configuring-host-based-intrusion-detection

Featured

Configures host-based intrusion detection systems (HIDS) to monitor endpoint file integrity, system calls, and configuration changes for security violations. Use when deploying OSSEC, Wazuh, or AIDE for endpoint monitoring, building file integrity monitoring (FIM) policies, or meeting compliance requirements for change detection. Activates for requests involving HIDS configuration, file integrity monitoring, OSSEC/Wazuh deployment, or host-based detection.

Category: AI & Automation | 13,115 stars | 1533 forks | Updated today | License: Apache-2.0

Quality Score: 99/100

- Stars (20%): 100
- Recency (20%): 100
- Frontmatter (20%): 70
- Documentation (15%): 100
- Issue Health (10%): 50
- License (10%): 100
- Description (5%): 100

Skill Content

# Configuring Host-Based Intrusion Detection

## When to Use

Use this skill when:

- Deploying HIDS agents (Wazuh, OSSEC, AIDE) across Windows and Linux endpoints
- Configuring file integrity monitoring (FIM) for compliance (PCI DSS 11.5, NIST SI-7)
- Monitoring system configuration changes, rootkit detection, and security policy violations
- Integrating HIDS alerts with SIEM platforms for centralized monitoring

**Do not use** this skill for network-based IDS (Suricata, Snort) or for EDR deployment.

## Prerequisites

- Wazuh server (manager) deployed and accessible from endpoints
- Administrative access to target endpoints
- Network connectivity: agents to Wazuh manager on port 1514 (TCP/UDP) and 1515 (TCP enrollment)
- Wazuh dashboard (OpenSearch Dashboards) for alert visualization
- Understanding of critical files/directories to monitor per OS

## Workflow

### Step 1: Install Wazuh Agent

**Windows**:

```powershell
# Download and install Wazuh agent
Invoke-WebRequest -Uri "https://packages.wazuh.com/4.x/windows/wazuh-agent-4.9.0-1.msi" `
  -OutFile "wazuh-agent.msi"
msiexec /i wazuh-agent.msi /q WAZUH_MANAGER="wazuh-manager.corp.com" `
  WAZUH_REGISTRATION_SERVER="wazuh-manager.corp.com" WAZUH_AGENT_GROUP="windows-workstations"
net start WazuhSvc
```

**Linux (Debian/Ubuntu)**:

```bash
curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | gpg --dearmor -o /usr/share/keyrings/wazuh.gpg
echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt...
```

Details

Author
mukul975
Repository
mukul975/Anthropic-Cybersecurity-Skills
Created
3 months ago
Last Updated
today
Language
Python
License
Apache-2.0

Similar Skills

Semantically similar based on skill content — not just same category

AI & Automation Solid

implementing-endpoint-detection-with-wazuh

Deploy and configure Wazuh SIEM/XDR for endpoint detection including agent management, custom decoder and rule XML creation, alert querying via the Wazuh REST API, and automated response actions.

13,115 Updated today
mukul975
AI & Automation Featured

detecting-fileless-attacks-on-endpoints

Detects fileless malware and in-memory attacks that execute entirely in RAM without writing persistent files to disk, evading traditional antivirus. Use when building detections for PowerShell-based attacks, reflective DLL injection, WMI persistence, and registry-resident malware. Activates for requests involving fileless malware detection, in-memory attacks, PowerShell exploitation, or living-off-the-land techniques.

13,115 Updated today
mukul975
AI & Automation Solid

implementing-file-integrity-monitoring-with-aide

Configure AIDE (Advanced Intrusion Detection Environment) for file integrity monitoring including baseline creation, scheduled integrity checks, change detection, and alerting

13,115 Updated today
mukul975
AI & Automation Featured

configuring-windows-event-logging-for-detection

Configures Windows Event Logging with advanced audit policies to generate high-fidelity security events for threat detection and forensic investigation. Use when enabling audit policies for logon events, process creation, privilege use, and object access to feed SIEM detection rules. Activates for requests involving Windows audit policy, event log configuration, security logging, or detection-oriented logging.

13,115 Updated today
mukul975
DevOps & Infrastructure Featured

deploying-osquery-for-endpoint-monitoring

Deploys and configures osquery for real-time endpoint monitoring using SQL-based queries to inspect running processes, open ports, installed software, and system configuration. Use when building visibility into endpoint state, threat hunting across fleet, or implementing compliance monitoring. Activates for requests involving osquery deployment, endpoint visibility, fleet management, or SQL-based endpoint querying.

13,115 Updated today
mukul975