mhaggis/detection-coverage-analysis
.claude/skills/coverage-analysis/SKILL.md
Analyzes detection coverage using Sigma, Splunk, and Elastic rules. Use when checking coverage for techniques, tactics, threat actors, or generating Navigator layers from detections.
$ install --global
skillsauthnpx skillsauth add mhaggis/security-detections-mcp detection-coverage-analysisInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 16, 2026, 5:58 AM9.7s1 file scanned
SKILL.md
- name:
- detection-coverage-analysis
- description:
- Analyzes detection coverage using Sigma, Splunk, and Elastic rules. Use when checking coverage for techniques, tactics, threat actors, or generating Navigator layers from detections.
Detection Coverage Analysis
Efficient Tools (Use These!)
Get Coverage Stats
analyze_coverage(source_type: "elastic")
Returns coverage % by tactic, top techniques, weak spots.
Find Gaps by Threat Profile
identify_gaps(threat_profile: "ransomware")
identify_gaps(threat_profile: "apt")
identify_gaps(threat_profile: "persistence")
Returns prioritized P0/P1/P2 gaps with recommendations.
Get Detection Suggestions
suggest_detections(technique_id: "T1059.001")
Returns existing detections, data sources needed, detection ideas.
Generate Navigator Layer
generate_navigator_layer(
name: "Elastic Initial Access",
source_type: "elastic",
tactic: "initial-access"
)
Returns ready-to-import Navigator JSON.
Get Just Technique IDs
get_technique_ids(source_type: "elastic", tactic: "persistence")
Returns ~200 bytes instead of ~50KB.
Threat Profiles Available
| Profile | Key Techniques | |---------|----------------| | ransomware | T1486, T1490, T1027, T1547 | | apt | T1003, T1021, T1053, T1071 | | initial-access | T1566, T1190, T1078 | | persistence | T1547, T1543, T1053 | | credential-access | T1003.*, T1555, T1552 | | defense-evasion | T1027, T1070, T1055 |
DON'T (burns tokens)
# BAD - returns 200+ full detection objects
list_by_mitre_tactic(tactic: "execution")
DO (efficient)
# GOOD - returns stats only
analyze_coverage(source_type: "elastic")
Token Comparison
| Old Approach | New Approach | |--------------|--------------| | list_by_mitre_tactic → ~50KB | analyze_coverage → ~2KB | | Parse in context | Done server-side | | 25x more tokens | Efficient |
Related Skills
mhaggis/threat-report-parser
testing
VerifiedTrustedCommunity
Expert at analyzing unstructured threat intelligence reports (CISA alerts, vendor blogs, research papers) and extracting actionable detection logic, TTPs, behavioral indicators, and MITRE ATT&CK mappings. Focuses on behaviors over IOCs. Use when provided with threat reports, security advisories, or campaign documentation.
401SKILL.mdUpdated Apr 16, 2026
mhaggis/Supply Chain Attack Analyst
testing
VerifiedTrustedCommunity
Analyze software supply chain attacks across package registries (npm, PyPI, RubyGems), CI/CD pipelines (GitHub Actions, GitLab CI), and container ecosystems. Includes detection engineering patterns for Splunk, Sentinel, Elastic, and Sigma.
401SKILL.mdUpdated Apr 16, 2026
mhaggis/Detection Query Optimizer
testing
VerifiedTrustedCommunity
Optimize detection queries for performance across Splunk (SPL), Microsoft Sentinel (KQL), and Elastic Security (EQL/ES|QL). Covers search pipeline internals, common anti-patterns, and optimization techniques for detection rules on each platform.
401SKILL.mdUpdated Apr 16, 2026
mhaggis/PR Extension Workflow
tools
VerifiedTrustedCommunity
Analyze pull requests for detection coverage gaps and recommend additional detections, story alignments, and test coverage to extend PRs before merge.
401SKILL.mdUpdated Apr 16, 2026