Skill UI

This script performs statistical analysis on Zeek connection logs (conn.log) to detect Command and Control (C2) beaconing patterns. It leverages the ZAT library to load data into Pandas DataFrames, calculates inter-arrival time statistics, and flags connections with low standard deviation relative to the mean. This technique is crucial for network threat hunting and security incident investigation when identifying malicious, periodic callbacks.

This skill provides structured procedures and Python examples for detecting internal data exfiltration. It analyzes endpoint, cloud, and email logs by establishing behavioral baselines and performing statistical anomaly detection. Use cases include investigating insider threats, monitoring DLP policy violations, and building robust User and Entity Behavior Analytics (UEBA) rules for SOC teams.

This skill provides a comprehensive framework for detecting Living Off the Land Binaries (LOLBAS) abuse, such as misuse of certutil, regsvr32, and mshta. It leverages process telemetry from Sysmon and Windows Event Logs, combined with advanced Sigma rule-based detection and parent-child process anomaly analysis. Ideal for SOC analysts and threat hunters investigating sophisticated adversaries aiming to evade traditional security controls.

This skill analyzes Windows Security Event Logs (EVTX) to detect RDP brute force attacks. It parses failed logon events (ID 4625) and correlates them with successful logons (ID 4624), performing source IP frequency analysis to identify attack patterns, username spraying, and potential account compromises. This is critical for SOC analysts and threat hunters investigating lateral movement or credential stuffing attempts.

A comprehensive workflow for extracting, parsing, and analyzing Windows Event Logs (EVTX). It guides security professionals in using advanced tools like Chainsaw and Hayabusa, combined with Sigma rules, to detect critical security incidents such as lateral movement, privilege escalation, and persistence mechanisms during incident response and digital forensic investigations.

This skill provides a structured methodology for mitigating alert fatigue within Security Operations Centers (SOCs). It guides users through advanced techniques, including implementing Risk-Based Alerting (RBA) to replace high-volume, low-fidelity alerts with consolidated risk scores. It emphasizes quantifying alert quality by analyzing True Positive (TP) and False Positive (FP) rates, and systematically tuning detection rules to maintain analyst effectiveness.

A comprehensive guide on implementing AWS CloudTrail log analysis for robust security monitoring, threat detection, and forensic investigation. Learn how to configure CloudTrail, use Amazon Athena for SQL querying, and leverage CloudWatch Logs Insights and SIEM integration to identify unauthorized access, privilege escalation, and suspicious API activity across AWS services.

This guide demonstrates how to build comprehensive forensic super-timelines using Plaso (log2timeline) to correlate events across diverse sources. It covers the entire workflow, from processing disk images and various logs (MFT, registry, browser history) to generating standardized CSV, JSONL exports, and visualizing the results in tools like Timesketch for deep investigative analysis.

This is an advanced, structured workflow designed to conduct deep, multi-source investigations. It synthesizes current public evidence with user-provided context to generate highly structured reports. The workflow explicitly differentiates between verifiable facts, user-supplied evidence, logical inferences, and actionable recommendations, making it ideal for complex comparative analysis or continuous monitoring tasks.

An autonomous research agent that plans complex investigations using Directed Acyclic Graphs (DAGs). It executes sub-questions in parallel, performs gap analysis, and iteratively refines findings before synthesizing a comprehensive, structured report. Ideal for deep market analysis, academic literature reviews, or complex problem-solving requiring multiple data sources.

This tool collects comprehensive diagnostic data from ClickHouse system tables. It gathers crucial metrics, query logs, merge statuses, and disk usage information. It is essential for troubleshooting performance bottlenecks, preparing detailed support tickets, or investigating complex database infrastructure issues.

A comprehensive, structured framework for conducting sophisticated Open Source Intelligence (OSINT) and cryptocurrency forensic investigations. This guide covers operational security (OpSec), target profiling, advanced transaction tracing across multiple blockchain layers (L1/L2), wallet analysis, and identifying linked digital assets. Use this methodology to guide systematic, multi-dimensional intelligence collection campaigns.