Stats
Actions
Tags
'%20stop-opacity%3D'0.16'%2F%3E%3Cstop%20offset%3D'1'%20stop-color%3D'rgb(200%2C90%2C60)'%20stop-opacity%3D'0.03'%2F%3E%3C%2FlinearGradient%3E%3C%2Fdefs%3E%3Crect%20width%3D'320'%20height%3D'200'%20fill%3D'url(%23g)'%2F%3E%3Ccircle%20cx%3D'250'%20cy%3D'56'%20r%3D'92'%20fill%3D'rgb(200%2C90%2C60)'%20fill-opacity%3D'0.06'%2F%3E%3Ccircle%20cx%3D'64'%20cy%3D'172'%20r%3D'58'%20fill%3D'rgb(200%2C90%2C60)'%20fill-opacity%3D'0.05'%2F%3E%3C%2Fsvg%3E)
From crowdstrike-source-threat-modeling
Threat-model-first detection planning for data sources without OOTB coverage. Analyzes what threats apply to a source type, validates against live log data, and produces a prioritized detection backlog with handoff docs for authoring skills. Use when onboarding a new data source, planning detection coverage for a source without OOTB templates, or assessing what threats a source can detect.
How this skill is triggered — by the user, by Claude, or both
Slash command
/crowdstrike-source-threat-modeling:source-threat-modelingThis skill is limited to the following tools:
The summary Claude sees in its skill listing — used to decide when to auto-load this skill
Turn a data source into detection coverage. This skill reasons about what threats are relevant to a source type, validates which are detectable in your actual log data, and produces a prioritized detection backlog. It does NOT write detections — it hands off to authoring skills (`behavioral-detections`, `cql-patterns`, `logscale-security-queries`) via handoff documents.
Turn a data source into detection coverage. This skill reasons about what threats are relevant to a source type, validates which are detectable in your actual log data, and produces a prioritized detection backlog. It does NOT write detections — it hands off to authoring skills (behavioral-detections, cql-patterns, logscale-security-queries) via handoff documents.
Orchestrator, not author. This skill decides what to detect. Existing skills decide how to write it.
This skill can be invoked directly or via a handoff document. If a handoff doc is provided, read it first and skip questions already answered.
Goal: Establish what source we're working with and how to query it.
Ask the user:
#Vendor="okta", #repo="some_repo", #event.module="some_module"* | groupBy([@repo, #Vendor, #event.module], limit=20)
Check for existing coverage:
resources/detections/ for any rules already targeting this sourceOutput: A CQL scope filter and source profile that constrains all subsequent work.
STOP — Confirm the scope filter and source profile with the user before proceeding to threat modeling.
Goal: Enumerate threats this source can observe, mapped to MITRE ATT&CK.
Work through three threat categories systematically:
What can an attacker do through the system this source monitors?
| Source Role | Example Threats |
|---|---|
| Identity provider | Credential stuffing, MFA bypass, session hijacking, account takeover |
| Network perimeter | C2 communication, lateral movement, data exfiltration, port scanning |
| Cloud infrastructure | Resource abuse, privilege escalation, config tampering, data access |
| Application | Injection, unauthorized access, data theft, API abuse |
| Endpoint | Malware execution, LOLBins, persistence mechanisms, credential dumping |
| Email/collaboration | Phishing, BEC, forwarding rules, delegation abuse |
What does it look like when the source system is the target?
What cross-system activity is visible through this source?
For each threat scenario, document:
| Field | Description |
|---|---|
| Threat scenario | Plain-language description of the attack |
| MITRE technique | ATT&CK technique ID (e.g., T1621) |
| MITRE tactic | ATT&CK tactic (e.g., Credential Access) |
| Expected event types | What log events would reveal this activity |
| Expected severity | Critical / High / Medium / Low |
Present the threat model to the user as a ranked table. Rank by severity and likelihood. Discuss and refine before proceeding to log validation.
STOP — Get user approval on the threat model before querying live data.
Goal: Confirm which threats from Phase 2 are actually detectable in the live data.
For each threat scenario, run exploratory CQL queries using mcp__crowdstrike__ngsiem_query:
Map what the source actually emits:
<scope_filter>
| groupBy([event.type, event.action, event.category], limit=50)
For each threat scenario from Phase 2:
a) Do the required event types exist?
<scope_filter> event.type="<expected_type>"
| count()
b) What's the volume? (informs threshold decisions)
<scope_filter> event.type="<expected_type>"
| bucket(span=1d)
| count()
c) What fields are available? (informs detection logic)
<scope_filter> event.type="<expected_type>"
| head(10)
d) What does "normal" look like? (informs baselines)
<scope_filter> event.type="<expected_type>"
| groupBy([<key_field>], function=count())
| sort(_count, order=desc)
| head(20)
For each threat scenario, classify:
| Classification | Meaning | Action |
|---|---|---|
| Detectable | Required events exist, fields available, reasonable volume | Keep — proceed to backlog |
| Partially detectable | Some events present but missing key fields or context | Discuss with user — worth pursuing with limitations? |
| Not detectable | Required events don't exist in the data | Prune from backlog |
| Surprising find | Unexpected patterns worth investigating | Flag for user — potential quick win or live incident |
Present results. For each scenario, show: classification, event types found, key fields available, daily volume estimate, and any surprising observations.
