Stats
Actions
Tags
'%20stop-opacity%3D'0.16'%2F%3E%3Cstop%20offset%3D'1'%20stop-color%3D'rgb(200%2C90%2C60)'%20stop-opacity%3D'0.03'%2F%3E%3C%2FlinearGradient%3E%3C%2Fdefs%3E%3Crect%20width%3D'320'%20height%3D'200'%20fill%3D'url(%23g)'%2F%3E%3Ccircle%20cx%3D'250'%20cy%3D'56'%20r%3D'92'%20fill%3D'rgb(200%2C90%2C60)'%20fill-opacity%3D'0.06'%2F%3E%3Ccircle%20cx%3D'64'%20cy%3D'172'%20r%3D'58'%20fill%3D'rgb(200%2C90%2C60)'%20fill-opacity%3D'0.05'%2F%3E%3C%2Fsvg%3E)
From cybersecurity
Parses security logs and builds SIEM queries across Splunk, Elastic, QRadar, and Sentinel. Creates Sigma rules and detects anomalies in Windows Event Logs, syslog, and application logs.
How this skill is triggered — by the user, by Claude, or both
Slash command
/cybersecurity:12-log-analysisThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
Enable Claude to assist with security log analysis across all major platforms. Claude directly parses and analyzes log samples provided by the user, builds SIEM queries for any platform, creates Sigma rules for portable detection, develops correlation rules, and identifies anomalous patterns in log data.
Enable Claude to assist with security log analysis across all major platforms. Claude directly parses and analyzes log samples provided by the user, builds SIEM queries for any platform, creates Sigma rules for portable detection, develops correlation rules, and identifies anomalous patterns in log data.
This skill activates when the user asks about:
pip install pandas pyyaml python-dateutil
Platform tools:
Splunk — Splunk Web, SPL, and SOARElastic Stack — Kibana, KQL, EQLMicrosoft Sentinel — KQL, WorkbooksIBM QRadar — AQL, RulesSigma — Platform-agnostic rule formatpython-evtx — Parse Windows .evtx files without WindowsWhen the user pastes logs or provides log files:
Claude directly reads and analyzes logs to extract security-relevant events.
Windows Event Log — Critical Event IDs:
| Event ID | Log | Description |
|---|---|---|
| 4624 | Security | Successful logon — Logon Type 3 (network) is interesting |
| 4625 | Security | Failed logon — track source IP for brute force |
| 4648 | Security | Logon with explicit credentials (RunAs) |
| 4688 | Security | New process created — needs CommandLine auditing enabled |
| 4698 | Security | Scheduled task created |
| 4702 | Security | Scheduled task updated |
| 4720 | Security | User account created |
| 4728/4732 | Security | Member added to security/local group |
| 4768/4769 | Security | Kerberos TGT/TGS requested |
| 4776 | Security | NTLM authentication |
| 4946 | Security | Windows Firewall rule added |
| 5140 | Security | Network share accessed |
| 5145 | Security | Network share file access |
| 7045 | System | New service installed |
| 1102 | Security | Audit log cleared |
| 4103/4104 | PowerShell | PowerShell module/script block logging |
Linux Log Analysis — Key Patterns:
# Failed SSH logins
grep "Failed password" /var/log/auth.log | awk '{print $1,$2,$3,$11}' | sort | uniq -c | sort -rn
# Successful logins after failures (brute force success)
grep "Accepted password\|Accepted publickey" /var/log/auth.log
# Sudo usage
grep "sudo:" /var/log/auth.log | grep -v "session"
# Cron job execution
grep CRON /var/log/syslog
# New user creation
grep "useradd\|usermod" /var/log/auth.log
# Privilege escalation
grep "su\b" /var/log/auth.log
Log parsing script:
python scripts/log_parser.py --input /var/log/auth.log --format json --output parsed.json
python scripts/log_parser.py --input events.evtx --normalize ecs --output normalized.json
When the user asks to build detection queries:
// Brute force attack detection
index=windows EventCode=4625
| bin _time span=5m
| stats count as FailedLogins, values(Account_Name) as Accounts by src_ip, _time
| where FailedLogins > 20
| sort -FailedLogins
// Pass-the-Hash detection (Logon Type 3 with NTLM)
index=windows EventCode=4624 Logon_Type=3 Authentication_Package=NTLM
| where NOT (Account_Name="ANONYMOUS LOGON" OR Account_Name="*$")
| stats count by Account_Name, Workstation_Name, src_ip
| where count > 1
// Lateral movement via PsExec / admin shares
index=windows EventCode=5145
| where (ShareName="\\\\*\\ADMIN$" OR ShareName="\\\\*\\C$")
AND RelativeTargetName="*PSEXESVC*"
| table _time, SubjectUserName, IpAddress, ShareName
// PowerShell encoded command execution
index=windows (source="WinEventLog:Microsoft-Windows-PowerShell/Operational" EventCode=4104)
OR (EventCode=4688 CommandLine="*powershell*")
| search CommandLine IN ("*-EncodedCommand*", "*-enc *", "*-e *", "*-nop*",
"*DownloadString*", "*IEX*", "*Invoke-Expression*")
| table _time, ComputerName, User, CommandLine
