Skill

performing-indicator-lifecycle-management

Manages IOC lifecycle in threat intelligence from discovery to retirement, with validation, enrichment, deployment, monitoring, confidence decay, hit/false positive tracking, and auto-expiration using Python state machine.

Python

security

npx claudepluginhub killvxk/cybersecurity-skills-zh

Tool Access

This skill uses the workspace's default tool permissions.

Preview

指标生命周期管理跟踪 IOC 从初始发现到验证、富化、部署、监控和最终停用的全过程。本技能涵盖实施 IOC 质量评估、老化策略、置信度衰减评分、误报跟踪、命中率监控和自动到期的系统化流程，以维护高质量、可操作的指标数据库，最大限度减少分析师疲劳并提高检测效能。

Supporting Assets

LICENSEassets/template.mdreferences/api-reference.mdreferences/standards.mdreferences/workflows.mdscripts/agent.pyscripts/process.py

SKILL.md

Similar Skills

performing-indicator-lifecycle-management

5.9k

Implements IOC lifecycle management from discovery to retirement, with validation, enrichment, confidence decay, and monitoring using Python, MISP, and STIX. For threat intelligence pipelines.

7 files

cybersecurity-skills

performing-indicator-lifecycle-management

Implements IOC lifecycle management for threat intelligence: tracks indicators from discovery via validation, enrichment, deployment, monitoring to retirement with confidence decay, hit-rate tracking, and automated expiration.

asi

implementing-threat-intelligence-lifecycle-management

Implements threat intelligence lifecycle management covering planning, collection, processing, analysis, dissemination, and feedback stages using Python with pymisp and stix2 for CTI programs.

3 files

cybersecurity-skills-zh

Stats

Stars10

Forks1

Last CommitMar 17, 2026

Actions

View Source View Plugin View on GitHub View README

Help us improve

Share bugs, ideas, or general feedback.

执行指标生命周期管理

概述

前置条件

Python 3.9+，安装 pymisp、requests、stix2 库
用于指标存储的 MISP 或 OpenCTI 实例
具备 IOC 监控列表能力的 SIEM（Splunk、Elastic）
了解 IOC 类型、置信度评分和 TLP 分类

核心概念

指标生命周期阶段

发现：从威胁情报、恶意软件分析或事件响应中首次识别 IOC
验证：通过富化来源（VirusTotal、Shodan）核实 IOC
富化：添加额外上下文（WHOIS、被动 DNS、威胁行为者归因）
部署：将 IOC 推送到检测系统（SIEM、IDS、防火墙）
监控：跟踪命中率、误报率和检测效能
审查：定期评估 IOC 的相关性和准确性
停用：根据老化策略使 IOC 过期或移除

置信度衰减

指标置信度随时间降低，因为对手会轮换基础设施。基于时间的衰减函数自动降低置信度评分，确保旧指标不会产生过多告警。典型半衰期：IP 地址（30 天）、域名（90 天）、文件哈希（365 天）。

质量指标

命中率：生成真正告警的已部署 IOC 百分比
误报率：IOC 告警中良性的百分比
覆盖率：已知威胁技术中具有 IOC 覆盖的百分比
新鲜度：数据库中活跃指标的平均年龄

操作步骤

步骤 1：实现 IOC 生命周期状态机

from datetime import datetime, timedelta
from enum import Enum

class IOCState(Enum):
    DISCOVERED = "discovered"      # 已发现
    VALIDATED = "validated"        # 已验证
    ENRICHED = "enriched"          # 已富化
    DEPLOYED = "deployed"          # 已部署
    MONITORING = "monitoring"      # 监控中
    UNDER_REVIEW = "under_review"  # 审查中
    RETIRED = "retired"            # 已停用

class IOCLifecycle:
    def __init__(self, ioc_type, value, source, initial_confidence=50):
        self.ioc_type = ioc_type
        self.value = value
        self.source = source
        self.confidence = initial_confidence
        self.state = IOCState.DISCOVERED
        self.created = datetime.utcnow()
        self.last_updated = datetime.utcnow()
        self.last_seen = None
        self.hit_count = 0
        self.false_positive_count = 0
        self.history = [{"state": "discovered", "timestamp": self.created.isoformat()}]

    def transition(self, new_state: IOCState, reason=""):
        self.state = new_state
        self.last_updated = datetime.utcnow()
        self.history.append({
            "state": new_state.value,
            "timestamp": self.last_updated.isoformat(),
            "reason": reason,
        })

    def apply_decay(self):
        """根据 IOC 类型半衰期应用置信度衰减。"""
        half_lives = {"ip": 30, "domain": 90, "hash": 365, "url": 60}
        half_life = half_lives.get(self.ioc_type, 90)
        age_days = (datetime.utcnow() - self.created).days
        decay_factor = 0.5 ** (age_days / half_life)
        self.confidence = max(0, int(self.confidence * decay_factor))

    def record_hit(self, is_true_positive=True):
        self.hit_count += 1
        self.last_seen = datetime.utcnow()
        if not is_true_positive:
            self.false_positive_count += 1
            if self.false_positive_count > 3:
                self.transition(IOCState.UNDER_REVIEW, "误报过多")

    def should_retire(self):
        max_ages = {"ip": 90, "domain": 180, "hash": 730, "url": 120}
        max_age = max_ages.get(self.ioc_type, 180)
        age_days = (datetime.utcnow() - self.created).days
        return age_days > max_age and self.hit_count == 0

验收标准

IOC 生命周期状态机在各阶段间正确转换
置信度衰减根据 IOC 类型半衰期降低评分
命中率和误报跟踪功能正常
老化策略自动标记指标进行审查/停用
质量指标仪表盘显示 IOC 数据库健康状态

performing-indicator-lifecycle-management

Tool Access

Preview

Supporting Assets

SKILL.md

Similar Skills

Help us improve

Help us improve

performing-indicator-lifecycle-management

Tool Access

Preview

Supporting Assets

SKILL.md

执行指标生命周期管理

概述

前置条件

核心概念

指标生命周期阶段

置信度衰减

质量指标

操作步骤

步骤 1：实现 IOC 生命周期状态机

验收标准

参考资料

Similar Skills

Help us improve

执行指标生命周期管理

概述

前置条件

核心概念

指标生命周期阶段

置信度衰减

质量指标

操作步骤

步骤 1：实现 IOC 生命周期状态机

验收标准

参考资料