- Home
- Skills
- Williamzujkowski
- Standards
- Security Operations
security-operations_skill
- Python
13
GitHub Stars
2
Bundled Files
2 months ago
Catalog Refreshed
4 months ago
First Indexed
Readme & install
Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.
Installation
Preview and clipboard use veilstrat where the catalogue uses aiagentskills.
npx veilstrat add skill williamzujkowski/standards --skill security-operations- REFERENCE.md44.6 KB
- SKILL.md10.2 KB
Overview
This skill captures practical Security Operations Center (SOC) practices for incident response, SIEM management, and threat hunting aligned to NIST 800-61. It distills team roles, incident lifecycle steps, playbooks for common incidents (phishing, ransomware, data breach), and essential SIEM queries and metrics. Use it to build repeatable operational processes and measurable detection/response capabilities.
How this skill works
The skill outlines a four-phase incident response lifecycle: Preparation, Detection, Containment/Eradication, and Post-Incident review. It maps SOC tiers (T1–T3) to responsibilities, provides SIEM query examples and correlation rules, and describes threat-hunting and forensics procedures. Actionable checklists, recovery steps, and timing targets (MTTD/MTTR) make it operationally usable.
When to use it
- When designing or maturing a SOC and defining roles, on-call rotation, and escalation paths.
- When creating or updating incident response playbooks for phishing, ransomware, or data breaches.
- When tuning SIEM rules, implementing correlation, and reducing alert noise.
- When running tabletop exercises, red team tests, or post-incident reviews.
- When building threat-hunting programs and creating hypotheses tied to telemetry sources.
Best practices
- Automate repetitive Tier 1 tasks with SOAR and enrich alerts with threat intel to reduce fatigue.
- Prioritize log sources (auth, network, endpoints, cloud, apps) and ensure complete ingest and retention.
- Define clear severity levels and SLA targets (e.g., critical detection <1 hour, response <4 hours).
- Preserve forensic evidence before remediation and document chain-of-custody for legal needs.
- Run quarterly rule tuning and annual tabletop or red-team exercises to validate procedures.
Example use cases
- Triage workflow for a suspected credential compromise: validation, scoping, contain, and escalate.
- Implementing SIEM correlation rules for brute force, privilege escalation, lateral movement, and data exfiltration.
- Ransomware playbook execution: isolate, assess encrypted systems, rebuild from gold image, and improve backups.
- Threat hunt for beaconing activity using connection-interval analysis and UEBA baselines.
- Post-incident review template creation with timelines, lessons learned, and tracked remediation items.
FAQ
Start with authentication logs (AD/SSO/VPN), endpoint telemetry (EDR), network devices (firewall/proxy/DNS), cloud audit logs, and critical application logs.
How should incidents be classified and escalated?
Use severity tiers: Critical (<15 min response, CISO/legal), High (<1 hour, T3/management), Medium (<4 hours, T2), Low (<24 hours, T1) and escalate based on impact and active data exfiltration.
When should evidence be collected versus systems isolated?
Preserve volatile evidence (memory dumps) before reboot or remediation. Perform short-term containment (isolate host) immediately, then collect full disk images and metadata under forensic controls.