// Scheduled task creation for persistence
index=windows EventCode=4698
| rex field=TaskContent "<Command>(?P<command>[^<]+)</Command>"
| where NOT match(command, "(?i)\\\\windows\\\\|\\\\microsoft\\\\|\\\\system32\\\\")
| table _time, ComputerName, SubjectUserName, TaskName, command
// LSASS memory access (credential dumping)
index=sysmon EventCode=10 TargetImage="*lsass.exe"
| where NOT (SourceImage IN
("C:\\Windows\\System32\\*", "C:\\Windows\\SysWOW64\\*",
"C:\\Program Files\\*", "C:\\Program Files (x86)\\*"))
| table _time, SourceImage, GrantedAccess, CallTrace
// DCSync detection
index=windows EventCode=4662
(ObjectType="*domainDNS*" OR ObjectType="*19195a5b-6da0-11d0-afd3-00c04fd930c9*")
(Properties="*Replicating Directory Changes All*" OR Properties="*1131f6ad*")
| where NOT match(SubjectUserName, "(?i)^.*\$$")
| table _time, SubjectUserName, SubjectDomainName, Properties
// Kerberoasting detection
index=windows EventCode=4769 Ticket_Encryption_Type=0x17
| where NOT (Account_Name="*$" OR Service_Name IN ("krbtgt", "kadmin/changepw"))
| stats count by Account_Name, Client_Address, Service_Name
| where count > 3
// Impossible Travel (logins from geographically impossible locations)
let TimeDelta = 2h;
SigninLogs
| where ResultType == 0 // Successful logins only
| where TimeGenerated > ago(7d)
| project UserPrincipalName, Location, TimeGenerated, IPAddress
| sort by UserPrincipalName asc, TimeGenerated asc
| serialize
| extend PreviousLogin = prev(TimeGenerated), PreviousLocation = prev(Location)
| where UserPrincipalName == prev(UserPrincipalName)
| extend TimeDiff = TimeGenerated - PreviousLogin
| where TimeDiff < TimeDelta and Location != PreviousLocation
| project UserPrincipalName, Location, PreviousLocation, TimeDiff, IPAddress
// Azure AD privilege escalation
AuditLogs
| where OperationName in ("Add member to role", "Add eligible member to role")
| extend TargetUser = tostring(TargetResources[0].userPrincipalName)
| extend RoleAdded = tostring(TargetResources[0].displayName)
| where RoleAdded in ("Global Administrator", "Security Administrator",
"Exchange Administrator", "SharePoint Administrator")
| project TimeGenerated, TargetUser, RoleAdded,
InitiatedBy=tostring(InitiatedBy.user.userPrincipalName)
// Suspicious PowerShell activity
SecurityEvent
| where EventID == 4104
| where TimeGenerated > ago(24h)
| where ScriptBlockText has_any("IEX", "DownloadString", "EncodedCommand",
"WebClient", "Invoke-Expression", "bypass", "-nop")
| project TimeGenerated, Computer, Account, ScriptBlockText
| extend RiskScore = case(
ScriptBlockText has "IEX" and ScriptBlockText has "DownloadString", 10,
ScriptBlockText has "EncodedCommand", 7,
ScriptBlockText has "bypass", 5, 3)
| where RiskScore >= 5
| order by RiskScore desc
// Detect fileless malware execution chain
sequence by host.name with maxspan=5m
[process where event.type == "start" and
process.name in ("outlook.exe", "winword.exe", "excel.exe")]
[process where event.type == "start" and
process.name in ("powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe")]
[network where network.direction == "egress" and
not network.destination.ip in ("127.0.0.0/8", "10.0.0.0/8", "192.168.0.0/16")]
// Ransomware detection: mass file extension changes + shadow copy deletion
sequence by host.name with maxspan=30m
[file where event.type == "creation" and
file.extension in ("locked", "encrypted", "crypted", "enc", "readme")]
[file where event.type == "creation" and
file.name in ("README.txt", "DECRYPT.txt", "HOW_TO_DECRYPT.txt")]
[process where event.type == "start" and
process.command_line : "* delete shadows *"]
When the user asks to detect anomalies in log data:
Statistical Anomaly Detection:
# Claude's approach to analyzing log data for anomalies:
import pandas as pd
from datetime import timedelta
# 1. Volume anomalies
# Calculate rolling average, flag if current > mean + 3*stddev
# 2. Time-based anomalies (off-hours activity)
# Business hours: Mon-Fri 08:00-18:00 local time
# Flag: admin activities on weekends, logins at 03:00 UTC
# 3. Never-before-seen entities
# - New admin account created
# - First-time login from country
# - New process never seen before
# - New domain in DNS queries
# 4. Impossible travel
# Calculate geographic distance / time delta
# Flag if impossible to travel physically in the time window
python scripts/anomaly_detector.py --logs parsed.json --baseline baseline.json --output anomalies.json
Anomaly Categories:
| Category | Indicators |
|---|---|
| Volume spike | 10x normal event rate in 5 minutes |
| Off-hours activity | Admin access at 03:00 local time |
