Leverages Splunk Enterprise Security and SPL (Search Processing Language) to investigate security incidents through log correlation, timeline reconstruction, and anomaly detection. Covers Windows event logs, firewall logs, proxy logs, and authentication data analysis. Activates for requests involving Splunk investigation, SPL queries, SIEM log analysis, security event correlation, or log-based incident investigation.
Works with
AI-first code editor with Composer
Before installing skills in Cursor, ensure your development environment meets these requirements:
node --versionanalyzing-security-logs-with-splunkExecute the skills CLI command in your project's root directory to begin installation:
Fetches analyzing-security-logs-with-splunk from mukul975/Anthropic-Cybersecurity-Skills and configures it for Cursor.
The CLI shows a list of agents. Use arrow keys and space to select Cursor:
Confirm successful installation by checking the skill directory location:
Restart Cursor to activate analyzing-security-logs-with-splunk. Access via /analyzing-security-logs-with-splunk in your agent's command palette.
We perform automated surface-level scans (Gen AI Scanner, Socket, Snyk) during installation. These checks detect common vulnerabilities but do not guarantee complete security. Always review skill source code and verify the publisher's reputation before production use.
Skills execute code in your environment. Always review source, verify the publisher, and test in isolation before production.
Submit your Claude Code skill and start earning
Automate repetitive workflows and reduce manual effort
Example
Generate reports, summarize documents, draft communications
Save 3-5 hours per week on routine tasks
Learn new skills, understand complex topics, get expert guidance
Example
Explain concepts, provide examples, suggest learning resources
Accelerate learning and skill development by 2x
Enhance output quality through reviews, suggestions, and refinements
Example
Review drafts, suggest improvements, catch errors
Improve work quality by 30-40% with less effort
0
total installs
0
this week
8.6K
GitHub stars
0
upvotes
Run in your terminal
0
installs
0
this week
8.6K
stars
| name | analyzing-security-logs-with-splunk |
| description | 'Leverages Splunk Enterprise Security and SPL (Search Processing Language) to investigate security incidents through log correlation, timeline reconstruction, and anomaly detection. Covers Windows event logs, firewall logs, proxy logs, and authentication data analysis. Activates for requests involving Splunk investigation, SPL queries, SIEM log analysis, security event correlation, or log-based incident investigation. ' |
| domain | cybersecurity |
| subdomain | incident-response |
| tags | - splunk - SPL - SIEM - log-analysis - security-monitoring |
| mitre_attack | - T1070 - T1562 - T1059 |
| version | 1.0.0 |
| author | mahipal |
| license | Apache-2.0 |
| atlas_techniques | - AML.T0070 - AML.T0066 - AML.T0082 |
| d3fend_techniques | - Executable Denylisting - Execution Isolation - File Metadata Consistency Validation - Content Format Conversion - File Content Analysis |
| nist_ai_rmf | - MEASURE-2.7 - MAP-5.1 - MANAGE-2.4 - MANAGE-3.1 - MEASURE-3.1 |
| nist_csf | - RS.MA-01 - RS.MA-02 - RS.AN-03 - RC.RP-01 |
Do not use for real-time packet-level analysis; use Wireshark or Zeek for full packet capture analysis.
search and accelerate_search capabilities in SplunkDefine search parameters based on incident triage data:
| Set initial investigation scope
index=windows OR index=firewall OR index=proxy
earliest="2025-11-14T00:00:00" latest="2025-11-16T00:00:00"
(host="WKSTN-042" OR src_ip="10.1.5.42" OR user="jsmith")
| stats count by index, sourcetype, host
| sort -count
This query establishes which log sources contain relevant data for the investigation timeframe and affected assets.
Investigate suspicious authentication patterns using Windows Security Event Logs:
| Detect brute force and credential stuffing
index=windows sourcetype="WinEventLog:Security" EventCode=4625
earliest=-24h
| stats count as failed_attempts, values(src_ip) as source_ips,
dc(src_ip) as unique_sources by TargetUserName
| where failed_attempts > 10
| sort -failed_attempts
| Detect pass-the-hash (Logon Type 9 - NewCredentials)
index=windows sourcetype="WinEventLog:Security" EventCode=4624
Logon_Type=9
| table _time, host, TargetUserName, src_ip, LogonProcessName
| Detect lateral movement via RDP
index=windows sourcetype="WinEventLog:Security" EventCode=4624
Logon_Type=10
| stats count, values(host) as targets by TargetUserName, src_ip
| where count > 3
| sort -count
Use Sysmon logs to reconstruct process execution chains:
| Process creation with parent chain (Sysmon Event ID 1)
index=sysmon EventCode=1 host="WKSTN-042"
earliest="2025-11-15T14:00:00" latest="2025-11-15T15:00:00"
| table _time, ParentImage, ParentCommandLine, Image, CommandLine, User, Hashes
| sort _time
| Detect suspicious PowerShell execution
index=sysmon EventCode=1 Image="*\\powershell.exe"
(CommandLine="*-enc*" OR CommandLine="*-encodedcommand*"
OR CommandLine="*downloadstring*" OR CommandLine="*iex*")
| table _time, host, User, ParentImage, CommandLine
| sort _time
| Detect LSASS credential dumping
index=sysmon EventCode=10 TargetImage="*\\lsass.exe"
GrantedAccess=0x1010
| table _time, host, SourceImage, SourceUser, GrantedAccess
Correlate network logs with endpoint events:
| Detect C2 beaconing pattern
index=proxy OR index=firewall dest_ip="185.220.101.42"
| timechart span=1m count by src_ip
| where count > 0
| Detect DNS tunneling (high query volume to single domain)
index=dns
