스킬 detection-sigma
🛡️

detection-sigma

안전 🌐 네트워크 접근⚙️ 외부 명령어

Crear reglas de detección Sigma para SIEM

Los equipos de seguridad necesitan reglas de detección independientes del proveedor que funcionen en múltiples plataformas SIEM. Esta habilidad proporciona plantillas, flujos de trabajo y referencias para crear, validar y convertir reglas Sigma a Splunk, Elastic, Sentinel, QRadar y otras plataformas.

지원: Claude Codex Code(CC)
🥉 76 브론즈
1

스킬 ZIP 다운로드

2

Claude에서 업로드

설정 → 기능 → 스킬 → 스킬 업로드로 이동

3

토글을 켜고 사용 시작

테스트해 보기

"detection-sigma" 사용 중입니다. Crear una regla Sigma para detectar comandos codificados en PowerShell

예상 결과:

  • Regla: Ejecución sospechosa de PowerShell
  • Fuente de日志: Windows process_creation (Sysmon Event ID 1)
  • Detección: Image termina con powershell.exe Y CommandLine contiene -enc o FromBase64String
  • MITRE ATT&CK: T1059.001 (PowerShell) - táctica de ejecución
  • Backends soportados: Splunk SPL, Elastic Query DSL, Sentinel KQL, QRadar AQL
  • Severidad: Media con notas de falsos positivos para scripts de administrador

"detection-sigma" 사용 중입니다. Convertir esta regla a formato Splunk

예상 결과:

  • Sigma original: Detecta robo de credenciales vía acceso a memoria lsass.exe
  • Splunk SPL: index=windows EventID=4656 Image=*\lsass.exe GrantedAccess IN (0x1010, 0x1410)
  • Mapeos de campos verificados para Sysmon Event ID 10
  • Detección lista para Splunk Enterprise Security

"detection-sigma" 사용 중입니다. Crear detección de cumplimiento ISO 27001

예상 결과:

  • ISO 27001 A.12.4.1: Regla de monitoreo de actividad de usuario creada
  • Event IDs: 4624, 4625, 4634 para seguimiento de inicio/fin de sesión
  • Detección de actividad para cuentas admin, Administrator, root
  • Regla etiquetada: iso27001.a.12.4.1 para evidencia de cumplimiento

보안 감사

안전
v5 • 1/16/2026

Documentation-only skill containing YAML templates and reference guides for defensive security detection engineering. All static findings are FALSE POSITIVES - the flagged patterns are detection rules designed to identify malicious activity, not perform it. This skill does not contain executable code, network access, or file system operations. Previous Claude audit correctly identified this as safe.

