
detection-sigmalisted

Generic detection rule creation and management using Sigma, the universal SIEM rule format. Sigma provides vendor-agnostic detection logic for log analysis across multiple SIEM platforms. Use when: (1) Creating detection rules for security monitoring, (2) Converting rules between SIEM platforms (Splunk, Elastic, QRadar, Sentinel), (3) Threat hunting with standardized detection patterns, (4) Building detection-as-code pipelines, (5) Mapping detections to MITRE ATT&CK tactics, (6) Implementing compliance-based monitoring rules.
aiskillstore/marketplace · ★ 329 · Data & Documents · score 85
Install: claude install-skill aiskillstore/marketplace
# Sigma Detection Engineering

## Overview

Sigma is to log detection what Snort is to network traffic and YARA is to files - a universal signature format for describing security-relevant log events. This skill helps create, validate, and convert Sigma rules for deployment across multiple SIEM platforms, enabling detection-as-code workflows.

**Core capabilities**:

- Create detection rules using Sigma format
- Convert rules to 25+ SIEM/EDR backends (Splunk, Elastic, QRadar, Sentinel, etc.)
- Validate rule syntax and logic
- Map detections to MITRE ATT&CK framework
- Build threat hunting queries
- Implement compliance-based monitoring

## Quick Start

### Install Dependencies

```bash
pip install pysigma pysigma-backend-splunk pysigma-backend-elasticsearch pyyaml
```

### Create a Basic Sigma Rule

```yaml
title: Suspicious PowerShell Execution
id: 7d6d30b8-5b91-4b90-a71e-4f5a3f5a3c3f
status: experimental
description: Detects suspicious PowerShell execution with encoded commands
references:
  - https://attack.mitre.org/techniques/T1059/001/
author: Your Name
date: YYYY/MM/DD
modified: YYYY/MM/DD
tags:
  - attack.execution
  - attack.t1059.001
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '\powershell.exe'
    CommandLine|contains:
      - '-enc'
      - '-EncodedCommand'
      - 'FromBase64String'
  condition: selection
falsepositives:
  - Legitimate administrative scripts
level:
```
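To see what the rule's `detection` block actually fires on, here is an added example (not part of this skill or of pysigma) that evaluates the selection above over constructed `process_creation` events with a minimal, stdlib-only matcher. It restates the rule as a Python dict rather than parsing the YAML so it runs without pyyaml, and it implements only the pieces the rule uses: the `|endswith` and `|contains` modifiers, the implicit AND across a selection's fields, and a condition that names a single selection.

```python
from typing import Any

# The detection block of the rule above, restated as a Python dict.
RULE_DETECTION = {
    "selection": {
        "Image|endswith": "\\powershell.exe",
        "CommandLine|contains": ["-enc", "-EncodedCommand", "FromBase64String"],
    },
    "condition": "selection",
}

def field_matches(field_spec: str, expected: Any, event: dict) -> bool:
    """Apply a Sigma field modifier (|endswith, |contains or none).
    A list of values is OR-ed; Sigma string matching is case-insensitive."""
    field, _, modifier = field_spec.partition("|")
    actual = str(event.get(field, "")).lower()
    values = expected if isinstance(expected, list) else [expected]
    for v in (str(x).lower() for x in values):
        if modifier == "endswith" and actual.endswith(v):
            return True
        if modifier == "contains" and v in actual:
            return True
        if modifier == "" and actual == v:
            return True
    return False

def selection_matches(selection: dict, event: dict) -> bool:
    """Every field in a selection map must match (implicit AND)."""
    return all(field_matches(k, v, event) for k, v in selection.items())

def rule_matches(detection: dict, event: dict) -> bool:
    """Evaluate a rule whose condition names a single selection."""
    return selection_matches(detection[detection["condition"].strip()], event)

# Constructed sample process_creation events (not real telemetry).
EVENTS = [
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -NoP -EnC PLACEHOLDER_BASE64"},   # hits -enc
    {"Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c whoami"},                             # wrong image
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -File C:\\scripts\\backup.ps1"},  # benign script
]

def matching_indices(detection: dict = RULE_DETECTION, events: list = EVENTS) -> list:
    """Indices of the events the rule fires on."""
    return [i for i, e in enumerate(events) if rule_matches(detection, e)]
```

Only the first event matches: the mixed-case `-EnC` is caught because Sigma compares case-insensitively, while the plain `-File` invocation is the "legitimate administrative scripts" false-positive class the rule leaves alone.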