Listen to this Post

Introduction:
Security Operations Centers (SOCs) are drowning in alerts. The average analyst spends more time triaging false positives and manually correlating logs than actually hunting threats. Enter the Defensive SOC Skills suite – a set of three open-source, MIT-licensed Claude Code skills that transform security workflows into a streamlined pipeline: investigate → detect → respond. Built by the community for blue teams, this free, stdlib-only (no dependencies) toolchain ingests raw logs, generates NIST-aligned incident reports, converts attacker behavior into Sigma/SPL/KQL detections mapped to MITRE ATT&CK, and auto-enriches IOCs to block threats on Firewalls, WAFs, and CrowdStrike – all with dry-run, allowlists, and rollback built in.
Learning Objectives:
- Build complete incident response reports and executive summaries from raw log data following NIST SP 800-61 and SANS PICERL frameworks.
- Author Sigma detection rules and automatically convert them into SIEM queries (SPL, KQL, EQL, QRadar, Wazuh) with MITRE ATT&CK mappings.
- Construct SOAR playbooks that safely automate blocking actions across Firewall/WAF/IPS/DLP APIs with threat intelligence enrichment and built-in rollback capabilities.
You Should Know:
- The Investigative Core: IR-Report-Builder – From Log Chaos to Executive Clarity
The `ir-report-builder` skill is designed to transform a mountain of disparate logs into a structured, actionable incident response report. It ingests syslog (RFC3164/5424), JSON, CSV, CEF, access logs, FortiGate KV, and AWS CloudTrail, normalizing them into a single, timezone-aligned timeline.
Step‑by‑Step Guide:
- Intake & Scope: Confirm the incident type, affected assets, detection time, available data sources, and authorization.
- Normalize Evidence: Run the `log_timeline.py` script to parse all logs into a unified format. The script records a SHA-256 hash of each source file to maintain chain of custody.
Example usage within the skill context: python ir-report-builder/scripts/log_timeline.py --input /path/to/logs/ --output timeline.json
- Reconstruct Timeline: The skill orders events and automatically flags initial access, lateral movement, privilege escalation, impact, and last observed activity.
- Analyze: Extract IOCs, map each step to an ATT&CK technique, determine root cause, and assess the blast radius.
- Build IR Plan: Generate concrete Containment, Eradication, and Recovery actions with assigned owners and priorities, distinguishing between actions already taken and those recommended.
- Write Two Deliverables: The skill produces a dense, evidence-cited technical report and a one-page executive summary that leads with business impact.
- Quality Gate: Every claim in the report must cite an evidence line. Inferences are labeled with confidence levels, and visibility gaps are explicitly listed.
– Handoff: IOCs and techniques are passed to the `siem-detection-engineer` skill.
- The Detection Engine: SIEM-Detection-Engineer – From Hypothesis to Production Rules
The `siem-detection-engineer` skill bridges the gap between incident analysis and proactive detection. It uses Sigma as the source of truth, authoring rules that are then automatically converted into platform-specific queries.
Step‑by‑Step Guide:
- Understand the Data: Align the log source and its fields to the target SIEM schema using
resources/log-source-mapping.md. This step is critical – the skill’s documentation notes that field misalignment is the 1 cause of dead rules. - Form the Hypothesis: Define what you want to detect (e.g., “detect adversary behavior by observing specific events in a particular log source”), tying it to an ATT&CK technique ID.
- Author the Sigma Rule: Write the Sigma rule with precise selection/filter logic and an honest `falsepositives` section.
- Convert: Run the `sigma_to_queries.py` script to produce a first-pass conversion to SPL (Splunk), KQL (Microsoft Sentinel), EQL (Elastic), QRadar, or Wazuh queries for hand-review.
Convert a Sigma rule to multiple SIEM query formats python siem-detection-engineer/scripts/sigma_to_queries.py --rule detection_rule.yml --output ./queries/
- Rate & Tune: Assign severity and an expected false-positive rate. Define allowlists, thresholds, and aggregation windows to reduce noise.
- Test: Provide a positive test event (should fire) and a negative test event (should not fire) to validate the rule.
- Document for Handoff: The skill compiles a complete rule package containing the Sigma rule, converted queries, ATT&CK mapping, false-positive notes, test cases, and a deploy/rollback note.
– Handoff: Detections worth auto-responding are passed to the `soar-playbook-builder` skill.
- The Response Arm: SOAR-Playbook-Builder – Safe, Automated Blocking
The `soar-playbook-builder` skill is built on a safety-first principle: enrich before acting, gate the blast radius, and keep everything reversible.
Step‑by‑Step Guide:
- Define the Trigger: Identify the detection/alert that initiates the playbook and the associated indicators.
- Enrich: The `enrich_ioc.py` script queries multiple threat intelligence sources – VirusTotal, AbuseIPDB, OTX, and Group-IB – to compute an aggregate risk score and confidence level.
