npx skills add https://github.com/claude-office-skills/skills --skill 'Security Monitoring'
Comprehensive skill for security monitoring, threat detection, and incident response automation.
SECURITY MONITORING ARCHITECTURE:
┌─────────────────────────────────────────────────────────┐
│                      DATA SOURCES                       │
├──────────┬──────────┬──────────┬──────────┬─────────────┤
│ Firewall │ Endpoint │  Cloud   │ Network  │ Application │
│   Logs   │   Logs   │   Logs   │ Traffic  │    Logs     │
└────┬─────┴────┬─────┴────┬─────┴────┬─────┴──────┬──────┘
     │          │          │          │            │
     └──────────┴──────────┴────┬─────┴────────────┘
                                ▼
┌─────────────────────────────────────────────────────────┐
│                     LOG AGGREGATION                     │
│               (SIEM / Security Data Lake)               │
└───────────────────────────────┬─────────────────────────┘
                                ▼
┌─────────────────────────────────────────────────────────┐
│                    DETECTION ENGINE                     │
│  • Rule-based Detection      • ML Anomaly Detection     │
│  • Correlation Rules         • Threat Intelligence      │
└───────────────────────────────┬─────────────────────────┘
                                ▼
┌─────────────────────────────────────────────────────────┐
│                    RESPONSE & ACTION                    │
│  • Alerting                  • Automated Response       │
│  • Ticketing                 • Containment              │
└─────────────────────────────────────────────────────────┘
detection_rules:
  authentication:
    - name: brute_force_login
      description: "Multiple failed login attempts"
      query: |
        event.type == "authentication" AND
        event.outcome == "failure" AND
        COUNT(*) > 5 WITHIN 5 minutes
        GROUP BY source.ip
      severity: high
      actions:
        - create_alert
        - block_ip_temporarily
    - name: impossible_travel
      description: "Login from geographically distant locations"
      query: |
        event.type == "authentication" AND
        event.outcome == "success" AND
        geo_distance(prev_location, current_location) > 500km AND
        time_diff < 1 hour
      severity: critical
      actions:
        - create_alert
        - require_mfa_verification
        - notify_user
  data_exfiltration:
    - name: large_data_transfer
      description: "Unusual data egress volume"
      query: |
        event.type == "network" AND
        direction == "outbound" AND
        bytes_transferred > 100MB WITHIN 1 hour
        GROUP BY user.id
      severity: medium
      actions:
        - create_alert
        - capture_network_session
  malware:
    - name: known_malware_hash
      description: "File matches known malware signature"
      query: |
        event.type == "file" AND
        file.hash.sha256 IN threat_intelligence.malware_hashes
      severity: critical
      actions:
        - quarantine_file
        - isolate_endpoint
        - create_incident
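The two authentication rules above, evaluated in Python over a constructed event stream. This is an added example, not code from the skill: it assumes events already normalised to the field names shown (`source.ip`, `event.outcome`) and a GeoIP enrichment step that attaches a (lat, lon) to each login. The impossible-travel check is written in velocity form (distance divided by elapsed time) rather than the page's fixed pair of 500 km within 1 hour, because that pair also fires on a 50-minute domestic flight and misses 400 km in 10 minutes; the 900 km/h default is an assumption, roughly airliner cruise speed. One caveat on the `block_ip_temporarily` action: keyed on `source.ip` alone it locks out every user behind a shared NAT or corporate proxy, so pair it with an allowlist of known egress addresses.

```python
"""Evaluate brute_force_login and impossible_travel over a constructed
authentication stream. Example code; not part of the skill."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

# Constructed sample events, all of event.type == "authentication", already
# normalised. "geo" is the (lat, lon) a GeoIP enrichment step would attach to
# the source address; timestamps are UTC. None of this is real telemetry.
EVENTS = [
    {"ts": "2024-03-01T10:00:00", "outcome": "failure", "source_ip": "203.0.113.7", "user": "alice", "geo": None},
    {"ts": "2024-03-01T10:00:30", "outcome": "failure", "source_ip": "203.0.113.7", "user": "alice", "geo": None},
    {"ts": "2024-03-01T10:01:00", "outcome": "failure", "source_ip": "203.0.113.7", "user": "alice", "geo": None},
    {"ts": "2024-03-01T10:01:10", "outcome": "failure", "source_ip": "198.51.100.9", "user": "bob", "geo": None},
    {"ts": "2024-03-01T10:01:30", "outcome": "failure", "source_ip": "203.0.113.7", "user": "alice", "geo": None},
    {"ts": "2024-03-01T10:02:00", "outcome": "failure", "source_ip": "203.0.113.7", "user": "alice", "geo": None},
    {"ts": "2024-03-01T10:02:30", "outcome": "failure", "source_ip": "203.0.113.7", "user": "alice", "geo": None},
    # alice then succeeds from London and, 30 minutes later, from New York
    {"ts": "2024-03-01T10:10:00", "outcome": "success", "source_ip": "203.0.113.7", "user": "alice", "geo": (51.5074, -0.1278)},
    {"ts": "2024-03-01T10:40:00", "outcome": "success", "source_ip": "192.0.2.44", "user": "alice", "geo": (40.7128, -74.0060)},
    # bob: Paris, then Lyon two hours later (about 390 km, a plausible train ride)
    {"ts": "2024-03-01T11:00:00", "outcome": "success", "source_ip": "198.51.100.9", "user": "bob", "geo": (48.8566, 2.3522)},
    {"ts": "2024-03-01T13:00:00", "outcome": "success", "source_ip": "198.51.100.10", "user": "bob", "geo": (45.7640, 4.8357)},
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def brute_force_hits(events, threshold=5, window=timedelta(minutes=5)):
    """brute_force_login: COUNT(*) > threshold failures WITHIN window, GROUP BY source.ip.

    Returns (source_ip, triggering_timestamp, count). The window is cleared after a
    hit so one burst produces one hit rather than one per additional failure."""
    recent = defaultdict(deque)  # source_ip -> failure timestamps still inside the window
    hits = []
    for e in sorted(events, key=_ts):
        if e["outcome"] != "failure":
            continue
        now = _ts(e)
        q = recent[e["source_ip"]]
        q.append(now)
        while now - q[0] > window:  # evict failures that fell out of the sliding window
            q.popleft()
        if len(q) > threshold:
            hits.append((e["source_ip"], now, len(q)))
            q.clear()
    return hits


def haversine_km(a, b):
    """Great-circle distance between two (lat, lon) pairs in kilometres."""
    lat1, lon1 = map(radians, a)
    lat2, lon2 = map(radians, b)
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def impossible_travel_hits(events, max_kmh=900.0):
    """impossible_travel in velocity form: a successful login whose implied speed
    from the same user's previous success exceeds max_kmh (assumed default: airliner speed).

    Returns (user, timestamp, km, implied_kmh). Elapsed time is floored at one minute
    so two near-simultaneous logins from far apart do not divide by zero."""
    last = {}  # user -> (timestamp, geo) of the previous successful login
    hits = []
    for e in sorted(events, key=_ts):
        if e["outcome"] != "success" or e["geo"] is None:
            continue
        now = _ts(e)
        prev = last.get(e["user"])
        if prev is not None:
            km = haversine_km(prev[1], e["geo"])
            hours = max((now - prev[0]).total_seconds() / 3600, 1 / 60)
            speed = km / hours
            if speed > max_kmh:
                hits.append((e["user"], now, round(km), round(speed)))
        last[e["user"]] = (now, e["geo"])
    return hits


if __name__ == "__main__":
    for ip, when, n in brute_force_hits(EVENTS):
        print(f"brute_force_login  source.ip={ip} failures={n} at {when:%H:%M:%S}")
    for user, when, km, kmh in impossible_travel_hits(EVENTS):
        print(f"impossible_travel  user={user} {km} km, implied {kmh} km/h at {when:%H:%M}")
```

Run as a script it reports one brute-force hit for 203.0.113.7 (six failures inside five minutes) and one impossible-travel hit for alice; bob's three failures and his Paris to Lyon trip stay quiet.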
correlation_rules:
  - name: lateral_movement_detection
    description: "Detect potential lateral movement"
    events:
      - type: authentication_success
        from: internal_network
      - type: process_execution
        name: ["psexec", "wmic", "powershell"]
        within: 5_minutes
      - type: network_connection
        to: different_internal_host
        within: 10_minutes
    severity: high
  - name: privilege_escalation_chain
    description: "Detect privilege escalation attempts"
    events:
      - type: authentication
        account_type: standard_user
      - type: process_execution
        elevated: true
        within: 30_minutes
      - type: account_modification
        action: add_to_admin_group
        within: 1_hour
    severity: critical
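The two correlation rules above expressed as stage chains and evaluated by a small sequence correlator, as an added example that is not the skill's own engine. It assumes endpoint events carry a `host` name, the host's own address, and for network events a `dest_ip`; `internal_network` is assumed to mean the RFC 1918 ranges listed in the code. The engine generalises the page's two rules: any ordered list of stages, each with its own window measured from the previous stage, keyed by whatever entity (host, user, session) the rule should be scoped to.

```python
"""Sequence correlation for lateral_movement_detection and privilege_escalation_chain
over a constructed endpoint event stream. Example code; not the skill's own engine."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import Callable, Optional

INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]  # assumed meaning of internal_network
REMOTE_EXEC_TOOLS = {"psexec", "wmic", "powershell"}


def is_internal(ip):
    return any(ip_address(ip) in net for net in INTERNAL_NETS)


@dataclass
class Stage:
    name: str
    match: Callable[[dict], bool]
    within: Optional[timedelta] = None  # max gap after the previous stage; None for the first stage


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def correlate(events, stages, key):
    """Return every completed chain (a list of matched events) per entity key(e).

    A partial chain advances when the next stage matches inside its window and is
    dropped silently once the window passes. Any event matching the first stage
    opens a new chain, so overlapping attempts on one host are tracked separately."""
    partial = defaultdict(list)  # entity -> list of partial chains
    complete = []
    for e in sorted(events, key=_ts):
        kept = []
        for chain in partial[key(e)]:
            nxt = stages[len(chain)]
            if _ts(e) - _ts(chain[-1]) > nxt.within:
                continue  # window expired: drop this chain
            if nxt.match(e):
                chain = chain + [e]
                if len(chain) == len(stages):
                    complete.append(chain)
                    continue
            kept.append(chain)
        if stages[0].match(e):
            kept.append([e])
        partial[key(e)] = kept
    return complete


LATERAL_MOVEMENT = [
    Stage("authentication_success from internal_network",
          lambda e: e["type"] == "authentication_success" and is_internal(e["source_ip"])),
    Stage("process_execution of a remote-execution tool",
          lambda e: e["type"] == "process_execution"
          and e["process"].lower().removesuffix(".exe") in REMOTE_EXEC_TOOLS,
          timedelta(minutes=5)),
    Stage("network_connection to a different internal host",
          lambda e: e["type"] == "network_connection"
          and is_internal(e["dest_ip"]) and e["dest_ip"] != e["host_ip"],
          timedelta(minutes=10)),
]

PRIVILEGE_ESCALATION = [
    Stage("authentication as standard_user",
          lambda e: e["type"] == "authentication" and e.get("account_type") == "standard_user"),
    Stage("elevated process_execution",
          lambda e: e["type"] == "process_execution" and e.get("elevated") is True,
          timedelta(minutes=30)),
    Stage("account_modification add_to_admin_group",
          lambda e: e["type"] == "account_modification" and e.get("action") == "add_to_admin_group",
          timedelta(hours=1)),
]

# Constructed sample events (not real telemetry), chains keyed by host name.
EVENTS = [
    {"ts": "2024-03-01T10:00:00", "host": "WS-042", "host_ip": "10.0.5.12", "type": "authentication_success", "source_ip": "10.0.7.200", "user": "alice"},
    {"ts": "2024-03-01T10:03:00", "host": "WS-042", "host_ip": "10.0.5.12", "type": "process_execution", "process": "PsExec.exe", "user": "alice"},
    {"ts": "2024-03-01T10:08:00", "host": "WS-042", "host_ip": "10.0.5.12", "type": "network_connection", "dest_ip": "10.0.5.30", "user": "alice"},
    # Benign: an admin logs on, runs PowerShell, and only talks to an external address
    {"ts": "2024-03-01T11:00:00", "host": "WS-077", "host_ip": "10.0.9.4", "type": "authentication_success", "source_ip": "10.0.9.1", "user": "carol"},
    {"ts": "2024-03-01T11:02:00", "host": "WS-077", "host_ip": "10.0.9.4", "type": "process_execution", "process": "powershell.exe", "user": "carol"},
    {"ts": "2024-03-01T11:05:00", "host": "WS-077", "host_ip": "10.0.9.4", "type": "network_connection", "dest_ip": "203.0.113.50", "user": "carol"},
    # Standard user -> elevated process -> added to an admin group, all on SRV-01
    {"ts": "2024-03-01T12:00:00", "host": "SRV-01", "host_ip": "10.0.1.5", "type": "authentication", "account_type": "standard_user", "user": "bob"},
    {"ts": "2024-03-01T12:20:00", "host": "SRV-01", "host_ip": "10.0.1.5", "type": "process_execution", "process": "cmd.exe", "elevated": True, "user": "bob"},
    {"ts": "2024-03-01T12:50:00", "host": "SRV-01", "host_ip": "10.0.1.5", "type": "account_modification", "action": "add_to_admin_group", "user": "bob"},
]


def by_host(event):
    return event["host"]


if __name__ == "__main__":
    for rule, stages in (("lateral_movement_detection", LATERAL_MOVEMENT),
                         ("privilege_escalation_chain", PRIVILEGE_ESCALATION)):
        for chain in correlate(EVENTS, stages, by_host):
            print(rule, chain[0]["host"], [(s["type"], s["ts"][11:16]) for s in chain])
```

WS-077 opens a lateral-movement chain and advances it on the PowerShell launch, but the connection to an external address never satisfies the third stage, so it expires without an alert; only WS-042 and SRV-01 complete their chains.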
alert_config:
  severity_levels:
    critical:
      response_time: 15_minutes
      notifications:
        - pagerduty: security_oncall
        - slack: "#security-critical"
        - email: security-team@company.com
      auto_escalation: 30_minutes
    high:
      response_time: 1_hour
      notifications:
        - slack: "#security-alerts"
        - email: security-team@company.com
    medium:
      response_time: 4_hours
      notifications:
        - slack: "#security-alerts"
    low:
      response_time: 24_hours
      notifications:
        - ticket_only: true
  deduplication:
    enabled: true
    window: 1_hour
    key_fields:
      - rule_id
      - source.ip
      - destination.ip
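The severity routing, deduplication window and auto-escalation from alert_config, implemented in Python as an added example (not the skill's own code). Channel names are kept as `kind:target` strings and the transport behind them is assumed. Two choices the config leaves open are made explicit here: the dedup window is anchored at the first occurrence, so a sustained attack resurfaces every hour instead of being suppressed indefinitely by its own repeats, and each record escalates once.

```python
"""Severity routing, deduplication and auto-escalation following alert_config.
Example code; the state is in memory, where a SIEM or SOAR would persist it."""
from datetime import datetime, timedelta

SEVERITY_LEVELS = {  # response_time and channels from alert_config; the transport is assumed
    "critical": {"response_time": timedelta(minutes=15), "auto_escalation": timedelta(minutes=30),
                 "notify": ["pagerduty:security_oncall", "slack:#security-critical",
                            "email:security-team@company.com"]},
    "high": {"response_time": timedelta(hours=1),
             "notify": ["slack:#security-alerts", "email:security-team@company.com"]},
    "medium": {"response_time": timedelta(hours=4), "notify": ["slack:#security-alerts"]},
    "low": {"response_time": timedelta(hours=24), "notify": ["ticket_only"]},
}
DEDUP_WINDOW = timedelta(hours=1)
DEDUP_KEY_FIELDS = ("rule_id", "source.ip", "destination.ip")


class AlertRouter:
    def __init__(self):
        self.open = {}  # dedup key -> alert record

    @staticmethod
    def dedup_key(alert):
        return tuple(alert.get(field) for field in DEDUP_KEY_FIELDS)

    def route(self, alert, now):
        """Return ("new", record) carrying the channels to notify, or ("suppressed",
        record) when an equal-keyed alert was opened inside the dedup window.

        The window is anchored at first_seen rather than at the latest repeat, so a
        sustained attack resurfaces every hour instead of being suppressed for good."""
        key = self.dedup_key(alert)
        rec = self.open.get(key)
        if rec is not None and now - rec["first_seen"] <= DEDUP_WINDOW:
            rec["count"] += 1
            rec["last_seen"] = now
            return "suppressed", rec
        level = SEVERITY_LEVELS[alert["severity"]]
        rec = {"key": key, "severity": alert["severity"], "first_seen": now, "last_seen": now,
               "count": 1, "notify": list(level["notify"]),
               "respond_by": now + level["response_time"], "acknowledged": False, "escalated": False}
        self.open[key] = rec
        return "new", rec

    def acknowledge(self, alert):
        self.open[self.dedup_key(alert)]["acknowledged"] = True

    def escalations_due(self, now):
        """Unacknowledged records whose level defines auto_escalation and whose
        first_seen is at least that long ago; each record is returned once."""
        due = []
        for rec in self.open.values():
            limit = SEVERITY_LEVELS[rec["severity"]].get("auto_escalation")
            if limit and not rec["acknowledged"] and not rec["escalated"] and now - rec["first_seen"] >= limit:
                rec["escalated"] = True
                due.append(rec)
        return due

    def sla_breaches(self, now):
        """Unacknowledged records past their response_time."""
        return [r for r in self.open.values() if not r["acknowledged"] and now > r["respond_by"]]


def scenario():
    """Replay a constructed sequence of alerts; returns the routing decisions as
    (time, rule_id, status, count, channels) plus the escalation and SLA results."""
    router = AlertRouter()
    t0 = datetime(2024, 3, 1, 10, 0)
    bf = {"rule_id": "brute_force_login", "severity": "high",
          "source.ip": "203.0.113.7", "destination.ip": "10.0.0.5"}
    mw = {"rule_id": "known_malware_hash", "severity": "critical",
          "source.ip": "10.0.5.12", "destination.ip": None}
    decisions = []
    for alert, at in ((bf, t0), (bf, t0 + timedelta(minutes=10)), (mw, t0), (bf, t0 + timedelta(minutes=61))):
        status, rec = router.route(alert, at)
        decisions.append((f"{at:%H:%M}", rec["key"][0], status, rec["count"], rec["notify"]))
    escalated = [r["key"][0] for r in router.escalations_due(t0 + timedelta(minutes=30))]
    escalated_again = [r["key"][0] for r in router.escalations_due(t0 + timedelta(minutes=45))]
    breached = [r["key"][0] for r in router.sla_breaches(t0 + timedelta(minutes=16))]
    router.acknowledge(mw)
    breached_after_ack = [r["key"][0] for r in router.sla_breaches(t0 + timedelta(minutes=16))]
    return decisions, escalated, escalated_again, breached, breached_after_ack


if __name__ == "__main__":
    decisions, *rest = scenario()
    for d in decisions:
        print(*d)
    print("escalated:", rest[0], "re-escalated:", rest[1], "sla breached:", rest[2], "after ack:", rest[3])
```

The replay shows the brute-force alert notified once, suppressed ten minutes later, and re-notified after the hour has passed; the critical malware alert pages the on-call, is escalated exactly once at the 30-minute mark, and counts as an SLA breach one minute after its 15-minute response window until it is acknowledged.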
alert_template:
  title: "[{{severity}}] {{rule_name}}"
  body: |
    ## Security Alert
    **Rule:** {{rule_name}}
    **Severity:** {{severity}}
    **Time:** {{timestamp}}
    ### Details
    - **Source IP:** {{source.ip}}
    - **Source User:** {{user.name}}
    - **Destination:** {{destination.ip}}
    - **Action:** {{event.action}}
    ### Context
    {{event_context}}
    ### Recommended Actions
    {{#each recommended_actions}}
    - {{this}}
    {{/each}}
    ### Related Events
    {{related_events_link}}
INCIDENT RESPONSE WORKFLOW:
┌─────────────────┐
│    Detection    │
│  (Alert Fired)  │
└────────┬────────┘
         ▼
┌─────────────────┐
│     Triage      │
│  - Validate     │
│  - Classify     │
│  - Prioritize   │
└────────┬────────┘
         ▼
┌─────────────────┐
│   Containment   │
│  - Isolate      │
│  - Block        │
│  - Preserve     │
└────────┬────────┘
         ▼
┌─────────────────┐
│  Investigation  │
│  - Collect      │
│  - Analyze      │
│  - Correlate    │
└────────┬────────┘
         ▼
┌─────────────────┐
│   Eradication   │
│  - Remove       │
│  - Patch        │
│  - Harden       │
└────────┬────────┘
         ▼
┌─────────────────┐
│    Recovery     │
│  - Restore      │
│  - Verify       │
│  - Monitor      │
└────────┬────────┘
         ▼
┌─────────────────┐
│  Post-Incident  │
│  - Document     │
│  - Review       │
│  - Improve      │
└─────────────────┘
playbooks:
  - name: ransomware_response
    trigger:
      alert_type: ransomware_detected
    steps:
      - name: isolate_endpoint
        action: network_isolate
        target: "{{affected_host}}"
      - name: disable_account
        action: disable_ad_account
        target: "{{user.name}}"
      - name: preserve_evidence
        action: capture_memory_image
        target: "{{affected_host}}"
      - name: notify_stakeholders
        action: send_notification
        channels:
          - security_team
          - it_leadership
          - legal_if_needed
      - name: create_incident
        action: create_ticket
        priority: critical
        template: ransomware_incident
  - name: phishing_response
    trigger:
      alert_type: phishing_reported
    steps:
      - name: analyze_email
        action: extract_iocs
        extract:
          - sender_address
          - urls
          - attachments
      - name: check_recipients
        action: query_email_logs
        find: all_recipients
      - name: block_sender
        action: add_to_blocklist
        target: "{{sender_address}}"
      - name: remove_emails
        action: delete_from_mailboxes
        target: all_recipients
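The two playbooks above run through a minimal executor, as an added example rather than the skill's own runner. The action handlers are simulations of the EDR, Active Directory and mail-system calls, and the reported email and mail log are constructed. Two behaviours are worth the extra lines: a placeholder such as `{{user.name}}` that cannot be resolved from the alert context fails the step instead of being passed on as literal text, and a failed step stops the playbook, because capturing memory from a host whose isolation failed, or purging mailboxes before the recipient list was established, would act on assumptions that no longer hold. `dry_run=True` renders every step without executing it, which is the right first pass before a destructive action like `delete_from_mailboxes`.

```python
"""A minimal SOAR-style executor for the ransomware_response and phishing_response
playbooks. Example code; the action handlers simulate the EDR, AD and mail calls."""
import re
from datetime import datetime, timezone

PLACEHOLDER = re.compile(r"\{\{\s*([\w.]+)\s*\}\}")


def lookup(path, ctx):
    """Resolve a dotted path such as user.name in the incident context."""
    cur = ctx
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            raise KeyError(path)
        cur = cur[part]
    return cur


def render(value, ctx):
    """Substitute {{placeholders}} in strings, lists and dicts. An unresolved name
    raises, so no step runs with the literal text "{{user.name}}" as its target."""
    if isinstance(value, str):
        return PLACEHOLDER.sub(lambda m: str(lookup(m.group(1), ctx)), value)
    if isinstance(value, list):
        return [render(v, ctx) for v in value]
    if isinstance(value, dict):
        return {k: render(v, ctx) for k, v in value.items()}
    return value


# Constructed inputs for the phishing playbook (not real mail).
MAIL_LOG = [
    {"message_id": "<8f3a@mail.test>", "recipient": "alice@company.example"},
    {"message_id": "<8f3a@mail.test>", "recipient": "dave@company.example"},
    {"message_id": "<19c0@mail.test>", "recipient": "erin@company.example"},  # unrelated message
]
REPORTED_EMAIL = {
    "message_id": "<8f3a@mail.test>", "from": "billing@examp1e-invoices.test",
    "body": "Invoice ready: http://examp1e-invoices.test/inv/4471 (mirror https://cdn.example.test/x)",
    "attachments": ["invoice_4471.pdf.exe"],
}


# Handlers receive the rendered step and the context and return fields merged
# back into the context for later steps. All of them are simulations.
def extract_iocs(step, ctx):
    mail = ctx["email"]
    found = {"sender_address": mail["from"], "attachments": list(mail["attachments"]),
             "urls": re.findall(r"https?://[^\s)]+", mail["body"])}
    return {k: found[k] for k in step["extract"]}


def query_email_logs(step, ctx):
    mid = ctx["email"]["message_id"]
    return {step["find"]: sorted({r["recipient"] for r in MAIL_LOG if r["message_id"] == mid})}


def delete_from_mailboxes(step, ctx):
    targets = ctx[step["target"]] if isinstance(step["target"], str) else step["target"]
    return {"purged": list(targets)}


ACTIONS = {
    "extract_iocs": extract_iocs,
    "query_email_logs": query_email_logs,
    "delete_from_mailboxes": delete_from_mailboxes,
    "add_to_blocklist": lambda s, c: {"blocklist": c.get("blocklist", []) + [s["target"]]},
    "network_isolate": lambda s, c: {"isolated": s["target"]},
    "disable_ad_account": lambda s, c: {"disabled_account": s["target"]},
    "capture_memory_image": lambda s, c: {"memory_image": f"/evidence/{s['target']}.raw"},
    "send_notification": lambda s, c: {"notified": list(s["channels"])},
    "create_ticket": lambda s, c: {"ticket": {"priority": s["priority"], "template": s["template"]}},
}


def run_playbook(playbook, ctx, dry_run=False):
    """Run steps in order; return (audit_trail, context). Execution stops at the
    first failure because later steps assume the earlier containment happened."""
    ctx = dict(ctx)
    audit = []
    for step in playbook["steps"]:
        entry = {"step": step["name"], "action": step["action"], "at": datetime.now(timezone.utc).isoformat()}
        try:
            rendered = render(step, ctx)
            if dry_run:
                entry["status"] = "planned"
            else:
                ctx.update(ACTIONS[rendered["action"]](rendered, ctx))
                entry["status"] = "done"
        except Exception as exc:  # unresolved placeholder, unknown action, or handler error
            entry["status"], entry["error"] = "failed", repr(exc)
            audit.append(entry)
            break
        audit.append(entry)
    return audit, ctx


RANSOMWARE_RESPONSE = {"name": "ransomware_response", "steps": [
    {"name": "isolate_endpoint", "action": "network_isolate", "target": "{{affected_host}}"},
    {"name": "disable_account", "action": "disable_ad_account", "target": "{{user.name}}"},
    {"name": "preserve_evidence", "action": "capture_memory_image", "target": "{{affected_host}}"},
    {"name": "notify_stakeholders", "action": "send_notification", "channels": ["security_team", "it_leadership", "legal_if_needed"]},
    {"name": "create_incident", "action": "create_ticket", "priority": "critical", "template": "ransomware_incident"},
]}
PHISHING_RESPONSE = {"name": "phishing_response", "steps": [
    {"name": "analyze_email", "action": "extract_iocs", "extract": ["sender_address", "urls", "attachments"]},
    {"name": "check_recipients", "action": "query_email_logs", "find": "all_recipients"},
    {"name": "block_sender", "action": "add_to_blocklist", "target": "{{sender_address}}"},
    {"name": "remove_emails", "action": "delete_from_mailboxes", "target": "all_recipients"},
]}

if __name__ == "__main__":
    for pb, ctx in ((RANSOMWARE_RESPONSE, {"affected_host": "WS-042", "user": {"name": "alice"}}),
                    (PHISHING_RESPONSE, {"email": REPORTED_EMAIL})):
        audit, out = run_playbook(pb, ctx)
        print(pb["name"], [(a["step"], a["status"]) for a in audit])
```

With a ransomware alert that carries no `user.name`, the trace reads `isolate_endpoint: done, disable_account: failed` and the remaining three steps never run; an analyst sees exactly where the automation stopped and what context was missing.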
compliance_checks:
  pci_dss:
    # Requirement numbers follow PCI DSS v3.2.1; v4.0 renumbered them
    # (10.2.1 became 10.2.1.1 and 10.6.1 became 10.4.1).
    - requirement: "10.2.1"
      description: "Log all access to cardholder data"
      query: |
        SELECT * FROM audit_logs
        WHERE data_classification = 'cardholder'
        AND timestamp > NOW() - INTERVAL '24 hours'
      expected: all_access_logged
    - requirement: "10.6.1"
      description: "Review logs daily"
      check: daily_log_review_completed
  hipaa:
    - requirement: "164.312(b)"
      description: "Audit controls"
      checks:
        - audit_logging_enabled
        - log_retention_6_years
        - tamper_protection
  soc2:
    - control: "CC6.1"
      description: "Logical access security"
      checks:
        - mfa_enabled
        - password_policy_enforced
        - access_reviews_quarterly
COMPLIANCE STATUS DASHBOARD
═══════════════════════════════════════
PCI-DSS:  ████████████░░░░  92% ✓
HIPAA:    ██████████████░░  98% ✓
SOC 2:    █████████████░░░  95% ✓
GDPR:     ████████████████ 100% ✓

FINDINGS BY SEVERITY:
Critical  ░░░░░░░░░░░░░░░░   0
High      ██░░░░░░░░░░░░░░   3
Medium    ████░░░░░░░░░░░░   8
Low       ██████░░░░░░░░░░  15

UPCOMING DEADLINES:
• Jan 30: Quarterly access review
• Feb 15: Penetration test scheduled
• Feb 28: Annual audit prep
SECURITY OPERATIONS METRICS
═══════════════════════════════════════
DETECTION:
  MTTD (Mean Time to Detect):   4.2 hours
  Alert Volume:                 1,234/day
  True Positive Rate:           78%

RESPONSE:
  MTTR (Mean Time to Respond):  1.8 hours
  Incidents Resolved:           23/week
  SLA Compliance:               96%

COVERAGE:
  Assets Monitored:             2,456/2,500 (98%)
  Log Sources:                  45 active
  Detection Rules:              234 active

THREAT LANDSCAPE:
  Blocked Attacks:              12,456/month
  Vulnerabilities:              89 open
  Patch Compliance:             94%
reports:
  - name: daily_security_briefing
    schedule: "0 8 * * *"
    recipients: security_team
    sections:
      - overnight_alerts
      - active_incidents
      - threat_intelligence_updates
  - name: weekly_executive_summary
    schedule: "0 9 * * 1"
    recipients: leadership
    sections:
      - key_metrics
      - significant_incidents
      - risk_posture
      - recommendations
  - name: monthly_compliance_report
    schedule: "0 9 1 * *"
    recipients: compliance_team
    sections:
      - control_status
      - audit_findings
      - remediation_progress