Guided sigma detection rule writing from a natural language threat description. Use when the user asks to write a sigma rule, SIEM detection rule, EDR alert logic, or any "detect when X happens" question. Asks clarifying questions (logsource, MITRE ATT&CK TTP, severity), drafts YAML via mcp__plugin_wrg-sigma-rules_wrg-sigma-rules__draft_rule, validates via mcp__plugin_wrg-sigma-rules_wrg-sigma-rules__validate_rule, and offers backend conversion.
Review an existing sigma rule for spec compliance, detection quality, and improvement opportunities. Use when the user pastes a sigma YAML rule, asks "is this rule any good", asks for a code review on a detection, or wants to harden a rule against false positives. Runs pySigma validation, best-practices linter, and produces a structured findings report with concrete fix suggestions.
Analyze a sigma rule corpus against the MITRE ATT&CK matrix and produce a coverage gap report. Use when the user asks "what TTPs am I missing", asks for a coverage report, wants to compare their detections against a threat actor profile (e.g. APT29, Scattered Spider), or wants a prioritized list of detection rules to write next. Reads a directory of sigma rules, cross-references against the ATT&CK matrix resource, and outputs gap analysis with priority ranking.