opensearch-detection-engineer

Solid

OpenSearch detection engineering: SIGMA authoring, query DSL translation, MITRE ATT&CK mapping, anomaly detection, correlation rules, SOC incident escalation. Use for SIEM detection authoring, threshold tuning, alert validation, and Tier-1/Tier-2 escalation workflows.

AI & Automation 391 stars 36 forks Updated today MIT


Quality Score: 93/100

Stars (20%): 86
Recency (20%): 100
Frontmatter (20%): 70
Documentation (15%): 100
Issue Health (10%): 80
License (10%): 100
Description (5%): 100

Skill Content

# OpenSearch Detection Engineering

Methodology for authoring and validating SIEM detections on OpenSearch Security Analytics: SIGMA rules, query DSL translation, MITRE ATT&CK mapping, anomaly detection, correlation, and SOC incident escalation. Vendor-neutral framework with OpenSearch-specific API patterns.

## When to Use

| Trigger | Action |
|---------|--------|
| Author a new SIGMA rule or DSL detector | Load `detection-engineering.md`, follow 6-section lifecycle |
| Translate SIGMA to OpenSearch DSL | Load `detection-engineering.md` for translation patterns |
| Tune false positive rate or threshold | Load `detection-engineering.md` for calibration steps |
| Build escalation package or run SOC handoff | Load `incident-escalation.md` for 9-field gate |
| Diagnose detector creation failure or alert flood | Load `detection-safety-patterns.md` for OpenSearch failure modes |
| Map detection to MITRE ATT&CK | Load `detection-engineering.md` for tactic/technique catalog |

## Hardcoded Behaviors (Always Apply)

- **MITRE ATT&CK on every detection.** Include technique ID (e.g., `T1110.003`), tactic name (e.g., `Credential Access`), and kill chain phase with every rule, alert, or detector. Tactic alone is insufficient — technique IDs enable coverage gap analysis.
- **Field-existence check before rule creation.** Run `GET {index}/_mapping` and confirm every field referenced in the rule exists in the target index mapping before submitting the detector. Absent fields cause silent fa...

Details

Author
notque
Repository
notque/vexjoy-agent
Created
2 months ago
Last Updated
today
Language
Python
License
MIT

Similar Skills

Semantically similar based on skill content — not just same category

AI & Automation Featured

implementing-siem-use-cases-for-detection

Implements SIEM detection use cases by designing correlation rules, threshold alerts, and behavioral analytics mapped to MITRE ATT&CK techniques across Splunk, Elastic, and Sentinel. Use when SOC teams need to expand detection coverage, formalize use case lifecycle management, or build a detection library aligned to organizational threat profile.

12,642 Updated today
mukul975
AI & Automation Listed

alert-prioritization

Analyzes SIEM alert pipelines for rule optimization, alert fatigue reduction, criticality scoring, asset-based prioritization, and correlation rule design using NIST CSF and detection engineering principles.

USE THIS SKILL WHEN:
- Your SOC team is drowning in alerts and you need to reduce noise
- Someone asks about alert fatigue, false positive rates, or SIEM tuning
- You need to design or evaluate an alert criticality scoring framework
- A project involves SIEM rules (Splunk, Elastic, Sentinel, Chronicle, QRadar)
- You are building or reviewing detection-as-code pipelines
- Someone mentions MITRE ATT&CK coverage gaps or detection engineering
- You need to optimize correlation rules or SOAR playbook coverage
- Alert-to-incident conversion rates are below 30%
- Analysts are bulk-closing alerts or MTTA is trending upward

TRIGGER PHRASES: "alert fatigue", "SIEM tuning", "detection rules", "alert prioritization", "false positive rate", "correlation rules", "SOC optimization", "alert scoring", "detection engineeri

4 Updated today
tinh2
AI & Automation Featured

building-detection-rules-with-sigma

Builds vendor-agnostic detection rules using the Sigma rule format for threat detection across SIEM platforms including Splunk, Elastic, and Microsoft Sentinel. Use when creating portable detection logic from threat intelligence, mapping rules to MITRE ATT&CK techniques, or converting community Sigma rules into platform-specific queries using sigmac or pySigma backends.

12,642 Updated today
mukul975
AI & Automation Listed

building-detection-rules-with-sigma

Builds vendor-agnostic detection rules using the Sigma rule format for threat detection across SIEM platforms including Splunk, Elastic, and Microsoft Sentinel. Use when creating portable detection logic from threat intelligence, mapping rules to MITRE ATT&CK techniques, or converting community Sigma rules into platform-specific queries using sigmac or pySigma backends.

6 Updated today
26zl
Data & Documents Solid

detection-sigma

Generic detection rule creation and management using Sigma, the universal SIEM rule format. Sigma provides vendor-agnostic detection logic for log analysis across multiple SIEM platforms. Use when: (1) Creating detection rules for security monitoring, (2) Converting rules between SIEM platforms (Splunk, Elastic, QRadar, Sentinel), (3) Threat hunting with standardized detection patterns, (4) Building detection-as-code pipelines, (5) Mapping detections to MITRE ATT&CK tactics, (6) Implementing compliance-based monitoring rules.

335 Updated today
aiskillstore