Security specialty

Endpoint Security

Browse every cataloged workflow for endpoint security, with source context, tags, and security framework mappings intact.

Complete collection

Skills in this domain

17 skills

cybersecuritySkill

Configuring Host-Based Intrusion Detection

Configures host-based intrusion detection systems (HIDS) to monitor endpoint file integrity, system calls, and configuration changes for security violations. Use when deploying OSSEC, Wazuh, or AIDE for endpoint monitoring, building file integrity monitoring (FIM) policies, or meeting compliance requirements for change detection. Activates for requests involving HIDS configuration, file integrity monitoring, OSSEC/Wazuh deployment, or host-based detection.

Endpoint Security
endpointfile-integrity-monitoringhidsintrusion-detection+2
ATT&CK, 5 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Configuring Windows Defender Advanced Settings

Configures Microsoft Defender for Endpoint (MDE) advanced protection settings including attack surface reduction rules, controlled folder access, network protection, and exploit protection. Use when hardening Windows endpoints beyond default Defender settings, deploying enterprise-grade endpoint protection, or meeting compliance requirements for advanced malware defense. Activates for requests involving Windows Defender configuration, ASR rules, MDE tuning, or Microsoft endpoint security.

Endpoint Security
asrendpointexploit-protectionmde+2
ATT&CK, 10 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Configuring Windows Event Logging for Detection

Configures Windows Event Logging with advanced audit policies to generate high-fidelity security events for threat detection and forensic investigation. Use when enabling audit policies for logon events, process creation, privilege use, and object access to feed SIEM detection rules. Activates for requests involving Windows audit policy, event log configuration, security logging, or detection-oriented logging.

Endpoint Security
audit-policydetection-engineeringendpointevent-logging+1
ATT&CK, 5 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Deploying EDR Agent with CrowdStrike

Deploys and configures CrowdStrike Falcon EDR agents across enterprise endpoints to enable real-time threat detection, behavioral analysis, and automated response. Use when onboarding endpoints to EDR coverage, configuring detection policies, or integrating Falcon telemetry with SIEM platforms. Activates for requests involving CrowdStrike deployment, Falcon sensor installation, EDR policy configuration, or endpoint detection and response.

Endpoint Security
crowdstrikeedrendpointfalcon+2
ATT&CK, 5 mappingsNIST CSF, 4 mappingsATLAS, 3 mappingsAI RMF, 5 mappings
cybersecuritySkill

Deploying Osquery for Endpoint Monitoring

Deploys and configures osquery for real-time endpoint monitoring using SQL-based queries to inspect running processes, open ports, installed software, and system configuration. Use when building visibility into endpoint state, threat hunting across fleet, or implementing compliance monitoring. Activates for requests involving osquery deployment, endpoint visibility, fleet management, or SQL-based endpoint querying.

Endpoint Security
endpointendpoint-monitoringfleet-managementosquery+1
ATT&CK, 5 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Detecting Evasion Techniques in Endpoint Logs

Detects defense evasion techniques used by adversaries in endpoint logs including log tampering, timestomping, process injection, and security tool disabling. Use when investigating suspicious endpoint behavior, building detection rules for evasion tactics, or conducting threat hunting for stealthy adversary activity. Activates for requests involving evasion detection, defense evasion analysis, log tampering detection, or MITRE ATT&CK TA0005.

Endpoint Security
defense-evasiondetection-engineeringedrendpoint+2
ATT&CK, 12 mappingsNIST CSF, 4 mappingsD3FEND, 5 mappings
cybersecuritySkill

Detecting Fileless Attacks on Endpoints

Detects fileless malware and in-memory attacks that execute entirely in RAM without writing persistent files to disk, evading traditional antivirus. Use when building detections for PowerShell-based attacks, reflective DLL injection, WMI persistence, and registry-resident malware. Activates for requests involving fileless malware detection, in-memory attacks, PowerShell exploitation, or living-off-the-land techniques.

Endpoint Security
detection-engineeringendpointfileless-malwarememory-attacks+1
ATT&CK, 8 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Hardening Linux Endpoint with CIS Benchmark

Hardens Linux endpoints using CIS Benchmark recommendations for Ubuntu, RHEL, and CentOS to reduce attack surface, enforce security baselines, and meet compliance requirements. Use when deploying new Linux servers, remediating audit findings, or establishing security baselines for Linux infrastructure. Activates for requests involving Linux hardening, CIS benchmarks for Linux, server security baselines, or Linux configuration compliance.

