Anthropic-Cybersecurity-Skills/skills/building-detection-rule-with-splunk-spl/assets/template.md

# Splunk SPL Detection Rule Template

## Rule Metadata

| Field | Value |
|---|---|
| Rule Name | |
| Rule ID | |
| Description | |
| Author | |
| Date Created | |
| Last Modified | |
| Severity | |
| MITRE ATT&CK | |
| Data Sources | |
| Status | Draft / Testing / Production / Retired |

## SPL Query

```spl
| tstats summariesonly=true count
    from datamodel=<DataModel>
    where <conditions>
    by <fields>, _time span=<interval>
| rename "<DataModel>.*" as *
| stats <aggregation> by <grouping_fields>
| where <threshold_condition>
| lookup asset_lookup ip as src OUTPUT asset_name, asset_priority
| lookup identity_lookup identity as user OUTPUT department, manager
| eval severity=case(<critical_condition>, "critical", <high_condition>, "high", true(), "medium")
| eval description="<dynamic description string>"
| eval mitre_technique="<T-number>"
```

## Detection Logic

### What This Rule Detects

### Data Sources Required

| Source | Sourcetype | Index | Required Fields |
|---|---|---|---|
| | | | |

### Threshold Justification

### Enrichment Details

## Testing Plan

### True Positive Test

- Step 1:
- Step 2:
- Step 3:
- Expected Result:

### False Positive Analysis

| Scenario | Source | Mitigation |
|---|---|---|
| | | |

### Tuning History

| Date | Change | Reason | Impact |
|---|---|---|---|
| | | | |

## Correlation Search Configuration

- Schedule: `*/15 * * * *`
- Time Window: `earliest=-20m latest=now`
- Suppress: 1h by `src_ip`
- Notable Event Security Domain: threat
- Adaptive Response: `<actions>`
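Below is an added, filled-in instance of the template, written as the `savedsearches.conf` stanza a scheduled correlation search is ultimately saved as; it is not part of the original skill file. It covers both the SPL query section (the `tstats` / `stats` / threshold / enrichment / `eval` chain) and the scheduling, time window and suppression settings above. It assumes an accelerated CIM `Authentication` data model, a lookup named `asset_lookup` as in the template placeholder (the lookup names in an Enterprise Security install differ), and constructed thresholds (more than 50 failures across more than 10 accounts per run) that need tuning for the environment.

```ini
# Added example stanza for savedsearches.conf (not from the original skill).
# Detects one source producing many failed logons against many distinct
# accounts, i.e. password spraying (ATT&CK T1110.003).
[Possible Password Spraying - Authentication DM]
description = Many failed logons from one source against many accounts (T1110.003)
disabled = 0

# Schedule and time window from the template: every 15 minutes, looking back
# 20 minutes so consecutive runs overlap and late-indexed events are not missed.
enableSched = 1
cron_schedule = */15 * * * *
dispatch.earliest_time = -20m
dispatch.latest_time = now

# Suppress repeat alerts for the same source for one hour. The field named here
# must exist in the search results; after the rename below the field is "src".
alert.suppress = 1
alert.suppress.period = 1h
alert.suppress.fields = src

# Create a notable event in the "threat" security domain (Enterprise Security).
action.notable = 1
action.notable.param.security_domain = threat
action.notable.param.rule_title = Possible password spraying

# The query itself. Backslash continuation keeps it readable in the conf file.
# summariesonly=true requires the Authentication data model to be accelerated.
search = | tstats summariesonly=true count \
    from datamodel=Authentication \
    where Authentication.action="failure" \
    by Authentication.src, Authentication.user, _time span=5m \
| rename "Authentication.*" as * \
| stats sum(count) as failures, dc(user) as distinct_users by src \
| where failures > 50 AND distinct_users > 10 \
| lookup asset_lookup ip as src OUTPUT asset_name, asset_priority \
| eval severity=case(failures > 500, "critical", failures > 200, "high", true(), "medium") \
| eval description="Possible password spraying from ".src.": ".failures." failed logons across ".distinct_users." accounts" \
| eval mitre_technique="T1110.003"
```

The template lists suppression as `1h by src_ip`, but the query only produces a field named `src` once `Authentication.*` is renamed; suppression keyed on a field absent from the results silently does nothing, so keep the `alert.suppress.fields` value and the query's output field names in step. The 5-minute `span` inside `tstats` is coarser than the template's `<interval>` placeholder suggests for some use cases; it only affects bucketing before the second `stats`, which collapses the buckets per `src`, so the thresholds apply to the full 20-minute window. Document the chosen thresholds in the Threshold Justification section and record any later change in Tuning History.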

## Analyst Guidance

### Triage Steps

### Escalation Criteria