CtrlK
BlogDocsLog inGet started
Tessl Logo

building-detection-rules-with-sigma

Builds vendor-agnostic detection rules using the Sigma rule format for threat detection across SIEM platforms including Splunk, Elastic, and Microsoft Sentinel. Use when creating portable detection logic from threat intelligence, mapping rules to MITRE ATT&CK techniques, or converting community Sigma rules into platform-specific queries using sigmac or pySigma backends.

72

Quality

Does it follow best practices?

Impact

No eval scenarios have been run

SecuritybySnyk

Advisory

Suggest reviewing before use

SKILL.md
Quality
Evals
Security

Quality

Content

77%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

A highly actionable, well-sequenced workflow with strong validation checkpoints and copy-paste code throughout. Its main weaknesses are length from non-essential sections and failure to signal the existing bundle files, leaving reference/script content duplicated inline.

Suggestions

Link the existing bundle files instead of duplicating their content: point to references/api-reference.md for the full pySigma API/backend tables and to scripts/agent.py for batch conversion and ATT&CK coverage generation.

Trim or relocate the Key Concepts, Tools & Systems, Common Scenarios, and Output Format sections into references so the body stays a lean overview-plus-workflow.

Add an explicit post-deploy verification checkpoint in Step 6 (confirm the rule is active and alerting correctly in production) to close the feedback loop for the production deployment.

DimensionReasoningScore

Conciseness

The body is mostly efficient executable code, but at ~300 lines it carries non-essential sections (Key Concepts, Tools & Systems, Common Scenarios, Output Format) and inline API usage that could be tightened or offloaded, fitting the "mostly efficient but could be tightened" anchor rather than lean.

2 / 3

Actionability

Every step ships complete, executable artifacts — Sigma YAML, `sigma check`, pySigma import-and-convert snippets for Splunk/Elastic/Sentinel, ATT&CK Navigator generation, and a CI/CD workflow — copy-paste ready with no pseudocode.

3 / 3

Workflow Clarity

Seven steps are clearly sequenced (Define → Validate → Convert → Map → Test → Deploy → CI/CD) with explicit validation checkpoints in Step 2 (`sigma check`), Step 5 (sample-data testing and a 7-day false-positive check) before production deploy.

3 / 3

Progressive Disclosure

Bundle files references/api-reference.md and scripts/agent.py exist but are never referenced from the body, and their API/conversion/batch logic is duplicated inline rather than split out — matching "references present but not clearly signaled; content that should be separate is inline."

2 / 3

Total

10

/

12

Passed

Description

100%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

A strong, third-person description that states concrete capabilities and provides an explicit "Use when" trigger clause with domain-natural keywords. It cleanly answers what the skill does and when to invoke it with low conflict risk.

DimensionReasoningScore

Specificity

Lists multiple concrete actions — "Builds vendor-agnostic detection rules", "creating portable detection logic", "mapping rules to MITRE ATT&CK techniques", "converting community Sigma rules into platform-specific queries" — matching the anchor for several specific concrete actions.

3 / 3

Completeness

Explicitly answers both what ("Builds vendor-agnostic detection rules using the Sigma rule format...") and when ("Use when creating portable detection logic... mapping rules... or converting community Sigma rules...") with an explicit trigger clause.

3 / 3

Trigger Term Quality

Covers natural terms a SOC analyst would say — "Sigma", "detection rules", "threat intelligence", "MITRE ATT&CK", "SIEM", "Splunk, Elastic, Sentinel", "sigmac", "pySigma" — giving good coverage of likely user phrasing.

3 / 3

Distinctiveness Conflict Risk

Occupies a clear niche (Sigma detection-as-code for SIEM platforms) with distinct, specific triggers unlikely to collide with other skills.

3 / 3

Total

12

/

12

Passed

Validation

93%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation15 / 16 Passed

Validation for skill structure

CriteriaDescriptionResult

frontmatter_unknown_keys

Unknown frontmatter key(s) found; consider removing or moving to metadata

Warning

Total

15

/

16

Passed

Repository
mukul975/Anthropic-Cybersecurity-Skills
Reviewed

Table of Contents

Is this your skill?

If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.