested & automated. 58 Pester tests (100% LabLogic coverage); CI adds Pester, ShellCheck, and an offline rule-validation gate plus a weekly drift sweep.
- Reproducible. Pinned tool/ISO versions + SHA256 in config/versions.psd1, verified at deploy time.
- Unattended provisioning (Windows autounattend + Ubuntu cloud-init + tested seed-ISO builder) and a resumable M0->M4 build walkthrough (zh + en) with the real install gotchas captured.
- Fixes: `Invoke-RuleValidation` Sigma backend target, `04-Verify-Isolation` IP projection, `Setup-RuleEngines` `$?` gating, `Reset-Lab` teardown guard.
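The "pinned versions + SHA256, verified at deploy time" check above, as an added illustration that is not the 04-validation-lab project's own code: it loads a `config/versions.psd1` manifest as pure data and refuses to continue if any pinned ISO/tool download is missing or its hash does not match. The manifest layout (a hashtable of artifact name to `File`/`SHA256`) is an assumption, not the project's actual schema.

```powershell
# Added example, not the 04-validation-lab project's own deploy script.
# Assumed (hypothetical) manifest shape for config/versions.psd1:
#   @{ WindowsServerIso = @{ File = 'downloads/winserver.iso'; SHA256 = '<64 hex chars>' } }
param(
    [string]$ManifestPath = 'config/versions.psd1',
    [string]$Root = (Get-Location).Path
)

# Import-PowerShellDataFile parses the .psd1 as data only; nothing inside it is executed.
$manifest = Import-PowerShellDataFile -Path $ManifestPath

$failures = @()
foreach ($name in $manifest.Keys) {
    $entry = $manifest[$name]
    $path  = Join-Path $Root $entry.File

    if (-not (Test-Path -LiteralPath $path)) {
        $failures += "${name}: missing file $path"
        continue
    }

    # Normalise the pinned value and reject anything that is not a full SHA256 digest.
    $expected = ($entry.SHA256 -replace '\s', '').ToUpperInvariant()
    if ($expected -notmatch '^[0-9A-F]{64}$') {
        $failures += "${name}: manifest value is not a 64-hex-character SHA256"
        continue
    }

    # Get-FileHash returns an uppercase hex digest, so a plain string compare is enough.
    $actual = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
    if ($actual -ne $expected) {
        $failures += "${name}: hash mismatch (expected $expected, got $actual)"
    }
}

if ($failures.Count -gt 0) {
    $failures | ForEach-Object { Write-Error $_ }
    throw "Pinned-artifact verification failed for $($failures.Count) item(s); refusing to deploy."
}
Write-Host "All $($manifest.Count) pinned artifacts verified against config/versions.psd1."
```

Run it from the repo root before any VM build step so a tampered or stale ISO stops the deploy rather than silently producing a lab that differs from the evidence docs.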
Safety
Synthetic / benign / lab-owned, not field-validated. No exploit, payload, or detection-bypass content; every stimulus targets a non-existent dummy and is fully reverted; the lab is driven over PowerShell Direct so isolation is never broken. Evidence docs carry a human reviewer gate.
Full detail: CHANGELOG.