
Threat Detection
Hunt for attacker activity proactively using hypotheses, IOC sweeps, anomaly scoring, and MITRE ATT&CK–mapped signal prioritization.
Install
npx skills add https://github.com/alirezarezvani/claude-skills --skill threat-detection

What is this skill?
- Hypothesis-driven threat hunting methodology distinct from incident response and red team skills
- IOC analysis and IOC sweep generation for environment-wide indicator checks
- Z-score behavioral anomaly detection on telemetry baselines
- MITRE ATT&CK–mapped threat signal analyzer for prioritization
- Deception and honeypot integration patterns plus documented anti-patterns
Adoption & trust: 546 installs on skills.sh; 17.5k GitHub stars; 2/3 security scanners passed (skills.sh audits).
Journey fit
Operate/monitoring is the canonical shelf because the skill targets ongoing telemetry, hunting, and detection rather than initial product build. Its subphase is continuous detection in live environments (logs, EDR, SIEM), not one-off penetration tests or incident-containment playbooks.
Common Questions / FAQ
Is Threat Detection safe to install?
skills.sh reports 2 of 3 security scanners passed. Review the Security Audits panel on this page before installing in production.
SKILL.md - Threat Detection
# Threat Detection

Threat detection skill for proactive discovery of attacker activity through hypothesis-driven hunting, IOC analysis, and behavioral anomaly detection. This is NOT incident response (see incident-response) or red team operations (see red-team) — this is about finding threats that have evaded automated controls.

---

## Table of Contents

- [Overview](#overview)
- [Threat Signal Analyzer](#threat-signal-analyzer)
- [Threat Hunting Methodology](#threat-hunting-methodology)
- [IOC Analysis](#ioc-analysis)
- [Anomaly Detection](#anomaly-detection)
- [MITRE ATT&CK Signal Prioritization](#mitre-attck-signal-prioritization)
- [Deception and Honeypot Integration](#deception-and-honeypot-integration)
- [Workflows](#workflows)
- [Anti-Patterns](#anti-patterns)
- [Cross-References](#cross-references)

---

## Overview

### What This Skill Does

This skill provides the methodology and tooling for **proactive threat detection** — finding attacker activity through structured hunting hypotheses, IOC analysis, and statistical anomaly detection before alerts fire.

### Distinction from Other Security Skills

| Skill | Focus | Approach |
|-------|-------|----------|
| **threat-detection** (this) | Finding hidden threats | Proactive — hunt before alerts |
| incident-response | Active incidents | Reactive — contain and investigate declared incidents |
| red-team | Offensive simulation | Offensive — test defenses from attacker perspective |
| cloud-security | Cloud misconfigurations | Posture — IAM, S3, network exposure |

### Prerequisites

Read access to SIEM/EDR telemetry, endpoint logs, and network flow data. IOC feeds require freshness within 30 days to avoid false positives. Hunting hypotheses must be scoped to the environment before execution.

---

## Threat Signal Analyzer

The `threat_signal_analyzer.py` tool supports three modes: `hunt` (hypothesis scoring), `ioc` (sweep generation), and `anomaly` (statistical detection).
```bash
# Hunt mode: score a hypothesis against MITRE ATT&CK coverage
python3 scripts/threat_signal_analyzer.py --mode hunt \
  --hypothesis "Lateral movement via PtH using compromised service account" \
  --actor-relevance 3 --control-gap 2 --data-availability 2 --json

# IOC mode: generate sweep targets from an IOC feed file
python3 scripts/threat_signal_analyzer.py --mode ioc \
  --ioc-file iocs.json --json

# Anomaly mode: detect statistical outliers in telemetry events
python3 scripts/threat_signal_analyzer.py --mode anomaly \
  --events-file telemetry.json \
  --baseline-mean 100 --baseline-std 25 --json

# List all supported MITRE ATT&CK techniques
python3 scripts/threat_signal_analyzer.py --list-techniques
```

### IOC file format

```json
{
  "ips": ["1.2.3.4", "5.6.7.8"],
  "domains": ["malicious.example.com"],
  "hashes": ["abc123def456..."]
}
```

### Telemetry events file format

```json
[
  {"timestamp": "2024-01-15T14:32:00Z", "entity": "host-01", "action": "dns_query", "volume": 450},
  {"timestamp": "2024-01-15T14:33:00Z", "entity": "host-02", "action": "dns_query", "volume": 95}
]
```

### Exit codes

| Code | Meaning |
|------|---------|
| 0 | No high-priority findings |
| 1 | Medium-priority signals detected |
| 2 | High-priority confirmed findings |

---

## Threat Hunting Methodology

Structured threat hunting follows a five-step loop: hypothesis → data source identification → query execution → finding triage → feedback to detection engineering.

### Hypothesis Scoring

| Factor | Weight | Description |
|--------|--------|-------------|
| Actor relevance | ×3 | How closely does this TTP match known threat actors in your sector? |
| Control gap | ×2 | How many of your existing controls
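As an added example (not the skill's own `threat_signal_analyzer.py`), the core of the anomaly mode: each event's `volume` is z-scored against the supplied baseline (mean 100, std 25, as in the usage above), given a severity, and the run is mapped onto the documented exit codes. The cut-offs of 2 and 3 standard deviations, the extra sample events, and the `baseline_from` helper are assumptions the page does not state.

```python
import json
import sys
from statistics import mean, pstdev

# Constructed telemetry sample in the events-file format shown above.
SAMPLE_EVENTS = json.loads("""[
  {"timestamp": "2024-01-15T14:32:00Z", "entity": "host-01", "action": "dns_query", "volume": 450},
  {"timestamp": "2024-01-15T14:33:00Z", "entity": "host-02", "action": "dns_query", "volume": 95},
  {"timestamp": "2024-01-15T14:34:00Z", "entity": "host-03", "action": "dns_query", "volume": 160},
  {"timestamp": "2024-01-15T14:35:00Z", "entity": "host-04", "action": "dns_query", "volume": 110}
]""")

# Assumed severity cut-offs (the page states none): |z| >= 3 high, |z| >= 2 medium.
HIGH_Z = 3.0
MEDIUM_Z = 2.0


def baseline_from(events):
    """Derive (mean, population std) from a window of known-good events.
    Caveat: an outlier left in the window inflates std and masks later ones."""
    volumes = [ev["volume"] for ev in events]
    if len(volumes) < 2:
        raise ValueError("need at least two events to build a baseline")
    return mean(volumes), pstdev(volumes)


def z_score(value, baseline_mean, baseline_std):
    """Standard score of one observation against the baseline."""
    if baseline_std <= 0:
        raise ValueError("baseline std must be positive")
    return (value - baseline_mean) / baseline_std


def score_events(events, baseline_mean, baseline_std):
    """Return a copy of each event with its z-score and severity attached."""
    scored = []
    for ev in events:
        z = z_score(ev["volume"], baseline_mean, baseline_std)
        severity = "high" if abs(z) >= HIGH_Z else "medium" if abs(z) >= MEDIUM_Z else "none"
        scored.append({**ev, "z": round(z, 2), "severity": severity})
    return scored


def exit_code(scored):
    """Map the worst severity seen onto the tool's exit codes: 0 / 1 / 2."""
    severities = {s["severity"] for s in scored}
    return 2 if "high" in severities else 1 if "medium" in severities else 0


if __name__ == "__main__":
    results = score_events(SAMPLE_EVENTS, baseline_mean=100, baseline_std=25)
    print(json.dumps(results, indent=2))
    sys.exit(exit_code(results))
```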