Siem

Siem skills and workflows surfaced by the site skill importer.

29 skills
detecting-rdp-brute-force-attacks

by mukul975

detecting-rdp-brute-force-attacks helps analyze Windows Security Event Logs for RDP brute force patterns, including repeated 4625 failures, 4624 success after failures, NLA-related logons, and source-IP concentration. Use it for Security Audit, threat hunting, and repeatable EVTX-based investigations.

Security Audit
configuring-host-based-intrusion-detection

by mukul975

configuring-host-based-intrusion-detection is a guide for setting up HIDS with Wazuh, OSSEC, or AIDE to monitor file integrity, system changes, and compliance-focused endpoint security for Security Audit workflows.

Security Audit
analyzing-security-logs-with-splunk

by mukul975

analyzing-security-logs-with-splunk helps investigate security events in Splunk by correlating Windows, firewall, proxy, and authentication logs into timelines and evidence. This analyzing-security-logs-with-splunk skill is a practical guide for Security Audit, incident response, and threat hunting.

Security Audit
detecting-mimikatz-execution-patterns

by mukul975

detecting-mimikatz-execution-patterns helps analysts detect Mimikatz execution using command-line patterns, LSASS access signals, binary indicators, and memory artifacts. Use this skill for Security Audit, hunting, and incident response with templates, references, and workflow guidance.

Security Audit
detecting-living-off-the-land-attacks

by mukul975

detecting-living-off-the-land-attacks skill for Security Audit, threat hunting, and incident response. Detect abuse of legitimate Windows binaries like certutil, mshta, rundll32, and regsvr32 using process creation, command-line, and parent-child telemetry. The guide focuses on actionable LOLBin detection patterns, not broad Windows hardening.

Security Audit
detecting-lateral-movement-in-network

by mukul975

detecting-lateral-movement-in-network helps detect post-compromise lateral movement in enterprise networks using Windows event logs, Zeek telemetry, SMB, RDP, and SIEM correlation. It is useful for threat hunting, incident response, and Security Audit reviews, with practical detection workflows.

Security Audit
detecting-kerberoasting-attacks

by mukul975

The detecting-kerberoasting-attacks skill helps hunt Kerberoasting by spotting suspicious Kerberos TGS requests, weak ticket encryption, and service-account patterns. Use it with SIEM, EDR, and EVTX data, and in Threat Modeling workflows, with practical detection templates and tuning guidance.

Threat Modeling
detecting-insider-threat-with-ueba

by mukul975

detecting-insider-threat-with-ueba helps you build UEBA detections in Elasticsearch or OpenSearch for insider threat cases, including behavioral baselines, anomaly scoring, peer group analysis, and correlated alerts for data exfiltration, privilege abuse, and unauthorized access. It fits Incident Response workflows.

Incident Response
detecting-insider-threat-behaviors

by mukul975

detecting-insider-threat-behaviors helps analysts hunt insider-risk signals like unusual data access, off-hours activity, mass downloads, privilege abuse, and resignation-correlated theft. Use this detecting-insider-threat-behaviors guide for threat hunting, UEBA-style triage, and threat modeling with workflow templates, SIEM query examples, and risk weights.

Threat Modeling
detecting-fileless-attacks-on-endpoints

by mukul975

detecting-fileless-attacks-on-endpoints helps build detections for memory-only attacks on Windows endpoints, including PowerShell abuse, WMI persistence, reflective loading, and process injection. Use it for Security Audit, threat hunting, and detection engineering with Sysmon, AMSI, and PowerShell logging.

Security Audit
detecting-email-forwarding-rules-attack

by mukul975

The detecting-email-forwarding-rules-attack skill helps Security Audit, threat hunting, and incident response teams find malicious mailbox forwarding rules used for persistence and email collection. It guides analysts through Microsoft 365 and Exchange evidence, suspicious rule patterns, and practical triage for forwarding, redirect, delete, and hide behaviors.

Security Audit
detecting-attacks-on-scada-systems

by mukul975

detecting-attacks-on-scada-systems is a cybersecurity skill for spotting attacks on SCADA and OT/ICS environments. It helps analyze industrial protocol abuse, unauthorized PLC commands, HMI compromise, historian tampering, and denial-of-service, with practical guidance for incident response and detection validation.

