Security specialty

Security Operations

Browse every cataloged workflow for security operations, with source context, tags, and security framework mappings intact.

Complete collection

Skills in this domain

28 skills

cybersecuritySkill

Analyzing API Gateway Access Logs

Parses API Gateway access logs (AWS API Gateway, Kong, Nginx) to detect BOLA/IDOR attacks, rate limit bypass, credential scanning, and injection attempts. Uses pandas for statistical analysis of request patterns and anomaly detection. Use when investigating API abuse or building API-specific threat detection rules.

Security Operations
access-log-analysisapi-securityaws-api-gatewaybola-detection+4
ATT&CK, 4 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Analyzing Azure Activity Logs for Threats

Queries Azure Monitor activity logs and sign-in logs via azure-monitor-query to detect suspicious administrative operations, impossible travel, privilege escalation, and resource modifications. Builds KQL queries for threat hunting in Azure environments. Use when investigating suspicious Azure tenant activity or building cloud SIEM detections.

Security Operations
activity-logsazureazure-monitorcloud-security+2
ATT&CK, 5 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Analyzing Memory Forensics with LiME and Volatility

Performs Linux memory acquisition using LiME (Linux Memory Extractor) kernel module and analysis with Volatility 3 framework. Extracts process lists, network connections, bash history, loaded kernel modules, and injected code from Linux memory images. Use when performing incident response on compromised Linux systems.

Security Operations
incident-responsekernel-moduleslimelinux-forensics+2
ATT&CK, 4 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Analyzing PowerShell Script Block Logging

Parse Windows PowerShell Script Block Logs (Event ID 4104) from EVTX files to detect obfuscated commands, encoded payloads, and living-off-the-land techniques. Uses python-evtx to extract and reconstruct multi-block scripts, applies entropy analysis and pattern matching for Base64-encoded commands, Invoke-Expression abuse, download cradles, and AMSI bypass attempts.

Security Operations
endpoint-securityevent-id-4104obfuscation-detectionpowershell+2
ATT&CK, 7 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Analyzing TLS Certificate Transparency Logs

Queries Certificate Transparency logs via crt.sh and pycrtsh to detect phishing domains, unauthorized certificate issuance, and shadow IT. Monitors newly issued certificates for typosquatting and brand impersonation using Levenshtein distance. Use for proactive phishing domain detection and certificate monitoring.

Security Operations
certificate-transparencycrt-shct-logsphishing-detection+2
ATT&CK, 4 mappingsNIST CSF, 4 mappingsATLAS, 2 mappings
cybersecuritySkill

Analyzing Web Server Logs for Intrusion

Parse Apache and Nginx access logs to detect SQL injection attempts, local file inclusion, directory traversal, web scanner fingerprints, and brute-force patterns. Uses regex-based pattern matching against OWASP attack signatures, GeoIP enrichment for source attribution, and statistical anomaly detection for request frequency and response size outliers.

Security Operations
apache-logsdirectory-traversalintrusion-detectionlfi-detection+3
ATT&CK, 5 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Detecting Beaconing Patterns with Zeek

Performs statistical analysis of Zeek conn.log connection intervals to detect C2 beaconing patterns. Uses the ZAT library to load Zeek logs into Pandas DataFrames, calculates inter-arrival time standard deviation, and flags periodic connections with low jitter. Use when hunting for command-and-control callbacks in network data.

Security Operations
c2-beaconingconn-log-analysisnetwork-securitystatistical-analysis+3
ATT&CK, 5 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Detecting Insider Data Exfiltration via DLP

Detects insider data exfiltration by analyzing DLP policy violations, file access patterns, upload volume anomalies, and off-hours activity in endpoint and cloud logs. Uses pandas for behavioral analytics and statistical baselines. Use when investigating insider threats or building user behavior analytics for data loss prevention.

Security Operations
data-loss-preventiondlpexfiltration-detectioninsider-threat+2
ATT&CK, 5 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Detecting SQL Injection via WAF Logs

Analyze WAF (ModSecurity/AWS WAF/Cloudflare) logs to detect SQL injection attack campaigns. Parses ModSecurity audit logs and JSON WAF event logs to identify SQLi patterns (UNION SELECT, OR 1=1, SLEEP(), BENCHMARK()), tracks attack sources, correlates multi-stage injection attempts, and generates incident reports with OWASP classification.

