Elastic

detecting-service-account-abuse is a threat-hunting skill for finding service account misuse across Windows, AD, SIEM, and EDR telemetry. It focuses on suspicious interactive logons, privilege escalation, lateral movement, and access anomalies, with a hunt template, event IDs, and workflow references for repeatable investigation.

detecting-pass-the-ticket-attacks helps detect Kerberos Pass-the-Ticket activity by correlating Windows Security Event IDs 4768, 4769, and 4771. Use it for threat hunting in Splunk or Elastic to spot ticket reuse, RC4 downgrades, and unusual TGS volume with practical queries and field guidance.

deploying-edr-agent-with-crowdstrike helps plan, install, and verify CrowdStrike Falcon sensor rollout across Windows, macOS, and Linux endpoints. Use this deploying-edr-agent-with-crowdstrike skill for install guidance, policy setup, telemetry-to-SIEM integration, and Incident Response readiness.

building-incident-response-dashboard helps teams build real-time incident response dashboards in Splunk, Elastic, or Grafana for active incident tracking, containment status, affected assets, IOC spread, and response timelines. Use this building-incident-response-dashboard skill when you need a focused dashboard for SOC analysts, incident commanders, and leadership.

building-detection-rules-with-sigma helps analysts build portable Sigma detection rules from threat intel or vendor rules, map them to MITRE ATT&CK, and convert them for SIEMs like Splunk, Elastic, and Microsoft Sentinel. Use this building-detection-rules-with-sigma guide for Security Audit workflows, standardization, and detection-as-code.