
siem-query

SIEM query-builder workflow — Splunk SPL, Microsoft Sentinel/Defender KQL, Elastic EQL/KQL, with cross-translation patterns, performance tuning (data models, summary indexes, CCS), and query-by-detection-need. Source layer for detection-engineer, log-triage, and threat-hunt.
roodlicht/accans-sec-skills · ★ 4 · AI & Automation · score 65
Install: claude install-skill roodlicht/accans-sec-skills
# SIEM Query Builder

> **Performance discipline**: a correct query that does not return in reasonable time is operationally unusable. A lot of SOC time is lost to queries that scan far more data than necessary. The second half of this skill is performance discipline, not just syntax.

## When to use

This skill is the tooling substrate underneath `detection-engineer` (rules), `log-triage` (incident investigation), `threat-hunt` (proactive), and `ioc-hunter` (enrichment queries).

Triggers on:

- A question like "write an SPL for X", "translate this KQL into EQL", "why is my query slow", "which index for this data", "set up a summary index".
- Cross-platform migration, or a multi-platform organisation where the same detection logic must exist on both platforms.
- Performance tuning of existing queries that are too slow for real-time alerting.
- Setting up data models (Splunk CIM, Sentinel ASIM/Watchlist, Elastic ECS) for a consistent schema across sources.

### When NOT (handoff)

- Detection-rule design and lifecycle → `detection-engineer`, `alert-tuning`. This skill provides the query building blocks; those skills handle the lifecycle.
- Triage of live alerts/events → `log-triage`. This skill provides the query; that one analyses the result.
- IOC-feed management and threat-intel enrichment → `ioc-hunter`.
- Threat-hunt hypothesis design → `threat-hunt` (command).
- Forensic depth → `forensics-assist`.
- Log-pipeline engineering (collection, parsing, enrichment) → ops team. This skill works wi
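As an added illustration of the performance-discipline point above (example code written for this page, not part of the skill or of the accans-sec-skills repository): a small heuristic linter that flags the Splunk SPL patterns most often behind a "why is my query slow" question, run over three constructed sample queries. The check names, messages and sample queries are this example's own assumptions.

```python
import re

# Hypothetical SPL performance linter. The checks encode common Splunk guidance:
# scope the base search by index and sourcetype, bound the time range, avoid
# leading wildcards in field values, and filter before streaming commands.

def _base_search(query: str) -> str:
    """Return the generating search (the text before the first pipe); empty for
    generating commands such as '| tstats' that have no raw-event base search."""
    q = query.strip()
    return "" if q.startswith("|") else q.split("|", 1)[0]

def lint_spl(query: str) -> list[str]:
    """Return a list of performance findings for one SPL query (empty = clean)."""
    findings = []
    base = _base_search(query)
    uses_tstats = re.search(r"\|\s*tstats\b", query) is not None
    if re.search(r"\bindex\s*=\s*\*(?:\s|$)", base):
        findings.append("index=* scans every index; name the indexes that hold the data")
    if base and not uses_tstats and not re.search(r"\b(sourcetype|source)\s*=", base):
        findings.append("no sourcetype/source in the base search; every event in the index is read")
    if not re.search(r"\bearliest\s*=", query):
        findings.append("no earliest=; the query is bounded only by the time picker")
    if re.search(r'\b\w+\s*=\s*"?\*[^\s"*]', query):
        findings.append("leading wildcard in a field value defeats the index lookup")
    if re.search(r"\|\s*search\b", query):
        findings.append("'| search' after the first pipe filters after retrieval; move the terms into the base search")
    return findings

# Constructed sample queries (not from the skill): one unscoped, one scoped but
# using a leading wildcard, one tstats query over the accelerated CIM data model.
SAMPLES = {
    "slow": 'index=* "powershell" | search host=web* | stats count by host',
    "wildcard": r'index=wineventlog sourcetype=WinEventLog:Security earliest=-7d EventCode=4688 '
                r'New_Process_Name="*\\powershell.exe" | stats count by host',
    "tuned": '| tstats summariesonly=true count from datamodel=Endpoint.Processes '
             'where Processes.process_name="powershell.exe" earliest=-24h '
             'by Processes.dest, Processes.user',
}

if __name__ == "__main__":
    for name, q in SAMPLES.items():
        print(name, "->", lint_spl(q) or ["no findings"])
```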