
log-triage

Identity-log triage workflow — anomaly patterns per provider (AWS CloudTrail, Azure AD/Entra, Google Workspace, Okta), session and token misuse, MFA-bypass signals, conditional-access evasion, and cross-provider correlation. Produces a prioritized finding list routed to ir-runbook or detection-engineer.
roodlicht/accans-sec-skills · ★ 4 · DevOps & Infrastructure · score 65
Install: claude install-skill roodlicht/accans-sec-skills
# Log Triage

> **Identity-first context**: most modern incidents start or escalate via identity providers. Logs are the truth source; UIs are stale snapshots. This skill covers audit/identity logs from the major IdPs; network logs and endpoint EDR touch on this but live in other skills.

## When to use

A log-triage question begins with "something is odd in the logs, take a look". This skill provides, per provider, the pattern set you use to triage where people otherwise get lost in volume.

Triggers on:

- A question like "look at these CloudTrail events", "is this Azure AD sign-in anomaly real", "Google Workspace audit log has N login failures", "what is the anomaly here in Okta", "compromised-account investigation".
- A handoff from `detection-engineer` (rule fired, asks for deeper triage), `ir-runbook` (incident investigation), `ioc-hunter` (IOC match in an identity log).
- A proactive hunting session focused on identity anomalies; overlaps with `threat-hunt`.
- A post-incident investigation where the identity path must be reconstructed for `forensics-assist` or regulatory reporting.

### When NOT (handoff)

- Generic SIEM-query building → `siem-query`.
- Writing a detection rule based on the pattern → `detection-engineer`.
- A threat-hunt session as a whole → `threat-hunt` (command).
- Forensic memory/disk analysis → `forensics-assist`.
- Network-flow triage or EDR process events → out of scope here; covered in generic SIEM-query or an EDR-tool skill.
- IOC curation
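Identity-log triage of the kind described above, as an added example that is not part of the log-triage skill or of roodlicht/accans-sec-skills: a Python routine walks constructed AWS CloudTrail records in time order and emits a prioritized finding list for three illustrative patterns (a console login that completed without MFA, a burst of failed logins followed by a success from the same IP, and an IAM access key minted minutes after an interactive login). The pattern names, thresholds, severities and sample events are assumptions made for this illustration, not the skill's pattern set; the field names (`eventName`, `eventSource`, `sourceIPAddress`, `userIdentity`, `responseElements.ConsoleLogin`, `additionalEventData.MFAUsed`, `requestParameters.userName`) are CloudTrail's own.

```python
"""Toy identity-log triage over AWS CloudTrail records.

Added example, not the log-triage skill's code. Patterns, thresholds and
severities are illustrative assumptions; SAMPLE_EVENTS below are constructed.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}
FAILURE_THRESHOLD = 3                           # assumption: failures before a success
FAILURE_WINDOW = timedelta(minutes=10)          # assumption: look-back for those failures
KEY_AFTER_LOGIN_WINDOW = timedelta(minutes=15)  # assumption: login -> CreateAccessKey gap


def _ts(event):
    # CloudTrail eventTime is ISO-8601 UTC with a trailing Z.
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def _principal(event):
    ident = event.get("userIdentity", {})
    # IAMUser records carry userName; for role sessions fall back to the ARN.
    return ident.get("userName") or ident.get("arn", "unknown")


def _finding(severity, pattern, principal, ip, events, detail):
    # events arrive in time order, so events[0] is the earliest evidence.
    return {"severity": severity, "pattern": pattern, "principal": principal,
            "sourceIPAddress": ip, "first_seen": events[0]["eventTime"],
            "event_ids": [e["eventID"] for e in events], "detail": detail}


def triage(records):
    """Walk records in time order; return findings, high severity first."""
    findings = []
    failures = defaultdict(list)  # (principal, ip) -> recent failed ConsoleLogins
    last_success = {}             # (principal, ip) -> latest successful ConsoleLogin

    for ev in sorted(records, key=_ts):
        who, ip = _principal(ev), ev.get("sourceIPAddress")
        key = (who, ip)
        if ev["eventName"] == "ConsoleLogin":
            outcome = ev.get("responseElements", {}).get("ConsoleLogin")
            if outcome == "Failure":
                failures[key].append(ev)
                continue
            if outcome != "Success":
                continue
            # Pattern 1: interactive login without MFA (MFA-bypass signal). MFAUsed is
            # only set on sign-in events, so its absence is not evidence that MFA was used.
            if ev.get("additionalEventData", {}).get("MFAUsed") == "No":
                findings.append(_finding("high", "console_login_without_mfa", who, ip, [ev],
                                         "ConsoleLogin succeeded with MFAUsed=No"))
            # Pattern 2: burst of failures then a success from the same IP (guessing/spray).
            recent = [f for f in failures[key] if _ts(ev) - _ts(f) <= FAILURE_WINDOW]
            if len(recent) >= FAILURE_THRESHOLD:
                findings.append(_finding("high", "failures_then_success", who, ip, recent + [ev],
                                         f"{len(recent)} failed logins within {FAILURE_WINDOW} before success"))
            failures[key].clear()
            last_success[key] = ev
        elif ev["eventName"] == "CreateAccessKey" and ev.get("eventSource") == "iam.amazonaws.com":
            # Pattern 3: long-lived credential minted right after an interactive login
            # (persistence / token-misuse candidate).
            login = last_success.get(key)
            if login and _ts(ev) - _ts(login) <= KEY_AFTER_LOGIN_WINDOW:
                target = ev.get("requestParameters", {}).get("userName", who)
                findings.append(_finding("medium", "access_key_after_login", who, ip, [login, ev],
                                         f"CreateAccessKey for {target} within {KEY_AFTER_LOGIN_WINDOW} of login"))

    findings.sort(key=lambda f: (SEVERITY_ORDER[f["severity"]], f["first_seen"]))
    return findings


def _login(eid, when, user, ip, outcome, mfa):
    # Constructed ConsoleLogin record shaped like CloudTrail's signin.amazonaws.com events.
    ev = {"eventVersion": "1.08", "eventTime": when, "eventSource": "signin.amazonaws.com",
          "eventName": "ConsoleLogin", "sourceIPAddress": ip, "eventID": eid,
          "userIdentity": {"type": "IAMUser", "userName": user,
                           "arn": f"arn:aws:iam::123456789012:user/{user}"},
          "responseElements": {"ConsoleLogin": outcome},
          "additionalEventData": {"MFAUsed": mfa}}
    if outcome == "Failure":
        ev["errorMessage"] = "Failed authentication"
    return ev


# Constructed sample input (not real data), deliberately out of time order.
SAMPLE_EVENTS = [
    _login("e1", "2024-03-04T12:00:00Z", "alice", "198.51.100.7", "Failure", "No"),
    _login("e2", "2024-03-04T12:00:05Z", "alice", "198.51.100.7", "Failure", "No"),
    _login("e3", "2024-03-04T12:00:10Z", "alice", "198.51.100.7", "Failure", "No"),
    _login("e4", "2024-03-04T12:00:15Z", "alice", "198.51.100.7", "Failure", "No"),
    _login("e5", "2024-03-04T12:01:00Z", "alice", "198.51.100.7", "Success", "No"),
    {"eventVersion": "1.08", "eventTime": "2024-03-04T12:04:30Z", "eventID": "e6",
     "eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"userName": "alice"}},
    _login("e7", "2024-03-04T09:00:00Z", "bob", "203.0.113.9", "Success", "Yes"),  # benign
]

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_EVENTS), indent=2))
```

On the constructed input the routine produces three findings for `alice` and none for `bob`: the two high-severity ones (the failure burst and the non-MFA login) sort ahead of the medium-severity access-key finding, which is the prioritized-list shape the skill description calls for before routing to `ir-runbook` or `detection-engineer`. Two caveats a practitioner should carry over to real data: federated and assumed-role sessions do not carry `MFAUsed`, so MFA posture for those has to come from the IdP's own sign-in log rather than from CloudTrail, and the per-(principal, IP) keying will miss a spray that rotates source addresses, which is exactly where the cross-provider correlation the description mentions has to take over.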