Detection Coverage Analysis
by MHaggis
Analyzes detection coverage using Sigma, Splunk, and Elastic rules. Use when checking coverage for techniques, tactics, threat actors, or generating Navigator layers from detections.
Repository Files: 1 file in this skill directory
---
name: detection-coverage-analysis
description: Analyzes detection coverage using Sigma, Splunk, and Elastic rules. Use when checking coverage for techniques, tactics, threat actors, or generating Navigator layers from detections.
---

# Detection Coverage Analysis

## Efficient Tools (Use These!)

### Get Coverage Stats

```
analyze_coverage(source_type: "elastic")
```

Returns coverage % by tactic, top techniques, and weak spots.

### Find Gaps by Threat Profile

```
identify_gaps(threat_profile: "ransomware")
identify_gaps(threat_profile: "apt")
identify_gaps(threat_profile: "persistence")
```

Returns prioritized P0/P1/P2 gaps with recommendations.

### Get Detection Suggestions

```
suggest_detections(technique_id: "T1059.001")
```

Returns existing detections, the data sources needed, and detection ideas.

### Generate Navigator Layer

```
generate_navigator_layer(
  name: "Elastic Initial Access",
  source_type: "elastic",
  tactic: "initial-access"
)
```

Returns ready-to-import Navigator JSON.

### Get Just Technique IDs

```
get_technique_ids(source_type: "elastic", tactic: "persistence")
```

Returns ~200 bytes instead of ~50KB.
## Threat Profiles Available

| Profile | Key Techniques |
|---|---|
| ransomware | T1486, T1490, T1027, T1547 |
| apt | T1003, T1021, T1053, T1071 |
| initial-access | T1566, T1190, T1078 |
| persistence | T1547, T1543, T1053 |
| credential-access | T1003.*, T1555, T1552 |
| defense-evasion | T1027, T1070, T1055 |
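To make the coverage, gap and layer outputs above concrete, here is an added Python example (not the skill's own code, which runs server-side) that counts per-technique coverage over a constructed set of MITRE-tagged rules, finds gaps against two of the threat profiles in the table (including the `T1003.*` wildcard row), and builds a Navigator layer dict scored by rule count. The rule record shape and the Navigator version strings are assumptions.

```python
from collections import Counter

# Constructed sample rules tagged with MITRE technique IDs (not real Elastic/Sigma rule content).
SAMPLE_RULES = [
    {"name": "PowerShell encoded command", "tactic": "execution", "techniques": ["T1059.001"]},
    {"name": "Scheduled task created", "tactic": "persistence", "techniques": ["T1053.005"]},
    {"name": "Run key added", "tactic": "persistence", "techniques": ["T1547.001"]},
    {"name": "Run key modified", "tactic": "persistence", "techniques": ["T1547.001"]},
    {"name": "LSASS handle access", "tactic": "credential-access", "techniques": ["T1003.001"]},
]

# Two of the threat profiles from the table; "T1003.*" is a wildcard over sub-techniques.
THREAT_PROFILES = {
    "ransomware": ["T1486", "T1490", "T1027", "T1547"],
    "credential-access": ["T1003.*", "T1555", "T1552"],
}

def coverage_by_technique(rules, tactic=None):
    """Number of rules tagged with each technique ID, optionally limited to one tactic."""
    counts = Counter()
    for rule in rules:
        if tactic is None or rule["tactic"] == tactic:
            counts.update(rule["techniques"])
    return dict(counts)

def _matches(profile_entry, technique_id):
    """T1547 matches T1547 and T1547.001; T1003.* matches any T1003 sub-technique."""
    base = profile_entry[:-2] if profile_entry.endswith(".*") else profile_entry
    return technique_id == base or technique_id.startswith(base + ".")

def identify_gaps(rules, profile):
    """Profile techniques with no rule covering them or any of their sub-techniques."""
    covered = coverage_by_technique(rules)
    return [t for t in THREAT_PROFILES[profile]
            if not any(_matches(t, tid) for tid in covered)]

def generate_navigator_layer(name, rules, tactic=None):
    """Navigator layer dict; score = rule count, so heat reflects detection depth."""
    counts = coverage_by_technique(rules, tactic)
    techniques = [{"techniqueID": tid, "score": n, "comment": f"{n} detection(s)"}
                  for tid, n in sorted(counts.items())]
    return {
        "name": name,
        "domain": "enterprise-attack",
        "versions": {"layer": "4.5", "navigator": "4.9.1", "attack": "14"},  # assumed versions
        "techniques": techniques,
        "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0,
                     "maxValue": max(counts.values(), default=1)},
    }

if __name__ == "__main__":
    print(generate_navigator_layer("Sample Persistence", SAMPLE_RULES, "persistence"))
```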
## DON'T (burns tokens)

```
# BAD - returns 200+ full detection objects
list_by_mitre_tactic(tactic: "execution")
```

## DO (efficient)

```
# GOOD - returns stats only
analyze_coverage(source_type: "elastic")
```

## Token Comparison

| Old Approach | New Approach |
|---|---|
| list_by_mitre_tactic → ~50KB | analyze_coverage → ~2KB |
| Parse in context | Done server-side |
| 25x more tokens | Efficient |