14
스캔된 파일
3,140
분석된 줄 수
2
발견 사항
5
총 감사 수

위험 요인

🌐 네트워크 접근 (39)
assets/compliance-rules/iso27001-logging.yml:9 assets/compliance-rules/nist-800-53-audit.yml:9 assets/compliance-rules/pci-dss-monitoring.yml:8 assets/rule-templates/credential-access.yml:6 assets/rule-templates/lateral-movement.yml:6 assets/rule-templates/persistence.yml:6 assets/rule-templates/privilege-escalation.yml:6 references/backend-support.md:277 references/backend-support.md:265 references/backend-support.md:285 references/backend-support.md:387 references/backend-support.md:388 references/backend-support.md:389 references/backend-support.md:390 references/compliance-mappings.md:358 references/compliance-mappings.md:359 references/compliance-mappings.md:360 references/compliance-mappings.md:361 references/field-modifiers.md:424 references/field-modifiers.md:425 references/field-modifiers.md:426 references/log-source-guide.md:259 references/log-source-guide.md:260 references/log-source-guide.md:261 references/log-source-guide.md:140 references/mitre-attack-mapping.md:360 references/mitre-attack-mapping.md:361 references/mitre-attack-mapping.md:362 skill-report.json:6 SKILL.md:19 SKILL.md:20 SKILL.md:21 SKILL.md:54 SKILL.md:206 SKILL.md:501 SKILL.md:502 SKILL.md:503 SKILL.md:504 SKILL.md:505
⚙️ 외부 명령어 (478)
assets/rule-templates/credential-access.yml:71 references/backend-support.md:7 references/backend-support.md:12-14 references/backend-support.md:14-17 references/backend-support.md:17-19 references/backend-support.md:19-22 references/backend-support.md:22-24 references/backend-support.md:24-28 references/backend-support.md:28-32 references/backend-support.md:32 references/backend-support.md:32-33 references/backend-support.md:33 references/backend-support.md:33-34 references/backend-support.md:34 references/backend-support.md:34-38 references/backend-support.md:38 references/backend-support.md:38-43 references/backend-support.md:43-45 references/backend-support.md:45-48 references/backend-support.md:48-50 references/backend-support.md:50-53 references/backend-support.md:53-64 references/backend-support.md:64-72 references/backend-support.md:72 references/backend-support.md:72-73 references/backend-support.md:73 references/backend-support.md:73-74 references/backend-support.md:74 references/backend-support.md:74-78 references/backend-support.md:78 references/backend-support.md:78-83 references/backend-support.md:83-85 references/backend-support.md:85-88 references/backend-support.md:88-90 references/backend-support.md:90-93 references/backend-support.md:93-98 references/backend-support.md:98-106 references/backend-support.md:106 references/backend-support.md:106-107 references/backend-support.md:107 references/backend-support.md:107-108 references/backend-support.md:108 references/backend-support.md:108-112 references/backend-support.md:112 references/backend-support.md:112-117 references/backend-support.md:117-119 references/backend-support.md:119-122 references/backend-support.md:122-124 references/backend-support.md:124-127 references/backend-support.md:127-131 references/backend-support.md:131-140 references/backend-support.md:140-145 references/backend-support.md:145-147 references/backend-support.md:147-150 references/backend-support.md:150-154 references/backend-support.md:154-162 references/backend-support.md:162-167 references/backend-support.md:167-169 references/backend-support.md:169-189 references/backend-support.md:189-191 references/backend-support.md:191-195 references/backend-support.md:195-210 references/backend-support.md:210-218 references/backend-support.md:218-221 references/backend-support.md:221 references/backend-support.md:221-247 references/backend-support.md:247-255 references/backend-support.md:255-261 references/backend-support.md:261-278 references/backend-support.md:278-282 references/backend-support.md:282-297 references/backend-support.md:297-301 references/backend-support.md:301-310 references/backend-support.md:310-316 references/backend-support.md:316-324 references/backend-support.md:324-328 references/backend-support.md:328-340 references/backend-support.md:340-344 references/backend-support.md:344-350 references/backend-support.md:350-356 references/backend-support.md:356-359 references/backend-support.md:359-362 references/backend-support.md:362-364 references/backend-support.md:23 