Endpoint Security
cis-benchmarkendpointhardeninglinux-security+2
ATT&CK, 4 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Hardening Windows Endpoint with CIS Benchmark

Hardens Windows endpoints using CIS (Center for Internet Security) Benchmark recommendations to reduce attack surface, enforce security baselines, and meet compliance requirements. Use when deploying new Windows workstations or servers, remediating audit findings, or establishing organization-wide security baselines. Activates for requests involving Windows hardening, CIS benchmarks, GPO security baselines, or endpoint configuration compliance.

Endpoint Security
baseline-configurationcis-benchmarkendpointgpo+2
ATT&CK, 4 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Implementing Application Whitelisting with AppLocker

Implements application whitelisting using Windows AppLocker to restrict unauthorized software execution on endpoints, reducing attack surface from malware, unauthorized tools, and shadow IT. Use when enforcing application control policies, meeting compliance requirements for software restriction, or preventing execution of unsigned or untrusted binaries. Activates for requests involving AppLocker, application whitelisting, software restriction, or executable control.

Endpoint Security
application-whitelistingapplockerendpointsoftware-restriction+1
ATT&CK, 5 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Implementing Disk Encryption with BitLocker

Implements full disk encryption using Microsoft BitLocker on Windows endpoints to protect data at rest from unauthorized access in case of device loss or theft. Use when deploying encryption for compliance requirements, securing mobile workstations, or implementing data protection controls across the enterprise. Activates for requests involving BitLocker encryption, disk encryption, TPM configuration, or data-at-rest protection.

Endpoint Security
bitlockerdata-protectionencryptionendpoint+2
ATT&CK, 5 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Implementing Endpoint DLP Controls

Implements endpoint Data Loss Prevention (DLP) controls to detect and prevent sensitive data exfiltration through email, USB, cloud storage, and printing. Use when deploying DLP agents, creating content inspection policies, or preventing unauthorized data movement from endpoints. Activates for requests involving DLP, data exfiltration prevention, content inspection, or sensitive data protection on endpoints.

Endpoint Security
content-inspectiondata-loss-preventiondata-protectiondlp+1
ATT&CK, 5 mappingsNIST CSF, 4 mappingsATLAS, 2 mappingsAI RMF, 5 mappings
cybersecuritySkill

Implementing File Integrity Monitoring with AIDE

Configure AIDE (Advanced Intrusion Detection Environment) for file integrity monitoring including baseline creation, scheduled integrity checks, change detection, and alerting

Endpoint Security
aidebaselinecompliancefile-integrity+3
ATT&CK, 4 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Implementing Memory Protection with DEP and ASLR

Implements memory protection mechanisms including DEP (Data Execution Prevention), ASLR (Address Space Layout Randomization), CFG (Control Flow Guard), and other exploit mitigations to prevent memory corruption attacks. Use when hardening endpoints against buffer overflow exploits, ROP chains, and code injection. Activates for requests involving memory protection, exploit mitigation, DEP, ASLR, or CFG configuration.

Endpoint Security
aslrcfgdependpoint+2
ATT&CK, 5 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Implementing USB Device Control Policy

Implements USB device control policies to restrict unauthorized removable media access on endpoints, preventing data exfiltration and malware introduction via USB devices. Use when deploying device control via Group Policy, Intune, or EDR platforms to enforce USB restrictions. Activates for requests involving USB control, removable media policy, device control, or data loss prevention via USB.

Endpoint Security
data-loss-preventiondevice-controlendpointremovable-media+1
ATT&CK, 5 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Performing Endpoint Forensics Investigation

Performs digital forensics investigation on compromised endpoints including memory acquisition, disk imaging, artifact analysis, and timeline reconstruction. Use when investigating security incidents, collecting evidence for legal proceedings, or analyzing endpoint compromise scope. Activates for requests involving endpoint forensics, memory analysis, disk forensics, or incident investigation.

Endpoint Security
disk-imagingendpointforensicsincident-investigation+2
ATT&CK, 5 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Performing Endpoint Vulnerability Remediation

Performs vulnerability remediation on endpoints by prioritizing CVEs based on risk scoring, deploying patches, applying configuration changes, and validating fixes. Use when remediating findings from vulnerability scans, responding to critical CVE advisories, or maintaining endpoint compliance with patch management SLAs. Activates for requests involving vulnerability remediation, CVE patching, endpoint vulnerability management, or security fix deployment.

Endpoint Security
cvecvssendpointpatching+2
ATT&CK, 4 mappingsNIST CSF, 4 mappings