siem AI Agent Skills

Browse 61 skills related to siem

siem-rule-generator

1.5k
jeremylongshorejeremylongshore

Siem Rule Generator - Auto-activating skill for Security Advanced. Triggers on: siem rule generator, siem rule generator Part of the Security Advanced skill category.

132 days ago

siem-logging

296
ancolemanancoleman

Configure security information and event management (SIEM) systems for threat detection, log aggregation, and compliance. Use when implementing centralized security logging, writing detection rules, or meeting audit requirements across cloud and on-premise infrastructure.

132 days ago

security-audit-logging

95
aj-geddesaj-geddes

Implement comprehensive security audit logging for compliance, forensics, and SIEM integration. Use when building audit trails, compliance logging, or security monitoring systems.

132 days ago

correlate-ioc

87
dandyedandye

Check for existing SIEM alerts and case management entries related to IOCs. Use to understand if an indicator has triggered previous alerts or is part of ongoing investigations. Takes IOC list and returns related alerts and cases.

132 days ago

enrich-ioc

87
dandyedandye

Enrich an IOC (IP, domain, hash, URL) with threat intelligence. Use when you need to look up reputation and context for an indicator using GTI and SIEM. Returns threat intel findings, SIEM entity summary, and IOC match status.

132 days ago

triage-alert

87
dandyedandye

Triage a security alert or case. Use when given an ALERT_ID or CASE_ID to assess if it's a real threat. Enriches IOCs, searches SIEM for context, and determines if the alert should be closed (false positive) or escalated for investigation.

132 days ago

hunt-ioc

87
dandyedandye

Hunt for specific IOCs across your environment. Use when you have a list of IPs, domains, hashes, or URLs from threat intel and want to check if they appear in your SIEM. Systematic searching with enrichment and documentation.

132 days ago

hunt-apt

87
dandyedandye

Hunt for a specific APT/threat actor in your environment. Use when you have a threat actor name or GTI collection ID and want to search for their TTPs and IOCs. Gathers intelligence from GTI, searches SIEM for IOCs and TTP-based indicators, and documents findings.

132 days ago

deep-dive-ioc

87
dandyedandye

Perform exhaustive analysis of a critical IOC. Use when an IOC needs Tier 2+ investigation beyond basic enrichment - includes GTI pivoting, deep SIEM searches, correlation with related entities, and threat attribution. For escalated IOCs requiring comprehensive investigation.

132 days ago

hunt-credential-access

87
dandyedandye

Hunt for credential access techniques like LSASS dumping or browser credential theft. Use when searching for evidence of credential harvesting. Takes MITRE technique IDs and searches for behavioral indicators in SIEM.

132 days ago

detection-sigma

64
AgentSecOpsAgentSecOps

Generic detection rule creation and management using Sigma, the universal SIEM rule format. Sigma provides vendor-agnostic detection logic for log analysis across multiple SIEM platforms. Use when: (1) Creating detection rules for security monitoring, (2) Converting rules between SIEM platforms (Splunk, Elastic, QRadar, Sentinel), (3) Threat hunting with standardized detection patterns, (4) Building detection-as-code pipelines, (5) Mapping detections to MITRE ATT&CK tactics, (6) Implementing compliance-based monitoring rules.

sigmadetectionsiem+4
132 days ago

Alma Linux Remote Plugin

45
NeverSightNeverSight

Remote Linux management for Alma via SSH/SFTP with persistent stateful SSH sessions, thread-session binding, an NL-to-command bridge, an xterm.js WebSocket terminal bridge, dangerous-command approval flows, a strict command policy option, host-key verification modes, RBAC allowlists, and SIEM-friendly redacted audit fields.

131 days ago

security-operations

13
williamzujkowskiwilliamzujkowski

Security Operations Center (SOC) practices, incident response, SIEM management, and threat hunting following NIST 800-61

131 days ago

detection-engineer

11
gl0bal01gl0bal01

Create detection rules and hunting queries from malware analysis findings. Use when you need to write Sigma rules for SIEM, Suricata rules for network IDS, defang IOCs for safe sharing, or convert analysis findings into actionable detection content for SOC teams and threat hunters.

131 days ago

audit-logging

10
BagelHoleBagelHole

Implement centralized audit logging and SIEM integration. Configure log retention and security monitoring. Use when implementing audit trail requirements.

