Stats
Actions
Tags
Help us improve
Share bugs, ideas, or general feedback.
From crowdstrike-source-threat-modeling
Threat-model-first detection planning for data sources without OOTB coverage. Analyzes what threats apply to a source type, validates against live log data, and produces a prioritized detection backlog with handoff docs for authoring skills. Use when onboarding a new data source, planning detection coverage for a source without OOTB templates, or assessing what threats a source can detect.
npx claudepluginhub willwebster5/agent-skills --plugin crowdstrike-source-threat-modelingHow this skill is triggered — by the user, by Claude, or both
Slash command
/crowdstrike-source-threat-modeling:source-threat-modelingThis skill is limited to the following tools:
The summary Claude sees in its skill listing — used to decide when to auto-load this skill
Turn a data source into detection coverage. This skill reasons about what threats are relevant to a source type, validates which are detectable in your actual log data, and produces a prioritized detection backlog. It does NOT write detections — it hands off to authoring skills (`behavioral-detections`, `cql-patterns`, `logscale-security-queries`) via handoff documents.
Build detection engineering capabilities including threat modeling, detection hypothesis development, and hypothesis testing.
Designs SIEM correlation rules, threshold alerts, and behavioral analytics mapped to MITRE ATT&CK across Splunk, Elastic, and Sentinel. Use when SOC teams need to expand detection coverage or formalize use case lifecycle management.
Autonomous threat hunting using the PEAK framework (Prepare → Execute → Act). Executes hypothesis-driven, intelligence-driven, and baseline hunts against CrowdStrike NG-SIEM. Produces hunt reports, detection backlogs, and visibility gap reports. Use when proactively hunting for threats, validating detection coverage, or responding to new threat intelligence.
Share bugs, ideas, or general feedback.
Turn a data source into detection coverage. This skill reasons about what threats are relevant to a source type, validates which are detectable in your actual log data, and produces a prioritized detection backlog. It does NOT write detections — it hands off to authoring skills (behavioral-detections, cql-patterns, logscale-security-queries) via handoff documents.
Orchestrator, not author. This skill decides what to detect. Existing skills decide how to write it.
This skill can be invoked directly or via a handoff document. If a handoff doc is provided, read it first and skip questions already answered.
Goal: Establish what source we're working with and how to query it.
Ask the user:
#Vendor="okta", #repo="some_repo", #event.module="some_module"* | groupBy([@repo, #Vendor, #event.module], limit=20)
Check for existing coverage:
resources/detections/ for any rules already targeting this sourceOutput: A CQL scope filter and source profile that constrains all subsequent work.
STOP — Confirm the scope filter and source profile with the user before proceeding to threat modeling.
Goal: Enumerate threats this source can observe, mapped to MITRE ATT&CK.
Work through three threat categories systematically:
What can an attacker do through the system this source monitors?
| Source Role | Example Threats |
|---|---|
| Identity provider | Credential stuffing, MFA bypass, session hijacking, account takeover |
| Network perimeter | C2 communication, lateral movement, data exfiltration, port scanning |
| Cloud infrastructure | Resource abuse, privilege escalation, config tampering, data access |
| Application | Injection, unauthorized access, data theft, API abuse |
| Endpoint | Malware execution, LOLBins, persistence mechanisms, credential dumping |
| Email/collaboration | Phishing, BEC, forwarding rules, delegation abuse |
What does it look like when the source system is the target?
What cross-system activity is visible through this source?
For each threat scenario, document:
| Field | Description |
|---|---|
| Threat scenario | Plain-language description of the attack |
| MITRE technique | ATT&CK technique ID (e.g., T1621) |
| MITRE tactic | ATT&CK tactic (e.g., Credential Access) |
| Expected event types | What log events would reveal this activity |
| Expected severity | Critical / High / Medium / Low |
Present the threat model to the user as a ranked table. Rank by severity and likelihood. Discuss and refine before proceeding to log validation.
STOP — Get user approval on the threat model before querying live data.
Goal: Confirm which threats from Phase 2 are actually detectable in the live data.
For each threat scenario, run exploratory CQL queries using mcp__crowdstrike__ngsiem_query:
Map what the source actually emits:
<scope_filter>
| groupBy([event.type, event.action, event.category], limit=50)
For each threat scenario from Phase 2:
a) Do the required event types exist?
