.claude/skills/detection-yaml-engineer/SKILL.md
Expert at creating and validating detection rule files for multiple SIEM platforms. Supports Splunk security_content YAML, Sigma rules, Elastic detection TOML, and KQL analytics. Ensures compliance with repository conventions and optimal query performance. Use when creating or modifying detection rules.
Install:

```bash
npx skillsauth add mhaggis/security-detections-mcp detection-yaml-engineer
```
You are an expert at creating high-quality detection rule files for security content repositories.
Environment variables:

- `$SECURITY_CONTENT_PATH` - Path to detection content repo
- `$SIEM_PLATFORM` - Target: splunk, sigma, elastic, sentinel
- `$VALIDATION_TOOL` - Validation command (e.g., `contentctl validate`, `sigma check`)

Splunk security_content detection (YAML):

```yaml
name: Platform_Technique_Description
id: <UUID>
version: 1
date: 'YYYY-MM-DD'
author: Detection Author
status: production
type: TTP
description: Clear description of what and why.
data_source:
- Sysmon EventID 1
search: |
  | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime
  from datamodel=Endpoint.Processes
  where Processes.process_name="suspicious.exe"
  by Processes.dest Processes.user Processes.process_name
  | `drop_dm_object_name(Processes)`
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `detection_name_filter`
how_to_implement: Data requirements.
known_false_positives: Expected benign triggers.
references:
- https://attack.mitre.org/techniques/TXXXX/
rba:
  message: $process_name$ executed on $dest$ by $user$
  risk_objects:
  - field: dest
    type: system
    score: 50
  - field: user
    type: user
    score: 50
tags:
  analytic_story:
  - Story Name
  asset_type: Endpoint
  mitre_attack_id:
  - T1234.001
  product:
  - Splunk Enterprise
  - Splunk Enterprise Security
  - Splunk Cloud
  security_domain: endpoint
tests:
- name: True Positive Test
  attack_data:
  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/...
    sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
    source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
```
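A convention checker for the Splunk template above, added here as an example; it is not code from the skill or from the security_content repository. It assumes the rule YAML has already been loaded into a dict (for instance with `yaml.safe_load`) and embeds a constructed rule so it runs with no dependencies. The function names (`check_rule`, `expected_filter_macro`, `by_fields`), the `KNOWN_TYPES` set, and the placeholder UUID and dataset URL are this example's own assumptions. It flags two mistakes the template invites: the placeholder `detection_name_filter` macro left in place instead of the macro derived from the detection name, and an RBA risk object on a field the search's `by` clause never emits.

```python
# Convention checks for a Splunk security_content detection (added example,
# not from the skill or the security_content repo).  Assumption: the YAML has
# already been parsed into a dict (yaml.safe_load in practice); a constructed
# rule is embedded below so the script runs with no dependencies.
import copy
import re
import uuid

TECHNIQUE_RE = re.compile(r"^T\d{4}(\.\d{3})?$")   # T1059 or T1059.001
DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")
# Common contentctl detection types (assumption: extend if the repo adds more).
KNOWN_TYPES = {"TTP", "Anomaly", "Hunting", "Baseline", "Correlation"}


def snake_case(name: str) -> str:
    """'Windows Suspicious Process Execution' -> 'windows_suspicious_process_execution'."""
    return re.sub(r"[^a-z0-9]+", "_", name.lower()).strip("_")


def expected_filter_macro(name: str) -> str:
    """The macro every security_content search must end with."""
    return f"{snake_case(name)}_filter"


def by_fields(search: str) -> set:
    """Fields in the tstats 'by' clause, with the datamodel prefix stripped."""
    m = re.search(r"\bby\s+(.+?)(?=\n\s*\||\Z)", search)
    return {f.split(".")[-1] for f in m.group(1).split()} if m else set()


def check_rule(rule: dict) -> list:
    """Return convention violations; an empty list means the rule passes."""
    problems = []
    name = rule.get("name", "")
    try:
        uuid.UUID(str(rule.get("id")))
    except ValueError:
        problems.append("id is not a UUID")
    if not DATE_RE.match(str(rule.get("date", ""))):
        problems.append("date must be YYYY-MM-DD")
    if rule.get("type") not in KNOWN_TYPES:
        problems.append(f"unknown type {rule.get('type')!r}")

    # The last pipe stage must be the per-detection filter macro.
    search = rule.get("search", "")
    lines = search.strip().splitlines()
    last = lines[-1].strip() if lines else ""
    want = f"| `{expected_filter_macro(name)}`"
    if last != want:
        problems.append(f"search must end with {want}, found {last!r}")

    for tid in rule.get("tags", {}).get("mitre_attack_id", []):
        if not TECHNIQUE_RE.match(tid):
            problems.append(f"bad MITRE technique id {tid!r}")

    # RBA can only score fields the search actually emits.
    emitted = by_fields(search)
    for obj in rule.get("rba", {}).get("risk_objects", []):
        if obj.get("field") not in emitted:
            problems.append(f"risk_object field {obj.get('field')!r} is not in the by clause")

    tests = rule.get("tests", [])
    if not tests:
        problems.append("at least one test with attack_data is required")
    for t in tests:
        for ad in t.get("attack_data", []):
            missing = [k for k in ("data", "sourcetype", "source") if k not in ad]
            if missing:
                problems.append(f"test {t.get('name')!r} attack_data is missing {missing}")
    return problems


SYSMON = "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
GOOD_RULE = {  # constructed sample; the UUID and dataset URL are placeholders
    "name": "Windows Suspicious Process Execution",
    "id": "0f3b3c1e-5d7a-4b2e-9c6f-1a2b3c4d5e6f",
    "date": "2024-01-15", "status": "production", "type": "TTP",
    "search": (
        "| tstats `security_content_summariesonly` count min(_time) as firstTime "
        "max(_time) as lastTime\nfrom datamodel=Endpoint.Processes\n"
        'where Processes.process_name="suspicious.exe"\n'
        "by Processes.dest Processes.user Processes.process_name\n"
        "| `drop_dm_object_name(Processes)`\n"
        "| `security_content_ctime(firstTime)`\n"
        "| `security_content_ctime(lastTime)`\n"
        "| `windows_suspicious_process_execution_filter`\n"),
    "rba": {"message": "$process_name$ executed on $dest$ by $user$",
            "risk_objects": [{"field": "dest", "type": "system", "score": 50},
                             {"field": "user", "type": "user", "score": 50}]},
    "tags": {"mitre_attack_id": ["T1059.001"]},
    "tests": [{"name": "True Positive Test",
               "attack_data": [{"data": "https://example.invalid/dataset.log",
                                "sourcetype": SYSMON, "source": SYSMON}]}],
}

# Two frequent mistakes: the template's placeholder macro left in place, and an
# RBA risk object on a field (src) the search never groups by.
BAD_RULE = copy.deepcopy(GOOD_RULE)
BAD_RULE["search"] = BAD_RULE["search"].replace(
    "windows_suspicious_process_execution_filter", "detection_name_filter")
BAD_RULE["rba"]["risk_objects"].append({"field": "src", "type": "system", "score": 25})

if __name__ == "__main__":
    for label, rule in (("good", GOOD_RULE), ("bad", BAD_RULE)):
        print(label, check_rule(rule) or "OK")
```

The macro check derives the expected name from the `name` field rather than comparing against a fixed string, so the same checker applies to every detection in a repository; run it in a pre-commit hook alongside `contentctl validate`, which performs the schema-level checks this example does not attempt.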
Sigma rule (YAML):

```yaml
title: Suspicious Process Execution
id: <UUID>
status: stable
level: high
description: Detects suspicious process execution.
author: Detection Author
date: YYYY/MM/DD
references:
- https://attack.mitre.org/techniques/TXXXX/
tags:
- attack.execution
- attack.t1059.001
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '\suspicious.exe'
  condition: selection
falsepositives:
- Legitimate administrative use
```
KQL rules for Sentinel can be defined as YAML for programmatic deployment via Sentinel Solutions or the Analytics Rules API:

```yaml
id: <UUID>
name: Suspicious Process Execution
description: Detects suspicious process execution patterns.
severity: High
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
  dataTypes:
  - DeviceProcessEvents
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
tactics:
- Execution
relevantTechniques:
- T1059.001
query: |
  DeviceProcessEvents
  | where FileName == "suspicious.exe"
  | where ProcessCommandLine has_any ("encoded", "hidden", "-nop")
  | project TimeGenerated, DeviceName, AccountName, FileName, ProcessCommandLine
entityMappings:
- entityType: Host
  fieldMappings:
  - identifier: HostName
    columnName: DeviceName
- entityType: Account
  fieldMappings:
  - identifier: Name
    columnName: AccountName
```
Or as inline KQL with comment headers for simpler workflows:

```kql
// Title: Suspicious Process Execution
// MITRE: T1059.001
DeviceProcessEvents
| where FileName == "suspicious.exe"
| where ProcessCommandLine has_any ("encoded", "hidden", "-nop")
| project TimeGenerated, DeviceName, AccountName, FileName, ProcessCommandLine
```
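A consistency check for the Sentinel rule above, added as an example; it is not code from the skill or from Microsoft. It assumes the rule YAML has already been parsed into a dict and that the KQL is simple enough to inspect textually: the source table is the first non-comment line and the columns that reach the alert come from the last `| project` operator. The names `check_sentinel_rule`, `query_table` and `projected_columns` and the placeholder UUID are this example's own. The failure it targets is an `entityMappings` column that the query no longer projects, which silently produces incidents with no Host or Account entity, and a query that reads a table (`SecurityEvent` for legacy agents) that the declared connector does not deliver.

```python
# Consistency checks for a Sentinel analytic rule (added example, not from the
# skill).  Assumption: the YAML is already parsed into a dict (yaml.safe_load);
# a constructed rule is embedded so the script runs without dependencies.
import copy
import re
from typing import Optional

TECHNIQUE_RE = re.compile(r"^T\d{4}(\.\d{3})?$")


def query_table(query: str) -> str:
    """Source table of the query: first token of the first non-comment line."""
    for line in query.splitlines():
        s = line.strip()
        if s and not s.startswith("//"):
            return s.split()[0]
    return ""


def projected_columns(query: str) -> Optional[set]:
    """Columns kept by the last '| project' line, or None when the query has no
    project (every column then reaches the alert and any mapping resolves)."""
    cols = None
    for line in query.splitlines():
        m = re.match(r"\|\s*project\s+(.+)$", line.strip())
        if m:
            cols = {c.strip() for c in m.group(1).split(",")}
    return cols


def check_sentinel_rule(rule: dict) -> list:
    """Return a list of problems; empty means the rule is internally consistent."""
    problems = []
    query = rule.get("query", "")

    # 1. The table the query reads must be delivered by a declared connector.
    table = query_table(query)
    data_types = {dt for c in rule.get("requiredDataConnectors", [])
                  for dt in c.get("dataTypes", [])}
    if table not in data_types:
        problems.append(f"query reads {table!r} but requiredDataConnectors "
                        f"only provide {sorted(data_types)}")

    # 2. Every mapped entity column must survive the final project; otherwise the
    #    incident is created with no Host/Account entity to pivot on.
    cols = projected_columns(query)
    for mapping in rule.get("entityMappings", []):
        for fm in mapping.get("fieldMappings", []):
            col = fm.get("columnName")
            if cols is not None and col not in cols:
                problems.append(f"{mapping.get('entityType')} entity maps {col!r}, "
                                f"which the final project drops")

    # 3. Technique ids must be well-formed so MITRE coverage views can match them.
    for tid in rule.get("relevantTechniques", []):
        if not TECHNIQUE_RE.match(tid):
            problems.append(f"bad technique id {tid!r}")
    return problems


# Constructed rule mirroring the YAML above (the UUID is a placeholder).
GOOD_RULE = {
    "id": "8f1c2a4e-3b5d-4e6f-9a7b-0c1d2e3f4a5b",
    "name": "Suspicious Process Execution",
    "severity": "High",
    "requiredDataConnectors": [
        {"connectorId": "MicrosoftThreatProtection", "dataTypes": ["DeviceProcessEvents"]}
    ],
    "relevantTechniques": ["T1059.001"],
    "query": (
        "DeviceProcessEvents\n"
        '| where FileName == "suspicious.exe"\n'
        '| where ProcessCommandLine has_any ("encoded", "hidden", "-nop")\n'
        "| project TimeGenerated, DeviceName, AccountName, FileName, ProcessCommandLine\n"
    ),
    "entityMappings": [
        {"entityType": "Host",
         "fieldMappings": [{"identifier": "HostName", "columnName": "DeviceName"}]},
        {"entityType": "Account",
         "fieldMappings": [{"identifier": "Name", "columnName": "AccountName"}]},
    ],
}

# The same rule after the query was moved to the legacy Security Events table
# without updating the connector or the entity mappings.
BAD_RULE = copy.deepcopy(GOOD_RULE)
BAD_RULE["query"] = (
    "SecurityEvent\n"
    '| where EventID == 4688 and NewProcessName endswith "suspicious.exe"\n'
    "| project TimeGenerated, Computer, NewProcessName\n"
)

if __name__ == "__main__":
    for label, rule in (("good", GOOD_RULE), ("bad", BAD_RULE)):
        print(label, check_sentinel_rule(rule) or "OK")
```

The textual KQL inspection is deliberately narrow: queries that end in `summarize`, `extend`, or `project-away` would need a real parser. For those, deploy to a test workspace and confirm that the incident shows the expected entities before promoting the rule.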
Elastic detection rules use TOML format in the detection-rules repository:

```toml
[metadata]
creation_date = "YYYY/MM/DD"
integration = ["endpoint"]
maturity = "production"
updated_date = "YYYY/MM/DD"

[rule]
author = ["Detection Author"]
description = "Detects suspicious process execution."
name = "Suspicious Process Execution"
risk_score = 73
rule_id = "<UUID>"
severity = "high"
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution"]
type = "eql"
query = '''
process where host.os.type == "windows"
  and process.name : "suspicious.exe"
  and process.args : ("*encoded*", "*hidden*", "*-nop*")
'''

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"

[[rule.threat.technique.subtechnique]]
id = "T1059.001"
name = "PowerShell"
reference = "https://attack.mitre.org/techniques/T1059/001/"

[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
```
Naming conventions:

- Detection name: `Platform_Technique_Description`
- Filter macro: snake_case of the detection name followed by `_filter`, e.g. `detection_name_filter`

Always validate before committing:

- `contentctl validate` (in security_content venv)
- `sigma check rule.yml` or `sigma convert -t <backend> rule.yml`
- `python -m detection_rules validate-rule path/to/rule.toml` (in detection-rules repo)
- `az sentinel alert-rule create` for deployment validation

Platform checklist:

- Splunk: the search must end with the filter macro (`snake_case(name)_filter`)
- Sigma: use the correct `logsource` category (`process_creation`, `network_connection`, etc.)
- Elastic: set `type` for the query language (use `eql` for EQL, `query` for KQL/Lucene, `threshold` for count-based) and include a `[[rule.threat]]` MITRE mapping block
- Sentinel: read from the right table (`DeviceProcessEvents` for MDE vs `SecurityEvent` for legacy agents) and define `entityMappings` for incident creation