Logs

Logs taxonomy generated by the site skill importer.

16 skills
analyzing-security-logs-with-splunk

by mukul975

analyzing-security-logs-with-splunk helps investigate security events in Splunk by correlating Windows, firewall, proxy, and authentication logs into timelines and evidence. This analyzing-security-logs-with-splunk skill is a practical guide for Security Audit, incident response, and threat hunting.

Security Audit
analyzing-cloud-storage-access-patterns

by mukul975

analyzing-cloud-storage-access-patterns helps security teams detect suspicious cloud storage access in AWS S3, GCS, and Azure Blob Storage. It analyzes audit logs for bulk downloads, new source IPs, unusual API calls, bucket enumeration, after-hours access, and possible exfiltration using baseline and anomaly checks.

Security Audit
analyzing-azure-activity-logs-for-threats

by mukul975

analyzing-azure-activity-logs-for-threats is a skill for querying Azure Monitor activity logs and sign-in logs to spot suspicious admin actions, impossible travel, privilege escalation, and resource tampering. Built for incident triage with KQL patterns, an execution path, and practical Azure log table guidance.

Incident Triage
analyzing-api-gateway-access-logs

by mukul975

analyzing-api-gateway-access-logs helps parse API Gateway access logs to detect BOLA/IDOR, rate-limit bypass, credential scanning, and injection attempts. Built for SOC triage, threat hunting, and Security Audit workflows across AWS API Gateway, Kong, and Nginx-style logs using pandas-based analysis.

Security Audit
azure-monitor-query-py

by microsoft

azure-monitor-query-py helps Python developers query Azure Monitor logs and metrics with azure-monitor-query. Use it for Log Analytics workspaces, Azure resource metrics, backend monitoring, diagnostics, and observability automation. It fits best when you already have workspace IDs, resource URIs, and Azure credentials.

Backend Development
detecting-sql-injection-via-waf-logs

by mukul975

Analyze WAF and audit logs to detect SQL injection campaigns with detecting-sql-injection-via-waf-logs. Built for Security Audit and SOC workflows, it parses ModSecurity, AWS WAF, and Cloudflare events, classifies UNION SELECT, OR 1=1, SLEEP(), and BENCHMARK() patterns, correlates sources, and produces incident-oriented findings.

Security Audit
detecting-evasion-techniques-in-endpoint-logs

by mukul975

The detecting-evasion-techniques-in-endpoint-logs skill helps hunt defense evasion in Windows endpoint logs, including log clearing, timestomping, process injection, and security tool disabling. Use it for threat hunting, detection engineering, and incident triage with Sysmon, Windows Security, or EDR telemetry.

Threat Hunting
analyzing-web-server-logs-for-intrusion

by mukul975

The analyzing-web-server-logs-for-intrusion skill parses Apache and Nginx access logs to detect SQL injection, local file inclusion, directory traversal, scanner fingerprints, brute-force bursts, and anomalous request patterns. Use it for intrusion triage, threat hunting, and Security Audit workflows with GeoIP enrichment and signature-based detection.

Security Audit
analyzing-tls-certificate-transparency-logs

by mukul975

The analyzing-tls-certificate-transparency-logs skill helps security teams query Certificate Transparency data with crt.sh, pycrtsh, and related feeds to find suspicious TLS certificates, lookalike domains, typosquatting, and unauthorized issuance. It supports threat hunting, brand protection, and certificate monitoring with a practical workflow and similarity checks.

Threat Intelligence
analyzing-powershell-script-block-logging

by mukul975

analyzing-powershell-script-block-logging is a skill for parsing Windows PowerShell Script Block Logging Event ID 4104 from EVTX files, reconstructing split script blocks, and flagging obfuscated commands, encoded payloads, Invoke-Expression abuse, download cradles, and AMSI bypass attempts for Security Audit work.

Security Audit
analyzing-linux-audit-logs-for-intrusion

by mukul975

analyzing-linux-audit-logs-for-intrusion is a Linux incident-response skill for auditd review, helping you find suspicious logins, privilege escalation, file tampering, and host intrusion evidence with ausearch, aureport, and auditctl.

Incident Triage
analyzing-kubernetes-audit-logs

by mukul975

analyzing-kubernetes-audit-logs is a Kubernetes security analysis skill for turning API server audit logs into actionable findings. Use it to investigate exec into pods, secret access, RBAC changes, privileged workloads, and anonymous API access, or to build detection rules and triage summaries from JSON lines audit data.

Security Audit
analyzing-docker-container-forensics

by mukul975

analyzing-docker-container-forensics helps investigate compromised Docker containers by analyzing images, layers, volumes, logs, and runtime artifacts to identify malicious activity and preserve evidence. Use this analyzing-docker-container-forensics skill for a Security Audit, incident review, or container hardening assessment.

Security Audit
analyzing-dns-logs-for-exfiltration

by mukul975

analyzing-dns-logs-for-exfiltration helps SOC analysts detect DNS tunneling, DGA-like domains, TXT abuse, and covert C2 patterns from SIEM or Zeek logs. Use it for Security Audit workflows when you need entropy analysis, query-volume anomalies, and practical triage guidance.

Security Audit
sentry

by openai

The sentry skill is a read-only Observability tool for inspecting Sentry issues, events, and health signals. Use it to investigate recent production errors, summarize impact, and run repeatable CLI-based queries with structured output. It is best when you need a practical sentry guide for triage, not a broad observability overview.

Observability
azure-monitor-opentelemetry-exporter-py

by microsoft

azure-monitor-opentelemetry-exporter-py helps you set up low-level OpenTelemetry export from Python to Azure Monitor and Application Insights. Use it when you need a custom observability pipeline with direct control over traces, metrics, and logs, not a higher-level auto-instrumentation distro.

Observability