Skill UI

This skill guides the setup of Host-Based Intrusion Detection Systems (HIDS) using industry-standard tools like Wazuh, OSSEC, or AIDE. It covers essential security practices, including File Integrity Monitoring (FIM) for critical directories, monitoring system calls, detecting configuration changes, and identifying rootkits. It is crucial for meeting regulatory compliance requirements (e.g., PCI DSS) and significantly enhancing overall endpoint security posture.

This comprehensive guide details how to implement robust security hardening measures for LDAP directory services. It specifically addresses critical vulnerabilities like LDAP injection, anonymous binding, and channel binding bypass. Key features include mandatory LDAPS enforcement, granular access control list configuration, and integrating advanced monitoring to ensure the infrastructure meets high compliance standards (e.g., NIST 800-53). Essential for security architects and operations teams.

A comprehensive guide to deploying and configuring Suricata, a high-performance IDS/IPS. This skill covers setting up multi-threaded packet capture, integrating Emerging Threats rulesets, generating structured EVE JSON logs, and enabling deep protocol inspection (HTTP, TLS, DNS). It enables real-time threat detection and seamless SIEM integration for centralized security monitoring.

A comprehensive guide to deploying and configuring osquery across diverse endpoints (Windows, macOS, Linux). This tool allows security teams to gather deep, SQL-based insights into endpoint state, including running processes, network connections, system configuration, and installed software. It is essential for threat hunting, compliance auditing, and building centralized fleet visibility.

This tool deploys decoy canary files in critical system directories to provide early warning against ransomware attacks. Utilizing Python's watchdog library, it monitors for any read, modify, rename, or delete operations on these decoy files. Detection triggers immediate alerts via multiple channels (Email, Slack, Syslog), helping security teams identify and respond to malicious activity before full data encryption occurs. It serves as a crucial detection layer in a layered security defense.

A comprehensive guide for security professionals on detecting and preventing ARP spoofing and poisoning attacks. The skill covers multiple layers of defense, including implementing Dynamic ARP Inspection (DAI) on managed switches, utilizing ARPWatch for continuous monitoring, performing deep packet inspection with Wireshark, and developing custom Python scripts for real-time anomaly detection. Essential for mitigating Man-in-the-Middle (MitM) attacks at Layer 2.

This skill provides methods and tools for detecting sophisticated cyber attacks targeting Supervisory Control and Data Acquisition (SCADA) and Industrial Control Systems (ICS). It focuses on detecting anomalies like unauthorized command injection, Man-in-the-Middle attacks on industrial protocols (Modbus, DNP3), and data manipulation, which traditional IT security tools often miss. Usage involves establishing deterministic communication baselines and monitoring network traffic for deviations.

This guide provides advanced detection methods and threat hunting queries (KQL/SPL) to identify abuse of Azure service principals. It covers techniques such as privilege escalation, credential compromise, unauthorized role assignment, and enumeration, essential for SOC analysts and security teams monitoring Microsoft Entra ID.

This guide teaches security teams how to deploy and operationalize Amazon GuardDuty for continuous, comprehensive threat detection across entire AWS accounts and workloads. It covers enabling protection plans for S3, EKS, EC2 runtime monitoring, and Lambda, interpreting various finding severity levels, and building robust, automated incident response playbooks using EventBridge and AWS Lambda for immediate containment actions.

This skill detects unauthorized modifications (container drift) to running containers by monitoring for deviations from the original image state. It monitors binary execution drift, file system changes, and configuration deviations using tools like Falco and Kubernetes security contexts. Essential for SOC analysts and security teams investigating runtime compromises and enforcing immutable infrastructure.

This guide details methods and rules for detecting container escape attempts, a critical security vulnerability where an adversary breaks out of container isolation to access the host system or other containers. It covers monitoring syscalls, namespace manipulation (e.g., nsenter, unshare), accessing sensitive host paths (/proc), and detecting privileged operations using tools like Falco and eBPF.

A comprehensive guide for security teams on detecting and responding to unauthorized crypto mining operations in cloud environments (AWS, Azure). It details a multi-layered approach, utilizing cost anomaly detection, compute utilization monitoring, GuardDuty findings, and network flow log analysis (VPC/KQL) to identify resource hijacking attempts and suspicious activity across EC2, ECS, and EKS workloads.