Enrich an IP address or domain python soar-playbook-builder/scripts/enrich_ioc.py --ioc 192.168.1.100 --sources vt,abuseipdb,otx
- Decide: Apply explicit, ordered rules. For example: malicious + high confidence → block; suspicious → escalate to a ticket; benign → close as false positive.
- Respond: The `respond_block.py` script calls the device API (Cloudflare, Palo Alto, FortiGate, CrowdStrike). Crucially, it operates with a dry-run by default, includes a TTL/expiry for temporary blocks, and generates a rollback action.
Dry-run a block action (default behavior) python soar-playbook-builder/scripts/respond_block.py --ip 192.168.1.100 --device paloalto --action block Actually commit the block (requires explicit flag) python soar-playbook-builder/scripts/respond_block.py --ip 192.168.1.100 --device paloalto --action block --commit
- Guardrails: The skill enforces multiple safety layers: a never-block allowlist, a max-actions circuit breaker, an approval gate for production environments, and full audit logging.
- Emit the Playbook: The skill produces a vendor-1eutral `playbook-template.yml` file that defines the complete workflow: trigger → enrich → decision → actions → guardrails → rollback.
- Test Plan: Provide a dry-run walkthrough showing the exact API calls that would fire, allowing for thorough review before enabling automation.
– Handoff: Actions taken are fed back into the `ir-report-builder` skill to update the incident record.
- Installation & Activation – Getting Started in Minutes
Deploying the Defensive SOC Skills suite is straightforward and requires no dependency installation.
Clone the repository git clone https://github.com/arttapon1/defensive-soc-skills.git cd defensive-soc-skills Run the installer (copies skills to ~/.claude/skills/) ./install.sh Or manually copy the skills cp -R skills/ ~/.claude/skills/
Once installed, start a new Claude Code session. The skill activates automatically when you describe the task – for example:
– “Analyze these logs and write an IR report”
– “Write a detection rule for this incident”
– “Build a playbook to block this IP on the firewall”
5. Authorization & Safety – Rules of Engagement
The entire suite is explicitly designed for authorized defensive use only – systems you own or are engaged to protect. Key safety principles include:
– Preserve evidence integrity; always work on copies of logs.
– The SOAR response scripts are dry-run by default.
– A never-block allowlist is enforced.
– Critical Warning: Automation that blocks production traffic can cause outages – review thoroughly before flipping the `–commit` flag.
What Undercode Say:
- Key Takeaway 1: This suite democratizes advanced SOC capabilities. By eliminating dependencies and providing a clear pipeline, it empowers teams of all sizes to implement NIST-aligned IR, Sigma-based detection engineering, and safe SOAR automation without costly proprietary tools.
- Key Takeaway 2: The built-in safety mechanisms – dry-run defaults, allowlists, rollback, and audit logging – address the primary concern with automation: losing control. The design philosophy of “enrich before acting, gate the blast radius” is a model for responsible SOAR implementation.
Analysis: The release of these skills represents a significant shift in the accessibility of AI-driven security operations. By embedding expertise (NIST frameworks, Sigma conversion logic, threat intel enrichment) directly into an AI agent’s toolkit, the barrier to entry for effective SOC automation is dramatically lowered. The choice to use Sigma as the source of truth for detection rules is particularly strategic – it ensures vendor-agnostic portability, allowing organizations to avoid lock-in while maintaining a single source of detection logic. The `stdlib-only` design choice ensures the skills remain lightweight and deployable in air-gapped or restricted environments where `pip install` is not an option. However, the reliance on Claude Code as the execution environment means organizations must have access to and trust in the underlying AI model, and the quality of output will still depend on the clarity of the user’s prompts and the quality of the input data.
Prediction:
- +1 Expect widespread community adoption and rapid evolution of these skills. As more blue teams contribute playbooks, detection rules, and log parsers, the repository will likely become a de facto standard for AI-assisted SOC workflows, similar to how Sigma became the standard for detection rule sharing.
- +1 Commercial SIEM and SOAR vendors will likely integrate similar AI agent capabilities within 12-18 months, but this open-source project will remain the most agile and customizable option, particularly for organizations that prefer to keep their automation logic in-house.
- -1 The primary risk is over-reliance without proper validation. If analysts blindly trust the AI-generated reports, detection rules, or playbooks without human review, organizations could introduce insecure configurations, false expectations, or even operational outages. The skills’ emphasis on dry-runs, quality gates, and evidence citation is necessary, but the human-in-the-loop requirement remains paramount.
- -1 The skills’ effectiveness is directly tied to the quality and structure of the input logs. Organizations with messy, unstructured, or incomplete logging will see diminished results, and the skills themselves cannot fix fundamental data hygiene issues – they can only work with what they are given. This may lead to frustration if teams expect magic from garbage data.
▶️ Related Video (70% Match):
🎯Let’s Practice For Free:
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands
IT/Security Reporter URL:
Reported By: Arttapon Boonchoo – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