<scope_filter> event.type="<expected_type>"
| count()
b) What's the volume? (informs threshold decisions)
<scope_filter> event.type="<expected_type>"
| bucket(span=1d)
| count()
c) What fields are available? (informs detection logic)
<scope_filter> event.type="<expected_type>"
| head(10)
d) What does "normal" look like? (informs baselines)
<scope_filter> event.type="<expected_type>"
| groupBy([<key_field>], function=count())
| sort(_count, order=desc)
| head(20)
For each threat scenario, classify:
| Classification | Meaning | Action |
|---|---|---|
| Detectable | Required events exist, fields available, reasonable volume | Keep — proceed to backlog |
| Partially detectable | Some events present but missing key fields or context | Discuss with user — worth pursuing with limitations? |
| Not detectable | Required events don't exist in the data | Prune from backlog |
| Surprising find | Unexpected patterns worth investigating | Flag for user — potential quick win or live incident |
Present results. For each scenario, show: classification, event types found, key fields available, daily volume estimate, and any surprising observations.
STOP — Discuss findings with user. Prune not-detectable scenarios. Decide on partial detections.
Goal: Produce a prioritized detection backlog and hand off selected detections to authoring skills.
For each validated threat scenario, create a backlog entry:
| Field | Description |
|---|---|
| Priority | 1 (highest) through N — based on severity + feasibility |
| Threat scenario | Plain-language description |
| MITRE mapping | Technique ID + tactic |
| Detection approach | simple (single event match), threshold (aggregation), behavioral (multi-event correlation) |
| Complexity | Low (single event) / Medium (aggregation/threshold) / High (multi-event correlation) |
| Key event types | From log validation |
| Key fields | From log validation |
| Volume estimate | Events/day from log validation |
| Recommended skill | Which authoring skill should build this |
| Detection Approach | Route To | Why |
|---|---|---|
| Multi-event attack chains (deny-then-success, create-then-escalate) | behavioral-detections | Needs correlate() function |
| Threshold/aggregation rules (N events in T time) | cql-patterns | Pattern-based aggregation |
| Simple event matching or complex field logic | logscale-security-queries | General CQL development |
Show the full backlog as a prioritized table. User selects which detections to pursue.
For each selected detection, write a handoff doc to docs/handoffs/.
Filename: YYYY-MM-DD-threat-model-to-<target-skill>-<brief-description>.md
Template:
# Handoff: Source Threat Modeling → <Target Skill>
## Objective
Author a detection for: <threat scenario one-liner>
## Source
- **Produced by:** source-threat-modeling skill
- **Date:** <today>
- **Target skill:** <behavioral-detections | cql-patterns | logscale-security-queries>
## Context
| Field | Value |
|---|---|
| Data source | <source name> |
| CQL scope filter | `<filter>` |
| Source role | <identity / network / cloud / app / endpoint> |
| Threat scenario | <description> |
| MITRE technique | <ID> — <name> |
| MITRE tactic | <tactic> |
| Detection approach | <simple / threshold / behavioral> |
| Estimated severity | <Critical / High / Medium / Low> |
### Key Event Types
- `<event.type>` — <what it represents>
### Key Fields
- `<field>` — <what it contains, example values>
### Volume Notes
<daily volume estimate and baseline observations from Phase 3>
## Decisions Made
These have been reviewed and approved by the user. The receiving skill should NOT re-ask:
- <decision 1>
- <decision 2>
## Constraints
- 120s NGSIEM query timeout — keep correlation windows reasonable
- <any source-specific constraints discovered during exploration>
- <relevant enrichment functions from detection-tuning, if applicable>
## Artifacts
- <paths to any files created during this session, or "None">
Tell the user: "Handoff doc written to <path>. Invoke the <target-skill> skill and point it at this file to begin authoring."
| Source Category | Examples | Typical Threat Focus |
|---|---|---|
| Identity Provider | Okta, EntraID, Ping, Auth0 | Credential attacks, MFA bypass, admin takeover, privilege escalation |
| Cloud Infrastructure | AWS CloudTrail, GCP Audit, Azure Activity | Resource abuse, IAM escalation, config tampering, data access |
| Network Security | Cisco ASA, Palo Alto, Zscaler, Akamai | C2 comms, lateral movement, exfiltration, scanning |
| Source Code / DevOps | GitHub, GitLab, Bitbucket | Code theft, secret exposure, pipeline compromise, access changes |
| SaaS Applications | Salesforce, Workday, ServiceNow | Data exfiltration, privilege abuse, config changes |
| Endpoint | CrowdStrike EDR, Carbon Black, SentinelOne | Malware, LOLBins, persistence, credential dumping |
| Email / Collaboration | M365, Google Workspace | Phishing, BEC, forwarding rules, delegation abuse |
This table is a starting point for Phase 2 — reason about threats specific to the actual product, not just the category.