131 days ago

performing-user-behavior-analytics

2
mukul975mukul975

Performs User and Entity Behavior Analytics (UEBA) to detect anomalous user activities including impossible travel, unusual access patterns, privilege abuse, and insider threats using SIEM-based behavioral baselines and statistical analysis. Use when SOC teams need to identify compromised accounts or insider threats through deviation from established behavioral norms.

socuebauser-behavior+4
131 days ago

triaging-security-alerts-in-splunk

2
mukul975mukul975

Triages security alerts in Splunk Enterprise Security by classifying severity, investigating notable events, correlating related telemetry, and making escalation or closure decisions using SPL queries and the Incident Review dashboard. Use when SOC analysts face queued alerts from correlation searches, need to prioritize investigation order, or must document triage decisions for handoff to Tier 2/3 analysts.

socsplunkalert-triage+4
132 days ago

building-vulnerability-scanning-workflow

2
mukul975mukul975

Builds a structured vulnerability scanning workflow using tools like Nessus, Qualys, and OpenVAS to discover, prioritize, and track remediation of security vulnerabilities across infrastructure. Use when SOC teams need to establish recurring vulnerability assessment processes, integrate scan results with SIEM alerting, and build remediation tracking dashboards.

socvulnerability-scanningnessus+5
131 days ago

building-threat-intelligence-enrichment-in-splunk

2
mukul975mukul975

Build automated threat intelligence enrichment pipelines in Splunk Enterprise Security using lookup tables, modular inputs, and the Threat Intelligence Framework.

splunkthreat-intelligenceenrichment+5
131 days ago

performing-lateral-movement-detection

2
mukul975mukul975

Detects lateral movement techniques including Pass-the-Hash, PsExec, WMI execution, RDP pivoting, and SMB-based spreading using SIEM correlation of Windows event logs, network flow data, and endpoint telemetry mapped to MITRE ATT&CK Lateral Movement (TA0008) techniques.

soclateral-movementmitre-attack+6
131 days ago

performing-log-source-onboarding-in-siem

2
mukul975mukul975

Perform structured log source onboarding into SIEM platforms by configuring collectors, parsers, normalization, and validation for complete security visibility.

siemlog-onboardinglog-management+4
131 days ago

mapping-mitre-attack-techniques

2
mukul975mukul975

Maps observed adversary behaviors, security alerts, and detection rules to MITRE ATT&CK techniques and sub-techniques to quantify detection coverage and guide control prioritization. Use when building an ATT&CK-based coverage heatmap, tagging SIEM alerts with technique IDs, aligning security controls to adversary playbooks, or reporting threat exposure to executives. Activates for requests involving ATT&CK Navigator, Sigma rules, MITRE D3FEND, or coverage gap analysis.

MITRE-ATT&CKATT&CK-NavigatorSigma+4
131 days ago

correlating-security-events-in-qradar

2
mukul975mukul975

Correlates security events in IBM QRadar SIEM using AQL (Ariel Query Language), custom rules, building blocks, and offense management to detect multi-stage attacks across network, endpoint, and application log sources. Use when SOC analysts need to investigate QRadar offenses, build correlation rules, or tune detection logic for reducing false positives.

socqradarsiem+4
131 days ago

hunting-for-persistence-mechanisms-in-windows

2
mukul975mukul975

Systematically hunt for adversary persistence mechanisms across Windows endpoints including registry, services, startup folders, and WMI subscriptions.

threat-huntingmitre-attackpersistence+4
131 days ago

performing-threat-hunting-with-elastic-siem

2
mukul975mukul975

Performs proactive threat hunting in Elastic Security SIEM using KQL/EQL queries, detection rules, and Timeline investigation to identify threats that evade automated detection. Use when SOC teams need to hunt for specific ATT&CK techniques, investigate anomalous behaviors, or validate detection coverage gaps using Elasticsearch and Kibana Security.

socelasticsiem+5
131 days ago

analyzing-dns-logs-for-exfiltration

2
mukul975mukul975

Analyzes DNS query logs to detect data exfiltration via DNS tunneling, DGA domain communication, and covert C2 channels using entropy analysis, query volume anomalies, and subdomain length detection in SIEM platforms. Use when SOC teams need to identify DNS-based threats that bypass traditional network security controls.

socdnsexfiltration+5
131 days ago

performing-log-analysis-for-forensic-investigation

2
mukul975mukul975

Collect, parse, and correlate system, application, and security logs to reconstruct events and establish timelines during forensic investigations.

