From sentinel
Documents Microsoft Sentinel analytics rules as comprehensive SOC use cases. Use when the user wants to document a Sentinel rule, create SOC documentation, generate use case docs from an ARM template, or document a KQL detection query.
Slash command: `/sentinel:sentinel-use-case-documentor`
Transforms Sentinel ARM template exports into standardized SOC use case documentation.
Example: Document this Sentinel rule: @rule.json
| Mode | Use When | Behavior |
|---|---|---|
| Quick | Batch processing, time-sensitive | Generate with [HUMAN INPUT REQUIRED] placeholders |
| Guided | Critical rules, compliance audits | Interactive Q&A before generating |
Read these files to understand expected output:
- expected_output.md - Complete example
- references/TEMPLATE.md - Copyable template
Use AskUserQuestion: "How would you like to document this rule?"
Extract from resources[0].properties:
| Field | Path | Output Section |
|---|---|---|
| displayName | .displayName | Use Case Name |
| description | .description | Purpose |
| severity | .severity | SOC Notification |
| query | .query | Detection Logic |
| queryFrequency | .queryFrequency | Timing |
| queryPeriod | .queryPeriod | Timing |
| tactics | .tactics[] | MITRE Mapping |
| techniques | .techniques[] | MITRE Mapping |
| entityMappings | .entityMappings[] | Alert Fields |
Identify from query field:
- (see references/REFERENCE.md for full mapping)
- Thresholds: `count() >= N`, `where X > N`
- Time windows: `bin(TimeGenerated, Xm)`, `ago(Xd)`
- Structured comments: `// DESCRIPTION:`, `// INVESTIGATION STEPS:`, `// FALSE POSITIVE:`
Apply inference rules from references/REFERENCE.md:
Copy references/TEMPLATE.md and fill placeholders.
Quick Mode: Fill what you can, mark gaps with [HUMAN INPUT REQUIRED]
Guided Mode: Ask for each gap:
Save to {original_filename}_UseCase.md in the same directory.
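The extraction steps above, worked through in code as an added example (not one of the skill's own files): it reads `resources[0].properties` from a constructed minimal ARM export, maps the fields onto the template sections, and identifies thresholds, time windows, tables and tagged comments in the KQL query. The sample rule, the `analyze_query` and `extract_use_case` names, and the regex patterns are assumptions for this illustration.

```python
import json
import re
# Constructed minimal Sentinel analytics rule ARM export (not a real rule);
# only the resources[0].properties fields the skill reads are populated.
SAMPLE_ARM = json.dumps({"resources": [{"properties": {
    "displayName": "Excessive failed sign-ins per user",
    "description": "Flags accounts with many failed sign-ins in a short window.",
    "severity": "Medium",
    "query": ("// DESCRIPTION: Brute-force style sign-in failures\n"
              "// INVESTIGATION STEPS: Check source IP, confirm with user\n"
              "// FALSE POSITIVE: Password rotation, misconfigured clients\n"
              "SigninLogs\n| where TimeGenerated > ago(1h)\n| where ResultType != 0\n"
              "| summarize Failures=count() by UserPrincipalName, bin(TimeGenerated, 10m)\n"
              "| where Failures >= 20"),
    "queryFrequency": "PT1H", "queryPeriod": "PT1H",
    "tactics": ["CredentialAccess"], "techniques": ["T1110"],
    "entityMappings": [{"entityType": "Account", "fieldMappings": [
        {"identifier": "FullName", "columnName": "UserPrincipalName"}]}],
}}]})

def analyze_query(query: str) -> dict:
    """Identify tables, thresholds, time windows and tagged comments in KQL."""
    lines = [ln.strip() for ln in query.splitlines() if ln.strip()]
    return {
        # a line that is neither a comment nor a pipe operator names a table
        "tables": [ln for ln in lines if not ln.startswith(("//", "|"))],
        # numeric lower bounds such as 'where X >= N' or 'count() >= N'
        "thresholds": [" ".join(m) for m in re.findall(
            r"(count\(\)|(?<=where\s)\w+)\s*(>=|>)\s*(\d+)", query)],
        # look-back (ago) and bucketing (bin) windows
        "time_windows": re.findall(r"ago\(\d+[smhd]\)|bin\(TimeGenerated,\s*\d+[smhd]\)", query),
        # structured comments the template sections are filled from
        "comments": dict(re.findall(
            r"^//\s*(DESCRIPTION|INVESTIGATION STEPS|FALSE POSITIVE):\s*(.*)$", query, re.M)),
    }

def extract_use_case(arm_json: str) -> dict:
    """Map resources[0].properties onto the use-case template sections."""
    p = json.loads(arm_json)["resources"][0]["properties"]
    return {
        "Use Case Name": p["displayName"],
        "Purpose": p["description"],
        "SOC Notification": p["severity"],
        "Detection Logic": analyze_query(p["query"]),
        "Timing": {k: p[k] for k in ("queryFrequency", "queryPeriod")},
        "MITRE Mapping": {k: p.get(k, []) for k in ("tactics", "techniques")},
        "Alert Fields": [f"{e['entityType']}: {f['columnName']}" for e in
                         p.get("entityMappings", []) for f in e["fieldMappings"]],
    }
```

Anything the parser leaves empty (no tagged comments, no threshold found) is exactly where Quick Mode would place a [HUMAN INPUT REQUIRED] marker.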
| File | Purpose |
|---|---|
| references/TEMPLATE.md | Copyable template with placeholders |
| references/FORMS.md | Guide explaining each section |
| references/REFERENCE.md | Technical details: ARM parsing, KQL analysis, inference mappings |
| references/MCP_INTEGRATION.md | Optional MCP server enhancements |
| expected_output.md | Complete example output |
| sample_input.json | Example ARM template |
If available, use these MCP servers to enrich documentation:
- mitreattack - Official MITRE technique descriptions
- MS-Sentinel-MCP-Server - Validate table schemas and KQL
- detection-nexus - Find related detections
See references/MCP_INTEGRATION.md for details.
Install: `npx claudepluginhub dstreefkerk/claude-skills --plugin sentinel`