Anomaly Detection

detecting-s3-data-exfiltration-attempts helps investigate possible AWS S3 data theft by correlating CloudTrail S3 data events, GuardDuty findings, Amazon Macie alerts, and S3 access patterns. Use this detecting-s3-data-exfiltration-attempts skill for Security Audit, incident response, and suspicious bulk-download analysis.

detecting-rdp-brute-force-attacks helps analyze Windows Security Event Logs for RDP brute force patterns, including repeated 4625 failures, 4624 success after failures, NLA-related logons, and source-IP concentration. Use it for Security Audit, threat hunting, and repeatable EVTX-based investigations.

The detecting-network-anomalies-with-zeek skill helps deploy Zeek for passive network monitoring, review structured logs, and build custom detections for beaconing, DNS tunneling, and unusual protocol activity. It is suited for threat hunting, incident response, SIEM-ready network metadata, and Security Audit workflows—not inline prevention.

detecting-modbus-protocol-anomalies helps detect suspicious Modbus/TCP and Modbus RTU behavior in OT and ICS networks, including invalid function codes, out-of-range register access, abnormal polling timing, unauthorized writes, and malformed frames. Useful for a Security Audit and evidence-based triage.

detecting-beaconing-patterns-with-zeek helps analyze Zeek conn.log intervals to detect C2-style beaconing. It uses ZAT, groups flows by source, destination, and port, and scores low-jitter patterns with statistical checks. Ideal for SOC, threat hunting, incident response, and detecting-beaconing-patterns-with-zeek for Security Audit workflows.

analyzing-cloud-storage-access-patterns helps security teams detect suspicious cloud storage access in AWS S3, GCS, and Azure Blob Storage. It analyzes audit logs for bulk downloads, new source IPs, unusual API calls, bucket enumeration, after-hours access, and possible exfiltration using baseline and anomaly checks.

analyzing-azure-activity-logs-for-threats skill for querying Azure Monitor activity logs and sign-in logs to spot suspicious admin actions, impossible travel, privilege escalation, and resource tampering. Built for incident triage with KQL patterns, an execution path, and practical Azure log table guidance.

The alert-manager skill helps teams design SEO and GEO alert frameworks for ranking drops, traffic anomalies, technical issues, competitor changes, and AI visibility shifts using threshold guides and reusable templates.

The detecting-stuxnet-style-attacks skill helps defenders detect Stuxnet-like OT and ICS intrusion patterns, including PLC logic tampering, spoofed sensor data, engineering workstation compromise, and IT-to-OT lateral movement. Use it for threat hunting, incident triage, and process-integrity monitoring with protocol, host, and process evidence.

detecting-ransomware-encryption-behavior helps defenders spot ransomware-style encryption using entropy analysis, file I/O monitoring, and behavioral heuristics. It is suited for incident response, SOC tuning, and red-team validation when you need to detect mass file changes, rename bursts, and suspicious process activity quickly.

detecting-arp-poisoning-in-network-traffic helps detect ARP spoofing in live traffic or PCAPs using ARPWatch, Dynamic ARP Inspection, Wireshark, and Python checks. Built for incident response, SOC triage, and repeatable analysis of IP-to-MAC changes, gratuitous ARPs, and MITM indicators.

detecting-insider-threat-with-ueba helps you build UEBA detections in Elasticsearch or OpenSearch for insider threat cases, including behavioral baselines, anomaly scoring, peer group analysis, and correlated alerts for data exfiltration, privilege abuse, and unauthorized access. It fits detecting-insider-threat-with-ueba for Incident Response workflows.

detecting-insider-threat-behaviors helps analysts hunt insider-risk signals like unusual data access, off-hours activity, mass downloads, privilege abuse, and resignation-correlated theft. Use this detecting-insider-threat-behaviors guide for threat hunting, UEBA-style triage, and threat modeling with workflow templates, SIEM query examples, and risk weights.

detecting-dnp3-protocol-anomalies helps analyze DNP3 traffic in SCADA environments to flag unauthorized control commands, protocol violations, restart attempts, and deviations from baseline behavior. Use this detecting-dnp3-protocol-anomalies skill for Security Audit, IDS tuning, and reviewing Zeek logs or packet captures.

detecting-cryptomining-in-cloud helps security teams detect unauthorized cryptomining in cloud workloads by correlating cost spikes, mining-port traffic, GuardDuty crypto findings, and runtime process evidence. Use it for triage, detection engineering, and detecting-cryptomining-in-cloud for Security Audit workflows.

detecting-aws-cloudtrail-anomalies helps analyze AWS CloudTrail activity for unusual API sources, first-time actions, high-frequency calls, and suspicious behavior tied to credential compromise or privilege escalation. Use it for structured anomaly detection with boto3, baselining, and event-field analysis.

detecting-anomalous-authentication-patterns helps analyze authentication logs for impossible travel, brute force, password spraying, credential stuffing, and compromised-account activity. Built for Security Audit, SOC, IAM, and incident response workflows with baseline-aware detection and evidence-backed sign-in analysis.

deploying-osquery-for-endpoint-monitoring guide for deploying and configuring osquery for endpoint visibility, fleet-wide monitoring, and SQL-driven threat hunting. Use it to plan installation, read the workflow and API references, and operationalize scheduled queries, log collection, and centralized review across Windows, macOS, and Linux endpoints.

building-detection-rules-with-sigma helps analysts build portable Sigma detection rules from threat intel or vendor rules, map them to MITRE ATT&CK, and convert them for SIEMs like Splunk, Elastic, and Microsoft Sentinel. Use this building-detection-rules-with-sigma guide for Security Audit workflows, standardization, and detection-as-code.

The analyzing-web-server-logs-for-intrusion skill parses Apache and Nginx access logs to detect SQL injection, local file inclusion, directory traversal, scanner fingerprints, brute-force bursts, and anomalous request patterns. Use it for intrusion triage, threat hunting, and Security Audit workflows with GeoIP enrichment and signature-based detection.

analyzing-dns-logs-for-exfiltration helps SOC analysts detect DNS tunneling, DGA-like domains, TXT abuse, and covert C2 patterns from SIEM or Zeek logs. Use it for Security Audit workflows when you need entropy analysis, query-volume anomalies, and practical triage guidance.