references/backend-support.md:58 references/backend-support.md:96 references/backend-support.md:130 references/backend-support.md:151 references/backend-support.md:269 references/backend-support.md:306 references/backend-support.md:320 references/backend-support.md:334 references/backend-support.md:348 references/compliance-mappings.md:11 references/compliance-mappings.md:18-26 references/compliance-mappings.md:26-30 references/compliance-mappings.md:30-37 references/compliance-mappings.md:37-45 references/compliance-mappings.md:45-49 references/compliance-mappings.md:49-56 references/compliance-mappings.md:56-64 references/compliance-mappings.md:64-68 references/compliance-mappings.md:68-75 references/compliance-mappings.md:75-85 references/compliance-mappings.md:85-89 references/compliance-mappings.md:89-96 references/compliance-mappings.md:96-105 references/compliance-mappings.md:105-113 references/compliance-mappings.md:113-124 references/compliance-mappings.md:124-135 references/compliance-mappings.md:135-146 references/compliance-mappings.md:146-157 references/compliance-mappings.md:157-164 references/compliance-mappings.md:164-173 references/compliance-mappings.md:173-179 references/compliance-mappings.md:179-190 references/compliance-mappings.md:190-203 references/compliance-mappings.md:203-212 references/compliance-mappings.md:212-222 references/compliance-mappings.md:222-228 references/compliance-mappings.md:228-239 references/compliance-mappings.md:239-246 references/compliance-mappings.md:246-256 references/compliance-mappings.md:256-262 references/compliance-mappings.md:262-273 references/compliance-mappings.md:273-313 references/compliance-mappings.md:313-316 references/compliance-mappings.md:316-319 references/compliance-mappings.md:319-324 references/compliance-mappings.md:324-330 references/compliance-mappings.md:330-342 references/compliance-mappings.md:342-346 references/compliance-mappings.md:346-348 references/compliance-mappings.md:348-354 references/field-modifiers.md:5 references/field-modifiers.md:7 references/field-modifiers.md:16-20 references/field-modifiers.md:20-23 references/field-modifiers.md:23-24 references/field-modifiers.md:24-25 references/field-modifiers.md:25-34 references/field-modifiers.md:34-38 references/field-modifiers.md:38-41 references/field-modifiers.md:41-42 references/field-modifiers.md:42-45 references/field-modifiers.md:45-54 references/field-modifiers.md:54-58 references/field-modifiers.md:58-61 references/field-modifiers.md:61-62 references/field-modifiers.md:62-71 references/field-modifiers.md:71-78 references/field-modifiers.md:78-91 references/field-modifiers.md:91-95 references/field-modifiers.md:95-98 references/field-modifiers.md:98-99 references/field-modifiers.md:99-108 references/field-modifiers.md:108-112 references/field-modifiers.md:112-121 references/field-modifiers.md:121-125 references/field-modifiers.md:125-129 references/field-modifiers.md:129-138 references/field-modifiers.md:138-142 references/field-modifiers.md:142-147 references/field-modifiers.md:147-148 references/field-modifiers.md:148-149 references/field-modifiers.md:149-158 references/field-modifiers.md:158-162 references/field-modifiers.md:162-164 references/field-modifiers.md:164-173 references/field-modifiers.md:173-177 references/field-modifiers.md:177-186 references/field-modifiers.md:186-191 references/field-modifiers.md:191-202 references/field-modifiers.md:202-207 references/field-modifiers.md:207-218 references/field-modifiers.md:218-220 references/field-modifiers.md:220-230 references/field-modifiers.md:230-235 references/field-modifiers.md:235-239 references/field-modifiers.md:239-245 references/field-modifiers.md:245-255 references/field-modifiers.md:255-259 references/field-modifiers.md:259-267 references/field-modifiers.md:267-271 references/field-modifiers.md:271-279 references/field-modifiers.md:279-283 references/field-modifiers.md:283-290 references/field-modifiers.md:290-316 references/field-modifiers.md:316-318 references/field-modifiers.md:318-321 references/field-modifiers.md:321-323 references/field-modifiers.md:323-327 references/field-modifiers.md:327-330 references/field-modifiers.md:330-333 references/field-modifiers.md:333-336 references/field-modifiers.md:336-340 references/field-modifiers.md:340-347 references/field-modifiers.md:347-349 references/field-modifiers.md:349-352 