Security Monitoring
Automate security monitoring, threat detection, incident response, and compliance workflows
# Security Monitoring
Comprehensive skill for security monitoring, threat detection, and incident response automation.
## Core Architecture
### Security Monitoring Stack
```
SECURITY MONITORING ARCHITECTURE:
┌────────────────────────────────────────────────────────┐
│                      DATA SOURCES                      │
├──────────┬──────────┬──────────┬──────────┬────────────┤
│ Firewall │ Endpoint │  Cloud   │ Network  │ Application│
│   Logs   │   Logs   │   Logs   │ Traffic  │    Logs    │
└────┬─────┴────┬─────┴────┬─────┴────┬─────┴─────┬──────┘
     │          │          │          │           │
     └──────────┴──────────┴────┬─────┴───────────┘
                                ▼
┌────────────────────────────────────────────────────────┐
│                    LOG AGGREGATION                     │
│              (SIEM / Security Data Lake)               │
└────────────────────────┬───────────────────────────────┘
                         ▼
┌────────────────────────────────────────────────────────┐
│                    DETECTION ENGINE                    │
│  • Rule-based Detection      • ML Anomaly Detection    │
│  • Correlation Rules         • Threat Intelligence     │
└────────────────────────┬───────────────────────────────┘
                         ▼
┌────────────────────────────────────────────────────────┐
│                   RESPONSE & ACTION                    │
│  • Alerting                  • Automated Response      │
│  • Ticketing                 • Containment             │
└────────────────────────────────────────────────────────┘
```
## Detection Rules
### Rule Categories
```yaml
detection_rules:
  authentication:
    - name: brute_force_login
      description: "Multiple failed login attempts from one source"
      query: |
        event.type == "authentication" AND
        event.outcome == "failure" AND
        COUNT(*) > 5 WITHIN 5 minutes
        GROUP BY source.ip
      severity: high
      actions:
        - create_alert
        - block_ip_temporarily   # shared egress (NAT, VPN, proxy) IPs: a block hits every user behind them
    - name: impossible_travel
      description: "Successful logins from geographically distant locations in too short a time"
      query: |
        event.type == "authentication" AND
        event.outcome == "success" AND
        geo_distance(prev_location, current_location) > 500km AND
        time_diff < 1 hour
      severity: critical
      actions:
        - create_alert
        - require_mfa_verification
        - notify_user
  data_exfiltration:
    - name: large_data_transfer
      description: "Unusual data egress volume"
      query: |
        event.type == "network" AND
        direction == "outbound" AND
        SUM(bytes_transferred) > 100MB WITHIN 1 hour   # aggregate per user, not per flow
        GROUP BY user.id
      severity: medium
      actions:
        - create_alert
        - capture_network_session
  malware:
    - name: known_malware_hash
      description: "File matches known malware signature"
      query: |
        event.type == "file" AND
        file.hash.sha256 IN threat_intelligence.malware_hashes
      severity: critical
      actions:
        - quarantine_file
        - isolate_endpoint
        - create_incident
```
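The brute_force_login and impossible_travel rules above, as an added example of the detection logic a rule engine evaluates (this is not the page's own engine). The event stream, IP addresses, coordinates and timestamps are constructed for the demonstration; field names mirror the rule fields (event.type, event.outcome, source.ip, user.name).

```python
"""Windowed threshold and impossible-travel detection over constructed auth events.

Added example: executable versions of the brute_force_login and impossible_travel
rules. Not the page's own engine; event field names, IPs, coordinates and
timestamps are constructed for the demonstration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

LONDON, CAMBRIDGE, TOKYO = (51.5074, -0.1278), (52.2053, 0.1218), (35.6762, 139.6503)


def ev(ts, outcome, ip, user, geo=None):
    """Build one authentication event; keys mirror event.type/event.outcome/source.ip/user.name."""
    return {"ts": ts, "type": "authentication", "outcome": outcome,
            "source_ip": ip, "user": user, "geo": geo}


EVENTS = [  # constructed sample stream, not real logs
    # six failures from one IP inside 2.5 minutes -> brute_force_login (threshold 5 in 5 min)
    *[ev(f"2024-05-01T10:0{i // 2}:{'30' if i % 2 else '00'}Z", "failure", "203.0.113.7", "alice")
      for i in range(6)],
    # three failures spread over 12 minutes -> never more than one in any 5-minute window
    ev("2024-05-01T10:00:00Z", "failure", "198.51.100.9", "carol"),
    ev("2024-05-01T10:06:00Z", "failure", "198.51.100.9", "carol"),
    ev("2024-05-01T10:12:00Z", "failure", "198.51.100.9", "carol"),
    # bob: London then Tokyo 30 minutes later -> impossible_travel
    ev("2024-05-01T10:10:00Z", "success", "198.51.100.20", "bob", LONDON),
    ev("2024-05-01T10:40:00Z", "success", "192.0.2.44", "bob", TOKYO),
    # alice: London then Cambridge (~80 km) 45 minutes later -> plausible, no alert
    ev("2024-05-01T10:05:00Z", "success", "198.51.100.20", "alice", LONDON),
    ev("2024-05-01T10:50:00Z", "success", "198.51.100.21", "alice", CAMBRIDGE),
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def haversine_km(a, b):
    """Great-circle distance between two (lat, lon) points in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def brute_force_alerts(events, threshold=5, window=timedelta(minutes=5)):
    """COUNT(*) > threshold WITHIN window GROUP BY source.ip, as a sliding window.

    The deque per source IP is trimmed on every event so old failures fall out
    of the window; the alert fires once, at the moment the count first exceeds
    the threshold, so one burst does not produce one alert per extra attempt.
    """
    failures = defaultdict(deque)  # source_ip -> timestamps of failures inside the window
    alerts = []
    for e in sorted(events, key=lambda e: parse_ts(e["ts"])):
        if e["type"] != "authentication" or e["outcome"] != "failure":
            continue
        ts, q = parse_ts(e["ts"]), failures[e["source_ip"]]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) == threshold + 1:
            alerts.append({"rule": "brute_force_login", "severity": "high",
                           "source_ip": e["source_ip"], "count": len(q), "ts": ts})
    return alerts


def impossible_travel_alerts(events, max_km=500, window=timedelta(hours=1)):
    """Successful logins by the same user from locations too far apart for the elapsed time."""
    last_seen = {}  # user -> (timestamp, geo) of the previous successful login
    alerts = []
    for e in sorted(events, key=lambda e: parse_ts(e["ts"])):
        if e["type"] != "authentication" or e["outcome"] != "success" or e["geo"] is None:
            continue
        ts = parse_ts(e["ts"])
        if e["user"] in last_seen:
            prev_ts, prev_geo = last_seen[e["user"]]
            km = haversine_km(prev_geo, e["geo"])
            if ts - prev_ts < window and km > max_km:
                alerts.append({"rule": "impossible_travel", "severity": "critical",
                               "user": e["user"], "distance_km": round(km), "ts": ts})
        last_seen[e["user"]] = (ts, e["geo"])
    return alerts


def run_rules(events):
    return brute_force_alerts(events) + impossible_travel_alerts(events)


if __name__ == "__main__":
    for a in run_rules(EVENTS):
        print(a)
```

Two things the rule text does not say but the code makes visible: the count must be evaluated over a sliding window, not a fixed clock bucket, or a burst straddling a boundary is missed; and impossible-travel geolocation is only as good as the IP-to-location data, so corporate VPN egress and mobile-carrier address pools need an allowlist or a larger distance threshold before the require_mfa_verification action is automated.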
### Correlation Rules
```yaml
# Events in a chain are correlated on the same host, in order; each `within` is
# measured from the previously matched event, and an expired window resets the chain.
correlation_rules:
  - name: lateral_movement_detection
    description: "Detect potential lateral movement"
    events:
      - type: authentication_success
        from: internal_network
      - type: process_execution
        name: ["psexec", "wmic", "powershell"]
        within: 5_minutes
      - type: network_connection
        to: different_internal_host
        within: 10_minutes
    severity: high
  - name: privilege_escalation_chain
    description: "Detect privilege escalation attempts"
    events:
      - type: authentication
        account_type: standard_user
      - type: process_execution
        elevated: true
        within: 30_minutes
      - type: account_modification
        action: add_to_admin_group
        within: 1_hour
    severity: critical
```
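Multi-event correlation is a different mechanism from the threshold rules: the engine has to carry state per host and check ordering and time gaps between stages. The following is an added example of lateral_movement_detection as a per-host stage machine; it is not the page's correlation engine. Hostnames, the INTERNAL_HOSTS inventory used to resolve `different_internal_host`, and all events are constructed.

```python
"""Sequence correlation for the lateral_movement_detection rule.

Added example (not the page's correlation engine): events are correlated per
host, each stage must follow the previous matched stage within its window, and
a window expiry discards the partial chain. Hosts and events are constructed.
"""
from datetime import datetime, timedelta

INTERNAL_HOSTS = {"ws-17", "ws-22", "ws-09", "ws-31", "srv-02"}  # constructed asset inventory

# One stage per event in the rule: (event type, match predicate, max gap from previous stage)
LATERAL_MOVEMENT = [
    ("authentication_success", lambda e: e.get("from") == "internal_network", None),
    ("process_execution",
     lambda e: e.get("name", "").lower().split(".")[0] in {"psexec", "wmic", "powershell"},
     timedelta(minutes=5)),
    ("network_connection",
     lambda e: e.get("dest") in INTERNAL_HOSTS and e.get("dest") != e.get("host"),
     timedelta(minutes=10)),
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def correlate(events, stages, rule_name, key="host"):
    """Advance a per-key chain through `stages`; emit an alert when the last stage matches."""
    state = {}  # key -> (next stage index, timestamp of last matched stage, matched events)
    alerts = []
    for e in sorted(events, key=lambda e: parse_ts(e["ts"])):
        ts, k = parse_ts(e["ts"]), e[key]
        idx, last_ts, chain = state.get(k, (0, None, []))
        # Window expired: drop the partial chain; this event is then tested against stage 0.
        if idx > 0 and ts - last_ts > stages[idx][2]:
            idx, last_ts, chain = 0, None, []
        etype, pred, _ = stages[idx]
        if e["type"] == etype and pred(e):
            chain, idx, last_ts = chain + [e], idx + 1, ts
            if idx == len(stages):
                alerts.append({"rule": rule_name, "severity": "high", key: k, "events": chain})
                idx, last_ts, chain = 0, None, []
        state[k] = (idx, last_ts, chain)
    return alerts


def ev(ts, host, etype, fields=None):
    return {"ts": ts, "host": host, "type": etype, **(fields or {})}


EVENTS = [  # constructed sample telemetry
    # ws-17: full chain inside both windows -> alert
    ev("2024-05-01T09:00:00Z", "ws-17", "authentication_success", {"from": "internal_network"}),
    ev("2024-05-01T09:03:00Z", "ws-17", "process_execution", {"name": "PsExec.exe"}),
    ev("2024-05-01T09:10:00Z", "ws-17", "network_connection", {"dest": "srv-02"}),
    # ws-22: tool launched 30 minutes after the logon -> 5-minute window expired, chain reset
    ev("2024-05-01T09:00:00Z", "ws-22", "authentication_success", {"from": "internal_network"}),
    ev("2024-05-01T09:30:00Z", "ws-22", "process_execution", {"name": "powershell.exe"}),
    # ws-09: connection 18 minutes after the tool -> 10-minute window expired
    ev("2024-05-01T09:00:00Z", "ws-09", "authentication_success", {"from": "internal_network"}),
    ev("2024-05-01T09:02:00Z", "ws-09", "process_execution", {"name": "psexec"}),
    ev("2024-05-01T09:20:00Z", "ws-09", "network_connection", {"dest": "srv-02"}),
    # ws-31: outbound to an external address is not a different internal host
    ev("2024-05-01T09:00:00Z", "ws-31", "authentication_success", {"from": "internal_network"}),
    ev("2024-05-01T09:02:00Z", "ws-31", "process_execution", {"name": "wmic"}),
    ev("2024-05-01T09:05:00Z", "ws-31", "network_connection", {"dest": "203.0.113.50"}),
]


if __name__ == "__main__":
    for a in correlate(EVENTS, LATERAL_MOVEMENT, "lateral_movement_detection"):
        print(a["host"], [e["type"] for e in a["events"]])
```

privilege_escalation_chain fits the same stage-list shape (predicates on account_type, elevated and action with 30-minute and 1-hour gaps). Two design points worth carrying into a production engine: a fresh stage-0 event arriving mid-chain should usually re-anchor the chain rather than be ignored, and partial chains need an eviction policy so idle hosts do not accumulate state forever.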
## Alert Management
### Alert Configuration
```yaml
alert_config:
  severity_levels:
    critical:
      response_time: 15_minutes
      notifications:
        - pagerduty: security_oncall
        - slack: "#security-critical"
        - email: [email protected]
      auto_escalation: 30_minutes
    high:
      response_time: 1_hour
      notifications:
        - slack: "#security-alerts"
        - email: [email protected]
    medium:
      response_time: 4_hours
      notifications:
        - slack: "#security-alerts"
    low:
      response_time: 24_hours
      notifications:
        - ticket_only: true
  deduplication:
    enabled: true
    window: 1_hour
    key_fields:
      - rule_id
      - source.ip
      - destination.ip
```
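The deduplication block leaves open how the window behaves once an alert has fired. The following added example (not the page's alerting code) implements it with the key fields above and a window anchored to the first emitted alert, so a slow trickle of duplicates cannot keep a key suppressed indefinitely. The alert stream is constructed.

```python
"""Alert deduplication with a fixed window keyed on rule_id, source.ip, destination.ip.

Added example matching the deduplication settings above; not the page's
alerting code. The alert stream below is constructed.
"""
from datetime import datetime, timedelta

KEY_FIELDS = ("rule_id", "source.ip", "destination.ip")
WINDOW = timedelta(hours=1)


def get_path(doc, path):
    """Resolve a dotted field path such as 'source.ip' in a nested dict; None if absent."""
    for part in path.split("."):
        if not isinstance(doc, dict):
            return None
        doc = doc.get(part)
    return doc


def dedup_key(alert, key_fields=KEY_FIELDS):
    return tuple(get_path(alert, f) for f in key_fields)


def deduplicate(alerts, window=WINDOW, key_fields=KEY_FIELDS):
    """Emit the first alert per key; fold later ones into it while inside the window.

    The window is anchored to the first emitted alert rather than extended on
    each duplicate, so after `window` the next occurrence is emitted again and
    the analyst sees that the condition persists.
    """
    open_windows = {}  # key -> emitted record
    emitted = []
    for alert in sorted(alerts, key=lambda a: a["@timestamp"]):
        ts = datetime.strptime(alert["@timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        key = dedup_key(alert, key_fields)
        current = open_windows.get(key)
        if current is not None and ts - current["first_seen"] <= window:
            current["duplicates"] += 1
            current["last_seen"] = ts
            continue
        record = {"alert": alert, "key": key, "first_seen": ts, "last_seen": ts, "duplicates": 0}
        open_windows[key] = record
        emitted.append(record)
    return emitted


def make_alert(ts, rule_id, src, dst):
    return {"@timestamp": ts, "rule_id": rule_id, "source": {"ip": src}, "destination": {"ip": dst}}


ALERTS = [  # constructed stream from the brute_force_login rule
    make_alert("2024-05-01T10:00:00Z", "brute_force_login", "203.0.113.7", "10.0.0.5"),
    make_alert("2024-05-01T10:05:00Z", "brute_force_login", "203.0.113.7", "10.0.0.5"),
    make_alert("2024-05-01T10:10:00Z", "brute_force_login", "203.0.113.7", "10.0.0.6"),  # other target: own key
    make_alert("2024-05-01T10:30:00Z", "brute_force_login", "203.0.113.7", "10.0.0.5"),
    make_alert("2024-05-01T10:59:00Z", "brute_force_login", "203.0.113.7", "10.0.0.5"),
    make_alert("2024-05-01T12:30:00Z", "brute_force_login", "203.0.113.7", "10.0.0.5"),  # window expired: re-emitted
]


if __name__ == "__main__":
    for r in deduplicate(ALERTS):
        print(r["key"], r["first_seen"], "duplicates:", r["duplicates"])
```

Including destination.ip in the key is right for host-targeted rules but fragments a scanner that sweeps many hosts into one alert per destination; for sweep-style rules, drop destination.ip from the key or add a second aggregation on source.ip alone.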
### Alert Template
```yaml
alert_template:
  title: "[{{severity}}] {{rule_name}}"
  body: |
    ## Security Alert
    **Rule:** {{rule_name}}
    **Severity:** {{severity}}
    **Time:** {{timestamp}}

    ### Details
    - **Source IP:** {{source.ip}}
    - **Source User:** {{user.name}}
    - **Destination:** {{destination.ip}}
    - **Action:** {{event.action}}

    ### Context
    {{event_context}}

    ### Recommended Actions
    {{#each recommended_actions}}
    - {{this}}
    {{/each}}

    ### Related Events
    {{related_events_link}}
```
## Incident Response
### Incident Workflow
```
INCIDENT RESPONSE WORKFLOW:
┌─────────────────┐
│    Detection    │
│  (Alert Fired)  │
└────────┬────────┘
         ▼
┌─────────────────┐
│     Triage      │
│  - Validate     │
│  - Classify     │
│  - Prioritize   │
└────────┬────────┘
         ▼
┌─────────────────┐
│   Containment   │
│  - Isolate      │
│  - Block        │
│  - Preserve     │
└────────┬────────┘
         ▼
┌─────────────────┐
│  Investigation  │
│  - Collect      │
│  - Analyze      │
│  - Correlate    │
└────────┬────────┘
         ▼
┌─────────────────┐
│   Eradication   │
│  - Remove       │
│  - Patch        │
│  - Harden       │
└────────┬────────┘
         ▼
┌─────────────────┐
│    Recovery     │
│  - Restore      │
│  - Verify       │
│  - Monitor      │
└────────┬────────┘
         ▼
┌─────────────────┐
│  Post-Incident  │
│  - Document     │
│  - Review       │
│  - Improve      │
└─────────────────┘
```
### Playbook Automation
```yaml
playbooks:
  - name: ransomware_response
    trigger:
      alert_type: ransomware_detected
    steps:
      - name: isolate_endpoint
        action: network_isolate      # must leave the EDR/management channel open, or the memory capture below cannot run
        target: "{{affected_host}}"
      - name: disable_account
        action: disable_ad_account
        target: "{{user.name}}"
      - name: preserve_evidence
        action: capture_memory_image  # before any reboot or reimage; volatile evidence is lost otherwise
        target: "{{affected_host}}"
      - name: notify_stakeholders
        action: send_notification
        channels:
          - security_team
          - it_leadership
          - legal_if_needed
      - name: create_incident
        action: create_ticket
        priority: critical
        template: ransomware_incident
  - name: phishing_response
    trigger:
      alert_type: phishing_reported
    steps:
      - name: analyze_email
        action: extract_iocs
        extract:
          - sender_address
          - urls
          - attachments
      - name: check_recipients
        action: query_email_logs
        find: all_recipients
      - name: block_sender
        action: add_to_blocklist
        target: "{{sender_address}}"
      - name: remove_emails
        action: delete_from_mailboxes  # runs last, after IOCs and the recipient list are recorded
        target: all_recipients
```
## Compliance Monitoring
### Compliance Frameworks
```yaml
compliance_checks:
  pci_dss:
    - requirement: "10.2.1"
      description: "Log all access to cardholder data"
      query: |
        SELECT * FROM audit_logs
        WHERE data_classification = 'cardholder'
          AND timestamp > NOW() - INTERVAL '24 hours'
      expected: all_access_logged
    - requireme
```