implementing-siem-use-cases-for-detection

Implements SIEM detection use cases by designing correlation rules, threshold alerts, and behavioral analytics mapped to MITRE ATT&CK techniques across Splunk, Elastic, and Sentinel. Use when SOC teams need to expand detection coverage, formalize use case lifecycle management, or build a detection library aligned to organizational threat profile.

AI & Automation 12,642 stars 1468 forks Updated today Apache-2.0

Skill Content

# Implementing SIEM Use Cases for Detection

## When to Use

Use this skill when:

- SOC teams need to build or expand their SIEM detection library from scratch
- Threat assessments identify ATT&CK technique gaps requiring new detection rules
- Detection engineers need a structured process for use case design, testing, and deployment
- Compliance requirements mandate specific detection capabilities (PCI DSS, HIPAA, SOX)

**Do not use** for ad-hoc hunting queries — use cases are formalized, tested, and maintained detection rules, not exploratory searches.

## Prerequisites

- SIEM platform (Splunk ES, Elastic Security, or Microsoft Sentinel) with production data
- ATT&CK Navigator for coverage gap analysis
- Log sources normalized to CIM/ECS field standards
- Use case documentation framework (wiki, Git repo, or detection engineering platform)
- Testing environment with attack simulation tools (Atomic Red Team, MITRE Caldera)

## Workflow

### Step 1: Assess Detection Coverage Gaps

Map current detection rules to ATT&CK and identify gaps:

```python
import json

# Load current detection rules mapped to ATT&CK
current_rules = [
    {"name": "Brute Force Detection", "techniques": ["T1110.001", "T1110.003"]},
    {"name": "Malware Hash Match", "techniques": ["T1204.002"]},
    {"name": "Suspicious PowerShell", "techniques": ["T1059.001"]},
]

# Load ATT&CK Enterprise techniques
with open("enterprise-attack.json") as f:
    attack = json.load(f)

all_techniques = set()
for obj in at...
```

Details

Author: mukul975
Repository: mukul975/Anthropic-Cybersecurity-Skills
Created: 3 months ago
Last Updated: today
Language: Python
License: Apache-2.0