| rex field=query "(?<subdomain>[^\.]+)\.(?<domain>[^\.]+\.[^\.]+)$"
| stats count, avg(len(query)) as avg_query_len by domain, src_ip
| where count > 500 AND avg_query_len > 40
| sort -count
| Detect large data transfers (potential exfiltration)
index=proxy action=allowed
| stats sum(bytes_out) as total_bytes by src_ip, dest_ip, dest_host
| eval total_MB=round(total_bytes/1024/1024,2)
| where total_MB > 100
| sort -total_MB
Reconstruct a unified timeline across all log sources:
| Unified incident timeline
index=windows OR index=sysmon OR index=proxy OR index=firewall
(host="WKSTN-042" OR src_ip="10.1.5.42" OR user="jsmith")
earliest="2025-11-15T14:00:00" latest="2025-11-15T16:00:00"
| eval event_summary=case(
sourcetype=="WinEventLog:Security" AND EventCode==4624, "Logon: ".TargetUserName." from ".src_ip,
sourcetype=="WinEventLog:Security" AND EventCode==4625, "Failed logon: ".TargetUserName,
sourcetype=="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" AND EventCode==1,
"Process: ".Image." by ".User,
sourcetype=="proxy", "Web: ".http_method." ".url,
1==1, sourcetype.": ".EventCode)
| table _time, sourcetype, host, event_summary
| sort _time
Convert investigation findings into persistent Splunk correlation searches:
| Correlation search: PowerShell spawned by Office applications
index=sysmon EventCode=1
Image="*\\powershell.exe"
(ParentImage="*\\winword.exe" OR ParentImage="*\\excel.exe"
OR ParentImage="*\\outlook.exe")
| eval severity="high"
| eval mitre_technique="T1059.001"
| collect index=notable_events
| Term | Definition |
|---|---|
| SPL (Search Processing Language) | Splunk's query language for searching, filtering, transforming, and visualizing machine data |
| CIM (Common Information Model) | Splunk's field normalization standard that maps vendor-specific field names to common names for cross-source queries |
| Notable Event | An event in Splunk Enterprise Security flagged for analyst review based on a correlation search match |
| Data Model | Structured representation of indexed data in Splunk enabling accelerated searches and pivot-based analysis |
| Sourcetype | Classification label in Splunk that defines the format and parsing rules for a specific log type |
| Correlation Search | Scheduled Splunk search that runs continuously and generates notable events when conditions are met |
| Timechart | SPL command that creates time-series visualizations for identifying patterns, anomalies, and trends |
Context: Security operations receives an alert for multiple successful logins to a single account from geographically dispersed IP addresses within a 30-minute window.
Approach:
Pitfalls:
SPLUNK INVESTIGATION REPORT
============================
Incident: INC-2025-1547
Analyst: [Name]
Investigation Period: 2025-11-14 00:00 UTC - 2025-11-16 00:00 UTC
SEARCH SCOPE
Indexes: windows, sysmon, proxy, firewall, dns
Hosts: WKSTN-042, SRV-FILE01
Users: jsmith, svc-backup
Source IPs: 10.1.5.42, 10.1.10.15
KEY FINDINGS
1. [timestamp] - Initial compromise via phishing (Sysmon Event 1)
2. [timestamp] - C2 established (proxy logs, beacon pattern detected)
3. [timestamp] - Credential theft (Sysmon Event 10, LSASS access)
4. [timestamp] - Lateral movement to SRV-FILE01 (Event 4624 Type 3)
5. [timestamp] - Data staging and exfiltration (proxy bytes_out anomaly)
SPL QUERIES USED
[numbered list of key queries with descriptions]
DETECTION GAPS IDENTIFIED
- No Sysmon deployed on SRV-FILE01 (blind spot)
- Proxy logs missing SSL inspection for C2 domain
- PowerShell ScriptBlock logging not enabled
RECOMMENDED DETECTIONS
1. Correlation search for Office-spawned PowerShell
2. Threshold alert for LSASS access patterns
3. Behavioral rule for beacon-interval network traffic
Prerequisites
Time Estimate
15-45 minutes depending on use case complexity
Steps
Common Pitfalls
✓ Do
✗ Don't
💡 Pro Tips
✓ Use when
Use when skill capabilities match your task, clear ROI on time saved, and you can validate outputs. Best for repetitive tasks, learning, and quality improvement.
✗ Avoid when
Avoid when task requires deep expertise you can't validate, involves sensitive decisions, or when learning process is more valuable than speed of completion.
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
Solid pick for teams standardizing on skills: analyzing-security-logs-with-splunk is focused, and the summary matches what you get after install.
I recommend analyzing-security-logs-with-splunk for anyone iterating fast on agent tooling; clear intent and a small, reviewable surface area.
Registry listing for analyzing-security-logs-with-splunk matched our evaluation — installs cleanly and behaves as described in the markdown.
Keeps context tight: analyzing-security-logs-with-splunk is the kind of skill you can hand to a new teammate without a long onboarding doc.
analyzing-security-logs-with-splunk is among the better-maintained entries we tried; worth keeping pinned for repeat workflows.
Registry listing for analyzing-security-logs-with-splunk matched our evaluation — installs cleanly and behaves as described in the markdown.
analyzing-security-logs-with-splunk reduced setup friction for our internal harness; good balance of opinion and flexibility.
Solid pick for teams standardizing on skills: analyzing-security-logs-with-splunk is focused, and the summary matches what you get after install.
I recommend analyzing-security-logs-with-splunk for anyone iterating fast on agent tooling; clear intent and a small, reviewable surface area.
We added analyzing-security-logs-with-splunk from the explainx registry; install was straightforward and the SKILL.md answered most questions upfront.
showing 1-10 of 43