SIEM Detection — Detection Engineering

Build, audit, and maintain SIEM detection content — the rules that fire alerts. Distinct from incident-triage (responds when alerts fire) and from soc-operations (runs the SOC that triages alerts). This skill is the engineering layer: log coverage, rule authoring, tuning, and detection-as-code workflows.

Cross-references: incident-triage for what happens after the alert, threat-hunting for proactive hypothesis-driven hunts that often graduate into detection rules, breach-patterns for detection ideas pulled from public breach disclosures, soc-operations for the alert-triage operations on top of the detections engineered here.

Scope

This skill covers:

  • Log source coverage assessment ("are we even collecting the events we'd need to detect X?")
  • Rule authoring across major SIEM query languages (Sigma, KQL, SPL, Elastic ES|QL, Chronicle YARA-L)
  • MITRE ATT&CK mapping — every rule tagged with technique IDs for coverage analysis
  • Detection-as-code workflows (rules in Git, CI tests, deployment automation)
  • Alert tuning workflow — reducing false positives without losing true positives
  • Coverage gap analysis using ATT&CK Navigator
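The detection-as-code and ATT&CK-mapping items above come together in a CI lint: every rule must carry a technique tag and a falsepositives note before it is merged, and the same tags feed the coverage gap analysis. The following is an added example, not code from the skill or the repository; it assumes rules have already been loaded from Sigma YAML into dicts (as yaml.safe_load would produce), the rule ids are constructed placeholders, and the field checks are ones a team would choose for itself.

```python
import re

# Constructed sample rules shaped like Sigma rules after yaml.safe_load(). The second
# one deliberately lacks a technique tag and a falsepositives note so the lint flags it.
SAMPLE_RULES = [
    {"title": "Suspicious Encoded PowerShell Command",
     "id": "c0ffee00-0000-4000-8000-000000000001",  # constructed id
     "logsource": {"product": "windows", "category": "process_creation"},
     "detection": {"selection": {"Image|endswith": "\\powershell.exe",
                                 "CommandLine|contains": "-EncodedCommand"},
                   "condition": "selection"},
     "falsepositives": ["Signed admin scripts that use encoded commands"],
     "level": "medium",
     "tags": ["attack.execution", "attack.t1059.001"]},
    {"title": "Scheduled Task Created by Office App",
     "id": "c0ffee00-0000-4000-8000-000000000002",  # constructed id
     "logsource": {"product": "windows", "category": "process_creation"},
     "detection": {"selection": {"Image|endswith": "\\schtasks.exe"},
                   "condition": "selection"},
     "level": "high",
     "tags": ["attack.persistence"]},
]

REQUIRED = ("title", "id", "logsource", "detection", "level")
TECHNIQUE = re.compile(r"^attack\.t\d{4}(\.\d{3})?$")  # attack.t1059 or attack.t1059.001

def lint_rule(rule):
    """Return CI findings for one rule; an empty list means it may be merged."""
    findings = [f"missing required field: {f}" for f in REQUIRED if f not in rule]
    if not any(TECHNIQUE.match(t) for t in rule.get("tags", [])):
        findings.append("no ATT&CK technique tag (attack.tNNNN[.NNN])")
    if "condition" not in rule.get("detection", {}):
        findings.append("detection block has no condition")
    if not rule.get("falsepositives"):
        findings.append("falsepositives is empty; document expected benign hits")
    return findings

def attack_coverage(rules):
    """Map technique ID -> rule titles, the input for an ATT&CK Navigator layer."""
    coverage = {}
    for r in rules:
        for t in r.get("tags", []):
            if TECHNIQUE.match(t):
                coverage.setdefault(t.split(".", 1)[1].upper(), []).append(r["title"])
    return coverage

for r in SAMPLE_RULES:
    print(r["title"], "->", lint_rule(r) or "OK")
print(attack_coverage(SAMPLE_RULES))
```

Techniques absent from the coverage map are the gaps to review; a rule that only carries a tactic tag such as attack.persistence contributes nothing to it.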
First Seen: May 27, 2026
siem-detection — briiirussell/cybersecurity-skills