siem-alert-investigation.md | Investigate a SIEM alert end-to-end: understand rule logic, correlate events, classify TP/FP, and document findings |
triage-procedures.md | Perform initial triage — the first questions to ask, checklist-driven assessment, and escalation criteria |
malware-analysis.md | Analyze suspicious files or processes: static/dynamic analysis, sandbox interpretation, and malware family identification |
phishing-investigation.md | Investigate phishing emails: header analysis, URL/attachment analysis, and response procedures |
brute-force-attacks.md | Investigate brute force or credential-stuffing alerts: detection patterns, log correlation, and response |
web-attacks.md | Investigate web application attacks: SQLi, XSS, path traversal, authentication bypass, and WAF log analysis |
network-traffic-analysis.md | Analyze network traffic for C2 beaconing, DNS tunneling, data exfiltration, or lateral movement |
log-analysis.md | Parse and analyze specific log types: netflow, firewall, proxy, DNS, and authentication logs |
threat-intelligence.md | Enrich IOCs with threat intelligence: reputation lookups, CTI frameworks (MITRE ATT&CK, Diamond Model), and feed integration |
security-solutions.md | Understand security tool outputs: IDS/IPS, EDR, SIEM, DLP, and firewall alert formats and field mappings |