If you're running Elastic Security, this handles the tedious part of alert triage: it fetches the next open alert, runs targeted ES|QL queries to gather context (process trees, network activity, related alerts), creates or updates a case with your findings, and acknowledges the alert along with related ones in the same time window. The workflow is opinionated in a good way. It forces you to gather full context before classifying anything, explicitly calls out that most alerts are false positives, and won't let you mark something malicious without real evidence like persistence mechanisms or lateral movement. Built for SOC analysts who want Claude to automate the mechanical parts while keeping the judgment calls human.
npx -y skills add elastic/agent-skills --skill security-alert-triage --agent claude-code

Installs into .claude/skills of the current project.
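To make the mechanical half of that loop concrete, here is an added example (written for this page, not code from elastic/agent-skills) of the pieces a script would need: quoting alert fields into ES|QL, the three context queries, the evidence gate for a "malicious" verdict, and the body for acknowledging the alert plus the related ones in its window. It assumes ECS field names on the alert (host.name, process.entity_id, @timestamp), that endpoint and network events live under logs-*, that alerts live in .alerts-security.alerts-default, that the analyst records evidence as tags named persistence and lateral_movement, and that acknowledgement goes through Kibana's POST /api/detection_engine/signals/status endpoint. The sample alert is constructed, and no request is sent, so it runs offline.

```python
import json
from datetime import datetime, timedelta, timezone

ALERTS_INDEX = ".alerts-security.alerts-default"  # Kibana's default alerts index
EVENTS_INDEX = "logs-*"                           # assumed home of endpoint/network events
HARD_EVIDENCE = {"persistence", "lateral_movement"}  # assumed tag names for real evidence

SAMPLE_ALERT = {  # constructed alert, not real data
    "_id": "a1",
    "@timestamp": "2024-05-01T12:00:00.000Z",
    "host.name": "ws-042",
    "process.entity_id": "MTIzNA==",
    "kibana.alert.rule.name": "Suspicious PowerShell",
}


def esql_str(value) -> str:
    """Quote a value as an ES|QL string literal so alert field values cannot break out
    of the query: backslash and double quote are escaped."""
    return '"' + str(value).replace("\\", "\\\\").replace('"', '\\"') + '"'


def time_window(ts: str, minutes: int = 30):
    """Start/end (UTC, second precision) of the +/- `minutes` window around the alert."""
    t = datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)
    delta = timedelta(minutes=minutes)
    fmt = "%Y-%m-%dT%H:%M:%S.000Z"
    return (t - delta).strftime(fmt), (t + delta).strftime(fmt)


def context_queries(alert: dict, minutes: int = 30) -> dict:
    """ES|QL for the three kinds of context: process tree, network activity, related alerts."""
    host = esql_str(alert["host.name"])
    pid = esql_str(alert["process.entity_id"])
    start, end = time_window(alert["@timestamp"], minutes)
    in_window = (f"@timestamp >= TO_DATETIME({esql_str(start)}) "
                 f"AND @timestamp <= TO_DATETIME({esql_str(end)})")
    return {
        "process_tree": (
            f"FROM {EVENTS_INDEX} | WHERE host.name == {host} AND {in_window} "
            f"AND (process.entity_id == {pid} OR process.parent.entity_id == {pid}) "
            "| KEEP @timestamp, process.name, process.command_line, process.parent.name, user.name "
            "| SORT @timestamp ASC | LIMIT 200"
        ),
        "network": (
            f"FROM {EVENTS_INDEX} | WHERE host.name == {host} AND {in_window} "
            f'AND process.entity_id == {pid} AND event.category == "network" '
            "| STATS connections = COUNT(*) BY destination.ip, destination.port "
            "| SORT connections DESC | LIMIT 50"
        ),
        "related_alerts": (
            f"FROM {ALERTS_INDEX} METADATA _id | WHERE host.name == {host} AND {in_window} "
            'AND kibana.alert.workflow_status == "open" '
            "| KEEP _id, @timestamp, kibana.alert.rule.name, kibana.alert.severity | LIMIT 100"
        ),
    }


def classify(findings: dict) -> str:
    """Verdict from the gathered findings. 'malicious' needs at least one hard-evidence tag;
    no evidence plus a written benign explanation is a false positive; anything else stays
    'suspicious' and is left to the human."""
    evidence = set(findings.get("evidence", []))
    if evidence & HARD_EVIDENCE:
        return "malicious"
    if not evidence and findings.get("benign_explanation"):
        return "false_positive"
    return "suspicious"


def acknowledge_payload(alert_id: str, related_ids) -> dict:
    """Body for POST /api/detection_engine/signals/status: the alert first, then the related
    alerts from the same window, de-duplicated and in order."""
    ids = list(dict.fromkeys([alert_id, *related_ids]))
    return {"signal_ids": ids, "status": "acknowledged"}


if __name__ == "__main__":
    print(json.dumps(context_queries(SAMPLE_ALERT), indent=2))
    findings = {"evidence": ["unsigned_binary"], "benign_explanation": None}
    print(classify(findings))  # suspicious: not enough for malicious, not cleared either
    print(json.dumps(acknowledge_payload(SAMPLE_ALERT["_id"], ["a2", "a1", "a3"])))
```

The related_alerts query is the one to eyeball before sending the acknowledge body: it selects on host and time window only, so whatever it returns is what gets acknowledged alongside the triaged alert.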