references/field-modifiers.md:352-356 references/field-modifiers.md:356-364 references/field-modifiers.md:364-370 references/field-modifiers.md:370-374 references/field-modifiers.md:374 references/field-modifiers.md:374-376 references/field-modifiers.md:376-384 references/field-modifiers.md:384-390 references/field-modifiers.md:390-393 references/field-modifiers.md:393 references/field-modifiers.md:393-405 references/field-modifiers.md:405-411 references/field-modifiers.md:411-415 references/field-modifiers.md:415-418 references/field-modifiers.md:418 references/field-modifiers.md:418 references/field-modifiers.md:19 references/field-modifiers.md:23 references/field-modifiers.md:23 references/field-modifiers.md:24 references/field-modifiers.md:25 references/field-modifiers.md:37 references/field-modifiers.md:41 references/field-modifiers.md:42 references/field-modifiers.md:45 references/field-modifiers.md:57 references/field-modifiers.md:61 references/field-modifiers.md:61 references/field-modifiers.md:62 references/field-modifiers.md:75 references/field-modifiers.md:94 references/field-modifiers.md:98 references/field-modifiers.md:99 references/field-modifiers.md:111 references/field-modifiers.md:176 references/field-modifiers.md:176 references/field-modifiers.md:176 references/field-modifiers.md:234 references/field-modifiers.md:243 references/field-modifiers.md:249 references/field-modifiers.md:250 references/field-modifiers.md:264 references/field-modifiers.md:317 references/field-modifiers.md:322 references/field-modifiers.md:331 references/field-modifiers.md:338 references/field-modifiers.md:348 references/field-modifiers.md:354 references/field-modifiers.md:377 references/field-modifiers.md:379 references/field-modifiers.md:265 references/log-source-guide.md:12 references/log-source-guide.md:13 references/log-source-guide.md:14 references/log-source-guide.md:15 references/log-source-guide.md:16 references/log-source-guide.md:17 references/log-source-guide.md:18 references/log-source-guide.md:21-29 references/log-source-guide.md:29-38 references/log-source-guide.md:38-39 references/log-source-guide.md:39-40 references/log-source-guide.md:40-41 references/log-source-guide.md:41-42 references/log-source-guide.md:42-43 references/log-source-guide.md:43-44 references/log-source-guide.md:44-47 references/log-source-guide.md:47-55 references/log-source-guide.md:55-64 references/log-source-guide.md:64-65 references/log-source-guide.md:65-66 references/log-source-guide.md:66-69 references/log-source-guide.md:69-77 references/log-source-guide.md:77-86 references/log-source-guide.md:86-87 references/log-source-guide.md:87-88 references/log-source-guide.md:88-91 references/log-source-guide.md:91-98 references/log-source-guide.md:98-107 references/log-source-guide.md:107-108 references/log-source-guide.md:108-109 references/log-source-guide.md:109-112 references/log-source-guide.md:112-120 references/log-source-guide.md:120-129 references/log-source-guide.md:129-130 references/log-source-guide.md:130-131 references/log-source-guide.md:131-134 references/log-source-guide.md:134-141 references/log-source-guide.md:141-150 references/log-source-guide.md:150-151 references/log-source-guide.md:151-152 references/log-source-guide.md:152-153 references/log-source-guide.md:153-162 references/log-source-guide.md:162-163 references/log-source-guide.md:163-164 references/log-source-guide.md:164-165 references/log-source-guide.md:165-166 references/log-source-guide.md:166-169 references/log-source-guide.md:169-176 references/log-source-guide.md:176-182 references/log-source-guide.md:182-183 references/log-source-guide.md:183-184 references/log-source-guide.md:184-185 references/log-source-guide.md:185-186 references/log-source-guide.md:186-187 references/log-source-guide.md:187-188 references/log-source-guide.md:188-189 references/log-source-guide.md:189-190 references/log-source-guide.md:190-191 references/log-source-guide.md:191-197 references/log-source-guide.md:197-201 references/log-source-guide.md:201-204 references/log-source-guide.md:204-205 references/log-source-guide.md:205-206 references/log-source-guide.md:206-207 references/log-source-guide.md:207-208 references/log-source-guide.md:208-215 references/log-source-guide.md:215-216 references/log-source-guide.md:216-217 references/log-source-guide.md:217-218 