roth_skill

This skill helps you craft portable detection rules with Sigma and YARA, so the same detection logic can be shared across platforms and held to the quality conventions of the community rule sets.
  • Language: Python
  • GitHub Stars: 3
  • Bundled Files: 1
  • Catalog Refreshed: 3 weeks ago
  • First Indexed: 2 months ago

Readme & install


Installation


npx veilstart add skill copyleftdev/sk1llz --skill roth

  • SKILL.md (17.0 KB)

Overview

This skill applies Florian Roth's detection engineering methodology to author Sigma and YARA rules that are portable, high-quality, and community-ready. It focuses on shareable detection logic, signature quality scoring, and conversion of Sigma rules to SIEM query languages. Use it to produce tested, documented rules that work across platforms and teams.

How this skill works

The skill parses Sigma YAML into a SigmaRule model and generates target SIEM queries (Splunk SPL, Elastic's Kibana KQL, Microsoft Sentinel's Kusto KQL, and others) using configurable field mappings and handling for Sigma value modifiers such as contains, startswith, endswith and all. It also provides YARA rule templates and a rule-quality assessment framework that scores accuracy, coverage, performance, maintainability, and documentation. Outputs include rule files, converted queries, false-positive notes, and improvement recommendations.
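As an added illustration of the conversion step described above (example code written for this page, not the skill's own implementation), the Python below takes a constructed Sigma-style rule for the PowerShell download-cradle case listed under the use cases, applies assumed per-backend field maps, and renders Splunk SPL and Defender/Sentinel-style KQL from the rule's condition. The rule dict, the field names, the log-source prefixes and the "benign parent process" in the filter are all assumptions; a real workflow would load the rule with yaml.safe_load and use mappings that match its own telemetry schema. Condition forms the example does not handle (such as "1 of selection_*") are refused rather than mistranslated.

```python
# Added example, not the skill's own code: render a Sigma-style rule (a dict
# here; a real workflow would yaml.safe_load() the .yml) into Splunk SPL and
# Kusto KQL. Field names, log-source prefixes and the rule are assumptions.
import re

RULE = {  # constructed rule, modelled on the PowerShell download-cradle pattern
    "title": "PowerShell Download Cradle",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {
            "Image|endswith": ["\\powershell.exe", "\\pwsh.exe"],
            "CommandLine|contains": ["DownloadString", "DownloadFile",
                                     "Invoke-WebRequest", "IEX"],
        },
        # Known-legitimate cases live in a filter selection that the condition
        # subtracts, instead of loosening the main selection.
        "filter_legitimate": {"ParentImage|endswith": "\\ccmexec.exe"},  # assumed benign parent
        "condition": "selection and not filter_legitimate",
    },
}

# Assumed Sigma-field -> backend-field mappings and log-source prefixes;
# adapt these to your own telemetry schema.
FIELD_MAPS = {
    "splunk": {"Image": "process_name", "CommandLine": "process",
               "ParentImage": "parent_process_name"},
    "kql": {"Image": "FolderPath", "CommandLine": "ProcessCommandLine",
            "ParentImage": "InitiatingProcessFolderPath"},
}
LOGSOURCES = {
    "splunk": {"process_creation":
               'sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1'},
    "kql": {"process_creation": "DeviceProcessEvents"},
}
BOOL_OPS = {"splunk": {"and": "AND", "or": "OR", "not": "NOT"},
            "kql": {"and": "and", "or": "or", "not": "not"}}


def _parse_key(key):
    """Split 'CommandLine|contains|all' into (field, modifier, all_flag)."""
    field, *mods = key.split("|")
    all_flag = "all" in mods
    mods = [m for m in mods if m != "all"]
    if len(mods) > 1 or (mods and mods[0] not in ("contains", "startswith", "endswith")):
        raise ValueError(f"unsupported modifier chain in {key!r}")
    return field, (mods[0] if mods else None), all_flag


def _render_value(field, modifier, value, backend):
    v = str(value).replace("\\", "\\\\").replace('"', '\\"')  # both backends quote with "
    if backend == "splunk":  # modifiers become wildcard patterns
        pattern = {None: v, "contains": f"*{v}*", "startswith": f"{v}*", "endswith": f"*{v}"}
        return f'{field}="{pattern[modifier]}"'
    ops = {None: "=~", "contains": "contains", "startswith": "startswith", "endswith": "endswith"}
    return f'{field} {ops[modifier]} "{v}"'  # case-insensitive KQL operators, like Sigma


def render_selection(detection, name, backend):
    """Fields within a selection are ANDed; list values are ORed (ANDed with |all)."""
    spec = detection[name]
    if not isinstance(spec, dict):
        raise ValueError(f"selection {name!r}: only field maps are supported here")
    ops, clauses = BOOL_OPS[backend], []
    for key, values in spec.items():
        field, modifier, all_flag = _parse_key(key)
        mapped = FIELD_MAPS[backend].get(field, field)
        values = values if isinstance(values, list) else [values]
        parts = [_render_value(mapped, modifier, v, backend) for v in values]
        joined = f" {ops['and'] if all_flag else ops['or']} ".join(parts)
        clauses.append(f"({joined})" if len(parts) > 1 else joined)
    return f" {ops['and']} ".join(clauses)


def convert(rule, backend):
    """Walk the condition token by token, substituting rendered selections."""
    det = rule["detection"]
    names = {k for k in det if k != "condition"}
    ops, out = BOOL_OPS[backend], []
    for tok in re.findall(r"\(|\)|[\w*]+", det["condition"]):
        if tok.lower() in ops:
            out.append(ops[tok.lower()])
        elif tok in names:
            out.append(f"({render_selection(det, tok, backend)})")
        elif tok in ("(", ")"):
            out.append(tok)
        else:  # '1 of selection_*', 'all of them', ...: refuse rather than mistranslate
            raise ValueError(f"unsupported condition token {tok!r}")
    body = " ".join(out)
    prefix = LOGSOURCES[backend][rule["logsource"]["category"]]
    return f"{prefix} {body}" if backend == "splunk" else f"{prefix}\n| where {body}"


if __name__ == "__main__":
    for backend in ("splunk", "kql"):
        print(f"--- {backend} ---\n{convert(RULE, backend)}\n")
```

The design point is that Sigma stays the single source: the field map and the log-source prefix are the only per-backend knobs, and the filter selection is rendered as "AND NOT (...)" so the legitimate case is documented in the rule rather than hidden in a platform-specific query.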

When to use it

  • Creating new detection rules intended for multiple SIEMs
  • Converting Sigma rules into Splunk, Elastic, Sentinel, or QRadar queries
  • Authoring YARA signatures for malware hunting and memory analysis
  • Assessing and improving rule quality before production deployment
  • Sharing, versioning, and documenting rules for community reuse

Best practices

  • Write Sigma as the canonical source; avoid embedding SIEM-specific syntax in shared rules
  • Include metadata: author, date, a stable UUID in the id field, status, references, and MITRE ATT&CK tags
  • Document false positives and test rules in a staging environment before production
  • Prefer behavioral indicators and layered detection over brittle string matches
  • Version control rules and publish community-facing references and notes
  • Regularly review and tune rules based on telemetry and false-positive metrics

Example use cases

  • Detect PowerShell download cradles across Windows SIEMs using one Sigma rule and converted KQL/SPL queries
  • Author YARA rules to find Cobalt Strike beacons in memory and file scans
  • Run a quality assessment on a rule set to identify performance bottlenecks and improve accuracy
  • Convert community Sigma rules into platform queries and adapt field mappings for your telemetry schema
  • Bundle Sigma + YARA + metadata for incident response runbooks and community sharing

FAQ

What metadata should every rule carry?

Always include title, UUID (the id field), status, description, author, date, references, tags (MITRE ATT&CK), logsource, falsepositives, and level.

How do I reduce false positives?

Test rules on representative telemetry, move known-legitimate activity into filter selections (for example filter_legitimate) that the condition subtracts with "and not", prefer behavioral patterns over brittle strings, and document the legitimate cases under falsepositives so the next maintainer can refine the conditions.
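The two FAQ answers above describe a checklist a reviewer applies by hand. As an added example (written for this page, not the skill's own quality-assessment code), the Python below turns the metadata answer into a lint pass over a Sigma rule held as a dict: every field the answer lists must be present, the id must parse as a UUID, status and level must be drawn from the values the public Sigma specification allows, at least one tag must name an ATT&CK technique, and falsepositives must name a concrete case rather than only "Unknown". The sample rule and its UUID are constructed for the example.

```python
# Added example, not the skill's own code: metadata completeness lint for a
# Sigma rule held as a dict. Allowed status/level values follow the public
# Sigma specification; the sample rule below is constructed.
import re
import uuid
from datetime import datetime

REQUIRED = ("title", "id", "status", "description", "author", "date", "references",
            "tags", "logsource", "detection", "falsepositives", "level")
STATUSES = {"experimental", "test", "stable", "deprecated", "unsupported"}
LEVELS = {"informational", "low", "medium", "high", "critical"}
TECHNIQUE = re.compile(r"^attack\.t\d{4}(\.\d{3})?$")  # e.g. attack.t1059.001

SAMPLE_RULE = {  # constructed; the UUID is illustrative
    "title": "PowerShell Download Cradle",
    "id": "7c1f0a8e-3d2b-4f7a-9c5e-0b1a2c3d4e5f",
    "status": "experimental",
    "description": "Detects PowerShell fetching remote content via common cradle verbs.",
    "author": "example",
    "date": "2024-05-01",
    "references": ["https://example.invalid/ref"],
    "tags": ["attack.execution", "attack.t1059.001"],
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {"selection": {"CommandLine|contains": "DownloadString"},
                  "condition": "selection"},
    "falsepositives": ["Software deployment scripts that fetch installers"],
    "level": "medium",
}


def _parses(text, fmt):
    try:
        datetime.strptime(text, fmt)
        return True
    except ValueError:
        return False


def lint(rule):
    """Return a list of findings; an empty list means the rule is share-ready."""
    findings = [f"missing field: {f}" for f in REQUIRED if f not in rule]
    if "id" in rule:
        try:
            uuid.UUID(str(rule["id"]))
        except ValueError:
            findings.append("id must be a UUID")
    if "status" in rule and rule["status"] not in STATUSES:
        findings.append(f"status must be one of {sorted(STATUSES)}")
    if "level" in rule and rule["level"] not in LEVELS:
        findings.append(f"level must be one of {sorted(LEVELS)}")
    if "date" in rule and not any(_parses(str(rule["date"]), f) for f in ("%Y-%m-%d", "%Y/%m/%d")):
        findings.append("date must be YYYY-MM-DD (or legacy YYYY/MM/DD)")
    if "tags" in rule and not any(TECHNIQUE.match(str(t)) for t in rule["tags"] or []):
        findings.append("tags must include an ATT&CK technique tag such as attack.t1059.001")
    if "references" in rule and not rule["references"]:
        findings.append("references must not be empty")
    fps = [str(x).strip() for x in rule.get("falsepositives") or []]
    if "falsepositives" in rule and (not fps or all(x.lower() == "unknown" for x in fps)):
        findings.append("falsepositives must name concrete legitimate cases, not just 'Unknown'")
    if "detection" in rule and "condition" not in (rule["detection"] or {}):
        findings.append("detection must have a condition")
    return findings


if __name__ == "__main__":
    print(lint(SAMPLE_RULE) or "no findings")
```

Running lint as a pre-commit or CI step on the rule repository is the cheapest way to keep the "documentation" dimension of a quality score from regressing; the substantive checks (accuracy and performance on real telemetry) still need the staging run the best practices call for.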

Built by VeilStrat
© 2026 VeilStrat. All rights reserved.