From code-abyss
Writes Sigma/YARA detection rules, tunes SIEM/EDR, responds to incidents, conducts forensic analysis, and runs purple team exercises. Use for blue/purple team engineering.
Slash command: /code-abyss:detecting-and-responding
> Detection is engineering, not luck. Every rule must be able to answer four questions: **what / why / FP rate / response**.
Stand on the defending side: maintain alerts as code, manage security events as incidents, and treat hunting as hypothesis testing. Trust ranking of sources: project logs / raw EDR events > Sigma/YARA rule libraries > the official ATT&CK matrix > training memory (marked [unverified]).
| Intent | Codex | Trigger words |
|---|---|---|
| SIEM/EDR rules and tuning | siem-and-edr | Sigma, YARA, Splunk, Elastic, Sentinel, EDR, LOLBins, detection-as-code |
| Incident response and forensics | incident-response | IR, NIST 800-61, triage, chain of custody, Volatility, memory, runbook, postmortem |
| Threat hunting and purple team | threat-hunting | hunt, hypothesis, IOC, IOA, TTP, ATT&CK, Atomic Red Team, Caldera, honeypot |
Detection: log sources → rule authoring → alert triage → tuning to reduce noise → coverage matrix
Response: identify → contain → root cause → eradicate → recover → postmortem
Hunting: hypothesis → data sources → validate → codify as rules → automate → purple-team feedback loop
Every stage must be able to answer: "Which log am I looking at? Which hypothesis am I trying to falsify? What is my next action?"
| Scenario | Use | Use instead |
|---|---|---|
| Writing Sigma/YARA rules, tuning a SIEM | ✅ siem-and-edr | — |
| Handling an intrusion that has already happened, forensics | ✅ incident-response | — |
| Hypothesis-driven hunting / purple-team exercises | ✅ threat-hunting | — |
| Scoring ATT&CK detection coverage | ✅ threat-hunting | — |
| Designing application-layer defensive code | ❌ | defending-applications |
| Penetration testing, writing PoCs | ❌ | securing-systems (pentest/red-team) |
| Threat modeling, IAM architecture | ❌ | architecting-security |
| Static code scanning glue | ❌ | analyzing-security |
| Cloud configuration baselines, K8s hardening | ❌ | securing-cloud-and-supply-chain |
IP addresses use 192.0.2.0/24, domains use example.com, and usernames use <analyst>.
Install: npx claudepluginhub telagod/code-abyss --plugin code-abyss
Engineers and audits SIEM detection rules: log source coverage, Sigma/KQL/SPL/Elastic query authoring, MITRE ATT&CK mapping, and false-positive tuning.
Builds vendor-agnostic Sigma detection rules for SIEMs like Splunk, Elastic, Sentinel from threat intel or MITRE ATT&CK. Converts rules to platform queries using pySigma or sigmac.
Builds vendor-agnostic Sigma detection rules for cross-SIEM threat detection on Splunk, Elastic, and Microsoft Sentinel. Useful for threat intel, MITRE ATT&CK mapping, and pySigma conversions.