siem-detection
Community
Engineer and audit high-signal SIEM detections
System Documentation
What problem does it solve?
It helps teams build reliable SIEM detection rules by ensuring the right log sources exist, mapping detections to MITRE ATT&CK, authoring queries in common SIEM formats, and tuning to reduce false positives.
Core Features & Use Cases
- Log source coverage assessment: identify blind spots before writing detections.
- Rule authoring and format translation: author in Sigma and convert to SIEM-specific query languages (Sigma -> KQL/SPL/Elastic/other backends).
- MITRE ATT&CK mapping and detection-as-code workflow: tag techniques for coverage analysis and manage rules in Git with CI/deployment checks.
- False-positive tuning lifecycle: deploy experimentally, measure fires, narrow logic, and promote only when FP rates are acceptable.
Use it when you need to convert an attack idea into actionable detection logic, improve existing alerts that are too noisy, or report detector coverage to stakeholders/auditors.
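The Sigma authoring, backend translation and tag-check steps above, as an added example written for this page (not the skill's own code): a constructed Sigma-style rule for a burst of failed network logons is rendered into KQL and SPL, and its ATT&CK tags are validated the way a detection-as-code CI job would. The backend table and index names (SecurityEvent, index=wineventlog) and the rule itself are assumptions.

```python
"""Render a minimal Sigma-style rule to KQL/SPL and check its ATT&CK tags."""
import re

# Constructed rule, written as the dict a YAML loader would return.
# The 'filter' block is the kind of narrowing added during FP tuning
# (here: exclude an internal source range that generated benign fires).
RULE = {
    "title": "Many failed network logons from one external source",
    "logsource": {"product": "windows", "service": "security"},
    "detection": {
        "selection": {"EventID": 4625, "LogonType": 3},
        "filter": {"IpAddress|startswith": "10."},
        "condition": "selection and not filter",
    },
    "tags": ["attack.credential_access", "attack.t1110.003"],
}

# Sigma convention: attack.<tactic> or attack.t<id>[.<sub-id>], lowercase.
ATTACK_TAG = re.compile(r"^attack\.(t\d{4}(\.\d{3})?|[a-z_]+)$")


def valid_tags(rule):
    """CI gate: every tag must be a well-formed ATT&CK tactic or technique."""
    return all(ATTACK_TAG.match(t) for t in rule.get("tags", []))


def _term(field, value, backend):
    """One field/value pair; '|startswith' is the only modifier supported."""
    name, _, mod = field.partition("|")
    if isinstance(value, int):
        return f"{name} == {value}" if backend == "kql" else f"{name}={value}"
    if mod == "startswith":
        return f'{name} startswith "{value}"' if backend == "kql" else f'{name}="{value}*"'
    return f'{name} == "{value}"' if backend == "kql" else f'{name}="{value}"'


def _block(selection, backend):
    joiner = " and " if backend == "kql" else " "   # SPL implies AND by juxtaposition
    return "(" + joiner.join(_term(f, v, backend) for f, v in selection.items()) + ")"


def render(rule, backend):
    """Substitute each named block into the condition, then add backend prefix."""
    d = rule["detection"]
    expr = d["condition"]
    for name, sel in d.items():
        if name != "condition":
            expr = re.sub(rf"\b{name}\b", lambda m, s=sel: _block(s, backend), expr)
    if backend == "kql":
        return f"SecurityEvent | where {expr}"
    expr = expr.replace(" and not ", " NOT ").replace(" and ", " AND ")
    return f"index=wineventlog {expr}"
```

Extending `_term` with further Sigma modifiers (contains, endswith, re) is the natural next step; real deployments should use the upstream Sigma converter rather than this illustration.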
Quick Start
Ask the AI agent: “Assess our SIEM log coverage for MITRE ATT&CK techniques relevant to account takeover, then draft Sigma rules with MITRE tags and explain how to tune false positives for my environment.”
Dependency Matrix
Required Modules
None required
Components
Standard package
Claude Code Installation
Recommended: Let Claude install automatically. Simply copy and paste the text below to Claude Code.
Please help me install this Skill: Name: siem-detection Download link: https://github.com/briiirussell/cybersecurity-skills/archive/main.zip#siem-detection Please download this .zip file, extract it, and install it in the .claude/skills/ directory.