security monitoring

Installs: 163
Rank: #5297

Install

```shell
npx skills add https://github.com/claude-office-skills/skills --skill 'Security Monitoring'
```

# Security Monitoring

Comprehensive skill for security monitoring, threat detection, and incident response automation.

## Core Architecture

### Security Monitoring Stack

```
SECURITY MONITORING ARCHITECTURE:

┌─────────────────────────────────────────────────────────┐
│                      DATA SOURCES                       │
├──────────┬──────────┬──────────┬──────────┬─────────────┤
│ Firewall │ Endpoint │  Cloud   │ Network  │ Application │
│   Logs   │   Logs   │   Logs   │ Traffic  │    Logs     │
└────┬─────┴────┬─────┴────┬─────┴────┬─────┴──────┬──────┘
     │          │          │          │            │
     └──────────┴──────────┴────┬─────┴────────────┘
                                ▼
┌─────────────────────────────────────────────────────────┐
│                    LOG AGGREGATION                      │
│              (SIEM / Security Data Lake)                │
└────────────────────────┬────────────────────────────────┘
                         ▼
┌─────────────────────────────────────────────────────────┐
│                    DETECTION ENGINE                     │
│  • Rule-based Detection     • ML Anomaly Detection      │
│  • Correlation Rules        • Threat Intelligence       │
└────────────────────────┬────────────────────────────────┘
                         ▼
┌─────────────────────────────────────────────────────────┐
│                    RESPONSE & ACTION                    │
│  • Alerting                 • Automated Response        │
│  • Ticketing                • Containment               │
└─────────────────────────────────────────────────────────┘
```

## Detection Rules

### Rule Categories

```yaml
detection_rules:
  authentication:
    - name: brute_force_login
      description: "Multiple failed login attempts"
      query: |
        event.type == "authentication" AND
        event.outcome == "failure" AND
        COUNT(*) > 5 WITHIN 5 minutes
        GROUP BY source.ip
      severity: high
      actions:
        - create_alert
        - block_ip_temporarily

    - name: impossible_travel
      description: "Login from geographically distant locations"
      query: |
        event.type == "authentication" AND
        event.outcome == "success" AND
        geo_distance(prev_location, current_location) > 500km AND
        time_diff < 1 hour
      severity: critical
      actions:
        - create_alert
        - require_mfa_verification
        - notify_user

  data_exfiltration:
    - name: large_data_transfer
      description: "Unusual data egress volume"
      query: |
        event.type == "network" AND
        direction == "outbound" AND
        bytes_transferred > 100MB WITHIN 1 hour
        GROUP BY user.id
      severity: medium
      actions:
        - create_alert
        - capture_network_session

  malware:
    - name: known_malware_hash
      description: "File matches known malware signature"
      query: |
        event.type == "file" AND
        file.hash.sha256 IN threat_intelligence.malware_hashes
      severity: critical
      actions:
        - quarantine_file
        - isolate_endpoint
        - create_incident
```

### Correlation Rules

```yaml
correlation_rules:
  - name: lateral_movement_detection
    description: "Detect potential lateral movement"
    events:
      - type: authentication_success
        from: internal_network
      - type: process_execution
        name: ["psexec", "wmic", "powershell"]
        within: 5_minutes
      - type: network_connection
        to: different_internal_host
        within: 10_minutes
    severity: high

  - name: privilege_escalation_chain
    description: "Detect privilege escalation attempts"
    events:
      - type: authentication
        account_type: standard_user
      - type: process_execution
        elevated: true
        within: 30_minutes
      - type: account_modification
        action: add_to_admin_group
        within: 1_hour
    severity: critical
```

## Alert Management

### Alert Configuration

```yaml
alert_config:
  severity_levels:
    critical:
      response_time: 15_minutes
      notifications:
        - pagerduty: security_oncall
        - slack: "#security-critical"
        - email: security-team@company.com
      auto_escalation: 30_minutes
    high:
      response_time: 1_hour
      notifications:
        - slack: "#security-alerts"
        - email: security-team@company.com
    medium:
      response_time: 4_hours
      notifications:
        - slack: "#security-alerts"
    low:
      response_time: 24_hours
      notifications:
        - ticket_only: true

  deduplication:
    enabled: true
    window: 1_hour
    key_fields:
      - rule_id
      - source.ip
      - destination.ip
```

### Alert Template

```yaml
alert_template:
  title: "[{{severity}}] {{rule_name}}"
  body: |
    ## Security Alert

    **Rule:** {{rule_name}}
    **Severity:** {{severity}}
    **Time:** {{timestamp}}

    ### Details
    - **Source IP:** {{source.ip}}
    - **Source User:** {{user.name}}
    - **Destination:** {{destination.ip}}
    - **Action:** {{event.action}}

    ### Context
    {{event_context}}

    {{#each recommended_actions}}
    - {{this}}
    {{/each}}

    {{related_events_link}}
```
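The `brute_force_login`, `impossible_travel` and `lateral_movement_detection` rules above are written in a pseudo-query language, which leaves open what "WITHIN 5 minutes" or "within: 10_minutes" actually means when events arrive. The following is an added example, not code from the skill, of a minimal engine that evaluates them in Python: a sliding count window grouped by source IP, a haversine distance check between a user's consecutive logins, and a stateful sequence matcher for the correlation rule. The flat event schema (`ts`, `type`, `outcome`, `ip`, `user`, `geo`, `host`, `zone`, `process`, `dest`, `dest_internal`), the `T()` and `auth()` helpers and the sample events are all constructed for this example.

```python
"""Threshold and sequence detections over constructed events (added example, not the skill's code)."""
import math
from collections import defaultdict, deque
from datetime import datetime, timedelta

def T(hour, minute, second=0):
    """Timestamps for the constructed events, all on one day."""
    return datetime(2024, 1, 15, hour, minute, second)

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km; stands in for the rule's geo_distance()."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def brute_force_login(events, threshold=5, window=timedelta(minutes=5)):
    """COUNT(*) > threshold failures WITHIN window, GROUP BY source.ip, as a sliding window per IP.
    Fires once per IP; repeats are left to alert deduplication."""
    recent, fired, alerts = defaultdict(deque), set(), []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] != "authentication" or ev["outcome"] != "failure":
            continue
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        while q[-1] - q[0] > window:            # discard failures that fell out of the window
            q.popleft()
        if len(q) > threshold and ev["ip"] not in fired:
            fired.add(ev["ip"])
            alerts.append({"rule": "brute_force_login", "severity": "high",
                           "source.ip": ev["ip"], "count": len(q), "time": ev["ts"]})
    return alerts

def impossible_travel(events, max_km=500, max_gap=timedelta(hours=1)):
    """Two successful logins by one user more than max_km apart and less than max_gap apart in time."""
    last, alerts = {}, []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] != "authentication" or ev["outcome"] != "success":
            continue
        if ev["user"] in last:
            prev_t, prev_geo = last[ev["user"]]
            km = haversine_km(*prev_geo, *ev["geo"])
            if km > max_km and ev["ts"] - prev_t < max_gap:
                alerts.append({"rule": "impossible_travel", "severity": "critical",
                               "user.name": ev["user"], "distance_km": round(km), "time": ev["ts"]})
        last[ev["user"]] = (ev["ts"], ev["geo"])
    return alerts

def correlate(events, rule):
    """Sequence correlation with one partial match per rule['key'] value: each step must follow
    the previous matched step within its 'within', and an expired window drops the partial match."""
    state, alerts = {}, []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key, steps = ev[rule["key"]], rule["steps"]
        st = state.get(key)
        if st is not None:
            nxt = steps[st["step"]]
            if ev["ts"] - st["last"] > nxt["within"]:
                del state[key]
            elif nxt["match"](ev):
                st["step"], st["last"] = st["step"] + 1, ev["ts"]
                st["chain"].append(ev)
                if st["step"] == len(steps):
                    alerts.append({"rule": rule["name"], "severity": rule["severity"],
                                   rule["key"]: key, "chain": st["chain"]})
                    del state[key]
                continue
        if steps[0]["match"](ev):               # (re)start the sequence on its first step
            state[key] = {"step": 1, "last": ev["ts"], "chain": [ev]}
    return alerts

ADMIN_TOOLS = ("psexec", "wmic", "powershell")
LATERAL_MOVEMENT = {  # the lateral_movement_detection rule above, keyed on the host
    "name": "lateral_movement_detection", "severity": "high", "key": "host",
    "steps": [
        {"match": lambda e: e["type"] == "authentication" and e["outcome"] == "success"
                            and e.get("zone") == "internal_network"},
        {"within": timedelta(minutes=5),
         "match": lambda e: e["type"] == "process_execution" and e["process"] in ADMIN_TOOLS},
        {"within": timedelta(minutes=10),
         "match": lambda e: e["type"] == "network_connection" and e["dest_internal"] and e["dest"] != e["host"]},
    ],
}

NYC, LONDON = (40.7128, -74.0060), (51.5074, -0.1278)

def auth(ts, outcome, ip, user, geo=NYC, host="WS00", **extra):
    return {"ts": ts, "type": "authentication", "outcome": outcome, "ip": ip,
            "user": user, "geo": geo, "host": host, **extra}

SAMPLE_EVENTS = [  # constructed sample data, not real telemetry
    # alice: six failures from one IP inside 2.5 minutes -> brute_force_login
    *[auth(T(10, 0) + timedelta(seconds=30 * i), "failure", "203.0.113.7", "alice") for i in range(6)],
    # bob: New York, then London 30 minutes later -> impossible_travel
    auth(T(11, 0), "success", "203.0.113.20", "bob", NYC),
    auth(T(11, 30), "success", "198.51.100.44", "bob", LONDON),
    # WS01: internal logon, powershell 3 min later, connection to another host 6 min after that -> lateral movement
    auth(T(9, 0), "success", "10.0.0.5", "eve", host="WS01", zone="internal_network"),
    {"ts": T(9, 3), "type": "process_execution", "host": "WS01", "process": "powershell"},
    {"ts": T(9, 9), "type": "network_connection", "host": "WS01", "dest": "WS07", "dest_internal": True},
    # WS02: the same chain, but psexec runs 20 minutes after the logon -> outside the 5 minute window
    auth(T(9, 0), "success", "10.0.0.6", "frank", host="WS02", zone="internal_network"),
    {"ts": T(9, 20), "type": "process_execution", "host": "WS02", "process": "psexec"},
    {"ts": T(9, 25), "type": "network_connection", "host": "WS02", "dest": "WS08", "dest_internal": True},
]
```

Two details to keep when porting this to a SIEM: the brute-force rule fires once per IP and relies on the deduplication window for repeats, and the `block_ip_temporarily` action on a source IP that is a shared NAT or VPN egress locks out every user behind it, so gate that action on an allowlist of known egress addresses before automating it.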
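The `deduplication` block in `alert_config` above says what to key on and for how long, but not what a duplicate does to the alert already on its way to the on-call. An added example, not the skill's code, of that logic: repeats inside the window are folded into a `suppressed` counter on the delivered alert instead of paging again, and a repeat that carries a higher severity than the open alert is delivered anyway so an escalation is never hidden. The alert dicts, the `timestamp` field, `SEVERITY_RANK` and the escalation override are assumptions of this example; the page's config does not define them.

```python
"""Time-window alert deduplication for the alert_config above (added example, not the skill's code)."""
from datetime import datetime, timedelta

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}


class Deduplicator:
    """Suppress repeats of an alert whose key_fields match an alert delivered inside the window.
    A repeat with a higher severity than the open alert is delivered (an assumption added here)."""

    def __init__(self, key_fields, window):
        self.key_fields = key_fields
        self.window = window
        self.open = {}      # dedup key -> {"first": datetime, "severity": str, "alert": delivered dict}

    def key(self, alert):
        # str() so an alert without destination.ip groups under "None" instead of raising
        return tuple(str(alert.get(f)) for f in self.key_fields)

    def submit(self, alert):
        """Return the alert to deliver, or None if it was folded into an open alert's
        'suppressed' count."""
        k, now = self.key(alert), alert["timestamp"]
        entry = self.open.get(k)
        if (entry and now - entry["first"] <= self.window
                and SEVERITY_RANK[alert["severity"]] <= SEVERITY_RANK[entry["severity"]]):
            entry["alert"]["suppressed"] += 1
            return None
        delivered = dict(alert, dedup_key=k, suppressed=0)
        self.open[k] = {"first": now, "severity": alert["severity"], "alert": delivered}
        return delivered


def make_alerts():
    """Constructed alerts: one brute-force hit that repeats, escalates, then recurs after the
    window has closed, plus an unrelated hit against a different destination."""
    t0 = datetime(2024, 1, 15, 10, 0)
    base = {"rule_id": "brute_force_login", "severity": "high",
            "source.ip": "203.0.113.7", "destination.ip": "10.0.0.12"}
    return [
        {**base, "timestamp": t0},
        {**base, "timestamp": t0 + timedelta(minutes=10)},                                # duplicate
        {**base, "timestamp": t0 + timedelta(minutes=40)},                                # duplicate
        {**base, "timestamp": t0 + timedelta(minutes=50), "severity": "critical"},        # escalation
        {**base, "timestamp": t0 + timedelta(hours=2)},                                   # new window
        {**base, "timestamp": t0 + timedelta(minutes=5), "destination.ip": "10.0.0.99"},  # other key
    ]


def deliver(alerts, key_fields=("rule_id", "source.ip", "destination.ip"), window=timedelta(hours=1)):
    """Push alerts through a Deduplicator in time order; return the ones that reach a responder."""
    dedup = Deduplicator(key_fields, window)
    delivered = []
    for alert in sorted(alerts, key=lambda a: a["timestamp"]):
        out = dedup.submit(alert)
        if out is not None:
            delivered.append(out)
    return delivered
```

With the page's three key fields, the constructed stream produces four pages out of six alerts; keying on `rule_id` alone would also swallow the hit against the second destination, which is the trade-off to weigh when choosing `key_fields`: coarser keys mean fewer pages and more hidden targets.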
## Incident Response

### Incident Workflow

```
INCIDENT RESPONSE WORKFLOW:

┌─────────────────┐
│    Detection    │
│  (Alert Fired)  │
└────────┬────────┘
         ▼
┌─────────────────┐
│     Triage      │
│  - Validate     │
│  - Classify     │
│  - Prioritize   │
└────────┬────────┘
         ▼
┌─────────────────┐
│   Containment   │
│  - Isolate      │
│  - Block        │
│  - Preserve     │
└────────┬────────┘
         ▼
┌─────────────────┐
│  Investigation  │
│  - Collect      │
│  - Analyze      │
│  - Correlate    │
└────────┬────────┘
         ▼
┌─────────────────┐
│   Eradication   │
│  - Remove       │
│  - Patch        │
│  - Harden       │
└────────┬────────┘
         ▼
┌─────────────────┐
│    Recovery     │
│  - Restore      │
│  - Verify       │
│  - Monitor      │
└────────┬────────┘
         ▼
┌─────────────────┐
│  Post-Incident  │
│  - Document     │
│  - Review       │
│  - Improve      │
└─────────────────┘
```
### Playbook Automation

```yaml
playbooks:
  - name: ransomware_response
    trigger:
      alert_type: ransomware_detected
    steps:
      - name: isolate_endpoint
        action: network_isolate
        target: "{{affected_host}}"
      - name: disable_account
        action: disable_ad_account
        target: "{{user.name}}"
      - name: preserve_evidence
        action: capture_memory_image
        target: "{{affected_host}}"
      - name: notify_stakeholders
        action: send_notification
        channels:
          - security_team
          - it_leadership
          - legal_if_needed
      - name: create_incident
        action: create_ticket
        priority: critical
        template: ransomware_incident

  - name: phishing_response
    trigger:
      alert_type: phishing_reported
    steps:
      - name: analyze_email
        action: extract_iocs
        extract:
          - sender_address
          - urls
          - attachments
      - name: check_recipients
        action: query_email_logs
        find: all_recipients
      - name: block_sender
        action: add_to_blocklist
        target: "{{sender_address}}"
      - name: remove_emails
        action: delete_from_mailboxes
        target: all_recipients
```
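The playbooks above are data; something still has to render `{{affected_host}}` from the alert, run the steps in order and leave an audit trail. An added example, not the skill's code, of such a runner for `ransomware_response`: placeholders are resolved with a dotted lookup into the alert, each action name maps to a function, and the two actions that lock a person out or destroy mail (`disable_ad_account`, `delete_from_mailboxes`) run only when an `approve` callback says so. The in-memory `Lab` standing in for the EDR, directory, notification and ticketing systems, the `ACTIONS` registry and the approval gate are assumptions of this example; the page's playbooks define neither.

```python
"""Playbook runner for the ransomware_response playbook above (added example, not the skill's code)."""
import re

RANSOMWARE_RESPONSE = {  # the page's playbook as a Python structure; the YAML loader is left out
    "name": "ransomware_response",
    "trigger": {"alert_type": "ransomware_detected"},
    "steps": [
        {"name": "isolate_endpoint", "action": "network_isolate", "target": "{{affected_host}}"},
        {"name": "disable_account", "action": "disable_ad_account", "target": "{{user.name}}"},
        {"name": "preserve_evidence", "action": "capture_memory_image", "target": "{{affected_host}}"},
        {"name": "notify_stakeholders", "action": "send_notification",
         "channels": ["security_team", "it_leadership", "legal_if_needed"]},
        {"name": "create_incident", "action": "create_ticket", "priority": "critical",
         "template": "ransomware_incident"},
    ],
}

# Actions that lock a person out or destroy data run only when approve(step) agrees
# (an assumption added here; the page's playbooks define no approval gate).
APPROVAL_REQUIRED = {"disable_ad_account", "delete_from_mailboxes"}
PLACEHOLDER = re.compile(r"\{\{\s*([\w.]+)\s*\}\}")


class Lab:
    """In-memory stand-in for the EDR, directory, notification and ticketing systems."""
    def __init__(self):
        self.isolated, self.disabled, self.images, self.notices, self.tickets = set(), set(), [], [], []


def network_isolate(lab, step):
    lab.isolated.add(step["target"])
    return f"isolated {step['target']}"


def disable_ad_account(lab, step):
    lab.disabled.add(step["target"])
    return f"disabled {step['target']}"


def capture_memory_image(lab, step):
    lab.images.append(f"{step['target']}.raw")
    return f"captured {step['target']}.raw"


def send_notification(lab, step):
    lab.notices.extend(step["channels"])
    return f"notified {', '.join(step['channels'])}"


def create_ticket(lab, step):
    lab.tickets.append({"priority": step["priority"], "template": step["template"]})
    return f"ticket #{len(lab.tickets)}"


ACTIONS = {f.__name__: f for f in (network_isolate, disable_ad_account, capture_memory_image,
                                   send_notification, create_ticket)}


def lookup(ctx, path):
    """Resolve a dotted placeholder such as user.name; a missing field raises KeyError."""
    for part in path.split("."):
        ctx = ctx[part]
    return ctx


def render(value, ctx):
    """Substitute {{...}} placeholders in strings and lists; other values pass through."""
    if isinstance(value, str):
        return PLACEHOLDER.sub(lambda m: str(lookup(ctx, m.group(1))), value)
    if isinstance(value, list):
        return [render(v, ctx) for v in value]
    return value


def run_playbook(playbook, alert, lab, approve=lambda step: False):
    """Run the steps in order against the alert context and return an audit trail.
    A step whose placeholders cannot be resolved (or whose action is unknown) fails and stops
    the playbook, so it never isolates or disables an empty target; a gated step that approve()
    declines is recorded as pending_approval and the remaining steps still run."""
    if alert.get("alert_type") != playbook["trigger"]["alert_type"]:
        raise ValueError(f"{playbook['name']} is not triggered by {alert.get('alert_type')}")
    audit = []
    for step in playbook["steps"]:
        entry = {"step": step["name"], "action": step["action"]}
        try:
            rendered = {k: render(v, alert) for k, v in step.items()}
            if step["action"] in APPROVAL_REQUIRED and not approve(rendered):
                entry["status"] = "pending_approval"
            else:
                entry["status"], entry["result"] = "done", ACTIONS[step["action"]](lab, rendered)
        except (KeyError, TypeError) as exc:
            entry["status"], entry["result"] = "failed", repr(exc)
            audit.append(entry)
            break
        audit.append(entry)
    return audit
```

The page's step order is worth a second look before automating it: capturing the memory image after network isolation is right (isolation leaves the process and its keys in RAM, powering the host off would not), but because `disable_account` sits before `preserve_evidence`, a failed directory call stops the playbook before any evidence is taken. Either move `preserve_evidence` up or make that one step's failure non-fatal.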
## Compliance Monitoring

### Compliance Frameworks

```yaml
compliance_checks:
  pci_dss:
    - requirement: "10.2.1"
      description: "Log all access to cardholder data"
      query: |
        SELECT * FROM audit_logs
        WHERE data_classification = 'cardholder'
        AND timestamp > NOW() - INTERVAL '24 hours'
      expected: all_access_logged
    - requirement: "10.6.1"
      description: "Review logs daily"
      check: daily_log_review_completed

  hipaa:
    - requirement: "164.312(b)"
      description: "Audit controls"
      checks:
        - audit_logging_enabled
        - log_retention_6_years
        - tamper_protection

  soc2:
    - control: "CC6.1"
      description: "Logical access security"
      checks:
        - mfa_enabled
        - password_policy_enforced
        - access_reviews_quarterly
```
### Compliance Dashboard

```
COMPLIANCE STATUS DASHBOARD
═══════════════════════════════════════

PCI-DSS:  ████████████░░░░  92% ✓
HIPAA:    ██████████████░░  98% ✓
SOC 2:    █████████████░░░  95% ✓
GDPR:     ████████████████ 100% ✓

FINDINGS BY SEVERITY:
  Critical  ░░░░░░░░░░░░░░░░   0
  High      ██░░░░░░░░░░░░░░   3
  Medium    ████░░░░░░░░░░░░   8
  Low       ██████░░░░░░░░░░  15

UPCOMING DEADLINES:
  • Jan 30: Quarterly access review
  • Feb 15: Penetration test scheduled
  • Feb 28: Annual audit prep
```
## Security Metrics

### KPI Dashboard

```
SECURITY OPERATIONS METRICS
═══════════════════════════════════════

DETECTION:
  MTTD (Mean Time to Detect):   4.2 hours
  Alert Volume:                 1,234/day
  True Positive Rate:           78%

RESPONSE:
  MTTR (Mean Time to Respond):  1.8 hours
  Incidents Resolved:           23/week
  SLA Compliance:               96%

COVERAGE:
  Assets Monitored:             2,456/2,500 (98%)
  Log Sources:                  45 active
  Detection Rules:              234 active

THREAT LANDSCAPE:
  Blocked Attacks:              12,456/month
  Vulnerabilities:              89 open
  Patch Compliance:             94%
```
### Reporting

```yaml
reports:
  - name: daily_security_briefing
    schedule: "0 8 * * *"
    recipients: security_team
    sections:
      - overnight_alerts
      - active_incidents
      - threat_intelligence_updates

  - name: weekly_executive_summary
    schedule: "0 9 * * 1"
    recipients: leadership
    sections:
      - key_metrics
      - significant_incidents
      - risk_posture
      - recommendations

  - name: monthly_compliance_report
    schedule: "0 9 1 * *"
    recipients: compliance_team
    sections:
      - control_status
      - audit_findings
      - remediation_progress
```
## Best Practices

- **Defense in Depth**: Multiple detection layers
- **Least Privilege**: Minimize access rights
- **Log Everything**: Comprehensive audit trails
- **Automate Response**: Reduce MTTR
- **Regular Testing**: Validate controls
- **Threat Intelligence**: Stay informed
- **Incident Drills**: Practice response
- **Continuous Improvement**: Learn from incidents