detecting-and-responding

Solid

Blue team and purple team engineering: detection rule writing, SIEM/EDR tuning, incident response, digital forensics, threat hunting, ATT&CK mapping, and closing the loop on purple team exercises. Use when writing Sigma/YARA detection rules, tuning SIEM noise, responding to security incidents, conducting forensic analysis, hunting threats, or running purple team exercises.

AI & Automation 228 stars 30 forks Updated today MIT


Quality Score: 91/100

Stars (weight 20%): 79
Recency (weight 20%): 100
Frontmatter (weight 20%): 70
Documentation (weight 15%): 100
Issue Health (weight 10%): 80
License (weight 10%): 100
Description (weight 5%): 100

Skill Content

# Blue Team Detection and Response · 镇魔盾

> Detection is engineering, not luck. Every rule must be able to answer four questions: **what / why / FP rate / response**.
> Stand on the defensive side: maintain alerts as code, manage incidents as outages, and treat hunting as hypothesis testing.
> Trust order: project logs / raw EDR events > Sigma/YARA rule repositories > the official ATT&CK matrix > training memory (mark as `[unverified]`).

## Routing

| Intent | Reference | Trigger words |
|------|------|--------|
| SIEM/EDR rules and tuning | [siem-and-edr](references/siem-and-edr.md) | Sigma, YARA, Splunk, Elastic, Sentinel, EDR, LOLBins, detection-as-code |
| Incident response and forensics | [incident-response](references/incident-response.md) | IR, NIST 800-61, triage, chain of custody, Volatility, memory, runbook, postmortem |
| Threat hunting and purple team | [threat-hunting](references/threat-hunting.md) | hunt, hypothesis, IOC, IOA, TTP, ATT&CK, Atomic Red Team, Caldera, honeypot |

## Execution chains

```
Detection: log sources → rule writing → alert severity → tuning to reduce noise → coverage matrix
Response:  identify → contain → root cause → eradicate → recover → postmortem
Hunting:   hypothesis → data sources → validate → codify as rules → automate → purple team closed loop
```

Every step must be able to answer: "Which log am I looking at? Which hypothesis am I falsifying? What is my next action?"

## When to use

| Scenario | Use | Do not use |
|------|----|----|
| Writing Sigma/YARA rules, tuning a SIEM | ✅ siem-and-edr | — |
| Handling an intrusion that has already occurred, forensics | ✅ incident-response | — |
| Hypothesis-driven hunting / purple team exercises | ✅ threat-hunting | — |
| Scoring ATT&CK detection coverage | ✅ threat-hunting | — |
| Designing application-layer defensive code | ❌ | [defending-applications](../defending-applications/SKILL.md) |
| Penetration testing, writing PoCs | ❌ | [securing-systems](../securing-systems/SKILL.md) (pentest/red-team) |
| Threat modeling, IAM architecture | ❌ | [architecting-security](../architecting-security/SKILL.md) |
| Static code scanning glue | ❌ | [analyzing-security](../analyzing-security/SKILL.md) |
| Cloud configuration baselines, K8s hardening | ❌ | [securing-cloud-and-supply-chain](../securing-cloud-and-supply-chain/SKILL.md) |

## Works with

- **securing-systems/red-te...

Details

Author: telagod
Repository: telagod/code-abyss
Created: 4 months ago
Last Updated: today
Language: JavaScript
License: MIT
