Monitoring

Browse Monitoring agent skills in Security and compare related workflows, tools, and use cases.

42 skills
security-scan

by affaan-m

The security-scan skill audits your Claude Code .claude/ configuration for secrets, risky MCP setup, injection-prone instructions, dangerous bypass flags, and weak agent or hook definitions using AgentShield. Use it for repeatable security checks before committing or onboarding.

Security Audit
Favorites 0 | GitHub 156.3k
canary-watch

by affaan-m

canary-watch is a post-deploy monitoring skill for checking a live URL for regressions after releases, merges, or dependency updates across staging or production.

Monitoring
Favorites 0 | GitHub 156.1k
canary

by garrytan

canary is a post-deploy monitoring skill that watches live apps for console errors, page failures, and performance regressions. It compares current behavior against a pre-deploy baseline so you can verify a release, catch broken pages, and spot visible anomalies with less guesswork than a generic prompt.

Monitoring
Favorites 0 | GitHub 91.8k
python-observability

by wshobson

python-observability helps you instrument Python services with structured logging, metrics, traces, correlation IDs, and bounded-cardinality patterns for production debugging and safer observability rollouts.

Observability
Favorites 0 | GitHub 32.6k
grafana-dashboards

by wshobson

grafana-dashboards helps agents design production Grafana dashboards for observability. Use it to plan RED and USE-based layouts, choose panel hierarchy, and draft dashboard structure for Prometheus-style metrics.

Observability
Favorites 0 | GitHub 32.6k
prometheus-configuration

by wshobson

prometheus-configuration helps you install and use Prometheus for scraping, retention, alerting, and recording rules across Kubernetes, Docker Compose, and server setups.

Observability
Favorites 0 | GitHub 32.6k
slo-implementation

by wshobson

Use the slo-implementation skill to define SLIs, SLOs, error budgets, and burn-rate alerts for Reliability work. It helps teams turn service goals into measurable targets with PromQL-style examples and practical guidance from SKILL.md.

Reliability
Favorites 0 | GitHub 32.6k
distributed-tracing

by wshobson

Use the distributed-tracing skill to design and explain request tracing across microservices with Jaeger and Tempo. Covers install basics, trace and span concepts, Kubernetes setup patterns, context propagation, and practical usage for observability and latency debugging.

Observability
Favorites 0 | GitHub 32.6k
appinsights-instrumentation

by github

appinsights-instrumentation helps instrument Azure-hosted web apps with Application Insights. It guides App Service auto-instrumentation or manual ASP.NET Core and Node.js setup, including connection string and IaC updates.

Observability
Favorites 0 | GitHub 27.8k
detecting-shadow-it-cloud-usage

by mukul975

detecting-shadow-it-cloud-usage helps identify unauthorized SaaS and cloud usage from proxy logs, DNS queries, and netflow. It classifies domains, compares them with approved lists, and supports security audit workflows with structured evidence.

Security Audit
Favorites 0 | GitHub 6.2k
detecting-rdp-brute-force-attacks

by mukul975

detecting-rdp-brute-force-attacks helps analyze Windows Security Event Logs for RDP brute force patterns, including repeated 4625 failures, 4624 success after failures, NLA-related logons, and source-IP concentration. Use it for Security Audit, threat hunting, and repeatable EVTX-based investigations.

Security Audit
Favorites 0 | GitHub 6.2k
detecting-network-anomalies-with-zeek

by mukul975

The detecting-network-anomalies-with-zeek skill helps deploy Zeek for passive network monitoring, review structured logs, and build custom detections for beaconing, DNS tunneling, and unusual protocol activity. It is suited for threat hunting, incident response, SIEM-ready network metadata, and Security Audit workflows—not inline prevention.

Security Audit
Favorites 0 | GitHub 6.1k
detecting-beaconing-patterns-with-zeek

by mukul975

detecting-beaconing-patterns-with-zeek helps analyze Zeek conn.log intervals to detect C2-style beaconing. It uses ZAT, groups flows by source, destination, and port, and scores low-jitter patterns with statistical checks. Ideal for SOC, threat hunting, incident response, and Security Audit workflows.

