Splunk

Splunk taxonomy generated by the site skill importer.

20 skills
detecting-service-account-abuse

by mukul975

detecting-service-account-abuse is a threat-hunting skill for finding service account misuse across Windows, AD, SIEM, and EDR telemetry. It focuses on suspicious interactive logons, privilege escalation, lateral movement, and access anomalies, with a hunt template, event IDs, and workflow references for repeatable investigation.

Threat Hunting
Favorites 0 | GitHub 6.2k
detecting-azure-service-principal-abuse

by mukul975

detecting-azure-service-principal-abuse helps detect, investigate, and document suspicious Microsoft Entra ID service principal activity in Azure. Use it for Security Audit, cloud incident response, and threat hunting to review credential changes, admin consent abuse, role assignments, ownership paths, and sign-in anomalies.

Security Audit
Favorites 0 | GitHub 6.1k
analyzing-security-logs-with-splunk

by mukul975

analyzing-security-logs-with-splunk helps investigate security events in Splunk by correlating Windows, firewall, proxy, and authentication logs into timelines and evidence. The skill is a practical guide for Security Audit, incident response, and threat hunting.

Security Audit
Favorites 0 | GitHub 6.1k
detecting-privilege-escalation-attempts

by mukul975

detecting-privilege-escalation-attempts helps hunt privilege escalation on Windows and Linux, including token manipulation, UAC bypass, unquoted service paths, kernel exploits, and sudo/doas abuse. Built for threat hunting teams that need a practical workflow, reference queries, and helper scripts.

Threat Hunting
Favorites 0 | GitHub 0
detecting-pass-the-ticket-attacks

by mukul975

detecting-pass-the-ticket-attacks helps detect Kerberos Pass-the-Ticket activity by correlating Windows Security Event IDs 4768, 4769, and 4771. Use it for threat hunting in Splunk or Elastic to spot ticket reuse, RC4 downgrades, and unusual TGS volume with practical queries and field guidance.

Threat Hunting
Favorites 0 | GitHub 0
detecting-pass-the-hash-attacks

by mukul975

detecting-pass-the-hash-attacks is a skill for hunting NTLM-based lateral movement, suspicious Type 3 (network) logons, and T1550.002 activity using Windows Security logs, Splunk, and KQL.

Threat Hunting
Favorites 0 | GitHub 0
detecting-lateral-movement-in-network

by mukul975

detecting-lateral-movement-in-network helps detect post-compromise lateral movement in enterprise networks using Windows event logs, Zeek telemetry, SMB, RDP, and SIEM correlation. It is useful for threat hunting, incident response, and Security Audit reviews, with practical detection workflows.

Security Audit
Favorites 0 | GitHub 0
detecting-kerberoasting-attacks

by mukul975

The detecting-kerberoasting-attacks skill helps hunt Kerberoasting by spotting suspicious Kerberos TGS requests, weak ticket encryption, and service-account patterns. Use it with SIEM, EDR, and EVTX data, and in Threat Modeling workflows, with practical detection templates and tuning guidance.

Threat Modeling
Favorites 0 | GitHub 0
detecting-insider-threat-behaviors

by mukul975

detecting-insider-threat-behaviors helps analysts hunt insider-risk signals such as unusual data access, off-hours activity, mass downloads, privilege abuse, and resignation-correlated theft. Use this guide for threat hunting, UEBA-style triage, and threat modeling, with workflow templates, SIEM query examples, and risk weights.

Threat Modeling
Favorites 0 | GitHub 0
detecting-golden-ticket-forgery

by mukul975

detecting-golden-ticket-forgery detects Kerberos Golden Ticket forgery by analyzing Windows Event ID 4769, RC4 downgrade use (0x17), abnormal ticket lifetimes, and krbtgt anomalies in Splunk and Elastic. Built for Security Audit, incident investigation, and threat hunting with practical detection guidance.