references/log-source-guide.md:218-219 references/log-source-guide.md:219-222 references/log-source-guide.md:222 references/log-source-guide.md:222-223 references/log-source-guide.md:223 references/log-source-guide.md:223-224 references/log-source-guide.md:224-227 references/log-source-guide.md:227-228 references/log-source-guide.md:228-231 references/log-source-guide.md:231-232 references/log-source-guide.md:232-239 references/log-source-guide.md:239 references/log-source-guide.md:239-240 references/log-source-guide.md:240 references/log-source-guide.md:240-241 references/log-source-guide.md:241 references/log-source-guide.md:241-244 references/log-source-guide.md:244 references/log-source-guide.md:244-245 references/log-source-guide.md:245 references/log-source-guide.md:245-246 references/log-source-guide.md:246 references/log-source-guide.md:27 references/mitre-attack-mapping.md:25-35 references/mitre-attack-mapping.md:35-38 references/mitre-attack-mapping.md:38-42 references/mitre-attack-mapping.md:42-49 references/mitre-attack-mapping.md:49-58 references/mitre-attack-mapping.md:58-69 references/mitre-attack-mapping.md:69-76 references/mitre-attack-mapping.md:76-85 references/mitre-attack-mapping.md:85-93 references/mitre-attack-mapping.md:93-102 references/mitre-attack-mapping.md:102-109 references/mitre-attack-mapping.md:109-116 references/mitre-attack-mapping.md:116-123 references/mitre-attack-mapping.md:123-132 references/mitre-attack-mapping.md:132-140 references/mitre-attack-mapping.md:140-147 references/mitre-attack-mapping.md:147-151 references/mitre-attack-mapping.md:151-160 references/mitre-attack-mapping.md:160-168 references/mitre-attack-mapping.md:168-175 references/mitre-attack-mapping.md:175-181 references/mitre-attack-mapping.md:181-190 references/mitre-attack-mapping.md:190-200 references/mitre-attack-mapping.md:200-207 references/mitre-attack-mapping.md:207-216 references/mitre-attack-mapping.md:216-227 references/mitre-attack-mapping.md:227-232 references/mitre-attack-mapping.md:232-239 references/mitre-attack-mapping.md:239-247 references/mitre-attack-mapping.md:247-256 references/mitre-attack-mapping.md:256-265 references/mitre-attack-mapping.md:265-276 references/mitre-attack-mapping.md:276-289 references/mitre-attack-mapping.md:289-298 references/mitre-attack-mapping.md:298-306 references/mitre-attack-mapping.md:306-315 references/mitre-attack-mapping.md:315-324 references/mitre-attack-mapping.md:324-330 references/mitre-attack-mapping.md:330-334 references/mitre-attack-mapping.md:334-337 references/mitre-attack-mapping.md:337-343 references/mitre-attack-mapping.md:343-349 references/mitre-attack-mapping.md:349-356 references/mitre-attack-mapping.md:18 references/mitre-attack-mapping.md:20 references/mitre-attack-mapping.md:28 references/mitre-attack-mapping.md:352 references/mitre-attack-mapping.md:46 references/mitre-attack-mapping.md:52 skill-report.json:123 skill-report.json:125 skill-report.json:127 skill-report.json:128 SKILL.md:42-44 SKILL.md:44-48 SKILL.md:48-75 SKILL.md:75-79 SKILL.md:79-88 SKILL.md:88-98 SKILL.md:98-126 SKILL.md:126-139 SKILL.md:139-148 SKILL.md:148-166 SKILL.md:166-171 SKILL.md:171-184 SKILL.md:184-200 SKILL.md:200-204 SKILL.md:204-216 SKILL.md:216-220 SKILL.md:220-261 SKILL.md:261-267 SKILL.md:267-268 SKILL.md:268-269 SKILL.md:269-270 SKILL.md:270-271 SKILL.md:271-272 SKILL.md:272-273 SKILL.md:273-276 SKILL.md:276-283 SKILL.md:283-301 SKILL.md:301-302 SKILL.md:302-303 SKILL.md:303-304 SKILL.md:304-308 SKILL.md:308-309 SKILL.md:309-310 SKILL.md:310-311 SKILL.md:311-312 SKILL.md:312-316 SKILL.md:316-317 SKILL.md:317-318 SKILL.md:318-319 SKILL.md:319-320 SKILL.md:320-322 SKILL.md:322-323 SKILL.md:323-324 SKILL.md:324-325 SKILL.md:325-333 SKILL.md:333-346 SKILL.md:346-352 SKILL.md:352-369 SKILL.md:369-375 SKILL.md:375-388 SKILL.md:388-396 SKILL.md:396-412 SKILL.md:412-417 SKILL.md:417-437 SKILL.md:437-438 SKILL.md:438-447 SKILL.md:447 SKILL.md:447-455 SKILL.md:455-464 SKILL.md:464-470 SKILL.md:470-473 SKILL.md:473-474 SKILL.md:474-475 SKILL.md:475-476 SKILL.md:476-477 SKILL.md:477-478 SKILL.md:478-479 SKILL.md:479-480 SKILL.md:480-481 SKILL.md:481-482 SKILL.md:482-483 SKILL.md:483-484 SKILL.md:49 SKILL.md:52 SKILL.md:66 SKILL.md:112 SKILL.md:256 SKILL.md:280 SKILL.md:282 SKILL.md:340 SKILL.md:467 SKILL.md:257 SKILL.md:341
감사자: claude 감사 이력 보기 →

