Threat Detection
Category: Engineering
Domain: Security Operations
Overview
The Threat Detection skill provides automated analysis of log files for suspicious patterns including brute force attacks, injection attempts, unusual access patterns, and privilege escalation indicators. It helps security teams triage log data and identify threats before they escalate.
Quick Start
```bash
# Analyze a log file for threat signals
python scripts/threat_signal_analyzer.py --file /var/log/auth.log

# Analyze with a specific threat category
python scripts/threat_signal_analyzer.py --file access.log --category injection

# JSON output for SIEM integration
python scripts/threat_signal_analyzer.py --file auth.log --format json

# Set minimum severity
python scripts/threat_signal_analyzer.py --file access.log --min-severity high
```
Tools Overview
threat_signal_analyzer.py
Analyzes log files for suspicious activity patterns across multiple threat categories.
| Feature | Description |
|---|---|
| Brute force detection | Identifies repeated failed login attempts from the same source |
| Injection scanning | Detects SQL injection, XSS, and command injection in requests |
| Access anomalies | Flags unusual access times, forbidden paths, admin probes |
| Privilege escalation | Detects sudo abuse, role changes, permission modifications |
| Rate analysis | Identifies request flooding and denial-of-service patterns |
| IP reputation | Flags known-bad patterns (scanners, bots, TOR indicators) |
Workflows
Log Analysis Workflow
- Collect - Gather logs from auth, access, application sources
- Analyze - Run threat_signal_analyzer.py across log files
- Triage - Review critical and high severity findings first
- Correlate - Cross-reference findings across log sources
- Respond - Block IPs, reset credentials, escalate as needed
Incident Investigation Workflow
- Scope - Identify time window and affected systems
- Scan - Run analyzer on all relevant log files
- Timeline - Build timeline from threat signals
- Impact - Assess what was accessed or modified
- Contain - Block threat actors and patch vulnerabilities
Continuous Monitoring
```bash
# Cron job: analyze auth logs every hour
python scripts/threat_signal_analyzer.py --file /var/log/auth.log --format json --min-severity high > /tmp/threat_report.json

# CI/CD: scan application logs on deployment
python scripts/threat_signal_analyzer.py --file app.log --category injection --format json
```
Reference Documentation
- Threat Indicators - Common attack patterns, indicators of compromise, response playbooks
Common Patterns Quick Reference
Threat Categories
| Category | Signals | Severity |
|---|---|---|
| Brute force | 5+ failed logins from the same IP in 5 min | High |
| SQL injection | UNION SELECT, OR 1=1, DROP TABLE in requests | Critical |
| XSS | script tags, javascript: URIs, event handlers in input | High |
| Path traversal | ../ sequences, /etc/passwd access attempts | High |
| Command injection | ; cat /etc/passwd, \| nc, backtick usage | |
| Admin probing | /admin, /wp-admin, /phpmyadmin access attempts | Medium |
| Rate flooding | 100+ requests/minute from a single IP | High |
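As an added illustration of the brute-force rule in the table above (5+ failed logins from the same IP within 5 minutes, severity High), the following sliding-window detector runs over a constructed auth.log sample and emits SIEM-style JSON findings. It is example code written for this reference, not the implementation inside `threat_signal_analyzer.py`; the syslog year (absent from sshd lines) is assumed to be 2024.

```python
import json
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in syslog auth.log format (sshd omits the year).
# These lines are made up for the example and come from no real host.
SAMPLE_AUTH_LOG = """\
Mar  3 10:00:01 host sshd[101]: Failed password for root from 203.0.113.7 port 50011 ssh2
Mar  3 10:00:09 host sshd[102]: Failed password for invalid user admin from 203.0.113.7 port 50012 ssh2
Mar  3 10:01:15 host sshd[103]: Failed password for root from 203.0.113.7 port 50013 ssh2
Mar  3 10:02:40 host sshd[104]: Accepted publickey for deploy from 198.51.100.5 port 40000 ssh2
Mar  3 10:03:02 host sshd[105]: Failed password for root from 203.0.113.7 port 50014 ssh2
Mar  3 10:04:30 host sshd[106]: Failed password for root from 203.0.113.7 port 50015 ssh2
Mar  3 10:20:00 host sshd[107]: Failed password for root from 198.51.100.5 port 40001 ssh2
Mar  3 10:40:00 host sshd[108]: Failed password for root from 198.51.100.5 port 40002 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for .* from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port"
)

def parse_failed_logins(text, year=2024):
    """Yield (timestamp, source_ip) for each failed-password line; year is assumed."""
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"]

def detect_brute_force(text, threshold=5, window=timedelta(minutes=5)):
    """Per-source sliding window; one High finding per IP once the threshold is hit."""
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    findings = {}
    for ts, ip in parse_failed_logins(text):
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:  # drop attempts older than the window
            q.popleft()
        if len(q) >= threshold and ip not in findings:
            findings[ip] = {
                "category": "brute_force", "severity": "high", "source_ip": ip,
                "failed_attempts": len(q),
                "first_seen": q[0].isoformat(), "last_seen": ts.isoformat(),
            }
    return list(findings.values())

if __name__ == "__main__":
    print(json.dumps(detect_brute_force(SAMPLE_AUTH_LOG), indent=2))
```

The second source (198.51.100.5) fails twice but 20 minutes apart, so it never crosses the window threshold and produces no finding.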
Severity Levels
- CRITICAL - Active exploitation attempt (injection, RCE)
- HIGH - Likely attack in progress (brute force, privilege escalation)
- MEDIUM - Suspicious activity requiring investigation
- LOW - Informational, possible false positive
Response Actions
| Severity | Immediate Action | Follow-Up |
|---|---|---|
| Critical | Block IP, alert SOC | Incident report, forensics |
| High | Rate limit, monitor | Review access, check damage |
| Medium | Log and monitor | Weekly review |
| Low | Log only | Monthly trend analysis |