cybersecuritySkill
Analyzes DNS query logs to detect data exfiltration via DNS tunneling, DGA domain communication, and covert C2 channels using entropy analysis, query volume anomalies, and subdomain length detection in SIEM platforms. Use when SOC teams need to identify DNS-based threats that bypass traditional network security controls.
Soc Operations
c2-detectiondgadnsdns-tunneling+4
ATT&CK3, 3 mappingsNIST CSF4, 4 mappingsATLAS3, 3 mappings
cybersecuritySkill
Analyzes Windows Security, System, and Sysmon event logs in Splunk to detect authentication attacks, privilege escalation, persistence mechanisms, and lateral movement using SPL queries mapped to MITRE ATT&CK techniques. Use when SOC analysts need to investigate Windows-based threats, build detection queries, or perform forensic timeline analysis of Windows endpoints and domain controllers.
Soc Operations
active-directoryevent-logsmitre-attacksoc+3
ATT&CK12, 12 mappingsNIST CSF4, 4 mappingsD3FEND5, 5 mappings
cybersecuritySkill
Builds an automated malware submission and analysis pipeline that collects suspicious files from endpoints and email gateways, submits them to sandbox environments and multi-engine scanners, and generates verdicts with IOCs for SIEM integration. Use when SOC teams need to scale malware analysis beyond manual sandbox submissions for high-volume alert triage.
Soc Operations
any-runautomationcuckoomalware-analysis+4
ATT&CK5, 5 mappingsNIST CSF4, 4 mappings
cybersecuritySkill
Builds vendor-agnostic detection rules using the Sigma rule format for threat detection across SIEM platforms including Splunk, Elastic, and Microsoft Sentinel. Use when creating portable detection logic from threat intelligence, mapping rules to MITRE ATT&CK techniques, or converting community Sigma rules into platform-specific queries using sigmac or pySigma backends.
Soc Operations
detection-ruleselasticmitre-attacksentinel+4
ATT&CK5, 5 mappingsNIST CSF4, 4 mappingsD3FEND5, 5 mappings
cybersecuritySkill
Build effective detection rules using Splunk Search Processing Language (SPL) correlation searches to identify security threats in SOC environments.
Soc Operations
correlation-searchdetection-engineeringenterprise-securitysiem+4
ATT&CK6, 6 mappingsNIST CSF4, 4 mappingsD3FEND5, 5 mappings
cybersecuritySkill
Builds real-time incident response dashboards in Splunk, Elastic, or Grafana to provide SOC analysts and leadership with situational awareness during active incidents, tracking affected systems, containment status, IOC spread, and response timeline. Use when IR teams need unified visibility during incident coordination and post-incident reporting.
Soc Operations
dashboardincident-responsemetricssituational-awareness+3
ATT&CK5, 5 mappingsNIST CSF4, 4 mappings
cybersecuritySkill
Build a structured SOC escalation matrix defining severity tiers, response SLAs, escalation paths, and notification procedures for security incidents.
Soc Operations
escalationincident-managementseveritysla+3
ATT&CK3, 3 mappingsNIST CSF4, 4 mappings
cybersecuritySkill
Builds SOC performance metrics and KPI tracking dashboards measuring Mean Time to Detect (MTTD), Mean Time to Respond (MTTR), alert quality ratios, analyst productivity, and detection coverage using SIEM data. Use when SOC leadership needs operational visibility, continuous improvement tracking, or executive-level reporting on security operations effectiveness.
Soc Operations
continuous-improvementdashboardkpimetrics+4
ATT&CK2, 2 mappingsNIST CSF4, 4 mappingsATLAS3, 3 mappingsAI RMF3, 3 mappings
cybersecuritySkill
Builds a structured SOC incident response playbook for ransomware attacks covering detection, containment, eradication, and recovery phases with specific SIEM queries, isolation procedures, and decision trees. Use when SOC teams need formalized response procedures for ransomware incidents aligned to NIST SP 800-61 and MITRE ATT&CK ransomware techniques.