품질 점수

59
아키텍처
100
유지보수성
87
콘텐츠
22
커뮤니티
100
보안
96
사양 준수

만들 수 있는 것

Construir reglas de detección

Crear reglas de detección para seguridad basada en inteligencia de amenazas y patrones de ataque.

Migrar reglas SIEM

Convertir reglas de detección existentes entre plataformas SIEM o construir nuevas reglas desde la especificación Sigma.

Monitoreo de cumplimiento

Implementar reglas de detección para requisitos de auditoría de PCI-DSS, NIST 800-53 e ISO 27001.

이 프롬프트를 사용해 보세요

Regla de detección básica 
Crear una regla de detección Sigma para [process_name] con [indicators] sospechosos en [log_source]. Incluir mapeo MITRE ATT&CK.
Conversión SIEM 
Convertir esta regla Sigma a formato [Splunk|Elasticsearch|Sentinel|QRadar]. Mostrar la consulta convertida y los mapeos de campos.
Mapeo MITRE 
Crear reglas de detección Sigma para la técnica MITRE ATT&CK [T####.###] cubriendo [tactic_name]. Incluir fuentes de日志 y campos clave.
Regla de cumplimiento 
Crear reglas de detección Sigma para el requisito [PCI-DSS|NIST|ISO27001] [control_id]. Incluir etiquetas y documentación.

모범 사례

  • Usar modificadores de campo específicos como endswith en lugar de contains para mejor rendimiento
  • Comenzar reglas en estado experimental y promover después de probar en no producción
  • Etiquetar todas las reglas con técnicas MITRE ATT&CK y controles de marcos de cumplimiento

피하기

  • Usar criterios de detección demasiado amplios que generan falsos positivos excesivos
  • Implementar reglas sin probar primero contra datos históricos de日志
  • Crear reglas sin documentar escenarios de falsos positivos y filtros de mitigación

자주 묻는 질문

¿Qué plataformas SIEM soporta Sigma?
Sigma convierte a más de 25 plataformas incluyendo Splunk, Elastic, QRadar, Microsoft Sentinel, Chronicle, LogPoint, ArcSight y plataformas EDR.
¿Qué paquetes de Python se requieren?
Instala pysigma más los plugins del backend: pip install pysigma pysigma-backend-splunk pysigma-backend-elasticsearch pyyaml.
¿Puedo usar esto con reglas Sigma existentes?
Sí. Importa reglas del repositorio SigmaHQ o usa la habilidad para convertir, validar y personalizar reglas existentes para tu entorno.
¿Cómo se manejan los datos sensibles?
Las reglas Sigma referencian nombres de campos y patrones. Nunca incluyas datos sensibles reales en los valores de las reglas. Almacena reglas con controles de acceso de control de versiones.
¿Por qué mi consulta convertida no funciona en SIEM?
Verifica la disponibilidad de la fuente de日志, verifica los mapeos de nombres de campos, prueba el rango de tiempo y asegúrate de que el backend soporte todos los modificadores usados en la regla.
¿En qué se diferencia esto de escribir consultas SIEM directamente?
Las reglas Sigma son independientes del proveedor. Escribe una vez y convierte a cualquier backend soportado, permitiendo portabilidad entre plataformas SIEM y flujos de trabajo de detección como código.

개발자 세부 정보

작성자

AgentSecOps

라이선스

MIT

리포지토리

https://github.com/AgentSecOps/SecOpsAgentKit/tree/main/skills/incident-response/detection-sigma

참조

main

파일 구조

📁 assets/

📁 compliance-rules/

📄 iso27001-logging.yml

📄 nist-800-53-audit.yml

📄 pci-dss-monitoring.yml

📁 rule-templates/

📄 credential-access.yml

📄 lateral-movement.yml

📄 persistence.yml

📄 privilege-escalation.yml

📁 references/

📄 backend-support.md

📄 compliance-mappings.md

📄 field-modifiers.md

📄 log-source-guide.md

📄 mitre-attack-mapping.md

📄 SKILL.md