cybersecuritySkill
Configures host-based intrusion detection systems (HIDS) to monitor endpoint file integrity, system calls, and configuration changes for security violations. Use when deploying OSSEC, Wazuh, or AIDE for endpoint monitoring, building file integrity monitoring (FIM) policies, or meeting compliance requirements for change detection. Activates for requests involving HIDS configuration, file integrity monitoring, OSSEC/Wazuh deployment, or host-based detection.
Endpoint Security
endpointfile-integrity-monitoringhidsintrusion-detection+2
ATT&CK5, 5 mappingsNIST CSF4, 4 mappings
cybersecuritySkill
Configures Microsoft Defender for Endpoint (MDE) advanced protection settings including attack surface reduction rules, controlled folder access, network protection, and exploit protection. Use when hardening Windows endpoints beyond default Defender settings, deploying enterprise-grade endpoint protection, or meeting compliance requirements for advanced malware defense. Activates for requests involving Windows Defender configuration, ASR rules, MDE tuning, or Microsoft endpoint security.
Endpoint Security
asrendpointexploit-protectionmde+2
ATT&CK10, 10 mappingsNIST CSF4, 4 mappings
cybersecuritySkill
Configures Windows Event Logging with advanced audit policies to generate high-fidelity security events for threat detection and forensic investigation. Use when enabling audit policies for logon events, process creation, privilege use, and object access to feed SIEM detection rules. Activates for requests involving Windows audit policy, event log configuration, security logging, or detection-oriented logging.
Endpoint Security
audit-policydetection-engineeringendpointevent-logging+1
ATT&CK5, 5 mappingsNIST CSF4, 4 mappings
cybersecuritySkill
Deploys and configures CrowdStrike Falcon EDR agents across enterprise endpoints to enable real-time threat detection, behavioral analysis, and automated response. Use when onboarding endpoints to EDR coverage, configuring detection policies, or integrating Falcon telemetry with SIEM platforms. Activates for requests involving CrowdStrike deployment, Falcon sensor installation, EDR policy configuration, or endpoint detection and response.
Endpoint Security
crowdstrikeedrendpointfalcon+2
ATT&CK5, 5 mappingsNIST CSF4, 4 mappingsATLAS3, 3 mappingsAI RMF5, 5 mappings
cybersecuritySkill
Deploys and configures osquery for real-time endpoint monitoring using SQL-based queries to inspect running processes, open ports, installed software, and system configuration. Use when building visibility into endpoint state, threat hunting across fleet, or implementing compliance monitoring. Activates for requests involving osquery deployment, endpoint visibility, fleet management, or SQL-based endpoint querying.
Endpoint Security
endpointendpoint-monitoringfleet-managementosquery+1
ATT&CK5, 5 mappingsNIST CSF4, 4 mappings
cybersecuritySkill
Detects defense evasion techniques used by adversaries in endpoint logs including log tampering, timestomping, process injection, and security tool disabling. Use when investigating suspicious endpoint behavior, building detection rules for evasion tactics, or conducting threat hunting for stealthy adversary activity. Activates for requests involving evasion detection, defense evasion analysis, log tampering detection, or MITRE ATT&CK TA0005.
Endpoint Security
defense-evasiondetection-engineeringedrendpoint+2
ATT&CK12, 12 mappingsNIST CSF4, 4 mappingsD3FEND5, 5 mappings
cybersecuritySkill
Detects fileless malware and in-memory attacks that execute entirely in RAM without writing persistent files to disk, evading traditional antivirus. Use when building detections for PowerShell-based attacks, reflective DLL injection, WMI persistence, and registry-resident malware. Activates for requests involving fileless malware detection, in-memory attacks, PowerShell exploitation, or living-off-the-land techniques.
Endpoint Security
detection-engineeringendpointfileless-malwarememory-attacks+1
ATT&CK8, 8 mappingsNIST CSF4, 4 mappings
cybersecuritySkill
Hardens Linux endpoints using CIS Benchmark recommendations for Ubuntu, RHEL, and CentOS to reduce attack surface, enforce security baselines, and meet compliance requirements. Use when deploying new Linux servers, remediating audit findings, or establishing security baselines for Linux infrastructure. Activates for requests involving Linux hardening, CIS benchmarks for Linux, server security baselines, or Linux configuration compliance.
