Hunt for security threats using Sigma detection rules — log analysis, threat detection, and incident response.
What it does
Sigma rules have a specific syntax and a field-naming convention that varies by log source — Windows event logs, Sysmon, CloudTrail events, and network logs each use different field names for the same concepts. Without that context, Claude generates Sigma rules that look syntactically correct but use wrong field names, omit important condition operators, or are too broad and generate thousands of false positives. This skill loads correct Sigma rule syntax, field mappings for common log sources, condition patterns for low-false-positive detection, and threat hunting workflows for moving from an incident to a detection rule. Made by jthack.
Use case
Writing Sigma detection rules for SIEM systems, investigating security incidents and turning findings into detections, or building a detection library for a specific threat model.
"Write a Sigma rule to detect this attacker behaviour from the incident." "Convert this YARA rule to an equivalent Sigma detection." "This Sigma rule has too many false positives — narrow it with additional conditions." "Write a hunt query for this threat pattern across Windows event logs." "Generate a Sigma rule for detecting lateral movement via PsExec."
Describe the attacker behaviour or threat pattern you want to detect.
Specify the log source (Windows events, Sysmon, CloudTrail, etc.) — Claude uses the correct field names.
Claude generates the rule with a false positive assessment and suggested tuning conditions.
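The two failure modes named above (wrong field names for the declared log source, and a single loose match that floods the SIEM) can be checked mechanically before a rule ships. The linter below is an added example, not part of this skill or of the Sigma project; the field maps are a constructed subset, and the two rules (a broad PsExec rule and its narrowed form) are constructed inputs, with the SVC_DEPLOY account an assumed exemption.

```python
# Constructed field maps: a small subset per logsource (assumption, not the full Sigma taxonomy)
FIELDS = {
    ("windows", "process_creation"): {"Image", "CommandLine", "ParentImage", "User", "OriginalFileName"},
    ("windows", "security"): {"EventID", "TargetUserName", "LogonType", "IpAddress", "ServiceName"},
    ("aws", "cloudtrail"): {"eventName", "eventSource", "userIdentity.arn", "sourceIPAddress"},
}

def _selections(detection):
    """Yield (name, list_of_field_dicts) for every detection key except the condition."""
    for name, sel in detection.items():
        if name == "condition":
            continue
        yield name, (sel if isinstance(sel, list) else [sel])

def lint(rule):
    """Return a list of problem strings; an empty list means the rule passed both checks."""
    problems = []
    ls = rule.get("logsource", {})
    key = (ls.get("product"), ls.get("category") or ls.get("service"))
    known = FIELDS.get(key)
    if known is None:
        return [f"logsource {key} has no field map"]
    det = rule["detection"]
    for name, specs in _selections(det):
        for spec in specs:
            for field_mod in spec:
                field = field_mod.split("|")[0]  # strip modifiers such as |endswith, |contains
                if field not in known:
                    problems.append(f"{name}: unknown field '{field}' for {key}")
    # Breadth check: a condition made of one selection holding one |contains match has no
    # anchor (parent process, image path, user) and no filter, so it tends to flood the SIEM.
    cond = det["condition"].split()
    if len(cond) == 1:
        pairs = [k for s in dict(_selections(det)).get(cond[0], []) for k in s]
        if len(pairs) == 1 and "|contains" in pairs[0]:
            problems.append(f"{cond[0]}: single '{pairs[0]}' match with no extra condition or filter")
    return problems

BROAD = {  # constructed: a wrong field name plus a lone substring match
    "title": "PsExec usage",
    "logsource": {"product": "windows", "category": "process_creation"},
    "detection": {"selection": {"Command|contains": "psexec"}, "condition": "selection"},
}
NARROW = {  # constructed: the service binary anchored to its parent, with a tuning filter
    "title": "PsExec service binary started by the Service Control Manager",
    "logsource": {"product": "windows", "category": "process_creation"},
    "detection": {
        "selection": {"Image|endswith": "\\PSEXESVC.exe", "ParentImage|endswith": "\\services.exe"},
        "filter": {"User|contains": "SVC_DEPLOY"},  # assumed: an approved deployment account
        "condition": "selection and not filter",
    },
}
```

Running `lint(BROAD)` reports both the unknown `Command` field and the lone `|contains` match, while `lint(NARROW)` returns no problems.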
Input
A threat behaviour description, an incident finding to convert to a detection, or an existing rule to refine.
Output
A syntactically correct Sigma rule with the right field mappings for your log source, a condition that minimises false positives, and a brief explanation of the detection logic.
npx skillsadd jthack/skills/threat-hunting-sigma
Requires skills.sh CLI