ClaudeWave

Log Analysis & SIEM Integration

Security log parsing, anomaly detection, SIEM query building, Sigma rule creation, and correlation rule development across Splunk, Elastic, QRadar, and Microsoft Sentinel

Install in Claude Code:

```bash
git clone --depth 1 https://github.com/Masriyan/Claude-Code-CyberSecurity-Skill /tmp/log-analysis-siem-integration && cp -r /tmp/log-analysis-siem-integration/skills/12-log-analysis ~/.claude/skills/log-analysis-siem-integration
```
Then start a new Claude Code session; the skill loads automatically.

SKILL.md

# Log Analysis & SIEM Integration

## Purpose

Enable Claude to assist with security log analysis across all major platforms. Claude directly parses and analyzes log samples provided by the user, builds SIEM queries for any platform, creates Sigma rules for portable detection, develops correlation rules, and identifies anomalous patterns in log data.

---

## Activation Triggers

This skill activates when the user asks about:
- Parsing Windows Event Logs, Linux syslog, or application logs
- Building Splunk SPL, Elastic KQL/EQL, QRadar AQL, or Sentinel KQL queries
- Creating Sigma rules for platform-agnostic detection
- Detecting anomalies or attack patterns in log data
- Building SIEM correlation rules for complex attack scenarios
- Converting queries between SIEM platforms
- Log source health monitoring and gap analysis
- Detecting lateral movement, privilege escalation, or persistence in logs
- EVTX analysis or Windows audit log review

---

## Prerequisites

```bash
pip install pandas pyyaml python-dateutil
```

**Platform tools:**
- `Splunk` — Splunk Web, SPL, and SOAR
- `Elastic Stack` — Kibana, KQL, EQL
- `Microsoft Sentinel` — KQL, Workbooks
- `IBM QRadar` — AQL, Rules
- `Sigma` — Platform-agnostic rule format
- `python-evtx` — Parse Windows .evtx files without Windows

---

## Core Capabilities

### 1. Log Parsing & Analysis

**When the user pastes logs or provides log files:**

Claude directly reads and analyzes logs to extract security-relevant events.

**Windows Event Log — Critical Event IDs:**

| Event ID | Log | Description |
|----------|-----|-------------|
| 4624 | Security | Successful logon — Logon Type 3 (network) is interesting |
| 4625 | Security | Failed logon — track source IP for brute force |
| 4648 | Security | Logon with explicit credentials (RunAs) |
| 4688 | Security | New process created — needs CommandLine auditing enabled |
| 4698 | Security | Scheduled task created |
| 4702 | Security | Scheduled task updated |
| 4720 | Security | User account created |
| 4728/4732 | Security | Member added to security/local group |
| 4768/4769 | Security | Kerberos TGT/TGS requested |
| 4776 | Security | NTLM authentication |
| 4946 | Security | Windows Firewall rule added |
| 5140 | Security | Network share accessed |
| 5145 | Security | Network share file access |
| 7045 | System | New service installed |
| 1102 | Security | Audit log cleared |
| 4103/4104 | PowerShell | PowerShell module/script block logging |

**Linux Log Analysis — Key Patterns:**
```bash
# Failed SSH logins, counted by source IP. The IP is the field after "from";
# fixed awk column numbers break because "invalid user" shifts the fields.
grep "Failed password" /var/log/auth.log | awk '{for (i=1; i<=NF; i++) if ($i=="from") print $(i+1)}' | sort | uniq -c | sort -rn

# Successful logins after failures (brute force success)
grep "Accepted password\|Accepted publickey" /var/log/auth.log

# Sudo usage
grep "sudo:" /var/log/auth.log | grep -v "session"

# Cron job execution
grep CRON /var/log/syslog

# New user creation
grep "useradd\|usermod" /var/log/auth.log

# Privilege escalation
grep "su\b" /var/log/auth.log
```
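The same patterns as a small Python parser, added here as an example that is not the project's own `scripts/log_parser.py`. It uses a regex rather than positional fields, because the `invalid user` prefix in sshd failures shifts the column that holds the source IP, and it implements the "successful login after failures" check the comment above describes. The log lines are constructed for the example; the threshold is an assumed value.

```python
import re
from collections import defaultdict

# Matches both sshd forms: "... for invalid user admin from 1.2.3.4 ..." and
# "... for root from 1.2.3.4 ...". The optional "invalid user " group is what
# makes positional awk fields unreliable for this log.
AUTH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed password|Accepted password|Accepted publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Constructed sample auth.log lines (not real log data).
SAMPLE_AUTH_LOG = """\
Mar 10 09:01:01 bastion sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar 10 09:01:04 bastion sshd[2103]: Failed password for root from 203.0.113.7 port 51030 ssh2
Mar 10 09:01:07 bastion sshd[2105]: Failed password for root from 203.0.113.7 port 51041 ssh2
Mar 10 09:01:09 bastion sshd[2107]: Failed password for invalid user test from 203.0.113.7 port 51055 ssh2
Mar 10 09:01:15 bastion sshd[2109]: Accepted password for deploy from 203.0.113.7 port 51060 ssh2
Mar 10 09:02:00 bastion sshd[2111]: Accepted publickey for alice from 198.51.100.5 port 40010 ssh2
Mar 10 09:02:30 bastion sshd[2113]: Failed password for bob from 198.51.100.9 port 40100 ssh2
Mar 10 09:03:00 bastion sshd[2115]: pam_unix(sshd:session): session opened for user alice by (uid=0)
"""


def parse_auth_log(text):
    """Return one dict per sshd login attempt; lines that are not attempts are skipped."""
    events = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["success"] = ev["result"].startswith("Accepted")
        events.append(ev)
    return events


def failed_logins_by_ip(events):
    """Equivalent of the grep | sort | uniq -c pipeline, keyed on source IP."""
    counts = defaultdict(int)
    for ev in events:
        if not ev["success"]:
            counts[ev["ip"]] += 1
    return dict(counts)


def successes_after_failures(events, threshold=3):
    """Flag accepted logins whose source IP had >= threshold failures earlier in the log.

    Events are walked in file order, so only failures that precede the success count;
    a burst of failures after a legitimate login does not retroactively flag it.
    The threshold is an assumed value for the example.
    """
    failures_so_far = defaultdict(int)
    hits = []
    for ev in events:
        if ev["success"]:
            if failures_so_far[ev["ip"]] >= threshold:
                hits.append({"ts": ev["ts"], "user": ev["user"], "ip": ev["ip"],
                             "prior_failures": failures_so_far[ev["ip"]]})
        else:
            failures_so_far[ev["ip"]] += 1
    return hits


if __name__ == "__main__":
    evs = parse_auth_log(SAMPLE_AUTH_LOG)
    print(failed_logins_by_ip(evs))
    for h in successes_after_failures(evs):
        print(f"ALERT {h['ts']}: {h['user']}@{h['ip']} accepted after {h['prior_failures']} failures")
```

On the sample above the parser yields seven attempts, four failures from 203.0.113.7, and one alert: the `deploy` login from that address after four failures. The `pam_unix` session line is ignored rather than mis-parsed.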

**Log parsing script:**
```bash
python scripts/log_parser.py --input /var/log/auth.log --format json --output parsed.json
python scripts/log_parser.py --input events.evtx --normalize ecs --output normalized.json
```

### 2. SIEM Query Library

**When the user asks to build detection queries:**

#### Splunk SPL — Attack Pattern Queries

```spl
// Brute force attack detection
index=windows EventCode=4625
| bin _time span=5m
| stats count as FailedLogins, values(Account_Name) as Accounts by src_ip, _time
| where FailedLogins > 20
| sort -FailedLogins

// Pass-the-Hash detection (Logon Type 3 with NTLM)
// `where` does not expand wildcards, so the machine-account filter uses like()
index=windows EventCode=4624 Logon_Type=3 Authentication_Package=NTLM
| where NOT (Account_Name="ANONYMOUS LOGON" OR like(Account_Name, "%$"))
| stats count by Account_Name, Workstation_Name, src_ip
| where count > 1

// Lateral movement via PsExec / admin shares
index=windows EventCode=5145
| search (ShareName="\\\\*\\ADMIN$" OR ShareName="\\\\*\\C$")
    RelativeTargetName="*PSEXESVC*"
| table _time, SubjectUserName, IpAddress, ShareName

// PowerShell encoded command execution
// 4104 carries ScriptBlockText and 4688 carries CommandLine; coalesce so both branches are matched
index=windows (source="WinEventLog:Microsoft-Windows-PowerShell/Operational" EventCode=4104)
    OR (EventCode=4688 CommandLine="*powershell*")
| eval cmd=coalesce(CommandLine, ScriptBlockText)
| search cmd IN ("*-EncodedCommand*", "*-enc *", "*-e *", "*-nop*",
                 "*DownloadString*", "*IEX*", "*Invoke-Expression*")
| table _time, ComputerName, User, cmd

// Scheduled task creation for persistence
index=windows EventCode=4698
| rex field=TaskContent "<Command>(?P<command>[^<]+)</Command>"
| where NOT match(command, "(?i)\\\\windows\\\\|\\\\microsoft\\\\|\\\\system32\\\\")
| table _time, ComputerName, SubjectUserName, TaskName, command

// LSASS memory access (credential dumping)
index=sysmon EventCode=10 TargetImage="*lsass.exe"
| search NOT SourceImage IN ("C:\\Windows\\System32\\*", "C:\\Windows\\SysWOW64\\*",
    "C:\\Program Files\\*", "C:\\Program Files (x86)\\*")
| table _time, SourceImage, GrantedAccess, CallTrace

// DCSync detection
index=windows EventCode=4662
    (ObjectType="*domainDNS*" OR ObjectType="*19195a5b-6da0-11d0-afd3-00c04fd930c9*")
    (Properties="*Replicating Directory Changes All*" OR Properties="*1131f6ad*")
| where NOT like(SubjectUserName, "%$")
| table _time, SubjectUserName, SubjectDomainName, Properties

// Kerberoasting detection: one account requesting RC4 (0x17) service tickets for many SPNs
index=windows EventCode=4769 Ticket_Encryption_Type=0x17
| search NOT (Account_Name="*$" OR Service_Name IN ("krbtgt", "kadmin/changepw"))
| stats dc(Service_Name) as Services, values(Service_Name) as ServiceNames by Account_Name, Client_Address
| where Services > 3
```
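To make the bucketing and filtering logic of two of these queries checkable offline, here is an added Python re-implementation of the brute-force and Kerberoasting detections (my example, not part of the skill or its scripts). It reproduces Splunk's `bin _time span=5m` as a floor to the bucket start, counts 4625 events per source and bucket, and for 4769 counts distinct service names per requesting account, since one RC4 ticket request per SPN is the pattern being looked for. The events, thresholds and field names follow the SPL above but are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def _ev(ts, code, **fields):
    """Build one constructed Windows Security event (not captured data)."""
    d = {"_time": datetime.fromisoformat(ts), "EventCode": code}
    d.update(fields)
    return d


SAMPLE_EVENTS = (
    # 25 failed logons from one source, all inside the 10:00-10:05 bucket
    [_ev(f"2024-03-10T10:0{i // 10}:{(i % 10) * 5:02d}", 4625,
         src_ip="203.0.113.7", Account_Name=f"user{i % 3}") for i in range(25)]
    # a single failure from elsewhere, below any threshold
    + [_ev("2024-03-10T10:01:00", 4625, src_ip="198.51.100.5", Account_Name="alice")]
    # one user account requesting RC4 service tickets for five different SPNs
    + [_ev("2024-03-10T11:00:00", 4769, Account_Name="bob@CORP", Client_Address="10.0.0.5",
           Service_Name=f"svc{i}", Ticket_Encryption_Type="0x17") for i in range(5)]
    # a machine account doing the same, which the query excludes
    + [_ev("2024-03-10T11:00:00", 4769, Account_Name="WS01$@CORP", Client_Address="10.0.0.6",
           Service_Name=f"svc{i}", Ticket_Encryption_Type="0x17") for i in range(5)]
    # krbtgt requests are excluded too
    + [_ev("2024-03-10T11:00:00", 4769, Account_Name="bob@CORP", Client_Address="10.0.0.5",
           Service_Name="krbtgt", Ticket_Encryption_Type="0x17")]
)


def bin_time(ts, span):
    """Floor a datetime to the start of its span-sized bucket, like Splunk's `bin _time span=5m`."""
    epoch = datetime(1970, 1, 1)
    return ts - ((ts - epoch) % span)


def brute_force_by_source(events, span=timedelta(minutes=5), threshold=20):
    """Count 4625 events per (src_ip, bucket) and return the buckets over the threshold."""
    counts = defaultdict(int)
    accounts = defaultdict(set)
    for ev in events:
        if ev["EventCode"] != 4625:
            continue
        key = (ev["src_ip"], bin_time(ev["_time"], span))
        counts[key] += 1
        accounts[key].add(ev["Account_Name"])
    rows = [{"src_ip": ip, "bucket": b, "FailedLogins": n, "Accounts": sorted(accounts[(ip, b)])}
            for (ip, b), n in counts.items() if n > threshold]
    return sorted(rows, key=lambda r: -r["FailedLogins"])  # `sort -FailedLogins`


def kerberoast_candidates(events, threshold=3):
    """Distinct SPNs requested with RC4 per (account, client), skipping machine accounts and krbtgt/kadmin."""
    services = defaultdict(set)
    for ev in events:
        if ev["EventCode"] != 4769 or ev.get("Ticket_Encryption_Type") != "0x17":
            continue
        user = ev["Account_Name"].split("@")[0]
        if user.endswith("$") or ev["Service_Name"] in ("krbtgt", "kadmin/changepw"):
            continue
        services[(ev["Account_Name"], ev["Client_Address"])].add(ev["Service_Name"])
    return {key: len(spns) for key, spns in services.items() if len(spns) > threshold}


if __name__ == "__main__":
    for row in brute_force_by_source(SAMPLE_EVENTS):
        print(f"brute force: {row['src_ip']} {row['FailedLogins']} failures in bucket {row['bucket']}")
    for (account, client), n in kerberoast_candidates(SAMPLE_EVENTS).items():
        print(f"kerberoast candidate: {account} from {client} requested {n} SPNs with RC4")
```

Running it flags 203.0.113.7 with 25 failures in the 10:00 bucket and `bob@CORP` with five distinct SPNs; the machine account and the krbtgt request fall out at the filter, matching the exclusions in the SPL.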

#### Microsoft Sentinel KQL — Queries

```kql
// Impossible Travel (logins from geographically impossible locations)
let TimeDelta = 2h;
SigninLogs
| where ResultType == "0"  // Successful logins only (ResultType is a string column)
| where TimeGenerated > ago(7d)
| project UserPrincipalName, Location, TimeGenerated, IPAddress
| sort by UserPrincipalName asc, TimeGenerated asc
| serialize
| extend PreviousLogin = prev(TimeGenerated),