تشغيل أي مهارة في Manus بنقرة واحدة

$pwd:

detection-rule-management

Name: Detection Rule Management
Author: elastic

// Create, tune, and manage Elastic Security detection rules. Use for false positive tuning, adding exceptions, creating new detection coverage, finding noisy rules, enabling/disabling rules, or any detection engineering task. Also trigger for "detection rules", "noisy rules", "false positives", "add exception", "create rule", or "tune rule".

تشغيل في Manus

$ git log --oneline --stat

stars:٩

forks:٨

updated:١٧ أبريل ٢٠٢٦ في ٢٠:٤٠

SKILL.md

readonly

name	detection-rule-management
description	Create, tune, and manage Elastic Security detection rules. Use for false positive tuning, adding exceptions, creating new detection coverage, finding noisy rules, enabling/disabling rules, or any detection engineering task. Also trigger for "detection rules", "noisy rules", "false positives", "add exception", "create rule", or "tune rule".

Detection Rule Management

Manage detection rules using the elastic-security MCP connector. The manage-rules tool renders an interactive rule management dashboard.

Tools (via elastic-security MCP connector)

Tool	Purpose
`manage-rules`	Browse/search rules with interactive dashboard. Params: `filter` (KQL)
`threat-hunt`	Test queries against live data before creating rules

The dashboard supports searching rules, viewing details, enabling/disabling, validating queries, and viewing noisy rules.

Rule Types

Type	Use case	Example
`query` (KQL)	Simple field matching	`process.name: "mimikatz.exe"`
`eql`	Behavioral sequences	Process A spawns B within 5 minutes
`esql`	Analytics/aggregations	Complex joins or transformations
`threshold`	Count/frequency	>10 failed logins in 5 minutes
`threat_match`	IOC correlation	Match against malicious IP indicators
`new_terms`	First-time activity	User logs into host for first time

Tuning Strategy (in order of preference)

Add exception — Known-good process/user/host. Does not modify the rule query.
Tighten the query — Exclude FP pattern from the rule query itself.
Adjust threshold/suppression — Increase threshold or enable alert suppression.
Reduce risk score/severity — Downgrade priority if rule has some value but is noisy.
Disable the rule — Last resort. Only if rule provides no value.

Creating New Rules

Define the threat (MITRE technique, data sources, malicious vs legitimate behavior)
Test the query with threat-hunt against live data
Create via the dashboard or ask Claude to help construct the rule JSON
Monitor alert volume and tune false positives

Common Index Patterns

Data type	Index pattern
Alerts	`.alerts-security.alerts-*`
Processes	`logs-endpoint.events.process-*`
Network	`logs-endpoint.events.network-*`
Windows	`logs-windows.*`
AWS	`logs-aws.*`
Okta	`logs-okta.*`

related-skills.json

نفس المستودع

alert-triage.md

from "elastic/example-mcp-app-security"

Triage Elastic Security alerts — fetch, investigate, classify threats, create cases, and acknowledge. Use when triaging alerts, performing SOC analysis, investigating detections, reviewing security incidents, or when the user mentions ransomware, malware, lateral movement, credential theft, DLL injection, suspicious processes, or any specific threat. Also trigger for "show me alerts", "what's happening on host X", "any critical alerts", or any security operations question.

2026-04-179

attack-discovery-triage.md

from "elastic/example-mcp-app-security"

Triage Elastic Security Attack Discovery findings — fetch correlated attack narratives, assess confidence with entity risk and rule frequency signals, and present an interactive triage dashboard for approval, case creation, and acknowledgment. Use when triaging attack discoveries, reviewing correlated attacks, assessing EASE output, or when the user mentions "attack discovery", "AD findings", "triage attacks", "correlated alerts", or asks to process attack discovery results. Also trigger for "what attacks were discovered", "triage my discoveries", or "any attack discoveries".

2026-04-179

case-management.md

from "elastic/example-mcp-app-security"

Create, search, update, and manage SOC cases for Elastic Security. ALWAYS use this skill when the user mentions cases, incidents, investigations, or asks to see, show, list, open, create, update, or search cases. Trigger for: "show me my cases", "open cases", "list cases", "any open cases", "create a case", "case for this alert", "show me case 42", "incident tracking", "investigation status", or any case-related question.

2026-04-179

generate-sample-data.md

from "elastic/example-mcp-app-security"

Generate sample security events, attack scenarios, and synthetic alerts for Elastic Security. Use when demoing, populating dashboards, testing detection rules, setting up a POC, or when the user asks for test data, demo data, or sample alerts.

2026-04-179

package.json

"author": "elastic"

"repository": "elastic/example-mcp-app-security"

فتح مستودع GitHub عرض مستودعات المنشئ

$ install --global

$ download --local

تشغيل في Manus

$ useful --forSOC

محللو أمن المعلوماتمهن الحاسوب والرياضيات15-1212L4

name	detection-rule-management
description	Create, tune, and manage Elastic Security detection rules. Use for false positive tuning, adding exceptions, creating new detection coverage, finding noisy rules, enabling/disabling rules, or any detection engineering task. Also trigger for "detection rules", "noisy rules", "false positives", "add exception", "create rule", or "tune rule".

Detection Rule Management

Manage detection rules using the elastic-security MCP connector. The manage-rules tool renders an interactive rule management dashboard.

Tools (via elastic-security MCP connector)

Tool	Purpose
`manage-rules`	Browse/search rules with interactive dashboard. Params: `filter` (KQL)
`threat-hunt`	Test queries against live data before creating rules

The dashboard supports searching rules, viewing details, enabling/disabling, validating queries, and viewing noisy rules.

Rule Types

Type	Use case	Example
`query` (KQL)	Simple field matching	`process.name: "mimikatz.exe"`
`eql`	Behavioral sequences	Process A spawns B within 5 minutes
`esql`	Analytics/aggregations	Complex joins or transformations
`threshold`	Count/frequency	>10 failed logins in 5 minutes
`threat_match`	IOC correlation	Match against malicious IP indicators
`new_terms`	First-time activity	User logs into host for first time

Tuning Strategy (in order of preference)

Add exception — Known-good process/user/host. Does not modify the rule query.
Tighten the query — Exclude FP pattern from the rule query itself.
Adjust threshold/suppression — Increase threshold or enable alert suppression.
Reduce risk score/severity — Downgrade priority if rule has some value but is noisy.
Disable the rule — Last resort. Only if rule provides no value.

Creating New Rules

Define the threat (MITRE technique, data sources, malicious vs legitimate behavior)
Test the query with threat-hunt against live data
Create via the dashboard or ask Claude to help construct the rule JSON
Monitor alert volume and tune false positives

Common Index Patterns

Data type	Index pattern
Alerts	`.alerts-security.alerts-*`
Processes	`logs-endpoint.events.process-*`
Network	`logs-endpoint.events.network-*`
Windows	`logs-windows.*`
AWS	`logs-aws.*`
Okta	`logs-okta.*`

detection-rule-management

Detection Rule Management

Tools (via elastic-security MCP connector)

Rule Types

Tuning Strategy (in order of preference)

Creating New Rules

Common Index Patterns

المزيد من هذا المستودع

المزيد من هذا المستودع

Detection Rule Management

Tools (via elastic-security MCP connector)

Rule Types

Tuning Strategy (in order of preference)

Creating New Rules

Common Index Patterns