Implements multi-event correlation rules in Splunk SPL and Sigma formats to detect APT lateral movement by linking Windows events (4624, 4648, 4688) and Sysmon (1/3) across hosts in time windows.
Slash command: `/cybersecurity-skills-zh:implementing-siem-correlation-rules-for-apt`
1. Install dependencies: `pip install requests pyyaml sigma-cli`
2. Convert Sigma rules to Splunk SPL with `sigma-cli convert`.
3. Run the agent: `python scripts/agent.py --splunk-url https://localhost:8089 --username admin --password changeme --output correlation_report.json`
```spl
index=wineventlog (EventCode=4624 Logon_Type=10) OR (EventCode=7045)
| transaction Computer maxspan=15m startswith=(EventCode=4624) endswith=(EventCode=7045)
| where eventcount >= 2
| table _time Computer Account_Name ServiceName
```
```yaml
title: PsExec 横向移动检测
logsource:
  product: windows
  service: sysmon
detection:
  pipe_created:
    EventID: 17
    PipeName|startswith: '\PSEXESVC'
  service_installed:
    EventID: 7045
    ServiceFileName|contains: 'PSEXESVC'
  timeframe: 5m
  condition: pipe_created | near service_installed
level: high
```
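As an added example (not part of the skill or this page), the following Python correlator applies both rules above to constructed events: the SPL `transaction` form (ordered, `maxspan=15m`) and the Sigma `near`/`timeframe` form (either order, 5 minutes). The event dicts, host names, timestamps and field names are constructed sample data, not real telemetry.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). WS01 shows the full chain;
# WS02 has the PsExec pair but 25 minutes apart, so it must not alert.
EVENTS = [
    {"ts": "2024-05-01T10:00:00", "Computer": "WS01", "EventID": 4624, "Logon_Type": 10, "Account_Name": "jdoe"},
    {"ts": "2024-05-01T10:02:30", "Computer": "WS01", "EventID": 7045, "ServiceFileName": "C:\\Windows\\PSEXESVC.exe"},
    {"ts": "2024-05-01T10:02:35", "Computer": "WS01", "EventID": 17, "PipeName": "\\PSEXESVC"},
    {"ts": "2024-05-01T11:00:00", "Computer": "WS02", "EventID": 7045, "ServiceFileName": "C:\\Windows\\PSEXESVC.exe"},
    {"ts": "2024-05-01T11:25:00", "Computer": "WS02", "EventID": 17, "PipeName": "\\PSEXESVC"},
]

def correlate(events, first, second, timeframe, ordered=True, key="Computer"):
    """Pair events sharing `key` that lie within `timeframe` of each other.
    ordered=True:  `first` must precede `second` (SPL transaction startswith/endswith/maxspan).
    ordered=False: either order matches (Sigma `near` with `timeframe`)."""
    hits, by_key = [], {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_key.setdefault(ev[key], []).append(ev)
    for host_events in by_key.values():
        for i, a in enumerate(host_events):
            t_a = datetime.fromisoformat(a["ts"])
            for b in host_events[i + 1:]:
                if datetime.fromisoformat(b["ts"]) - t_a > timeframe:
                    break  # events are time-sorted, so later ones are further away
                if first(a) and second(b) or (not ordered and second(a) and first(b)):
                    hits.append((a, b))
                    break  # one pair per earlier event keeps the alert volume bounded
    return hits

# Predicates mirroring the selections in the SPL query and the Sigma rule above.
def psexec_pipe(e):
    return e["EventID"] == 17 and e.get("PipeName", "").startswith("\\PSEXESVC")
def psexec_service(e):
    return e["EventID"] == 7045 and "PSEXESVC" in e.get("ServiceFileName", "")
def rdp_logon(e):
    return e["EventID"] == 4624 and e.get("Logon_Type") == 10
def service_installed(e):
    return e["EventID"] == 7045

def detect_psexec(events=EVENTS):
    """Sigma rule: pipe_created | near service_installed, timeframe 5m -> hosts."""
    pairs = correlate(events, psexec_pipe, psexec_service, timedelta(minutes=5), ordered=False)
    return sorted({a["Computer"] for a, _ in pairs})

def detect_rdp_then_service(events=EVENTS):
    """SPL query: 4624 Logon_Type=10 followed by 7045 on the same host within 15m."""
    pairs = correlate(events, rdp_logon, service_installed, timedelta(minutes=15))
    return [(a["Computer"], a["Account_Name"], b["ServiceFileName"]) for a, b in pairs]
```

Note that `near` is deprecated in the current Sigma specification and is not supported by the pySigma-based `sigma-cli`, so converting the rule above to SPL may fail; the SPL `transaction` form or a host-side correlator like this one is the fallback.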
`npx claudepluginhub killvxk/cybersecurity-skills-zh`

Writes multi-event SIEM correlation rules to detect APT lateral movement by chaining Windows authentication, process execution, and network logs across hosts using Splunk SPL and Sigma rule format.
Generates multi-event correlation rules in Splunk SPL and Sigma format to detect APT lateral movement by chaining Windows Event IDs 4624, 4648, 4688 and Sysmon Events 1/3 across hosts in time windows.