Security Operations
aws-wafcloudflare-wafmodsecuritysql-injection-detection+2
ATT&CK, 3 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Detecting Supply Chain Attacks in CI/CD

Scans GitHub Actions workflows and CI/CD pipeline configurations for supply chain attack vectors including unpinned actions, script injection via expressions, dependency confusion, and secrets exposure. Uses PyGithub and YAML parsing for automated audit. Use when hardening CI/CD pipelines or investigating compromised build systems.

Security Operations
ci-cd-securitydependency-pinningdevsecopsgithub-actions+2
ATT&CK, 4 mappingsNIST CSF, 4 mappingsATLAS, 2 mappingsAI RMF, 3 mappings
cybersecuritySkill

Extracting Memory Artifacts with Rekall

Uses Rekall memory forensics framework to analyze memory dumps for process hollowing, injected code via VAD anomalies, hidden processes, and rootkit detection. Applies plugins like pslist, psscan, vadinfo, malfind, and dlllist to extract forensic artifacts from Windows memory images. Use during incident response memory analysis.

Security Operations
code-injectionincident-responsememory-forensicsprocess-hollowing+3
ATT&CK, 5 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Hunting Credential Stuffing Attacks

Detects credential stuffing attacks by analyzing authentication logs for login velocity anomalies, ASN diversity, password spray patterns, and geographic distribution of failed logins. Uses statistical analysis on Splunk or raw log data. Use when investigating account takeover campaigns or building detection rules for auth abuse.

Security Operations
account-takeoverasn-analysisauthentication-logscredential-stuffing+2
ATT&CK, 5 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Implementing Canary Tokens for Network Intrusion Detection

Deploys DNS, HTTP, and AWS API key canary tokens across network infrastructure to detect unauthorized access and lateral movement. Integrates with webhook alerting (Slack, Teams, email, generic HTTP) for real-time intrusion notifications. Provides automated token generation, placement strategies, and monitoring for enterprise network environments. Use when building deception-based network intrusion detection with Canarytokens.org and Thinkst Canary platforms.

Security Operations
breach-detectioncanary-tokensdeceptionhoneytokens+2
ATT&CK, 11 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Implementing eBPF Security Monitoring

Implements eBPF-based security monitoring using Cilium Tetragon for real-time process execution tracking, network connection observability, file access auditing, and runtime enforcement. Covers TracingPolicy CRD authoring with kprobe/tracepoint hooks, in-kernel filtering via matchArgs/matchBinaries selectors, JSON event export, and integration with SIEM pipelines. Use when building kernel-level runtime security observability for Linux hosts or Kubernetes clusters.

Security Operations
ciliumebpfkernel-securitykubernetes-security+3
ATT&CK, 5 mappingsNIST CSF, 4 mappingsATLAS, 3 mappingsAI RMF, 3 mappings
cybersecuritySkill

Implementing Endpoint Detection with Wazuh

Deploy and configure Wazuh SIEM/XDR for endpoint detection including agent management, custom decoder and rule XML creation, alert querying via the Wazuh REST API, and automated response actions.

Security Operations
custom-rulesendpoint-detectionincident-responsesiem+2
ATT&CK, 5 mappingsNIST CSF, 4 mappingsAI RMF, 5 mappings
cybersecuritySkill

Implementing Honeytokens for Breach Detection

Deploys canary tokens and honeytokens (fake AWS credentials, DNS canaries, document beacons, database records) that trigger alerts when accessed by attackers. Uses the Canarytokens API and custom webhook integrations for breach detection. Use when building deception-based early warning systems for intrusion detection.

Security Operations
breach-detectioncanary-tokensdeception-technologydns-canary+2
ATT&CK, 5 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Implementing Log Forwarding with Fluentd

Configure Fluentd and Fluent Bit for centralized log aggregation, routing, filtering, and enrichment across distributed infrastructure

Security Operations
centralized-loggingfluent-bitfluentdlog-aggregation+3
ATT&CK, 5 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Implementing Log Integrity with Blockchain

Build an append-only log integrity chain using SHA-256 hash chaining for tamper detection. Each log entry is hashed with the previous entry's hash to create a blockchain-like structure where modifying any entry invalidates all subsequent hashes. Implements log ingestion, chain verification, tamper detection with pinpoint identification, and periodic checkpoint anchoring to external timestamping services.

