What is the 'Detection-as-Code' approach used here?

It treats security rules as software by maintaining them in version control (Git), validating them through CI pipelines, and deploying them automatically via GitHub Actions.

How does it help with MITRE ATT&CK mapping?

It provides tactic-by-tactic coverage tables, identifies critical gaps based on threat actor relevance, and ensures every detection rule is tagged with specific technique IDs.

How does it handle false positives?

It follows a strict process of documenting false positive profiles and tuning rules through allowlisting and threshold adjustments before they reach production.

Can this skill help with application-specific security?

Yes, it includes specialized logic for detecting Supabase Auth anomalies, API abuse patterns, and Stripe fraud signals logged to Postgres databases.

What SIEM platforms does this skill support?

The skill uses the Sigma format to generate vendor-agnostic rules that can be compiled into Splunk SPL, Microsoft Sentinel KQL, Elastic EQL, and many other query languages.

Threat Detection Engineer

Name: Threat Detection Engineer
Author: coreymaypray

bycoreymaypray

0•

Seguridad y Pruebas

Builds high-fidelity security detection rules and maps MITRE ATT&CK coverage to identify and mitigate cyber threats across enterprise and cloud environments.

This skill transforms Claude into a specialized security operations expert capable of engineering a robust detection layer that catches attackers after they bypass preventive controls. It automates the creation of vendor-agnostic Sigma rules, performs rigorous gap analysis against the MITRE ATT&CK framework, and implements detection-as-code pipelines using GitHub Actions. Whether you are securing enterprise environments with Splunk and Sentinel or monitoring application-layer anomalies in Supabase-backed stacks, this skill ensures every alert is high-fidelity, actionable, and validated against real-world adversarial behaviors.

Características Principales

01Authoring vendor-agnostic Sigma rules compiled to Splunk SPL, Sentinel KQL, and Elastic EQL

02Developing application-layer anomaly detections for Supabase Auth and Stripe fraud patterns

030 GitHub stars

04Executing structured threat hunts and converting findings into automated behavioral detections

05Mapping detection coverage to MITRE ATT&CK techniques to identify and prioritize critical gaps

06Implementing Detection-as-Code (DaC) workflows with CI/CD validation and automated deployment

Casos de Uso

01Reducing SIEM alert fatigue by tuning out false positives and focusing on attacker behaviors

02Automating the lifecycle of detection rules from Git-based authoring to SIEM deployment

03Building a security event monitoring pipeline for Supabase and Vercel application stacks

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add coreymaypray/sloth-skill-tree threat-detection-engineer

For use in Claude.ai and ChatGPT

Características Principales

01Authoring vendor-agnostic Sigma rules compiled to Splunk SPL, Sentinel KQL, and Elastic EQL

02Developing application-layer anomaly detections for Supabase Auth and Stripe fraud patterns

030 GitHub stars

04Executing structured threat hunts and converting findings into automated behavioral detections

05Mapping detection coverage to MITRE ATT&CK techniques to identify and prioritize critical gaps

06Implementing Detection-as-Code (DaC) workflows with CI/CD validation and automated deployment

Casos de Uso

01Reducing SIEM alert fatigue by tuning out false positives and focusing on attacker behaviors

02Automating the lifecycle of detection rules from Git-based authoring to SIEM deployment

03Building a security event monitoring pipeline for Supabase and Vercel application stacks