Endpoint Security
cis-benchmarkendpointhardeninglinux-security+2
ATT&CK4, 4 mappingsNIST CSF4, 4 mappings
cybersecuritySkill
Hardens Windows endpoints using CIS (Center for Internet Security) Benchmark recommendations to reduce attack surface, enforce security baselines, and meet compliance requirements. Use when deploying new Windows workstations or servers, remediating audit findings, or establishing organization-wide security baselines. Activates for requests involving Windows hardening, CIS benchmarks, GPO security baselines, or endpoint configuration compliance.
Endpoint Security
baseline-configurationcis-benchmarkendpointgpo+2
ATT&CK4, 4 mappingsNIST CSF4, 4 mappings
cybersecuritySkill
Implements application whitelisting using Windows AppLocker to restrict unauthorized software execution on endpoints, reducing attack surface from malware, unauthorized tools, and shadow IT. Use when enforcing application control policies, meeting compliance requirements for software restriction, or preventing execution of unsigned or untrusted binaries. Activates for requests involving AppLocker, application whitelisting, software restriction, or executable control.
Endpoint Security
application-whitelistingapplockerendpointsoftware-restriction+1
ATT&CK5, 5 mappingsNIST CSF4, 4 mappings
cybersecuritySkill
Implements full disk encryption using Microsoft BitLocker on Windows endpoints to protect data at rest from unauthorized access in case of device loss or theft. Use when deploying encryption for compliance requirements, securing mobile workstations, or implementing data protection controls across the enterprise. Activates for requests involving BitLocker encryption, disk encryption, TPM configuration, or data-at-rest protection.
Endpoint Security
bitlockerdata-protectionencryptionendpoint+2
ATT&CK5, 5 mappingsNIST CSF4, 4 mappings
cybersecuritySkill
Implements endpoint Data Loss Prevention (DLP) controls to detect and prevent sensitive data exfiltration through email, USB, cloud storage, and printing. Use when deploying DLP agents, creating content inspection policies, or preventing unauthorized data movement from endpoints. Activates for requests involving DLP, data exfiltration prevention, content inspection, or sensitive data protection on endpoints.
Endpoint Security
content-inspectiondata-loss-preventiondata-protectiondlp+1
ATT&CK5, 5 mappingsNIST CSF4, 4 mappingsATLAS2, 2 mappingsAI RMF5, 5 mappings
cybersecuritySkill
Configure AIDE (Advanced Intrusion Detection Environment) for file integrity monitoring including baseline creation, scheduled integrity checks, change detection, and alerting
Endpoint Security
aidebaselinecompliancefile-integrity+3
ATT&CK4, 4 mappingsNIST CSF4, 4 mappings
cybersecuritySkill
Implements memory protection mechanisms including DEP (Data Execution Prevention), ASLR (Address Space Layout Randomization), CFG (Control Flow Guard), and other exploit mitigations to prevent memory corruption attacks. Use when hardening endpoints against buffer overflow exploits, ROP chains, and code injection. Activates for requests involving memory protection, exploit mitigation, DEP, ASLR, or CFG configuration.
Endpoint Security
aslrcfgdependpoint+2
ATT&CK5, 5 mappingsNIST CSF4, 4 mappings
cybersecuritySkill
Implements USB device control policies to restrict unauthorized removable media access on endpoints, preventing data exfiltration and malware introduction via USB devices. Use when deploying device control via Group Policy, Intune, or EDR platforms to enforce USB restrictions. Activates for requests involving USB control, removable media policy, device control, or data loss prevention via USB.
Endpoint Security
data-loss-preventiondevice-controlendpointremovable-media+1
ATT&CK5, 5 mappingsNIST CSF4, 4 mappings
cybersecuritySkill
Performs digital forensics investigation on compromised endpoints including memory acquisition, disk imaging, artifact analysis, and timeline reconstruction. Use when investigating security incidents, collecting evidence for legal proceedings, or analyzing endpoint compromise scope. Activates for requests involving endpoint forensics, memory analysis, disk forensics, or incident investigation.
Endpoint Security
disk-imagingendpointforensicsincident-investigation+2
ATT&CK5, 5 mappingsNIST CSF4, 4 mappings
cybersecuritySkill
Performs vulnerability remediation on endpoints by prioritizing CVEs based on risk scoring, deploying patches, applying configuration changes, and validating fixes. Use when remediating findings from vulnerability scans, responding to critical CVE advisories, or maintaining endpoint compliance with patch management SLAs. Activates for requests involving vulnerability remediation, CVE patching, endpoint vulnerability management, or security fix deployment.
Endpoint Security
cvecvssendpointpatching+2
ATT&CK4, 4 mappingsNIST CSF4, 4 mappings