forensicslog-analysissiem+3
131 days ago

building-detection-rule-with-splunk-spl

2
mukul975mukul975

Build effective detection rules using Splunk Search Processing Language (SPL) correlation searches to identify security threats in SOC environments.

splunkspldetection-engineering+5
131 days ago

implementing-alert-fatigue-reduction

2
mukul975mukul975

Implements strategies to reduce SOC alert fatigue by tuning detection rules, consolidating duplicate alerts, implementing risk-based alerting, and measuring alert quality metrics to maintain analyst effectiveness and prevent critical alert dismissal. Use when SOC teams face overwhelming alert volumes, high false positive rates, or declining analyst performance.

socalert-fatiguetuning+4
131 days ago

performing-false-positive-reduction-in-siem

2
mukul975mukul975

Perform systematic SIEM false positive reduction through rule tuning, threshold adjustment, correlation refinement, and threat intelligence enrichment to combat alert fatigue.

siemfalse-positivealert-tuning+4
131 days ago

detecting-ransomware-precursors-in-network

2
mukul975mukul975

Detects early-stage ransomware indicators in network traffic before encryption begins, including initial access broker activity, command-and-control beaconing, credential harvesting, reconnaissance scanning, and staging behavior. Uses network detection tools (Zeek, Suricata, Arkime), SIEM correlation rules, and threat intelligence feeds to identify ransomware precursor patterns such as Cobalt Strike beacons, Mimikatz network signatures, and RDP brute-force attempts. Activates for requests involving pre-ransomware detection, network-based ransomware indicators, or early warning ransomware monitoring.

ransomwaredetectionnetwork-security+2
131 days ago

building-soc-playbook-for-ransomware

2
mukul975mukul975

Builds a structured SOC incident response playbook for ransomware attacks covering detection, containment, eradication, and recovery phases with specific SIEM queries, isolation procedures, and decision trees. Use when SOC teams need formalized response procedures for ransomware incidents aligned to NIST SP 800-61 and MITRE ATT&CK ransomware techniques.

socransomwareincident-response+4
131 days ago

building-cloud-siem-with-sentinel

2
mukul975mukul975

This skill covers deploying Microsoft Sentinel as a cloud-native SIEM and SOAR platform for centralized security operations. It details configuring data connectors for multi-cloud log ingestion, writing KQL detection queries, building automated response playbooks with Logic Apps, and leveraging the Sentinel data lake for petabyte-scale threat hunting across AWS, Azure, and GCP security telemetry.

microsoft-sentinelcloud-siemkql-queries+2
131 days ago

deploying-edr-agent-with-crowdstrike

2
mukul975mukul975

Deploys and configures CrowdStrike Falcon EDR agents across enterprise endpoints to enable real-time threat detection, behavioral analysis, and automated response. Use when onboarding endpoints to EDR coverage, configuring detection policies, or integrating Falcon telemetry with SIEM platforms. Activates for requests involving CrowdStrike deployment, Falcon sensor installation, EDR policy configuration, or endpoint detection and response.

endpointedrCrowdStrike+3
131 days ago

configuring-suricata-for-network-monitoring

2
mukul975mukul975

Deploys and configures Suricata IDS/IPS with Emerging Threats rulesets, EVE JSON logging, and custom rules for real-time network traffic inspection, threat detection, and integration with SIEM platforms for centralized security monitoring.

network-securitysuricataids+2
131 days ago

automating-ioc-enrichment

2
mukul975mukul975

Automates the enrichment of raw indicators of compromise with multi-source threat intelligence context using SOAR platforms, Python pipelines, or TIP playbooks to reduce analyst triage time and standardize enrichment outputs. Use when building automated enrichment workflows integrated with SIEM alerts, email submission pipelines, or bulk IOC processing from threat feeds. Activates for requests involving SOAR enrichment, Cortex XSOAR, Splunk SOAR, TheHive, Python enrichment pipelines, or automated IOC processing.