Soc Operations
containmentincident-responsemitre-attacknist+3
ATT&CK5, 5 mappingsNIST CSF4, 4 mappingsD3FEND5, 5 mappings
cybersecuritySkill
Build automated threat intelligence enrichment pipelines in Splunk Enterprise Security using lookup tables, modular inputs, and the Threat Intelligence Framework.
Soc Operations
enrichmententerprise-securityioclookup+4
ATT&CK3, 3 mappingsNIST CSF4, 4 mappings
cybersecuritySkill
Builds automated threat intelligence feed integration pipelines connecting STIX/TAXII feeds, open-source threat intel, and commercial TI platforms into SIEM and security tools for real-time IOC matching and alerting. Use when SOC teams need to operationalize threat intelligence by automating feed ingestion, normalization, scoring, and distribution to detection systems.
Soc Operations
feedsiocmispsiem-integration+4
ATT&CK3, 3 mappingsNIST CSF4, 4 mappings
cybersecuritySkill
Builds a structured vulnerability scanning workflow using tools like Nessus, Qualys, and OpenVAS to discover, prioritize, and track remediation of security vulnerabilities across infrastructure. Use when SOC teams need to establish recurring vulnerability assessment processes, integrate scan results with SIEM alerting, and build remediation tracking dashboards.
Soc Operations
cvssnessusopenvaspatch-management+4
ATT&CK3, 3 mappingsNIST CSF4, 4 mappings
cybersecuritySkill
Correlates security events in IBM QRadar SIEM using AQL (Ariel Query Language), custom rules, building blocks, and offense management to detect multi-stage attacks across network, endpoint, and application log sources. Use when SOC analysts need to investigate QRadar offenses, build correlation rules, or tune detection logic for reducing false positives.
Soc Operations
aqlcorrelationibmoffense-management+3
ATT&CK5, 5 mappingsNIST CSF4, 4 mappings
cybersecuritySkill
Hunt AADGraphActivityLogs and MicrosoftGraphActivityLogs in Microsoft Sentinel/Log Analytics for fingerprints of offensive Entra ID tools such as ROADtools, AADInternals, and AzureHound.
Soc Operations
aadinternalsdetection-engineeringentra-idkql+4
ATT&CK5, 5 mappingsNIST CSF1, 1 mapping
cybersecuritySkill
Detect SSO and OAuth token replay and SaaS lateral movement.
Soc Operations
detection-engineeringentra-idoauthokta+4
ATT&CK6, 6 mappingsNIST CSF1, 1 mapping
cybersecuritySkill
Implements strategies to reduce SOC alert fatigue by tuning detection rules, consolidating duplicate alerts, implementing risk-based alerting, and measuring alert quality metrics to maintain analyst effectiveness and prevent critical alert dismissal. Use when SOC teams face overwhelming alert volumes, high false positive rates, or declining analyst performance.
Soc Operations
alert-fatiguedetection-engineeringfalse-positiverisk-based-alerting+3
ATT&CK5, 5 mappingsNIST CSF4, 4 mappings
cybersecuritySkill
Implement MITRE ATT&CK coverage mapping to identify detection gaps, prioritize rule development, and measure SOC detection maturity against adversary techniques.
Soc Operations
attack-navigatordetection-coveragedetection-engineeringgap-analysis+2
ATT&CK16, 16 mappingsNIST CSF4, 4 mappingsATLAS3, 3 mappingsD3FEND5, 5 mappingsAI RMF3, 3 mappings
cybersecuritySkill
Implements SIEM detection use cases by designing correlation rules, threshold alerts, and behavioral analytics mapped to MITRE ATT&CK techniques across Splunk, Elastic, and Sentinel. Use when SOC teams need to expand detection coverage, formalize use case lifecycle management, or build a detection library aligned to organizational threat profile.
