asp-siem-rule

asp-siem-rule writes and validates ASP SIEM detection rules. Use it to turn threat scenarios into Splunk SPL or ELK ES|QL queries.

Invocation

```text
/asp-siem-rule
```

The skill first establishes the target platform and the data source (index or data stream) the rule will run against, then validates the resulting queries with `asp siem query spl` or `asp siem query esql`.

Common Examples

```text
/asp-siem-rule generate SPL for multiple failed logins followed by a successful login
```

```text
/asp-siem-rule write an ES|QL query for suspicious PowerShell processes in the last hour
```

```text
/asp-siem-rule validate whether this SPL returns sample events
```
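The first example above asks the skill for an SPL rule, and the third asks it to check that a rule actually matches sample events. The block below is an added illustration of what that rule has to express, not code from asp-siem-rule or the asp CLI: it carries an assumed SPL rendering of the pattern and a plain-Python implementation of the same logic run over constructed sample events, so the reader can see which events should and should not fire before handing the query to `asp siem query spl`. The field names (`user`, `src_ip`, `action`, `_time`), the `auth` index, the threshold of 5 failures and the 10-minute window are all assumptions chosen for illustration.

```python
"""Reference logic for 'multiple failed logins followed by a successful login'.

Added example; not part of asp-siem-rule or the asp CLI. Field names, index
name, threshold and window are assumptions, not a real schema.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5            # assumed: failures needed before a success is suspicious
WINDOW = timedelta(minutes=10)  # assumed: how far back failures are counted

# Assumed SPL for the same pattern. streamstats keeps a trailing count of
# failures per user/src_ip over WINDOW; the success row then carries how many
# failures preceded it. Adjust index and field names to your environment.
SPL = r"""
index=auth (action=failure OR action=success)
| sort 0 _time
| streamstats time_window=10m count(eval(action="failure")) AS failures BY user, src_ip
| where action="success" AND failures >= 5
"""

# Constructed sample events: "<ISO time> <user> <src_ip> <failure|success>".
SAMPLE_EVENTS = [
    "2026-07-02T00:00:05 alice 10.0.0.5 failure",
    "2026-07-02T00:00:20 alice 10.0.0.5 failure",
    "2026-07-02T00:00:35 alice 10.0.0.5 failure",
    "2026-07-02T00:00:50 alice 10.0.0.5 failure",
    "2026-07-02T00:01:05 alice 10.0.0.5 failure",
    "2026-07-02T00:01:40 alice 10.0.0.5 success",  # 5 failures then success: should fire
    "2026-07-02T00:02:00 bob 10.0.0.9 failure",
    "2026-07-02T00:02:10 bob 10.0.0.9 failure",
    "2026-07-02T00:02:30 bob 10.0.0.9 success",    # only 2 failures: should not fire
    "2026-07-02T00:03:00 carol 10.0.0.7 failure",
    "2026-07-02T00:03:10 carol 10.0.0.7 failure",
    "2026-07-02T00:03:20 carol 10.0.0.7 failure",
    "2026-07-02T00:03:30 carol 10.0.0.7 failure",
    "2026-07-02T00:03:40 carol 10.0.0.7 failure",
    "2026-07-02T00:20:00 carol 10.0.0.7 success",  # success outside the window: should not fire
]


def parse_event(line):
    """Turn one constructed sample line into a dict shaped like a SIEM event."""
    ts, user, src_ip, action = line.split()
    return {"_time": datetime.fromisoformat(ts), "user": user,
            "src_ip": src_ip, "action": action}


def detect(lines, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return one alert per success that follows >= threshold failures within window.

    Mirrors the streamstats logic: events are processed in time order and a
    per-(user, src_ip) deque holds the timestamps of failures still inside the
    window. A success clears the streak so one burst yields one alert.
    """
    events = sorted((parse_event(l) for l in lines), key=lambda e: e["_time"])
    recent = defaultdict(deque)
    alerts = []
    for ev in events:
        key = (ev["user"], ev["src_ip"])
        q = recent[key]
        # Drop failures that have aged out of the trailing window.
        while q and ev["_time"] - q[0] > window:
            q.popleft()
        if ev["action"] == "failure":
            q.append(ev["_time"])
        elif ev["action"] == "success":
            if len(q) >= threshold:
                alerts.append({"user": ev["user"], "src_ip": ev["src_ip"],
                               "failures": len(q), "_time": ev["_time"].isoformat()})
            q.clear()
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Running the block prints a single alert for `alice` from `10.0.0.5`; `bob` stays below the threshold and `carol`'s success falls outside the window. The one deliberate difference from the assumed SPL is that the Python version clears the failure streak after a success, so a second success a minute later does not alert again; in SPL the equivalent de-duplication would be a `dedup` or a notable-event throttle in the alert configuration.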

Related CLI commands:

```powershell
asp siem query spl "index=main error" --from 2026-07-02T00:00:00Z --to 2026-07-02T01:00:00Z --output json
asp siem query esql "FROM logs-* | LIMIT 10" --from 2026-07-02T00:00:00Z --to 2026-07-02T01:00:00Z --output json
```