elk-skill
Community
Elastic Stack-powered AD threat detection.
Author: SeeKT
Version: 1.0.0
Installs: 0
System Documentation
What problem does it solve?
This Skill enables security teams to detect Active Directory threats by analyzing Windows Event Logs and Sysmon data with the Elastic Stack.
Core Features & Use Cases
- Elasticsearch query templates to detect Kerberos abuse and Pass-the-Hash patterns across domain controllers and clients.
- Logstash pipelines to normalize Windows Security event logs and Sysmon data for unified dashboards.
- Kibana dashboards for incident timelines, network activity, and persistence detection; supports threshold-based alerts.
- Use Case: A SOC can ingest Windows Event Logs and Sysmon into Elasticsearch, then identify suspicious AD activity and generate actionable alerts.
Quick Start
Open Kibana and load the ELK-based AD threat dashboards. Run the sample queries to identify Kerberoasting and Pass-the-Hash patterns. Review the provided scripts in scripts/ to understand detection pipelines.
Dependency Matrix
Required Modules
None required
Components
scripts, assets
💻 Claude Code Installation
Recommended: Let Claude install automatically. Simply copy and paste the text below to Claude Code.
Please help me install this Skill: Name: elk-skill Download link: https://github.com/SeeKT/Active-Directory-Forge-Ticket-Agent-ELK/archive/main.zip#elk-skill Please download this .zip file, extract it, and install it in the .claude/skills/ directory.