Stats
Actions
Tags
From cybersecurity-skills
Engineers and audits SIEM detection rules — log source coverage, Sigma/KQL/SPL/Elastic query authoring, MITRE ATT&CK mapping, and false-positive tuning.
How this skill is triggered — by the user, by Claude, or both
Slash command
/cybersecurity-skills:siem-detectionThis skill is limited to the following tools:
The summary Claude sees in its skill listing — used to decide when to auto-load this skill
Build, audit, and maintain SIEM detection content — the rules that fire alerts. Distinct from `incident-triage` (responds when alerts fire) and from `soc-operations` (runs the SOC that triages alerts). This skill is the engineering layer: log coverage, rule authoring, tuning, and detection-as-code workflows.
Build, audit, and maintain SIEM detection content — the rules that fire alerts. Distinct from incident-triage (responds when alerts fire) and from soc-operations (runs the SOC that triages alerts). This skill is the engineering layer: log coverage, rule authoring, tuning, and detection-as-code workflows.
Cross-references: incident-triage for what happens after the alert, threat-hunting for proactive hypothesis-driven hunts that often graduate into detection rules, breach-patterns for detection ideas pulled from public breach disclosures, soc-operations for the alert-triage operations on top of the detections engineered here.
This skill covers:
This skill does NOT cover:
incident-triage)soc-operations)threat-hunting)Before writing any rule, audit what you can detect.
Categorize log sources by what they observe:
| Category | Sources | Observes |
|---|---|---|
| Endpoint | EDR (CrowdStrike, SentinelOne, Defender), Sysmon, osquery | Process exec, file write, network, registry, parent-child |
| Network | Zeek/Bro, Suricata, NSM, firewall, DNS query logs | Connections, protocols, DNS queries, TLS metadata |
| Identity | Okta, Entra ID, AD, Auth0, GCP/AWS sign-in | Authentications, MFA, group changes, role assignments |
| Cloud | CloudTrail (AWS), Audit Logs (GCP), Activity Log (Azure) | API calls — what was created/changed/deleted |
| Application | App logs, WAF logs, load balancer logs, gateway logs | Request URLs, status codes, auth outcomes |
| SaaS | Google Workspace, M365, Salesforce, GitHub audit | Admin actions, sharing, sensitive doc access |
Run a gap check:
Common blind spots:
ReadOnly: true events filtered out — pre-attack recon invisibleNot every threat needs a SIEM rule. Match the detection model to what you're detecting.
| Threat character | Best model | Example |
|---|---|---|
| Known IOC (hash, IP, domain) | Threat-intel lookup | Sysmon hash matches known malware |
| Known pattern (specific command, specific path) | Signature rule | powershell.exe -enc <base64> |
| Known anomaly (behavior outside baseline) | Statistical detection | Service account suddenly authenticating from new geography |
| Sequence of events | Correlation rule | Failed logon → success → privilege change in 5 min |
| Novel / never-seen-before | Threat hunting (see threat-hunting) | Hypothesis-driven SIEM search |
| Insider abuse | UEBA / risk scoring | Cumulative risky behaviors weighted over time |
Signature rules are cheapest to write and easiest to tune; statistical detections need baseline data and produce more false positives in the first month.
Sigma is the cross-SIEM detection format. Write the rule in Sigma; auto-convert to your backend via sigmac / sigma-cli / pySigma. Even if you only target Splunk today, future-you will thank you.
title: AWS IAM CreateUser Followed by AttachUserPolicy
id: <UUID>
status: experimental
description: Detects an identity creating a new IAM user and immediately attaching an admin policy
references:
- https://attack.mitre.org/techniques/T1136/003/
author: <name>
date: 2026-05-26
tags:
- attack.persistence
- attack.t1136.003
logsource:
product: aws
service: cloudtrail
detection:
create_user:
eventName: CreateUser
attach_policy:
eventName: AttachUserPolicy
requestParameters.policyArn|contains: 'Administrator'
timeframe: 10m
condition: create_user and attach_policy
falsepositives:
- Legitimate provisioning workflows (CI roles that bootstrap admin accounts)
level: high
SigninLogs
| where TimeGenerated > ago(1h)
| where ResultType != 0
| summarize FailureCount = count() by UserPrincipalName, IPAddress, bin(TimeGenerated, 5m)
| where FailureCount > 10
| join kind=inner (
SigninLogs
| where TimeGenerated > ago(1h)
| where ResultType == 0
) on UserPrincipalName, IPAddress
| project TimeGenerated, UserPrincipalName, IPAddress, FailureCount
(Failed logons spike on one user/IP, then a success on the same user/IP — classic password spray success.)
index=aws sourcetype=aws:cloudtrail
(eventName=CreateUser OR eventName=AttachUserPolicy)
| transaction userIdentity.arn maxspan=10m
| where like(eventName, "%CreateUser%") AND like(eventName, "%AttachUserPolicy%")
| table _time, userIdentity.arn, eventName, requestParameters
FROM logs-aws.cloudtrail-*
| WHERE event.action == "CreateUser" OR event.action == "AttachUserPolicy"
| STATS create_count = COUNT(*) BY user.arn, event.action
| WHERE create_count > 0
(Use the LookML / KQL / SPL / ES|QL that matches your SIEM, but author the canonical version in Sigma.)
Every rule should tag at least one ATT&CK technique. Coverage maps roll up to ATT&CK Navigator (navigator.mitre-attack.org):
The Navigator JSON format is open; building this report from your rules-as-code repo is a few hundred lines of Python and pays for itself the first time someone asks "what do we detect?"
The false-positive lifecycle:
level: experimental for 1-2 weekslevel: high / production only after FP rate is acceptableRules that have never fired are also a signal — either the log coverage is broken, the query is wrong, or the threat truly hasn't occurred. Verify which by running a deliberate-test event through the system.
Rules live in Git, not in the SIEM console.
detections/
├── aws/
│ ├── credential-access/
│ │ └── iam-create-user-attach-admin.yml
│ └── ...
├── windows/
├── linux/
└── identity/
└── okta-password-spray.yml
.github/workflows/
└── detection-ci.yml
CI checks:
sigma-cli check)sigma convert -t splunk etc.)Deployment: post-merge, push rules to the SIEM via API. Roll back via Git revert.
Coverage assessment:
# SIEM Detection Coverage
## Environment: [name]
## Date: [date]
### Log sources mapped
| Source | Status | Notes |
|---|---|---|
### ATT&CK coverage
| Tactic | Techniques covered / total | Blind spots |
|---|---|---|
### Rule inventory
| Rule | ATT&CK | Severity | Status | Last fired |
|------|--------|----------|--------|------------|
### Tuning queue
[Rules in experimental / needing FP triage]
### Recommended next 30 days
[Prioritized — usually 3-5 items]
Per-rule documentation lives with the rule (Sigma YAML), not in a separate runbook. The description, references, and falsepositives fields are the runbook.
npx claudepluginhub briiirussell/cybersecurity-skills --plugin cybersecurity-skillsBuilds vendor-agnostic Sigma detection rules for SIEMs like Splunk, Elastic, Sentinel from threat intel or MITRE ATT&CK. Converts rules to platform queries using pySigma or sigmac.
Designs SIEM correlation rules, threshold alerts, and behavioral analytics mapped to MITRE ATT&CK across Splunk, Elastic, and Sentinel. Use when SOC teams need to expand detection coverage or formalize use case lifecycle management.
Designs SIEM correlation rules, threshold alerts, and behavioral analytics mapped to MITRE ATT&CK across Splunk, Elastic, and Sentinel. Use when SOC teams need to expand detection coverage or formalize use case lifecycle management.