detecting-attacks-on-historian-servers
by mukul975

detecting-attacks-on-historian-servers helps detect suspicious activity on OT historian servers like OSIsoft PI, Ignition, and Wonderware at the IT/OT boundary. Use this detecting-attacks-on-historian-servers guide for Incident Response, unauthorized queries, data manipulation, API abuse, and lateral-movement triage.
This skill scores 68/100, which means it is listable but best presented with caution: it offers a real OT-specific workflow for detecting attacks on historian servers, yet users should expect some setup and execution details to still require interpretation. The repository gives enough signal for an install decision page because it defines when to use it, includes a detection reference, and ships a supporting script, but it is not fully turnkey.
- Clearly scoped to historian-server attack detection at the IT/OT boundary, with explicit use cases and non-use cases in SKILL.md.
- Includes operational detail beyond marketing copy, including an API reference with platform endpoints and attack indicators.
- Ships a Python detection script and reference material, which suggests reusable leverage for agents rather than a placeholder skill.
- No install command in SKILL.md, so users may need to figure out dependencies and setup manually.
- The excerpt shows some breadth across historian platforms and indicators, but the exact end-to-end workflow is only partially visible, so agents may still need clarification for stepwise execution.
Overview of detecting-attacks-on-historian-servers skill
What this skill does
The detecting-attacks-on-historian-servers skill helps you detect suspicious activity against OT historian servers such as OSIsoft PI, Ignition, Wonderware, and similar systems that sit between enterprise IT and control networks. It is aimed at Incident Response, OT security monitoring, and triage workflows where the real job is to decide whether historian access is normal operations, unauthorized data access, or a pivot point for lateral movement.
Who should install it
Install the detecting-attacks-on-historian-servers skill if you investigate historian exposure, validate data integrity after an OT incident, or need faster detection logic for historian-specific abuse. It is most useful for defenders who already know their historian environment and want structured guidance, not for teams looking for generic database hardening or historian deployment advice.
Why it is different
This skill is more decision-oriented than a generic prompt: it focuses on historian attack indicators, authentication and access anomalies, exposed management endpoints, and abuse of historian APIs. The repository also includes a small detection script and a compact API reference, which makes the skill more practical than a pure narrative playbook.
How to Use detecting-attacks-on-historian-servers skill
Install and load it
Use the install path shown by the directory workflow: npx skills add mukul975/Anthropic-Cybersecurity-Skills --skill detecting-attacks-on-historian-servers. After install, open the skill content in the repo and treat it as an operating guide for historian-focused detection, especially if you are using the skill for Incident Response and need quick triage prompts.
Start with the right inputs
The skill works best when you provide the historian platform, the asset role, and the suspicious behavior. Strong inputs look like: “Investigate possible unauthorized PI Web API access from an external IP,” “Triage repeated failed logins on Ignition Gateway,” or “Check whether historian reads indicate bulk export before an incident.” Weak inputs like “analyze historian security” force the model to guess the platform, the threat path, and the urgency.
Read these files first
For setup and usage, read SKILL.md first, then references/api-reference.md for platform endpoints and indicators, and scripts/agent.py to understand the kind of checks the skill can drive. If you are deciding whether the skill fits your environment, those three files tell you more than a quick skim of the repo tree.
Use it in a detection workflow
The best detecting-attacks-on-historian-servers usage pattern is: inventory the historian platform, identify the exposure path, check for abnormal reads or admin activity, then validate whether the historian data matches expected process behavior. When prompting, include source IPs, timestamps, platform names, authentication status, and whether the issue is monitoring, investigation, or containment; those details materially improve the output.
detecting-attacks-on-historian-servers skill FAQ
Is this only for OT Incident Response?
No. The detecting-attacks-on-historian-servers skill is useful for continuous monitoring, alert triage, and post-incident validation too. It is strongest when the question involves historian servers as an IT/OT boundary asset or a possible pivot point.
Can I use it like a normal cybersecurity prompt?
You can, but the skill gives better results when you match the historian context. Ordinary prompts often miss platform-specific details like PI Web API exposure, Ignition gateway status endpoints, SQL-backed historian backends, or the difference between read abuse and configuration abuse.
Is it beginner-friendly?
Yes, if you can describe the historian platform and the alert in plain language. You do not need deep OT expertise to use the skill, but you will get better results if you know the vendor, the interface involved, and whether the access was expected.
When should I not use it?
Do not use it for generic database security, routine historian deployment planning, or pure IT-only warehouse issues. If your problem is not about detecting attacks on historian servers or validating suspicious access paths, a broader database or OT network skill will be a better fit.
How to Improve detecting-attacks-on-historian-servers skill
Provide evidence, not just concern
The best improvements come from stronger incident context: platform, hostname, network zone, alert type, authentication result, and the exact action you saw. For example, “PI Web API returned data without auth from 203.0.113.10” is far more actionable than “possible compromise.”
Ask for the output you actually need
If you want better detecting-attacks-on-historian-servers usage, specify whether you need triage, hunting hypotheses, containment steps, or a verification checklist. The skill can support different deliverables, but vague requests usually produce generic advice instead of a focused Incident Response artifact.
Watch for common failure modes
The most common miss is treating all historian activity as suspicious without baseline context. Another is overlooking the backend model: some historians expose web APIs, while others rely on SQL Server or gateway endpoints, so the detection path changes by platform. If the first answer is too broad, refine with vendor, endpoint, and time window.
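To make the detection workflow above and the baseline failure mode concrete, here is an added example (not code from the skill repository or its scripts/agent.py) that triages constructed historian access events against an explicit baseline. The event fields, endpoint paths, network zones, thresholds and addresses are all assumptions made for the example; the point is that in-zone, authenticated, normal-volume reads produce no findings, while unauthenticated data reads, bulk exports, management-endpoint access from an unexpected host, and repeated failed logins each surface as a separate finding with a severity that depends on whether the source sits inside the expected OT zone.

```python
"""Baseline-aware triage of historian access events (added example, constructed data)."""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed baseline: what "normal" looks like for this historian environment.
BASELINE = {
    "ot_zones": [ipaddress.ip_network("10.20.0.0/16")],  # clients expected to reach the historian
    "admin_hosts": {"10.20.1.5"},                         # hosts allowed on management endpoints
    "typical_points_per_read": 500,                       # normal per-request read volume
    "bulk_multiplier": 10,                                # reads this far above normal look like export
    "failed_login_threshold": 5,                          # failures per source within the window
    "failed_login_window": timedelta(minutes=10),
}
# Endpoint prefixes treated as management/configuration surfaces (assumed paths, not vendor docs).
ADMIN_PREFIXES = ("/piwebapi/system", "/ignition/config")

# Constructed sample events: a normal operator, an unauthenticated external read,
# a burst of failed gateway logins, a bulk read plus admin access from an engineering
# host, and legitimate admin access from the permitted admin host.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T08:00:00", "platform": "PI Web API", "src": "10.20.5.15", "user": "ops_hmi",
     "auth": "success", "endpoint": "/piwebapi/streams", "points": 120},
    {"ts": "2024-05-01T08:05:00", "platform": "PI Web API", "src": "10.20.5.15", "user": "ops_hmi",
     "auth": "success", "endpoint": "/piwebapi/streams", "points": 400},
    {"ts": "2024-05-01T08:30:00", "platform": "PI Web API", "src": "203.0.113.10", "user": "",
     "auth": "none", "endpoint": "/piwebapi/streams", "points": 250},
] + [
    {"ts": f"2024-05-01T09:0{m}:00", "platform": "Ignition Gateway", "src": "198.51.100.7",
     "user": "admin", "auth": "failed", "endpoint": "/ignition/login", "points": 0}
    for m in range(5)
] + [
    {"ts": "2024-05-01T10:00:00", "platform": "PI Web API", "src": "10.20.5.40", "user": "eng1",
     "auth": "success", "endpoint": "/piwebapi/streams", "points": 80000},
    {"ts": "2024-05-01T10:02:00", "platform": "PI Web API", "src": "10.20.5.40", "user": "eng1",
     "auth": "success", "endpoint": "/piwebapi/system", "points": 0},
    {"ts": "2024-05-01T10:10:00", "platform": "PI Web API", "src": "10.20.1.5", "user": "piadmin",
     "auth": "success", "endpoint": "/piwebapi/system", "points": 0},
]


def is_external(src, zones):
    """True when the source address lies outside every expected OT zone."""
    addr = ipaddress.ip_address(src)
    return not any(addr in zone for zone in zones)


def _finding(rule, severity, ev, detail):
    return {"rule": rule, "severity": severity, "platform": ev["platform"],
            "src": ev["src"], "ts": ev["ts"], "detail": detail}


def triage(events, baseline=BASELINE):
    """Return findings for events outside the baseline; normal activity yields none."""
    findings = []
    failed_logins = defaultdict(list)  # (platform, src) -> failure timestamps
    bulk_limit = baseline["typical_points_per_read"] * baseline["bulk_multiplier"]
    for ev in events:
        external = is_external(ev["src"], baseline["ot_zones"])
        if ev["auth"] == "failed":
            failed_logins[(ev["platform"], ev["src"])].append(datetime.fromisoformat(ev["ts"]))
            continue
        if ev["endpoint"].startswith(ADMIN_PREFIXES) and ev["src"] not in baseline["admin_hosts"]:
            findings.append(_finding("admin-endpoint-unexpected-host", "high", ev,
                                     "management endpoint reached from a non-admin host"))
        if ev["auth"] == "none" and ev.get("points", 0) > 0:
            findings.append(_finding("unauthenticated-data-read", "high" if external else "medium",
                                     ev, "historian returned data without authentication"))
        if ev.get("points", 0) > bulk_limit:
            findings.append(_finding("bulk-read", "high" if external else "medium", ev,
                                     "read volume far above baseline; possible export"))
    # Repeated failures: sliding-window count per (platform, source), one finding per key.
    n, window = baseline["failed_login_threshold"], baseline["failed_login_window"]
    for (platform, src), times in failed_logins.items():
        times.sort()
        for i in range(n - 1, len(times)):
            if times[i] - times[i - n + 1] <= window:
                findings.append({"rule": "repeated-failed-logins", "severity": "medium",
                                 "platform": platform, "src": src, "ts": times[i].isoformat(),
                                 "detail": f"{n} failed logins within {window}"})
                break
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['rule']} {f['platform']} src={f['src']} at {f['ts']}: {f['detail']}")
```

The baseline dictionary is where the environment knowledge the skill asks for (platform, zone, expected admin hosts, normal read volume) lives; without it every read from the engineering host would look like an export and every admin call would look like abuse, which is exactly the over-broad first answer described above.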
Iterate with follow-up prompts
After the first pass, ask the skill to narrow the analysis: “now separate likely admin activity from attacker behavior,” “map this to the PI Web API endpoints in references/api-reference.md,” or “turn this into an IR checklist for historian server triage.” That kind of iteration usually produces more useful detecting-attacks-on-historian-servers skill output than asking for a single all-purpose summary.
