Skill UI

This skill provides a structured approach to detecting Pass-the-Ticket (PtT) attacks, a severe credential theft technique utilizing stolen Kerberos tickets (TGT/TGS). It involves analyzing Windows Security Event IDs (4768, 4769, 4771) within SIEM platforms like Splunk or Elastic. Use cases include incident response, building advanced threat hunting queries, and validating security monitoring coverage against MITRE ATT&CK techniques.

A comprehensive guide for threat hunting designed to detect various forms of privilege escalation abuse, including UAC bypass, setuid/setgid manipulation, and exploiting auto-elevating processes on Windows and Linux. It provides specific monitoring workflows, detection queries (Splunk, KQL, Sigma), and key indicators related to MITRE ATT&CK T1548.

This guide details proactive threat hunting techniques focused on detecting supply chain compromises. Use it when investigating trojanized software updates, compromised dependencies (npm/PyPI), or tampered build artifacts. It outlines a structured workflow using EDR/SIEM data (CrowdStrike, Splunk) to identify hidden threats and scope the impact of sophisticated attacks.

This skill provides comprehensive guidance on configuring Fluentd and Fluent Bit for centralized log collection, routing, filtering, and enrichment. It covers setting up lightweight log forwarders on endpoints and designing central aggregators that route data to SIEM tools, Elasticsearch, or Splunk. Essential for achieving observability and meeting strict security compliance requirements.

This guide details how to implement advanced SIEM correlation rules to detect sophisticated Advanced Persistent Threats (APTs). By chaining multiple event types—including Windows authentication events, process execution telemetry, and network connection logs—across hosts, users can surface complex attack sequences that are invisible to single-event detections. It utilizes Splunk SPL and Sigma rule formats for robust security posture enhancement.

Systematically optimizes Security Information and Event Management (SIEM) detection rules in platforms like Splunk and Elastic. This process involves analyzing historical alert volumes, establishing environmental baselines, creating context-aware whitelists, and statistically adjusting detection thresholds to significantly reduce false positives, improving overall security efficacy.

This skill guides the process of designing, implementing, and validating advanced security detection use cases for Security Information and Event Management (SIEM) platforms like Splunk, Elastic, and Microsoft Sentinel. It focuses on mapping organizational threat profiles to the MITRE ATT&CK framework to build formal, high-fidelity detection rules, thereby strengthening Security Operations Center (SOC) coverage and reducing blind spots.

This skill guides the implementation of Security Orchestration, Automation, and Response (SOAR) workflows using platforms like Splunk Phantom. It automates the entire incident lifecycle, including alert triage, IOC enrichment (via VirusTotal, CrowdStrike), containment actions, and ticket creation (ServiceNow). Ideal for SOC teams needing to reduce Mean Time To Respond (MTTR) and standardize complex security procedures across multiple tools.

This skill automates the entire phishing incident response lifecycle using the Splunk SOAR REST API. It processes reported emails, extracts indicators of compromise (IOCs) like URLs and IPs, creates incident containers, attaches artifacts, and triggers automated playbooks for deep analysis and reporting. It is essential for security operations teams needing robust, programmatic incident handling and compliance alignment.

This guide details the comprehensive process of onboarding new log sources into Security Information and Event Management (SIEM) platforms. It covers critical steps including data source discovery, configuring collectors (e.g., Syslog, Splunk UF, CloudTrail), building parsers, normalizing fields to a common schema, and validating data quality. This systematic approach is essential for achieving complete security visibility and effective threat detection across the enterprise.

A structured guide for SOC Tier 1 analysts to triage security alerts within Splunk Enterprise Security (ES). It provides a systematic workflow for classifying severity, investigating notable events, correlating evidence across diverse data sources (proxy, firewall, logs), and making clear disposition decisions (True Positive, False Positive) required for escalation or closure.