Security Operations
audit-logginghash-chaininglog-integritysecurity-operations+2
ATT&CK, 3 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Implementing mTLS for Zero Trust Services

Configures mutual TLS (mTLS) authentication between microservices using Python cryptography library for certificate generation and ssl module for TLS verification. Validates certificate chains, checks expiration, and audits mTLS deployment status. Use when implementing zero-trust service-to-service authentication.

Security Operations
certificate-managementmicroservices-securitymtlsmutual-tls+2
ATT&CK, 5 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Implementing Security Chaos Engineering

Implements security chaos engineering experiments that deliberately disable or degrade security controls to verify detection and response capabilities. Tests WAF bypass, firewall rule removal, log pipeline disruption, and EDR disablement scenarios using boto3 and subprocess. Use when validating SOC detection coverage and resilience.

Security Operations
control-validationdetection-validationresilience-testingsecurity-chaos-engineering+1
ATT&CK, 5 mappingsNIST CSF, 4 mappingsATLAS, 3 mappingsAI RMF, 3 mappings
cybersecuritySkill

Implementing Security Monitoring with Datadog

Implements security monitoring using Datadog Cloud SIEM, Cloud Security Management (CSM), and Workload Protection to detect threats, enforce compliance, and respond to security events across cloud and hybrid infrastructure. Covers Agent deployment, log source ingestion, detection rule creation, security dashboards, and automated notification workflows. Activates for requests involving Datadog security setup, Cloud SIEM configuration, CSM threat detection, or security monitoring dashboards.

Security Operations
cloud-securitycsmdatadogdetection-rules+4
ATT&CK, 5 mappingsNIST CSF, 4 mappingsD3FEND, 5 mappingsAI RMF, 5 mappings
cybersecuritySkill

Implementing SIEM Correlation Rules for APT

Write multi-event correlation rules that detect APT lateral movement by chaining Windows authentication events, process execution telemetry, and network connection logs across hosts. Uses Splunk SPL and Sigma rule format to correlate Event IDs 4624, 4648, 4688, and Sysmon Events 1/3 within sliding time windows to surface attack sequences invisible to single-event detections.

Security Operations
apt-detectioncorrelation-ruleslateral-movementsecurity-operations+2
ATT&CK, 5 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Implementing SIEM Use Case Tuning

Tune SIEM detection rules to reduce false positives by analyzing alert volumes, creating whitelists, adjusting thresholds, and measuring detection efficacy metrics in Splunk and Elastic

Security Operations
alert-tuningdetection-engineeringelasticfalse-positive-reduction+3
ATT&CK, 5 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Implementing SOAR Playbook for Phishing

Automate phishing incident response using Splunk SOAR REST API to create containers, add artifacts, and trigger playbooks

Security Operations
incident-responsephishingsoarsplunk-phantom
ATT&CK, 5 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Implementing Syslog Centralization with Rsyslog

Configure rsyslog for centralized log collection with TLS encryption, custom templates, and log rotation. Generates server and client configuration files with GnuTLS stream drivers, x509 certificate authentication, per-host log segregation, and reliable queue settings for high-availability syslog infrastructure.

Security Operations
log-centralizationlog-managementrsyslogsecurity-operations+2
ATT&CK, 5 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Performing DNS Tunneling Detection

Detects DNS tunneling by computing Shannon entropy of DNS query names, analyzing query length distributions, inspecting TXT record payloads, and identifying high subdomain cardinality. Uses scapy for packet capture analysis and statistical methods to distinguish legitimate DNS from covert channels. Use when hunting for data exfiltration.

Security Operations
dns-analysisdns-tunnelingexfiltration-detectionsecurity-operations+2
ATT&CK, 5 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Performing Red Team Phishing With Gophish

Automate GoPhish phishing simulation campaigns using the Python gophish library. Creates email templates with tracking pixels, configures SMTP sending profiles, builds target groups from CSV, launches campaigns, and analyzes results including open rates, click rates, and credential submission statistics for security awareness assessment.

Security Operations
campaign-automationgophishphishing-simulationred-teaming+2
ATT&CK, 5 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Performing Ssrf Vulnerability Exploitation

Test for Server-Side Request Forgery vulnerabilities by probing cloud metadata endpoints, internal network services, and protocol handlers through user-controllable URL parameters. Tests AWS/GCP/Azure metadata APIs (169.254.169.254), internal port scanning via HTTP, URL scheme bypass techniques, and DNS rebinding detection.

Security Operations
cloud-metadata-abusepenetration-testingssrfvulnerability-exploitation+1
ATT&CK, 6 mappingsNIST CSF, 4 mappings