Security Monitoring
БесплатноБез исполняемых скриптовНе проверенAutomate security monitoring, threat detection, incident response, and compliance workflows
Об этом скилле
Security Monitoring
Comprehensive skill for security monitoring, threat detection, and incident response automation.
Core Architecture
Security Monitoring Stack
SECURITY MONITORING ARCHITECTURE:
┌─────────────────────────────────────────────────────────┐
│ DATA SOURCES │
├──────────┬──────────┬──────────┬──────────┬────────────┤
│ Firewall │ Endpoint │ Cloud │ Network │ Application│
│ Logs │ Logs │ Logs │ Traffic │ Logs │
└────┬─────┴────┬─────┴────┬─────┴────┬─────┴─────┬──────┘
│ │ │ │ │
└──────────┴──────────┴────┬─────┴───────────┘
▼
┌─────────────────────────────────────────────────────────┐
│ LOG AGGREGATION │
│ (SIEM / Security Data Lake) │
└────────────────────────┬────────────────────────────────┘
▼
┌─────────────────────────────────────────────────────────┐
│ DETECTION ENGINE │
│ • Rule-based Detection • ML Anomaly Detection │
│ • Correlation Rules • Threat Intelligence │
└────────────────────────┬────────────────────────────────┘
▼
┌─────────────────────────────────────────────────────────┐
│ RESPONSE & ACTION │
│ • Alerting • Automated Response │
│ • Ticketing • Containment │
└─────────────────────────────────────────────────────────┘
Detection Rules
Rule Categories
detection_rules:
authentication:
- name: brute_force_login
description: "Multiple failed login attempts"
query: |
event.type == "authentication" AND
event.outcome == "failure" AND
COUNT(*) > 5 WITHIN 5 minutes
GROUP BY source.ip
severity: high
actions:
- create_alert
- block_ip_temporarily
- name: impossible_travel
description: "Login from geographically distant locations"
query: |
event.type == "authentication" AND
event.outcome == "success" AND
geo_distance(prev_location, current_location) > 500km AND
time_diff < 1 hour
severity: critical
actions:
- create_alert
- require_mfa_verification
- notify_user
data_exfiltration:
- name: large_data_transfer
description: "Unusual data egress volume"
query: |
event.type == "network" AND
direction == "outbound" AND
bytes_transferred > 100MB WITHIN 1 hour
GROUP BY user.id
severity: medium
actions:
- create_alert
- capture_network_session
malware:
- name: known_malware_hash
description: "File matches known malware signature"
query: |
event.type == "file" AND
file.hash.sha256 IN threat_intelligence.malware_hashes
severity: critical
actions:
- quarantine_file
- isolate_endpoint
- create_incident
Correlation Rules
correlation_rules:
- name: lateral_movement_detection
description: "Detect potential lateral movement"
events:
- type: authentication_success
from: internal_network
- type: process_execution
name: ["psexec", "wmic", "powershell"]
within: 5_minutes
- type: network_connection
to: different_internal_host
within: 10_minutes
severity: high
- name: privilege_escalation_chain
description: "Detect privilege escalation attempts"
events:
- type: authentication
account_type: standard_user
- type: process_execution
elevated: true
within: 30_minutes
- type: account_modification
action: add_to_admin_group
within: 1_hour
severity: critical
Alert Management
Alert Configuration
alert_config:
severity_levels:
critical:
response_time: 15_minutes
notifications:
- pagerduty: security_oncall
- slack: "#security-critical"
- email: [email protected]
auto_escalation: 30_minutes
high:
response_time: 1_hour
notifications:
- slack: "#security-alerts"
- email: [email protected]
medium:
response_time: 4_hours
notifications:
- slack: "#security-alerts"
low:
response_time: 24_hours
notifications:
- ticket_only: true
deduplication:
enabled: true
window: 1_hour
key_fields:
- rule_id
- source.ip
- destination.ip
Alert Template