Security Audit
Favorites 0 | GitHub 0
detecting-email-forwarding-rules-attack

by mukul975

The detecting-email-forwarding-rules-attack skill helps Security Audit, threat hunting, and incident response teams find malicious mailbox forwarding rules used for persistence and email collection. It guides analysts through Microsoft 365 and Exchange evidence, suspicious rule patterns, and practical triage for forwarding, redirect, delete, and hide behaviors.

Security Audit
Favorites 0 | GitHub 0
detecting-dll-sideloading-attacks

by mukul975

detecting-dll-sideloading-attacks helps Security Audit, threat hunting, and incident response teams detect DLL side-loading with Sysmon, EDR, MDE, and Splunk. The guide includes workflow notes, hunt templates, standards mapping, and scripts to turn suspicious DLL loads into repeatable detections.

Security Audit
Favorites 0 | GitHub 0
deploying-edr-agent-with-crowdstrike

by mukul975

deploying-edr-agent-with-crowdstrike helps plan, install, and verify CrowdStrike Falcon sensor rollout across Windows, macOS, and Linux endpoints. Use this skill for install guidance, policy setup, telemetry-to-SIEM integration, and Incident Response readiness.

Incident Response
Favorites 0 | GitHub 0
building-threat-hunt-hypothesis-framework

by mukul975

building-threat-hunt-hypothesis-framework helps you build testable threat hunt hypotheses from threat intelligence, ATT&CK mapping, and telemetry. Use this skill to plan hunts, map data sources, run queries, and document findings for threat hunting and Threat Modeling.

Threat Modeling
Favorites 0 | GitHub 0
building-soc-metrics-and-kpi-tracking

by mukul975

The building-soc-metrics-and-kpi-tracking skill turns SOC activity data into KPIs like MTTD, MTTR, alert quality, analyst productivity, and detection coverage. It fits SOC leadership, security operations, and observability teams that need repeatable reporting, trend tracking, and executive-friendly metrics backed by Splunk-based workflows.

Observability
Favorites 0 | GitHub 0
building-incident-response-dashboard

by mukul975

building-incident-response-dashboard helps teams build real-time incident response dashboards in Splunk, Elastic, or Grafana for active incident tracking, containment status, affected assets, IOC spread, and response timelines. Use this skill when you need a focused dashboard for SOC analysts, incident commanders, and leadership.

Dashboard Builder
Favorites 0 | GitHub 0
building-detection-rules-with-sigma

by mukul975

building-detection-rules-with-sigma helps analysts build portable Sigma detection rules from threat intel or vendor rules, map them to MITRE ATT&CK, and convert them for SIEMs such as Splunk, Elastic, and Microsoft Sentinel. Use this guide for Security Audit workflows, standardization, and detection-as-code.

Security Audit
Favorites 0 | GitHub 0
building-detection-rule-with-splunk-spl

by mukul975

building-detection-rule-with-splunk-spl helps SOC analysts and detection engineers build Splunk SPL correlation searches for threat detection, tuning, and Security Audit review. Use it to turn a detection brief into a deployable rule with MITRE mapping, enrichment, and validation guidance.

Security Audit
Favorites 0 | GitHub 0
analyzing-windows-event-logs-in-splunk

by mukul975

The analyzing-windows-event-logs-in-splunk skill helps SOC analysts investigate Windows Security, System, and Sysmon logs in Splunk for authentication attacks, privilege escalation, persistence, and lateral movement. Use it for incident triage, detection engineering, and timeline analysis with mapped SPL patterns and event ID guidance.

Incident Triage
Favorites 0 | GitHub 0
analyzing-dns-logs-for-exfiltration

by mukul975

analyzing-dns-logs-for-exfiltration helps SOC analysts detect DNS tunneling, DGA-like domains, TXT abuse, and covert C2 patterns from SIEM or Zeek logs. Use it for Security Audit workflows when you need entropy analysis, query-volume anomalies, and practical triage guidance.

Security Audit
Favorites 0 | GitHub 0