Incident Response
detecting-anomalous-authentication-patterns

by mukul975

detecting-anomalous-authentication-patterns helps analyze authentication logs for impossible travel, brute force, password spraying, credential stuffing, and compromised-account activity. Built for Security Audit, SOC, IAM, and incident response workflows with baseline-aware detection and evidence-backed sign-in analysis.

Security Audit
deploying-osquery-for-endpoint-monitoring

by mukul975

deploying-osquery-for-endpoint-monitoring is a guide for deploying and configuring osquery for endpoint visibility, fleet-wide monitoring, and SQL-driven threat hunting. Use it to plan installation, read the workflow and API references, and operationalize scheduled queries, log collection, and centralized review across Windows, macOS, and Linux endpoints.

Monitoring
deploying-edr-agent-with-crowdstrike

by mukul975

deploying-edr-agent-with-crowdstrike helps plan, install, and verify CrowdStrike Falcon sensor rollout across Windows, macOS, and Linux endpoints. Use this deploying-edr-agent-with-crowdstrike skill for install guidance, policy setup, telemetry-to-SIEM integration, and Incident Response readiness.

Incident Response
correlating-security-events-in-qradar

by mukul975

correlating-security-events-in-qradar helps SOC and detection teams correlate IBM QRadar offenses with AQL, offense context, custom rules, and reference data. Use this guide to investigate incidents, reduce false positives, and build stronger correlation logic for Incident Response.

Incident Response
configuring-suricata-for-network-monitoring

by mukul975

The configuring-suricata-for-network-monitoring skill helps deploy and tune Suricata for IDS/IPS monitoring, EVE JSON logging, rules management, and SIEM-ready output. It suits Security Audit workflows when you need practical setup, validation, and false-positive reduction.

Security Audit
conducting-malware-incident-response

by mukul975

conducting-malware-incident-response helps IR teams triage suspected malware, confirm infections, scope spread, contain endpoints, and support eradication and recovery. It is designed for Incident Response workflows, with evidence-backed steps, telemetry-driven decisions, and practical containment guidance.

Incident Response
building-vulnerability-scanning-workflow

by mukul975

building-vulnerability-scanning-workflow helps SOC teams design a repeatable vulnerability scanning process for discovery, prioritization, remediation tracking, and reporting across assets. It supports Security Audit use cases with scanner orchestration, KEV-aware risk ranking, and workflow guidance beyond a one-off scan.

Security Audit
building-threat-hunt-hypothesis-framework

by mukul975

building-threat-hunt-hypothesis-framework helps you build testable threat hunt hypotheses from threat intelligence, ATT&CK mapping, and telemetry. Use this building-threat-hunt-hypothesis-framework skill to plan hunts, map data sources, run queries, and document findings for threat hunting and Threat Modeling.

Threat Modeling
building-threat-feed-aggregation-with-misp

by mukul975

building-threat-feed-aggregation-with-misp helps you deploy MISP to aggregate, correlate, and share threat intelligence feeds for centralized IOC management and SIEM integration. This skill guide covers install and usage patterns, feed synchronization, API actions, and practical workflow steps for Threat Intelligence teams.

Threat Intelligence
building-soc-metrics-and-kpi-tracking

by mukul975

The building-soc-metrics-and-kpi-tracking skill turns SOC activity data into KPIs like MTTD, MTTR, alert quality, analyst productivity, and detection coverage. It fits SOC leadership, security operations, and observability teams that need repeatable reporting, trend tracking, and executive-friendly metrics backed by Splunk-based workflows.

Observability
building-detection-rules-with-sigma

by mukul975

building-detection-rules-with-sigma helps analysts build portable Sigma detection rules from threat intel or vendor rules, map them to MITRE ATT&CK, and convert them for SIEMs like Splunk, Elastic, and Microsoft Sentinel. Use this building-detection-rules-with-sigma guide for Security Audit workflows, standardization, and detection-as-code.

Security Audit
building-detection-rule-with-splunk-spl

by mukul975

building-detection-rule-with-splunk-spl helps SOC analysts and detection engineers build Splunk SPL correlation searches for threat detection, tuning, and Security Audit review. Use it to turn a detection brief into a deployable rule with MITRE mapping, enrichment, and validation guidance.

Security Audit