creator/Anthropic-Cybersecurity-Skills
1
0
Fork 0
mirror of https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git synced 2026-06-26 19:54:37 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
768ca51c8d331ab0bdcea8ffb31c9b99bb2c1839
Anthropic-Cybersecurity-Skills/skills/implementing-siem-use-case-tuning/SKILL.md
T
mukul975 cb8d79e068 Map all 754 skills to MITRE ATT&CK v19.1 
- Add validated mitre_attack frontmatter to all 754 skills (286 distinct
  techniques), verified against MITRE ATT&CK v19.1 via the official
  mitreattack-python library: 0 revoked, deprecated, or invalid IDs
- Curate precise per-skill technique IDs for forensics, malware-analysis,
  threat-intel, and red-team skills (e.g. DCSync -> T1003.006,
  Kerberoasting -> T1558.003, Pass-the-Ticket -> T1550.003)
- Reconcile v19.1 tactic restructuring: Defense Evasion split into
  Stealth (TA0005) and Defense Impairment (TA0112); revoked T1562.*
  family and T1070.001/.002 remapped to active equivalents (T1685.*)
- Normalize word-split tags across 35 skills (remove filename-derived
  stopword tags, add semantic cybersecurity tags)
- Add api-reference.md for 3 skills that were missing it
- Update README ATT&CK section with accurate v19.1 tactic distribution
2026-06-01 12:13:29 +02:00

2.3 KiB
Raw Blame History

name, description, domain, subdomain, tags, version, author, license, nist_csf, mitre_attack
name description domain subdomain tags version author license nist_csf mitre_attack
implementing-siem-use-case-tuning Tune SIEM detection rules to reduce false positives by analyzing alert volumes, creating whitelists, adjusting thresholds, and measuring detection efficacy metrics in Splunk and Elastic cybersecurity security-operations
siem
detection-engineering
false-positive-reduction
splunk
elastic
alert-tuning
soc
1.0 mahipal Apache-2.0
DE.CM-01
RS.MA-01
GV.OV-01
DE.AE-02
T1078
T1190
T1059
T1685.002
T1685.005

Implementing SIEM Use Case Tuning

Overview

SIEM use case tuning reduces alert fatigue by systematically analyzing detection rules for false positive rates, adjusting thresholds based on environmental baselines, creating context-aware whitelists, and measuring detection efficacy through precision/recall metrics. This skill covers tuning workflows for Splunk correlation searches and Elastic detection rules, including statistical baselining, exclusion list management, and alert-to-incident conversion tracking.

When to Use

  • When deploying or configuring implementing siem use case tuning capabilities in your environment
  • When establishing security controls aligned to compliance requirements
  • When building or improving security architecture for this domain
  • When conducting security assessments that require this implementation

Prerequisites

  • Splunk Enterprise/Cloud with ES or Elastic SIEM with detection rules enabled
  • Historical alert data (minimum 30 days) for baseline analysis
  • Python 3.8+ with requests library
  • SIEM admin credentials or API tokens

Steps

  1. Export current alert volumes per detection rule from SIEM
  2. Calculate false positive rate per rule using analyst disposition data
  3. Identify top noise-generating rules by volume and FP rate
  4. Build environmental baselines for thresholds (e.g., login counts, process spawns)
  5. Create whitelist entries for known-good entities (service accounts, scanners)
  6. Adjust rule thresholds using statistical analysis (mean + N standard deviations)
  7. Measure tuning impact via before/after precision and alert-to-incident ratio

Expected Output

JSON report with per-rule tuning recommendations including current FP rate, suggested threshold adjustments, whitelist entries, and projected alert reduction percentages.

Reference in New Issue View Git Blame Copy Permalink