| New geography | Login from country with no prior history |
| New process | First-ever execution of binary |
| Large data transfer | Upload > 10x baseline for this user/system |
| Silent log source | No events received in 30+ minutes |
| Authentication pattern | Logon Type 3 from non-admin workstation |
When the user asks to create Sigma rules:
title: Credential Dumping via Procdump
id: e5eb5a27-4a98-4c34-8b39-1fbe552d2aa4
status: stable
description: Detects the use of ProcDump to dump LSASS memory for credential theft
author: SOC Analyst
date: 2025/05/28
references:
- https://attack.mitre.org/techniques/T1003/001/
- https://docs.microsoft.com/en-us/sysinternals/downloads/procdump
tags:
- attack.credential_access
- attack.t1003.001
logsource:
category: process_creation
product: windows
detection:
selection_tool:
Image|endswith:
- '\procdump.exe'
- '\procdump64.exe'
selection_lsass:
CommandLine|contains:
- 'lsass'
- '-ma 4' # PID 4 = System, sometimes used
selection_flags:
CommandLine|contains|all:
- '-accepteula'
- '-ma'
condition: selection_tool and (selection_lsass or selection_flags)
falsepositives:
- Legitimate use by administrators for debugging (rare, should be investigated)
level: high
Sigma rule conversion to SIEM platforms:
# Install sigma-cli
pip install sigma-cli
# Convert to Splunk SPL
sigma convert -t splunk -p splunk_windows sigma_rule.yml
# Convert to Elastic KQL
sigma convert -t elasticsearch -p ecs_windows sigma_rule.yml
# Convert to Microsoft Sentinel KQL
sigma convert -t kusto sigma_rule.yml
When the user asks to create correlation rules for multi-event detection:
## Correlation Rule: Brute Force → Successful Login → Lateral Movement
**Trigger:**
Event 1: 4625 (Failed Login) × 20+ in 5 minutes (same source IP)
THEN Event 2: 4624 (Successful Login) from same source IP within 10 minutes
THEN Event 3: 5145 (Admin Share Access) from same host within 30 minutes
**Logic:**
Step 1: Bucket failed logins by source IP in 5-minute windows
Step 2: If count > 20 → mark IP as "brute force source"
Step 3: Watch for successful login from same IP within 10 minutes
Step 4: If successful login → escalate to HIGH severity
Step 5: Watch for lateral movement from the successfully logged-in host
Step 6: Declare incident if all 3 events observed
**Splunk Correlation (corr_rule.conf):**
```spl
index=windows EventCode=4625
| bin _time span=5m
| stats count by src_ip, _time
| where count > 20
| join src_ip [
search index=windows EventCode=4624
| bin _time span=10m
| stats count by src_ip, _time, Account_Name, Workstation_Name
]
| table _time, src_ip, Account_Name, Workstation_Name, count
Suppression & De-duplication:
When the user asks about log source health:
// Splunk: Detect silent log sources (no events in 30 minutes)
| tstats count WHERE index=* BY host, sourcetype, _time span=30m
| where _time > relative_time(now(), "-30m@m")
| stats max(_time) as last_seen by host, sourcetype
| where last_seen < relative_time(now(), "-30m@m")
| eval lag = round((now() - last_seen) / 60, 1)
| table host, sourcetype, last_seen, lag
| sort -lag
log_parser.pypython scripts/log_parser.py --input /var/log/auth.log --format json --output parsed.json
python scripts/log_parser.py --input events.evtx --normalize ecs --output normalized.json
anomaly_detector.pypython scripts/anomaly_detector.py --logs parsed.json --baseline baseline.json --output anomalies.json
| Condition | Adjacent Skill |
|---|---|
| Anomaly found → escalate to SOC | → Skill 11 (CSOC Automation) |
| Anomaly is a hunt lead | → Skill 06 (Threat Hunting) |
| Build timeline from logs for IR | → Skill 07 (Incident Response) |
| Create detection rules from findings | → Skill 15 (Blue Team Defense) |
Normalized, testable detection content:
sigma convert) in CI before deployment.tstats/data models), Microsoft Sentinel (KQL, ASIM functions), and Elastic (ES|QL/EQL).Precision rule: each rule documents data source + schema, false-positive conditions, ATT&CK mapping, and a tested sample event.
npx claudepluginhub masriyan/claude-code-cybersecurity-skill --plugin cybersecurityEngineers and audits SIEM detection rules — log source coverage, Sigma/KQL/SPL/Elastic query authoring, MITRE ATT&CK mapping, and false-positive tuning.
Correlates events across multiple log sources to detect multi-stage attacks. Guides SIEM design, correlation rule building, and log source integration for compliance and detection engineering.
Investigates security incidents using Splunk Enterprise Security and SPL to correlate Windows event logs, firewall, proxy, and authentication data for timeline reconstruction and anomaly detection.