npx claudepluginhub plurigrid/asi --plugin asiThis skill uses the workspace's default tool permissions.
Use this skill when:
Analyzes threat intelligence feeds to extract IOCs, adversary tactics, and context. Normalizes heterogeneous formats to STIX 2.1, evaluates feed quality, and enriches for CTI pipelines.
Analyzes structured and unstructured CTI feeds to extract actionable IOCs, adversary tactics, and attack context. For importing feeds, STIX 2.1 normalization, quality assessment, and IOC enrichment.
Builds pipelines integrating STIX/TAXII feeds, open-source and commercial threat intel into SIEM/security tools for real-time IOC matching and alerting. For SOC teams automating TI ingestion, normalization, scoring, and distribution.
Share bugs, ideas, or general feedback.
Use this skill when:
Do not use this skill for raw packet capture analysis or live incident triage without first establishing a CTI baseline.
List all available feeds categorized by type (commercial, government, ISAC, OSINT):
Score each feed on: update frequency, historical accuracy rate, coverage of your sector, and attribution depth. Use a weighted scoring matrix with criteria from NIST SP 800-150 (Guide to Cyber Threat Information Sharing).
For TAXII-enabled feeds:
taxii2-client discover https://feed.example.com/taxii/
taxii2-client get-collection --collection-id <id> --since 2024-01-01
For REST API feeds (e.g., Recorded Future):
/v2/indicator/search with risk_score_min=65 to filter low-confidence IOCsConvert each IOC to STIX 2.1 objects using the OASIS standard schema:
indicator object with pattern: "[ipv4-addr:value = '...']"indicator with pattern: "[domain-name:value = '...']"indicator with pattern: "[file:hashes.SHA-256 = '...']"Attach relationship objects linking indicators to threat-actor or malware objects. Use confidence field (0–100) based on source fidelity rating.
Run deduplication against existing TIP database using normalized value + type as composite key. Enrich surviving IOCs:
Export enriched indicators via TAXII 2.1 push to SIEM (Splunk, Microsoft Sentinel), firewalls (Palo Alto XSOAR playbooks), and EDR platforms. Set TTL (time-to-live) per indicator type: IP addresses 30 days, domains 90 days, file hashes 1 year.
| Term | Definition |
|---|---|
| STIX 2.1 | Structured Threat Information Expression — OASIS standard JSON schema for CTI objects including indicators, threat actors, campaigns, and relationships |
| TAXII 2.1 | Trusted Automated eXchange of Intelligence Information — HTTPS-based protocol for sharing STIX content between servers and clients |
| IOC | Indicator of Compromise — observable artifact (IP, domain, hash, URL) that indicates a system may have been breached |
| TLP | Traffic Light Protocol — color-coded classification (RED/AMBER/GREEN/WHITE) defining sharing restrictions for CTI |
| Confidence Score | Numeric value (0–100 in STIX) reflecting the producer's certainty about an indicator's malicious attribution |
| Feed Fidelity | Historical accuracy rate of a feed measured by true positive rate in production detections |