Threat Detection

detecting-s3-data-exfiltration-attempts helps investigate possible AWS S3 data theft by correlating CloudTrail S3 data events, GuardDuty findings, Amazon Macie alerts, and S3 access patterns. Use this detecting-s3-data-exfiltration-attempts skill for Security Audit, incident response, and suspicious bulk-download analysis.

detecting-rdp-brute-force-attacks helps analyze Windows Security Event Logs for RDP brute force patterns, including repeated 4625 failures, 4624 success after failures, NLA-related logons, and source-IP concentration. Use it for Security Audit, threat hunting, and repeatable EVTX-based investigations.

detecting-modbus-command-injection-attacks helps security analysts spot suspicious Modbus TCP/RTU write activity, anomalous function codes, malformed frames, and baseline deviations in ICS and SCADA environments. Use it for incident triage, OT monitoring, and a Security Audit when you need Modbus-aware detection guidance, not a generic anomaly prompt.

detecting-living-off-the-land-with-lolbas helps detect LOLBAS abuse with Sysmon and Windows Event Logs, using process telemetry, parent-child context, Sigma rules, and a practical guide for triage, hunting, and rule drafting. It supports detecting-living-off-the-land-with-lolbas for Threat Modeling and analyst workflows with certutil, regsvr32, mshta, and rundll32.

detecting-living-off-the-land-attacks skill for Security Audit, threat hunting, and incident response. Detect abuse of legitimate Windows binaries like certutil, mshta, rundll32, and regsvr32 using process creation, command-line, and parent-child telemetry. The guide focuses on actionable LOLBin detection patterns, not broad Windows hardening.

detecting-lateral-movement-in-network helps detect post-compromise lateral movement in enterprise networks using Windows event logs, Zeek telemetry, SMB, RDP, and SIEM correlation. It is useful for threat hunting, incident response, and detecting-lateral-movement-in-network for Security Audit reviews with practical detection workflows.

detecting-insider-threat-with-ueba helps you build UEBA detections in Elasticsearch or OpenSearch for insider threat cases, including behavioral baselines, anomaly scoring, peer group analysis, and correlated alerts for data exfiltration, privilege abuse, and unauthorized access. It fits detecting-insider-threat-with-ueba for Incident Response workflows.