SOARenrichmentIOC+6
132 days ago

detecting-lateral-movement-with-splunk

2
mukul975mukul975

Detect adversary lateral movement across networks using Splunk SPL queries against Windows authentication logs, SMB traffic, and remote service abuse.

threat-huntingmitre-attacklateral-movement+4
131 days ago

configuring-windows-event-logging-for-detection

2
mukul975mukul975

Configures Windows Event Logging with advanced audit policies to generate high-fidelity security events for threat detection and forensic investigation. Use when enabling audit policies for logon events, process creation, privilege use, and object access to feed SIEM detection rules. Activates for requests involving Windows audit policy, event log configuration, security logging, or detection-oriented logging.

endpointwindows-securityevent-logging+2
131 days ago

detecting-lateral-movement-in-network

2
mukul975mukul975

Identifies lateral movement techniques in enterprise networks by analyzing authentication logs, network flows, SMB traffic, and RDP sessions using Zeek, Velociraptor, and SIEM correlation rules to detect attackers moving between systems.

network-securitylateral-movementthreat-detection+2
131 days ago

building-automated-malware-submission-pipeline

2
mukul975mukul975

Builds an automated malware submission and analysis pipeline that collects suspicious files from endpoints and email gateways, submits them to sandbox environments and multi-engine scanners, and generates verdicts with IOCs for SIEM integration. Use when SOC teams need to scale malware analysis beyond manual sandbox submissions for high-volume alert triage.

socmalware-analysissandbox+5
131 days ago

analyzing-security-logs-with-splunk

2
mukul975mukul975

Leverages Splunk Enterprise Security and SPL (Search Processing Language) to investigate security incidents through log correlation, timeline reconstruction, and anomaly detection. Covers Windows event logs, firewall logs, proxy logs, and authentication data analysis. Activates for requests involving Splunk investigation, SPL queries, SIEM log analysis, security event correlation, or log-based incident investigation.

splunkSPLSIEM+2
131 days ago

building-threat-intelligence-feed-integration

2
mukul975mukul975

Builds automated threat intelligence feed integration pipelines connecting STIX/TAXII feeds, open-source threat intel, and commercial TI platforms into SIEM and security tools for real-time IOC matching and alerting. Use when SOC teams need to operationalize threat intelligence by automating feed ingestion, normalization, scoring, and distribution to detection systems.

socthreat-intelligencestix+5
131 days ago

performing-network-traffic-analysis-with-zeek

2
mukul975mukul975

Deploy Zeek network security monitor to capture, parse, and analyze network traffic metadata for threat detection, anomaly identification, and forensic investigation.

zeeknetwork-monitoringtraffic-analysis+6
131 days ago

building-threat-feed-aggregation-with-misp

2
mukul975mukul975

Deploy MISP (Malware Information Sharing Platform) to aggregate, correlate, and distribute threat intelligence feeds from multiple sources for centralized IOC management and automated SIEM integration.

mispthreat-feedaggregation+5
131 days ago

implementing-cloud-trail-log-analysis

2
mukul975mukul975

Implementing AWS CloudTrail log analysis for security monitoring, threat detection, and forensic investigation using Athena, CloudWatch Logs Insights, and SIEM integration to identify unauthorized access, privilege escalation, and suspicious API activity.

cloud-securityawscloudtrail+3
131 days ago

detecting-aws-guardduty-findings-automation

2
mukul975mukul975

Automate AWS GuardDuty threat detection findings processing using EventBridge and Lambda to enable real-time incident response, automatic quarantine of compromised resources, and security notification workflows.

awsguarddutyeventbridge+5
131 days ago

implementing-siem-use-cases-for-detection

2
mukul975mukul975

Implements SIEM detection use cases by designing correlation rules, threshold alerts, and behavioral analytics mapped to MITRE ATT&CK techniques across Splunk, Elastic, and Sentinel. Use when SOC teams need to expand detection coverage, formalize use case lifecycle management, or build a detection library aligned to organizational threat profile.

socsiemuse-cases+5
131 days ago

performing-plc-firmware-security-analysis

2
mukul975mukul975

This skill covers analyzing Programmable Logic Controller (PLC) firmware for security vulnerabilities including hardcoded credentials, insecure update mechanisms, backdoor functions, memory corruption flaws, and undocumented debug interfaces. It addresses firmware extraction from common PLC platforms (Siemens S7, Allen-Bradley, Schneider Modicon), static analysis of firmware images, dynamic analysis in emulated environments, and comparison against known-good baselines to detect tampering.

ot-securityicsscada+4
131 days ago
ClawiskillClawiskill
Network
Building with
?

Join Clawiskill today. The decentralized skill network for AI Agents.

Registry
70K+
Agent Joins
120K+
Explore Network