# asp-siem-rule

asp-siem-rule writes and validates ASP SIEM detection rules. Use it to turn threat scenarios into Splunk SPL or ELK ES|QL queries.
## Invocation

```text
/asp-siem-rule
```

The skill first works out the target and the data source, then validates the resulting queries with `asp siem query spl` or `asp siem query esql`.
## Common Examples

```text
/asp-siem-rule generate SPL for multiple failed logins followed by a successful login
```

```text
/asp-siem-rule write an ES|QL query for suspicious PowerShell processes in the last hour
```

```text
/asp-siem-rule validate whether this SPL returns sample events
```

Related CLI commands:

```powershell
asp siem query spl "index=main error" --from 2026-07-02T00:00:00Z --to 2026-07-02T01:00:00Z --output json
asp siem query esql "FROM logs-* | LIMIT 10" --from 2026-07-02T00:00:00Z --to 2026-07-02T01:00:00Z --output json
```
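The following is an added example, not code from the asp-siem-rule skill or the ASP CLI. It drafts the SPL for the "multiple failed logins followed by a successful login" scenario above, checks the same logic against constructed sample auth events, and builds the `asp siem query spl ... --output json` validation command shown in the CLI list. The index, sourcetype and field names (`main`, `auth`, `user`, `action`, `src`) and the assumption that the CLI's JSON output is a list of result rows are assumptions.

```python
import json
import subprocess
from collections import defaultdict
from datetime import datetime, timedelta


def build_spl(threshold: int = 5, window_minutes: int = 10) -> str:
    """Draft SPL: >= threshold failures for one user, then a success, inside the window.
    Field names are hypothetical; adjust them to the real auth sourcetype."""
    return (
        "index=main sourcetype=auth (action=failure OR action=success) "
        f"| transaction user maxspan={window_minutes}m "
        'startswith="action=failure" endswith="action=success" '
        # eventcount includes the closing success, hence threshold + 1
        f"| where eventcount >= {threshold + 1} "
        "| table _time user src eventcount"
    )


def detect(events, threshold: int = 5, window_minutes: int = 10):
    """Local check of the rule logic: users with >= threshold failures in the
    window before a success. Lets you sanity-check the SPL before running it."""
    window = timedelta(minutes=window_minutes)
    failures, hits = defaultdict(list), set()
    for ev in sorted(events, key=lambda e: e["_time"]):
        t = datetime.fromisoformat(ev["_time"])
        if ev["action"] == "failure":
            failures[ev["user"]].append(t)
        elif ev["action"] == "success":
            recent = [f for f in failures[ev["user"]] if t - f <= window]
            if len(recent) >= threshold:
                hits.add(ev["user"])
            failures[ev["user"]].clear()  # a success resets the streak
    return sorted(hits)


def build_validate_cmd(spl: str, start: str, end: str):
    """argv for the documented CLI form: asp siem query spl <SPL> --from --to --output json."""
    return ["asp", "siem", "query", "spl", spl,
            "--from", start, "--to", end, "--output", "json"]


def validate(spl: str, start: str, end: str) -> bool:
    """Run the query against the SIEM; True if it returned sample events (assumes JSON list)."""
    proc = subprocess.run(build_validate_cmd(spl, start, end),
                          capture_output=True, text=True, check=True)
    return len(json.loads(proc.stdout)) > 0


# Constructed sample events: alice fails 6 times then succeeds, bob fails once then succeeds.
SAMPLE_EVENTS = [{"_time": f"2026-07-02T00:0{i}:00", "user": "alice", "action": "failure"}
                 for i in range(6)] + [
    {"_time": "2026-07-02T00:08:00", "user": "alice", "action": "success"},
    {"_time": "2026-07-02T00:01:00", "user": "bob", "action": "failure"},
    {"_time": "2026-07-02T00:02:00", "user": "bob", "action": "success"},
]

if __name__ == "__main__":
    print(build_spl())
    print("local hits:", detect(SAMPLE_EVENTS))  # ['alice']
    print(validate(build_spl(), "2026-07-02T00:00:00Z", "2026-07-02T01:00:00Z"))
```

`validate()` needs a reachable ASP CLI; the local `detect()` check runs offline.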