Security Audit
Favorites 0 | GitHub 6.1k
configuring-host-based-intrusion-detection

by mukul975

configuring-host-based-intrusion-detection is a guide for setting up HIDS with Wazuh, OSSEC, or AIDE to monitor file integrity, system changes, and compliance-focused endpoint security for Security Audit workflows.

Security Audit
Favorites 0 | GitHub 6.1k
analyzing-azure-activity-logs-for-threats

by mukul975

analyzing-azure-activity-logs-for-threats is a skill for querying Azure Monitor activity logs and sign-in logs to spot suspicious admin actions, impossible travel, privilege escalation, and resource tampering. Built for incident triage with KQL patterns, an execution path, and practical Azure log table guidance.

Incident Triage
Favorites 0 | GitHub 6.1k
azure-monitor-opentelemetry-ts

by microsoft

azure-monitor-opentelemetry-ts helps instrument Node.js apps with Azure Monitor and OpenTelemetry for distributed traces, metrics, and logs. Use this azure-monitor-opentelemetry-ts skill to install the package, set APPLICATIONINSIGHTS_CONNECTION_STRING, and follow the correct startup order for auto-instrumentation.

Observability
Favorites 0 | GitHub 2.3k
azure-monitor-opentelemetry-py

by microsoft

azure-monitor-opentelemetry-py is the Azure Monitor OpenTelemetry distro for Python. Use it for one-line Application Insights setup, auto-instrumentation, and practical Azure Monitor telemetry with minimal app code changes.

Monitoring
Favorites 0 | GitHub 2.3k
alert-manager

by aaron-he-zhu

The alert-manager skill helps teams design SEO and GEO alert frameworks for ranking drops, traffic anomalies, technical issues, competitor changes, and AI visibility shifts using threshold guides and reusable templates.

Monitoring
Favorites 0 | GitHub 679
detecting-container-escape-with-falco-rules

by mukul975

detecting-container-escape-with-falco-rules helps detect container escape attempts with Falco runtime security rules. It focuses on syscall signals, privileged containers, host-path abuse, validation, and incident response workflows for Kubernetes and Linux container environments.

Incident Response
Favorites 0 | GitHub 0
detecting-wmi-persistence

by mukul975

The detecting-wmi-persistence skill helps threat hunters and DFIR analysts detect WMI event subscription persistence in Windows telemetry using Sysmon Event IDs 19, 20, and 21. Use it to identify malicious EventFilter, EventConsumer, and FilterToConsumerBinding activity, validate findings, and separate attacker persistence from benign admin automation.

Threat Hunting
Favorites 0 | GitHub 0
detecting-arp-poisoning-in-network-traffic

by mukul975

detecting-arp-poisoning-in-network-traffic helps detect ARP spoofing in live traffic or PCAPs using ARPWatch, Dynamic ARP Inspection, Wireshark, and Python checks. Built for incident response, SOC triage, and repeatable analysis of IP-to-MAC changes, gratuitous ARPs, and MITM indicators.

Incident Response
Favorites 0 | GitHub 0
detecting-cryptomining-in-cloud

by mukul975

detecting-cryptomining-in-cloud helps security teams detect unauthorized cryptomining in cloud workloads by correlating cost spikes, mining-port traffic, GuardDuty crypto findings, and runtime process evidence. Use it for triage, detection engineering, and Security Audit workflows.

Security Audit
Favorites 0 | GitHub 0
detecting-container-escape-attempts

by mukul975

detecting-container-escape-attempts helps investigate, detect, and triage container escape signals in Docker and Kubernetes. Use this detecting-container-escape-attempts guide for incident triage, escape vectors, alert interpretation, and response workflows based on Falco, Sysdig, auditd, and container inspection evidence.

Incident Triage
Favorites 0 | GitHub 0
detecting-attacks-on-historian-servers

by mukul975

detecting-attacks-on-historian-servers helps detect suspicious activity on OT historian servers like OSIsoft PI, Ignition, and Wonderware at the IT/OT boundary. Use this detecting-attacks-on-historian-servers guide for Incident Response, unauthorized queries, data manipulation, API abuse, and lateral-movement triage.

Incident Response
Favorites 0 | GitHub 0