STOP — Discuss findings with user. Prune not-detectable scenarios. Decide on partial detections.
Goal: Produce a prioritized detection backlog and hand off selected detections to authoring skills.
For each validated threat scenario, create a backlog entry:
| Field | Description |
|---|---|
| Priority | 1 (highest) through N — based on severity + feasibility |
| Threat scenario | Plain-language description |
| MITRE mapping | Technique ID + tactic |
| Detection approach | simple (single event match), threshold (aggregation), behavioral (multi-event correlation) |
| Complexity | Low (single event) / Medium (aggregation/threshold) / High (multi-event correlation) |
| Key event types | From log validation |
| Key fields | From log validation |
| Volume estimate | Events/day from log validation |
| Recommended skill | Which authoring skill should build this |
| Detection Approach | Route To | Why |
|---|---|---|
| Multi-event attack chains (deny-then-success, create-then-escalate) | behavioral-detections | Needs correlate() function |
| Threshold/aggregation rules (N events in T time) | cql-patterns | Pattern-based aggregation |
| Simple event matching or complex field logic | logscale-security-queries | General CQL development |
Show the full backlog as a prioritized table. User selects which detections to pursue.
For each selected detection, write a handoff doc to docs/handoffs/.
Filename: YYYY-MM-DD-threat-model-to-<target-skill>-<brief-description>.md
Template:
# Handoff: Source Threat Modeling → <Target Skill>
## Objective
Author a detection for: <threat scenario one-liner>
## Source
- **Produced by:** source-threat-modeling skill
- **Date:** <today>
- **Target skill:** <behavioral-detections | cql-patterns | logscale-security-queries>
## Context
| Field | Value |
|---|---|
| Data source | <source name> |
| CQL scope filter | `<filter>` |
| Source role | <identity / network / cloud / app / endpoint> |
| Threat scenario | <description> |
| MITRE technique | <ID> — <name> |
| MITRE tactic | <tactic> |
| Detection approach | <simple / threshold / behavioral> |
| Estimated severity | <Critical / High / Medium / Low> |
### Key Event Types
- `<event.type>` — <what it represents>
### Key Fields
- `<field>` — <what it contains, example values>
### Volume Notes
<daily volume estimate and baseline observations from Phase 3>
## Decisions Made
These have been reviewed and approved by the user. The receiving skill should NOT re-ask:
- <decision 1>
- <decision 2>
## Constraints
- 120s NGSIEM query timeout — keep correlation windows reasonable
- <any source-specific constraints discovered during exploration>
- <relevant enrichment functions from detection-tuning, if applicable>
## Artifacts
- <paths to any files created during this session, or "None">
Tell the user: "Handoff doc written to <path>. Invoke the <target-skill> skill and point it at this file to begin authoring."
| Source Category | Examples | Typical Threat Focus |
|---|---|---|
| Identity Provider | Okta, EntraID, Ping, Auth0 | Credential attacks, MFA bypass, admin takeover, privilege escalation |
| Cloud Infrastructure | AWS CloudTrail, GCP Audit, Azure Activity | Resource abuse, IAM escalation, config tampering, data access |
| Network Security | Cisco ASA, Palo Alto, Zscaler, Akamai | C2 comms, lateral movement, exfiltration, scanning |
| Source Code / DevOps | GitHub, GitLab, Bitbucket | Code theft, secret exposure, pipeline compromise, access changes |
| SaaS Applications | Salesforce, Workday, ServiceNow | Data exfiltration, privilege abuse, config changes |
| Endpoint | CrowdStrike EDR, Carbon Black, SentinelOne | Malware, LOLBins, persistence, credential dumping |
| Email / Collaboration | M365, Google Workspace | Phishing, BEC, forwarding rules, delegation abuse |
This table is a starting point for Phase 2 — reason about threats specific to the actual product, not just the category.
npx claudepluginhub willwebster5/agent-skills --plugin crowdstrike-source-threat-modelingEngineers and audits SIEM detection rules — log source coverage, Sigma/KQL/SPL/Elastic query authoring, MITRE ATT&CK mapping, and false-positive tuning.
Build detection engineering capabilities including threat modeling, detection hypothesis development, and hypothesis testing.
Designs SIEM correlation rules, threshold alerts, and behavioral analytics mapped to MITRE ATT&CK across Splunk, Elastic, and Sentinel. Use when SOC teams need to expand detection coverage or formalize use case lifecycle management.