Anthropic-Cybersecurity-Skills/skills/implementing-siem-use-cases-for-detection/references/api-reference.md
mukul975 27c6414ca5 Add folder anatomy (scripts/agent.py + references/api-reference.md) for 648 cybersecurity skills
Complete skill folder anatomy across all cybersecurity skills:
- scripts/agent.py: 80-150 line Python agents using real libraries (impacket,
  boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.)
- references/api-reference.md: real API documentation with method signatures
- LICENSE: MIT license for all skill folders
2026-03-10 21:02:12 +01:00


API Reference: Implementing SIEM Use Cases for Detection

Libraries

attackcti (MITRE ATT&CK)

  • Install: pip install attackcti
  • attack_client() -- Initialize ATT&CK data client
  • get_techniques() -- All techniques for coverage calculation
  • get_groups() -- Threat groups for threat-informed use cases

splunk-sdk (Splunk Integration)

  • Install: pip install splunk-sdk
  • splunklib.client.connect() -- Connect to Splunk instance
  • service.jobs.create(query) -- Execute detection rule SPL

Use Case Lifecycle

| Phase  | Activities                                                     |
|--------|----------------------------------------------------------------|
| Design | Map to ATT&CK, define data sources, write detection logic      |
| Test   | Validate with Atomic Red Team, measure FP/TP rates             |
| Deploy | Push to SIEM with alerting and SLA configuration               |
| Tune   | Refine based on FP feedback, add exclusions                    |
| Retire | Deprecate when superseded or no longer relevant                |

Key ATT&CK Techniques for Use Cases

| ID        | Name                       | Tactic            |
|-----------|----------------------------|-------------------|
| T1110     | Brute Force                | Credential Access |
| T1021.002 | SMB/Windows Admin Shares   | Lateral Movement  |
| T1059.001 | PowerShell                 | Execution         |
| T1048.003 | Exfiltration over DNS      | Exfiltration      |
| T1003.001 | LSASS Memory               | Credential Access |
| T1098     | Account Manipulation       | Persistence       |
| T1486     | Data Encrypted for Impact  | Impact            |

Sigma Rule Format

Detection Quality Metrics

  • True Positive Rate: Target >70%
  • False Positive Rate: Target <30%
  • Mean Time to Detect (MTTD): Varies by severity
  • Coverage: Percentage of ATT&CK techniques with detections
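The example below is added here and is not part of the skill's own scripts: it applies the Test-phase metrics above to decide the next lifecycle phase for a rule and computes ATT&CK coverage against the key-technique table. The rate definitions (true positive rate = detected Atomic tests / tests run; false positive rate = false alerts / all alerts) and the sample results are assumptions made for the illustration.

```python
from dataclasses import dataclass

KEY_TECHNIQUES = {  # ID -> name, taken from the table in this reference
    "T1110": "Brute Force",
    "T1021.002": "SMB/Windows Admin Shares",
    "T1059.001": "PowerShell",
    "T1048.003": "Exfiltration over DNS",
    "T1003.001": "LSASS Memory",
    "T1098": "Account Manipulation",
    "T1486": "Data Encrypted for Impact",
}
TPR_TARGET = 0.70  # page target: true positive rate > 70%
FPR_TARGET = 0.30  # page target: false positive rate < 30%

@dataclass
class UseCaseTest:
    name: str
    techniques: tuple    # ATT&CK IDs the rule is mapped to
    tests_run: int       # Atomic Red Team tests executed against the rule
    tests_detected: int  # tests that produced an alert (true positives)
    false_alerts: int    # alerts in the test window with no test behind them

    def rates(self):
        # Assumed definitions: TPR = detected/run, FPR = false alerts/all alerts
        tpr = self.tests_detected / self.tests_run if self.tests_run else 0.0
        alerts = self.tests_detected + self.false_alerts
        fpr = self.false_alerts / alerts if alerts else 0.0
        return tpr, fpr

def next_phase(uc):
    """Map Test-phase results onto the lifecycle: Deploy, Tune or back to Design."""
    tpr, fpr = uc.rates()
    if fpr >= FPR_TARGET:
        return "Tune"    # noisy rule: add exclusions before it reaches the queue
    if tpr <= TPR_TARGET:
        return "Design"  # misses too many tests: detection logic needs rework
    return "Deploy"

def coverage(use_cases, catalogue=KEY_TECHNIQUES):
    """Percentage of catalogue techniques covered by at least one deployable rule."""
    deployable = {t for uc in use_cases if next_phase(uc) == "Deploy" for t in uc.techniques}
    hit = sorted(t for t in catalogue if t in deployable)
    return round(100 * len(hit) / len(catalogue), 1), hit

SAMPLE = [  # constructed test results, not real telemetry
    UseCaseTest("Failed logons then success", ("T1110",), 10, 9, 1),
    UseCaseTest("Admin share from workstation", ("T1021.002",), 10, 8, 6),
    UseCaseTest("Encoded PowerShell command", ("T1059.001",), 10, 6, 1),
    UseCaseTest("Long TXT queries to rare domain", ("T1048.003",), 5, 0, 0),
]
```

With the sample results only the brute-force rule passes both targets, so coverage of the key-technique table is 1 of 7 (14.3%); the admin-share rule goes to Tune and the other two return to Design.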

External References