Soc Operations
detection-engineeringelasticmitre-attacksentinel+4
ATT&CK12, 12 mappingsNIST CSF4, 4 mappingsATLAS3, 3 mappingsD3FEND5, 5 mappingsAI RMF3, 3 mappings
cybersecuritySkill
Implements Security Orchestration, Automation, and Response (SOAR) workflows using Splunk SOAR (formerly Phantom) to automate alert triage, IOC enrichment, containment actions, and incident response playbooks. Use when SOC teams need to reduce manual analyst work, standardize response procedures, or integrate multiple security tools into automated workflows.
Soc Operations
automationincident-responseorchestrationphantom+4
ATT&CK4, 4 mappingsNIST CSF4, 4 mappings
cybersecuritySkill
Implement automated incident response playbooks in Cortex XSOAR to orchestrate security workflows across SOC tools and reduce manual response time.
Soc Operations
automationcortexincident-responseorchestration+4
ATT&CK4, 4 mappingsNIST CSF4, 4 mappings
cybersecuritySkill
Implements threat modeling using the MITRE ATT&CK framework to map adversary TTPs against organizational assets, assess detection coverage gaps, and prioritize defensive investments. Use when SOC teams need to align detection engineering with threat landscape, conduct threat assessments for new environments, or justify security tool procurement.
Soc Operations
attack-navigatordetection-coveragemitre-attackrisk-assessment+3
ATT&CK5, 5 mappingsNIST CSF4, 4 mappingsATLAS3, 3 mappingsD3FEND5, 5 mappingsAI RMF3, 3 mappings
cybersecuritySkill
Implements an integrated incident ticketing system connecting SIEM alerts to ServiceNow, Jira, or TheHive for structured incident tracking, SLA management, escalation workflows, and compliance documentation. Use when SOC teams need formalized incident lifecycle management with automated ticket creation, assignment routing, and resolution tracking.
Soc Operations
incident-managementjiraservicenowsla+4
ATT&CK4, 4 mappingsNIST CSF4, 4 mappings
cybersecuritySkill
Investigates insider threat indicators including data exfiltration attempts, unauthorized access patterns, policy violations, and pre-departure behaviors using SIEM analytics, DLP alerts, and HR data correlation. Use when SOC teams receive insider threat referrals from HR, detect anomalous data movement by employees, or need to build investigation timelines for potential insider threats.
Soc Operations
data-exfiltrationdlphr-correlationinsider-threat+3
ATT&CK5, 5 mappingsNIST CSF4, 4 mappings
cybersecuritySkill
Investigates phishing email incidents from initial user report through header analysis, URL/attachment detonation, impacted user identification, and containment actions using SOC tools like Splunk, Microsoft Defender, and sandbox analysis platforms. Use when a reported phishing email requires full incident investigation to determine scope and impact.
Soc Operations
defenderemail-securityincident-responsephishing+3
ATT&CK5, 5 mappingsNIST CSF4, 4 mappings
cybersecuritySkill
Perform systematic alert triage in Elastic Security SIEM to rapidly classify, prioritize, and investigate security alerts for SOC operations.
Soc Operations
alert-triagedetectionelasticelastic-security+4
ATT&CK4, 4 mappingsNIST CSF4, 4 mappingsD3FEND5, 5 mappings
cybersecuritySkill
Deploys deception technology including honeypots, honeytokens, and decoy systems to detect attackers who have bypassed perimeter defenses, providing high-fidelity alerts with near-zero false positive rates. Use when SOC teams need early warning of lateral movement, credential abuse, or internal reconnaissance by deploying convincing traps across the network.
Soc Operations
canarydeceptiondetectionhoneypot+3
ATT&CK5, 5 mappingsNIST CSF4, 4 mappings
cybersecuritySkill
Perform systematic SIEM false positive reduction through rule tuning, threshold adjustment, correlation refinement, and threat intelligence enrichment to combat alert fatigue.