alert_template:
title: "[{{severity}}] {{rule_name}}"
body: |
## Security Alert
**Rule:** {{rule_name}}
**Severity:** {{severity}}
**Time:** {{timestamp}}
### Details
- **Source IP:** {{source.ip}}
- **Source User:** {{user.name}}
- **Destination:** {{destination.ip}}
- **Action:** {{event.action}}
### Context
{{event_context}}
### Recommended Actions
{{#each recommended_actions}}
- {{this}}
{{/each}}
### Related Events
{{related_events_link}}
Incident Response
Incident Workflow
INCIDENT RESPONSE WORKFLOW:
┌─────────────────┐
│ Detection │
│ (Alert Fired) │
└────────┬────────┘
▼
┌─────────────────┐
│ Triage │
│ - Validate │
│ - Classify │
│ - Prioritize │
└────────┬────────┘
▼
┌─────────────────┐
│ Containment │
│ - Isolate │
│ - Block │
│ - Preserve │
└────────┬────────┘
▼
┌─────────────────┐
│ Investigation │
│ - Collect │
│ - Analyze │
│ - Correlate │
└────────┬────────┘
▼
┌─────────────────┐
│ Eradication │
│ - Remove │
│ - Patch │
│ - Harden │
└────────┬────────┘
▼
┌─────────────────┐
│ Recovery │
│ - Restore │
│ - Verify │
│ - Monitor │
└────────┬────────┘
▼
┌─────────────────┐
│ Post-Incident │
│ - Document │
│ - Review │
│ - Improve │
└─────────────────┘
Playbook Automation
playbooks:
- name: ransomware_response
trigger:
alert_type: ransomware_detected
steps:
- name: isolate_endpoint
action: network_isolate
target: "{{affected_host}}"
- name: disable_account
action: disable_ad_account
target: "{{user.name}}"
- name: preserve_evidence
action: capture_memory_image
target: "{{affected_host}}"
- name: notify_stakeholders
action: send_notification
channels:
- security_team
- it_leadership
- legal_if_needed
- name: create_incident
action: create_ticket
priority: critical
template: ransomware_incident
- name: phishing_response
trigger:
alert_type: phishing_reported
steps:
- name: analyze_email
action: extract_iocs
extract:
- sender_address
- urls
- attachments
- name: check_recipients
action: query_email_logs
find: all_recipients
- name: block_sender
action: add_to_blocklist
target: "{{sender_address}}"
- name: remove_emails
action: delete_from_mailboxes
target: all_recipients
Compliance Monitoring
Compliance Frameworks
compliance_checks:
pci_dss:
- requirement: "10.2.1"
description: "Log all access to cardholder data"
query: |
SELECT * FROM audit_logs
WHERE data_classification = 'cardholder'
AND timestamp > NOW() - INTERVAL '24 hours'
expected: all_access_logged
- requiremen
Установить Security Monitoring в Claude Code и Claude Desktop
Зарегайся, чтобы установить скилл
Создай бесплатный аккаунт, чтобы открыть команду установки и сохранить скилл в библиотеку.
- Открой команду установки в одну строку
- Сохраняй скиллы в синхронизируемую библиотеку
- Уведомления, когда скиллы обновляются
Разрешённые инструменты
Инструменты, которые скиллу разрешено вызывать.
Без ограничений — скилл может использовать любой инструмент.
FAQ
Что делает скилл Security Monitoring?
Automate security monitoring, threat detection, incident response, and compliance workflows
Как установить скилл Security Monitoring?
Скопируй папку скилла в ~/.claude/skills (вкладка Claude Code выше делает это одной командой), либо поставь как плагин.
Скилл Security Monitoring запускает скрипты?
Нет, скилл состоит только из инструкций (SKILL.md), без исполняемых скриптов.
Похожие скиллы
Skill Creator
Author a new Agent Skill the right way
от Anthropictheme-factory
Toolkit for styling artifacts with a theme. These artifacts can be slides, docs, reportings, HTML landing pages, etc. There are 10 pre-set themes with colors/fo
от Anthropictemplate-skill
Replace with description of the skill and when Claude should use it.
от Anthropicvercel-composition-patterns
vercel-composition-patterns — Agent Skill for Claude
от Vercel