Skip to main content
Ejecuta cualquier Skill en Manus
con un clic
scanner-inc
Perfil de creador de GitHub

scanner-inc

Vista por repositorio de 11 skills recopiladas en 1 repositorios de GitHub.

skills recopiladas
11
repositorios
1
actualizado
2026-06-11
mapa de repositorios

Dónde viven las skills

Repositorios principales por número de skills recopiladas, con su participación en este catálogo del creador y su variedad ocupacional.

explorador de repositorios

Repositorios y skills representativas

posture-report
Analistas de seguridad de la información

Produce a daily Scanner posture report for the analyst's terminal — covers environment, log volume, alert activity (split into actionable / correlation / uncategorized buckets), coverage gaps, and 2-5 specific recommended next moves. Use when the user types `/posture-report`, asks for the "posture report", "daily report", "Scanner digest", "coverage report", "health report", or any variant of "what's our detection coverage looking like". Requires Scanner MCP configured plus SCANNER_API_URL / SCANNER_API_KEY / SCANNER_TENANT_ID env vars for the Detection Rules REST API.

2026-06-11
recommend-detections
Analistas de seguridad de la información

Produce a prioritised list of concrete, copy-paste-ready detection-engineering recommendations for the user's Scanner tenant — new rules to write, existing rules to tune, correlations to add, and Scanner OOB packs worth enabling. Consumes posture-report output as one input, walks every YAML in `SCANNER_DETECTIONS_DIR` AND pulls the tenant's full rule inventory via the Detection Rule API (catches UI-created rules too), queries `_detections` over 30 days to find noise / co-firing entities, and surfaces installable OOB packs from a hardcoded list of `scanner-inc/detection-rules-<source-type>` repos (no local clone needed). Each recommendation ends with the exact `/write-detection`, `/tune-detection`, or `/write-correlation` invocation needed to act on it. Read-only — writes nothing. Use when the user types `/recommend-detections`, asks "what detections should I add?", "where are my detection gaps?", "what should I be alerting on?", or "give me detection engineering ideas for this tenant". Does NOT walk foreign-S

2026-06-11
tune-detection
Analistas de seguridad de la información

Investigate a noisy Scanner detection rule against real `_detections` data, classify recent firings as false-positive vs true-positive vs unknown, and produce a concrete tuning patch — extra filter clauses, post-aggregation thresholds, dedup windows, or severity downgrades — along with regression tests seeded from the FP events. Validates the tuned rule with `scanner-cli validate` + `run-tests` and backtests the new firing rate. For out-of-the-box rules (which can't be edited in place), recommends the fork-and-disable workflow: clone the OOB YAML into the user's private repo, tune it there, and disable the original in the Scanner UI. Use when the user types `/tune-detection <rule-id-or-name>`, says "this rule is noisy", "reduce false positives on…", or "tune <name>". Requires Scanner MCP, `SCANNER_API_URL` + `SCANNER_API_KEY` for `scanner-cli`, and `SCANNER_DETECTIONS_DIR` (comma-separated paths to local rule repos).

2026-06-11
write-detection
Analistas de seguridad de la información

Author a new Scanner detection rule (YAML) from a natural-language description of the behaviour you want to catch. Discovers the relevant log-source schema via Scanner MCP, samples real production data to sanity-check the filter, drafts the rule with the proper YAML schema header, writes 2-4 inline unit tests seeded from real events, validates with `scanner-cli validate` + `run-tests`, backtests the full query against historical logs (needle-in-haystack regime can scan months of data), and hands off via the Scanner GitHub-app sync flow. Always writes rules in `Staging` state for first push. Use when the user types `/write-detection`, asks Claude to "write a detection rule for X", "create a Scanner rule that fires when…", or pastes an attacker behaviour and wants to detect it. Requires Scanner MCP configured, `SCANNER_API_URL` + `SCANNER_API_KEY` for `scanner-cli`, and optionally `SCANNER_DETECTIONS_DIR` (comma-separated paths to local rules repos).

2026-06-11
write-vrl
Desarrolladores de software

Author and test a VRL (Vector Remap Language) program for a Scanner transformation step. Takes sample raw logs (a file in JSON / JSONL / CSV / Parquet / plaintext, or an inline event) plus an objective — normalize to ECS, drop noisy events during ingestion, fan one event into many, parse an embedded string, enrich with derived fields — and produces a VRL program that the user can paste directly into the Scanner UI. Drafts the program, runs it against the sample with `vector vrl`, compares output to the objective, and iterates. Use when the user types `/write-vrl`, asks Claude to "write a VRL program", "make a Scanner transformation", "normalize this log to ECS", "drop these events during ingestion", or pastes/points to a raw log and says they want it transformed.

2026-06-11
investigate
Analistas de seguridad de la información

Answer a free-form security or detection-engineering question against the user's Scanner tenant using a summarize → plan → execute workflow — restate the question, draft a 3-6 bullet investigation plan grounded in the actual environment schema, then run that plan with Scanner MCP and return a structured finding. Use when the user types `/investigate [question]`, asks an open-ended security question that needs Scanner data ("did anyone exec from a public S3 bucket today?", "are there any failed Okta logins from new countries?", "which rules cover MITRE T1078?"), or asks Claude to "investigate", "look into", or "check on" something in the logs. Requires Scanner MCP configured.

2026-05-20
lookup-ioc
Analistas de seguridad de la información

Look up an external indicator of compromise (IP, domain, URL, file hash, or CVE) across abuse.ch ThreatFox, AlienVault OTX, and (for IPv4) Feodo Tracker, and return a single merged threat-intel report. Use when a SOC analyst types `/lookup-ioc [indicator]`, when another skill (triage-alert, threat-hunt, investigate) needs to enrich an indicator surfaced during investigation, or when the user asks any free-form variation of "is this IP/domain/hash bad?", "do we have threat intel on X?", or "check this IOC". Requires ABUSECH_AUTH_KEY and OTX_API_KEY in the environment; degrades gracefully if either is missing.

2026-05-20
report-as-html
Desarrolladores web

Render a Scanner-style report (terminal markdown + structured data the calling skill already gathered) as a polished, self-contained HTML file ready to open in the browser. Two templates ship — `light-mode` (cream + teal, default for shareable PDFs / printable reports / tickets) and `dark-mode` (Scanner's actual dark-first theme with Inter + Sometype Mono, matches the Scanner app aesthetic). **Not a stand-alone analysis skill — does not generate findings.** Use only as a follow-up step after another skill (`/posture-report`, `/recommend-detections`, `/triage-alert`, `/threat-hunt`, `/investigate`, `/lookup-ioc`) has produced a finished terminal report and the user has answered "yes, render an HTML version." Reads `templates/light-mode.html` or `templates/dark-mode.html` for the skeleton and `references/style-guide.md` + `references/components.md` for the component vocabulary, writes a single self-contained HTML file under `/tmp/`, and (if the user separately says yes) opens it via `open`. Use when the user ty

2026-05-20
Mostrando las 8 principales de 11 skills recopiladas en este repositorio.
Mostrando 1 de 1 repositorios
Todos los repositorios cargados