Soc Operations
alert-fatiguealert-tuningcorrelationdetection-engineering+3
ATT&CK4, 4 mappingsNIST CSF4, 4 mappingsD3FEND5, 5 mappings
cybersecuritySkill
Automates Indicator of Compromise (IOC) enrichment by orchestrating lookups across VirusTotal, AbuseIPDB, Shodan, MISP, and other intelligence sources to provide contextual scoring and disposition recommendations. Use when SOC analysts need rapid multi-source enrichment of IPs, domains, URLs, and file hashes during alert triage or incident investigation.
Soc Operations
abuseipdbautomationenrichmentioc+4
ATT&CK4, 4 mappingsNIST CSF4, 4 mappings
cybersecuritySkill
Detects lateral movement techniques including Pass-the-Hash, PsExec, WMI execution, RDP pivoting, and SMB-based spreading using SIEM correlation of Windows event logs, network flow data, and endpoint telemetry mapped to MITRE ATT&CK Lateral Movement (TA0008) techniques.
Soc Operations
detectionlateral-movementmitre-attackpass-the-hash+5
ATT&CK9, 9 mappingsNIST CSF4, 4 mappingsD3FEND5, 5 mappings
cybersecuritySkill
Perform structured log source onboarding into SIEM platforms by configuring collectors, parsers, normalization, and validation for complete security visibility.
Soc Operations
data-ingestionlog-managementlog-onboardingnormalization+3
ATT&CK4, 4 mappingsNIST CSF4, 4 mappings
cybersecuritySkill
Performs purple team exercises by coordinating red team adversary emulation with blue team detection validation using MITRE ATT&CK-mapped attack scenarios, real-time detection testing, and collaborative gap remediation. Use when SOC teams need to validate detection capabilities, improve analyst skills, and close detection gaps through structured offensive-defensive collaboration.
Soc Operations
adversary-emulationblue-teamdetection-validationmitre-attack+3
ATT&CK10, 10 mappingsNIST CSF4, 4 mappingsD3FEND5, 5 mappings
cybersecuritySkill
Performs tabletop exercises for SOC teams simulating security incidents through discussion-based scenarios to test incident response procedures, communication workflows, and decision-making under pressure without impacting production systems. Use when organizations need to validate IR playbooks, train analysts, or meet compliance requirements for incident response testing.
Soc Operations
exerciseincident-responsenistplaybook-validation+3
ATT&CK4, 4 mappingsNIST CSF4, 4 mappings
cybersecuritySkill
Performs proactive threat hunting in Elastic Security SIEM using KQL/EQL queries, detection rules, and Timeline investigation to identify threats that evade automated detection. Use when SOC teams need to hunt for specific ATT&CK techniques, investigate anomalous behaviors, or validate detection coverage gaps using Elasticsearch and Kibana Security.
Soc Operations
elasticeqlkibanakql+4
ATT&CK11, 11 mappingsNIST CSF4, 4 mappingsATLAS3, 3 mappingsD3FEND5, 5 mappingsAI RMF3, 3 mappings
cybersecuritySkill
Performs User and Entity Behavior Analytics (UEBA) to detect anomalous user activities including impossible travel, unusual access patterns, privilege abuse, and insider threats using SIEM-based behavioral baselines and statistical analysis. Use when SOC teams need to identify compromised accounts or insider threats through deviation from established behavioral norms.
Soc Operations
anomaly-detectionbaselineinsider-threatsoc+3
ATT&CK5, 5 mappingsNIST CSF4, 4 mappings
cybersecuritySkill
Triages security alerts in Splunk Enterprise Security by classifying severity, investigating notable events, correlating related telemetry, and making escalation or closure decisions using SPL queries and the Incident Review dashboard. Use when SOC analysts face queued alerts from correlation searches, need to prioritize investigation order, or must document triage decisions for handoff to Tier 2/3 analysts.
Soc Operations
alert-triagecorrelation-searchincident-reviewnotable-events+3
ATT&CK4, 4 mappingsNIST CSF4, 4 mappings