security-operations_skill

This skill helps you implement SOC incident response and threat hunting practices aligned with NIST 800-61 to improve detection, containment, and recovery.
  • Python

13

GitHub Stars

2

Bundled Files

2 months ago

Catalog Refreshed

4 months ago

First Indexed

Readme & install

Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.

Installation

Preview and clipboard use veilstrat where the catalogue uses aiagentskills.

npx veilstrat add skill williamzujkowski/standards --skill security-operations

  • REFERENCE.md44.6 KB
  • SKILL.md10.2 KB

Overview

This skill captures practical Security Operations Center (SOC) practices for incident response, SIEM management, and threat hunting aligned to NIST 800-61. It distills team roles, incident lifecycle steps, playbooks for common incidents (phishing, ransomware, data breach), and essential SIEM queries and metrics. Use it to build repeatable operational processes and measurable detection/response capabilities.

How this skill works

The skill outlines a four-phase incident response lifecycle: Preparation, Detection, Containment/Eradication, and Post-Incident review. It maps SOC tiers (T1–T3) to responsibilities, provides SIEM query examples and correlation rules, and describes threat-hunting and forensics procedures. Actionable checklists, recovery steps, and timing targets (MTTD/MTTR) make it operationally usable.

When to use it

  • When designing or maturing a SOC and defining roles, on-call rotation, and escalation paths.
  • When creating or updating incident response playbooks for phishing, ransomware, or data breaches.
  • When tuning SIEM rules, implementing correlation, and reducing alert noise.
  • When running tabletop exercises, red team tests, or post-incident reviews.
  • When building threat-hunting programs and creating hypotheses tied to telemetry sources.

Best practices

  • Automate repetitive Tier 1 tasks with SOAR and enrich alerts with threat intel to reduce fatigue.
  • Prioritize log sources (auth, network, endpoints, cloud, apps) and ensure complete ingest and retention.
  • Define clear severity levels and SLA targets (e.g., critical detection <1 hour, response <4 hours).
  • Preserve forensic evidence before remediation and document chain-of-custody for legal needs.
  • Run quarterly rule tuning and annual tabletop or red-team exercises to validate procedures.

Example use cases

  • Triage workflow for a suspected credential compromise: validation, scoping, contain, and escalate.
  • Implementing SIEM correlation rules for brute force, privilege escalation, lateral movement, and data exfiltration.
  • Ransomware playbook execution: isolate, assess encrypted systems, rebuild from gold image, and improve backups.
  • Threat hunt for beaconing activity using connection-interval analysis and UEBA baselines.
  • Post-incident review template creation with timelines, lessons learned, and tracked remediation items.

FAQ

Start with authentication logs (AD/SSO/VPN), endpoint telemetry (EDR), network devices (firewall/proxy/DNS), cloud audit logs, and critical application logs.

How should incidents be classified and escalated?

Use severity tiers: Critical (<15 min response, CISO/legal), High (<1 hour, T3/management), Medium (<4 hours, T2), Low (<24 hours, T1) and escalate based on impact and active data exfiltration.

When should evidence be collected versus systems isolated?

Preserve volatile evidence (memory dumps) before reboot or remediation. Perform short-term containment (isolate host) immediately, then collect full disk images and metadata under forensic controls.

Built by
VeilStrat
AI signals for GTM teams
© 2026 VeilStrat. All rights reserved.All systems operational
security-operations skill by williamzujkowski/standards | VeilStrat