From cybersecurity-skills
Analyzes threat intelligence feeds to extract IOCs, adversary tactics, and context. Normalizes heterogeneous formats to STIX 2.1, evaluates feed quality, and enriches for CTI pipelines.
npx claudepluginhub mukul975/anthropic-cybersecurity-skills --plugin cybersecurity-skillsThis skill uses the workspace's default tool permissions.
Use this skill when:
Applies Acme Corporation brand guidelines including colors, fonts, layouts, and messaging to generated PowerPoint, Excel, and PDF documents.
Builds DCF models with sensitivity analysis, Monte Carlo simulations, and scenario planning for investment valuation and risk assessment.
Calculates profitability (ROE, margins), liquidity (current ratio), leverage, efficiency, and valuation (P/E, EV/EBITDA) ratios from financial statements in CSV, JSON, text, or Excel for investment analysis.
Use this skill when:
Do not use this skill for raw packet capture analysis or live incident triage without first establishing a CTI baseline.
List all available feeds categorized by type (commercial, government, ISAC, OSINT):
Score each feed on: update frequency, historical accuracy rate, coverage of your sector, and attribution depth. Use a weighted scoring matrix with criteria from NIST SP 800-150 (Guide to Cyber Threat Information Sharing).
For TAXII-enabled feeds:
taxii2-client discover https://feed.example.com/taxii/
taxii2-client get-collection --collection-id <id> --since 2024-01-01
For REST API feeds (e.g., Recorded Future):
/v2/indicator/search with risk_score_min=65 to filter low-confidence IOCsConvert each IOC to STIX 2.1 objects using the OASIS standard schema:
indicator object with pattern: "[ipv4-addr:value = '...']"indicator with pattern: "[domain-name:value = '...']"indicator with pattern: "[file:hashes.SHA-256 = '...']"Attach relationship objects linking indicators to threat-actor or malware objects. Use confidence field (0–100) based on source fidelity rating.
Run deduplication against existing TIP database using normalized value + type as composite key. Enrich surviving IOCs:
Export enriched indicators via TAXII 2.1 push to SIEM (Splunk, Microsoft Sentinel), firewalls (Palo Alto XSOAR playbooks), and EDR platforms. Set TTL (time-to-live) per indicator type: IP addresses 30 days, domains 90 days, file hashes 1 year.
| Term | Definition |
|---|---|
| STIX 2.1 | Structured Threat Information Expression — OASIS standard JSON schema for CTI objects including indicators, threat actors, campaigns, and relationships |
| TAXII 2.1 | Trusted Automated eXchange of Intelligence Information — HTTPS-based protocol for sharing STIX content between servers and clients |
| IOC | Indicator of Compromise — observable artifact (IP, domain, hash, URL) that indicates a system may have been breached |
| TLP | Traffic Light Protocol — color-coded classification (RED/AMBER/GREEN/WHITE) defining sharing restrictions for CTI |
| Confidence Score | Numeric value (0–100 in STIX) reflecting the producer's certainty about an indicator's malicious attribution |
| Feed Fidelity | Historical accuracy rate of a feed measured by true positive rate in production detections |