From cybersecurity-skills
Writes multi-event SIEM correlation rules to detect APT lateral movement by chaining Windows authentication, process execution, and network logs across hosts using Splunk SPL and Sigma rule format.
How this skill is triggered — by the user, by Claude, or both
Slash command
/cybersecurity-skills:implementing-siem-correlation-rules-for-apt
The summary Claude sees in its skill listing — used to decide when to auto-load this skill
- When deploying or configuring SIEM correlation rules for APT detection in your environment
pip install requests pyyaml sigma-cli
sigma-cli convert.
python scripts/agent.py --splunk-url https://localhost:8089 --username admin --password changeme --output correlation_report.json
index=wineventlog (EventCode=4624 Logon_Type=10) OR (EventCode=7045)
| transaction Computer maxspan=15m startswith=(EventCode=4624) endswith=(EventCode=7045)
| where eventcount >= 2
| table _time Computer Account_Name ServiceName
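As an added example that is not part of the skill's own scripts: the RDP-logon-then-service-install correlation the SPL above expresses, reimplemented in Python over constructed sample records so the pairing logic (per host, 15-minute window, logon must precede the install) can be tested without a Splunk instance. Field names are assumed to follow the Splunk Windows add-on (EventCode, Logon_Type, Computer, Account_Name, ServiceName); the sample events are constructed.

```python
from datetime import datetime, timedelta

MAXSPAN = timedelta(minutes=15)  # same window as the SPL maxspan=15m

# Constructed sample records (not real telemetry); field names are assumed to
# follow the Splunk Windows add-on (EventCode, Logon_Type, Computer, ...).
SAMPLE_EVENTS = [
    {"_time": datetime(2024, 1, 5, 9, 0), "EventCode": 4624, "Logon_Type": 10,
     "Computer": "FS01", "Account_Name": "svc_backup"},
    {"_time": datetime(2024, 1, 5, 9, 4), "EventCode": 7045,
     "Computer": "FS01", "ServiceName": "PSEXESVC"},
    # Logon type 3 (network) is outside the rule's scope: WS02 must not alert.
    {"_time": datetime(2024, 1, 5, 9, 10), "EventCode": 4624, "Logon_Type": 3,
     "Computer": "WS02", "Account_Name": "alice"},
    {"_time": datetime(2024, 1, 5, 9, 12), "EventCode": 7045,
     "Computer": "WS02", "ServiceName": "UpdateSvc"},
    # Service installed 40 min after the RDP logon exceeds maxspan: no alert.
    {"_time": datetime(2024, 1, 5, 10, 0), "EventCode": 4624, "Logon_Type": 10,
     "Computer": "DC01", "Account_Name": "admin"},
    {"_time": datetime(2024, 1, 5, 10, 40), "EventCode": 7045,
     "Computer": "DC01", "ServiceName": "Tooling"},
]


def correlate_rdp_then_service(events, maxspan=MAXSPAN):
    """One alert per host where a type-10 (RDP) logon is followed within
    `maxspan` by a 7045 service install; mirrors `transaction Computer
    startswith=(EventCode=4624) endswith=(EventCode=7045) | where eventcount>=2`."""
    open_logons = {}  # Computer -> most recent qualifying 4624 (open transaction)
    alerts = []
    for ev in sorted(events, key=lambda e: e["_time"]):
        host = ev["Computer"]
        if ev["EventCode"] == 4624 and ev.get("Logon_Type") == 10:
            open_logons[host] = ev  # startswith: (re)open the host's transaction
        elif ev["EventCode"] == 7045 and host in open_logons:
            start = open_logons.pop(host)  # endswith: close it
            if ev["_time"] - start["_time"] <= maxspan:
                alerts.append({"_time": start["_time"], "Computer": host,
                               "Account_Name": start["Account_Name"],
                               "ServiceName": ev.get("ServiceName")})
    return alerts


if __name__ == "__main__":
    for a in correlate_rdp_then_service(SAMPLE_EVENTS):
        print(a["_time"], a["Computer"], a["Account_Name"], a["ServiceName"])
```

Only FS01 produces an alert on the sample data; WS02 (wrong logon type) and DC01 (outside the window) are correctly ignored.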
title: PsExec Lateral Movement Detection
logsource:
    product: windows
    service: sysmon
detection:
    pipe_created:
        EventID: 17
        PipeName|startswith: '\PSEXESVC'
    service_installed:
        # Note: 7045 is written to the System channel, not by Sysmon, so a single
        # sysmon logsource will never see it; a production rule needs a second
        # logsource (or a Sigma v2 correlation rule) for this selection.
        EventID: 7045
        ServiceFileName|contains: 'PSEXESVC'
    timeframe: 5m
    # 'near' is the legacy Sigma v1 aggregation; Sigma v2 replaces it with
    # correlation rules of type temporal.
    condition: pipe_created | near service_installed
level: high
npx claudepluginhub costrict-plugins-repo/mukul975-anthropic-cybersecurity-skills-cybersecurity-skills
Generates multi-event correlation rules in Splunk SPL and Sigma format to detect APT lateral movement by chaining Windows Event IDs 4624, 4648, 4688 and Sysmon Events 1/3 across hosts in time windows.