Skill UI

Automates SIEM rule generation within advanced security workflows, guiding through industry best practices, compliance checks, and threat modeling to deliver production-ready configurations verified against common standards.

This skill guides users on querying Azure Monitor activity and sign-in logs using KQL to detect sophisticated security threats. It covers identifying suspicious administrative activities, impossible travel scenarios, privilege escalation attempts, and unauthorized resource modifications. Ideal for Security Operations Center (SOC) analysts building advanced threat hunting rules or developing cloud SIEM detections.

This skill analyzes DNS query logs to detect sophisticated threats such as data exfiltration via DNS tunneling, Domain Generation Algorithm (DGA) usage, and covert Command and Control (C2) channels. It utilizes advanced techniques like entropy analysis, query volume anomaly detection, and subdomain length analysis within SIEM platforms, helping SOC teams identify threats that bypass traditional network security controls.

This tool parses Kubernetes API server audit logs (JSON lines) to detect critical security events. It specifically targets unauthorized access, secret enumeration, RBAC escalation, privileged pod creation, and shell access (exec/attach). Use it for incident response, threat hunting, or building SIEM detection rules.

This skill provides a comprehensive framework for ingesting, normalizing, and enriching threat intelligence (CTI) from multiple structured and unstructured sources. It guides users through scoring feeds, converting heterogeneous IOC formats (like OpenIOC, YARA) into the standardized STIX 2.1 format, and enriching indicators using external services (e.g., VirusTotal, PassiveTotal). Ideal for building robust, automated threat detection pipelines for SIEM and EDR systems.

This skill details the implementation of a cloud-native SIEM and SOAR platform using Microsoft Sentinel. It covers ingesting multi-cloud logs (AWS, Azure, GCP), writing advanced KQL detection queries for threat hunting, and automating incident response workflows using Logic Apps. Ideal for centralized security operations in complex, multi-cloud environments.

This guide details how to write advanced correlation searches using Splunk's Search Processing Language (SPL). It covers techniques like threshold-based detection, sequence analysis, and anomaly detection to identify sophisticated security threats (e.g., brute force, data exfiltration, lateral movement) in a Security Operations Center (SOC) environment. Mastery of SPL is essential for closing SIEM detection gaps and ensuring compliance.

This skill provides a comprehensive workflow for building vendor-agnostic detection rules using the Sigma format. It empowers security operations center (SOC) engineers to translate raw threat intelligence and MITRE ATT&CK techniques into standardized, portable detection logic. The process guides users through rule validation and conversion into specific queries for major SIEM platforms, including Splunk, Elastic, and Microsoft Sentinel, ensuring robust detection coverage.

This skill facilitates the creation of real-time incident response dashboards across major SIEM platforms (Splunk, Elastic, Grafana). It provides SOC analysts and leadership with unified situational awareness by tracking affected systems, containment status, Indicators of Compromise (IOC) spread, and the entire incident response timeline, crucial for coordination and post-incident reporting.

This skill provides comprehensive tracking and visualization for Security Operations Center (SOC) performance. It calculates critical metrics such as Mean Time to Detect (MTTD), Mean Time to Respond (MTTR), and alert quality ratios using SIEM data. Ideal for SOC leadership, compliance auditing, and continuous process improvement initiatives needing quantifiable security posture reporting.

A comprehensive, structured playbook for Security Operations Centers (SOCs) detailing the entire lifecycle of ransomware incidents. It guides analysts through detection (SIEM queries), triage decision trees, containment (EDR/Firewall), evidence collection, and recovery phases, adhering to NIST CSF and MITRE ATT&CK frameworks.

This guide details the deployment and usage of MISP (Malware Information Sharing Platform) to centralize, correlate, and distribute threat intelligence. It covers architectural concepts, integrating diverse OSINT and commercial feeds (like abuse.ch, AlienVault OTX), and automating the flow of Indicators of Compromise (IOCs) into SIEM and SOAR systems via Docker and Python APIs.