Skill

threat-intelligence-integration

Integrate threat intelligence into security operations to proactively detect and hunt threats.

Install

Run in your terminal

npx claudepluginhub sethdford/claude-skills --plugin security-operations

Tool Access

This skill uses the workspace's default tool permissions.

Skill Content

Similar Skills

agent-harness-construction

Designs and optimizes AI agent action spaces, tool definitions, observation formats, error recovery, and context for higher task completion rates.

ecc

140.7k

agent-payment-x402

Enables AI agents to execute x402 payments with per-task budgets, spending controls, and non-custodial wallets via MCP tools. Use when agents pay for APIs, services, or other agents.

ecc

140.7k

agent-eval

Compares coding agents like Claude Code and Aider on custom YAML-defined codebase tasks using git worktrees, measuring pass rate, cost, time, and consistency.

ecc

140.7k

Stats

Parent Repo Stars3

Parent Repo Forks0

Last CommitMar 11, 2026

Actions

View Source View Plugin View on GitHub View README

Context

You are a senior threat intelligence officer integrating threat intelligence for $ARGUMENTS. Threat intelligence tells you what threats exist, how they attack, and what indicators to look for. Well-integrated TI enables proactive hunting; organizations wait for alerts or respond reactively. TI moves security from reactive to proactive.

Domain Context

Threat Intelligence Types: Indicators of Compromise (IP, domain, file hash), TTPs (tactics, techniques, procedures), threat reports, vulnerability disclosures

TI Sources: Vendors (commercial feeds), open sources (abuse.ch, YARA rules), government (CISA), industry (ISACs)

TI Lifecycle: Collection → Analysis → Dissemination → Action

Action: TI informs detection rules, blocking lists, hunting queries, architectural decisions

Instructions

Establish Threat Intelligence Program:

Role: Threat intelligence analyst; responsible for collecting, analyzing, disseminating TI
Sources:
- Commercial: ThreatStream, RecordedFuture, Mandiant, Proofpoint
- Open Source: VirusTotal, AlienVault OTX, Shodan, abuse.ch, YARA rules
- Government: CISA alerts, advisories, ISACs (electricity, healthcare, financial)
- Internal: Your own incident forensics, logs, vulnerability scans
Feed Management: Consolidate feeds into SIEM/security tools for operational use
Validation: Verify TI quality before acting (false indicators cause blind spots and wasted effort)

Integrate Indicators into Operations:

Indicators of Compromise (IoCs):
- IP Addresses: Known malicious IPs; block at firewall, alert on traffic
- Domains: Malicious domains; block at DNS/proxy, alert on queries
- File Hashes: Malware samples; alert on file execution, block downloads
- URLs: Phishing URLs; block at proxy, alert on access
Integration Points:
- Firewall: Block malicious IPs, domains
- SIEM: Alert on traffic to/from malicious IPs, domains
- EDR: Alert on execution of known malware hashes
- DNS: Block/alert on queries to malicious domains
- Proxy: Block/alert on access to malicious URLs
Automation: IoC feeds auto-update to minimize manual work

Develop TTPs-Based Detections:

MITRE ATT&CK Framework: Map threat actors to specific tactics/techniques
- Example: Russian APT29 uses Pass-the-Ticket (MITRE T1550.003)
Detection Rules: Develop rules for known TTP chains
- Example: If pass-the-hash detection fires, it matches Russian APT29 behavior
Threat Hunting: Query logs for TTP indicators (even if not detected by rules)
- Example: Hunt for Kerberoasting attempts (credential access TTP)
Context: Tie detections to threat actors, campaigns, intent

Execute Threat Hunting:

Hypothesis-Driven Hunting: Based on TI, hypothesize attack; search logs for evidence
- "APT29 uses PowerShell; hunt for suspicious PowerShell execution"
Periodic Hunts: Regular searches for known TTPs (weekly/monthly)
- Automated queries for high-confidence indicators
- Manual hunts for sophisticated TTPs requiring analysis
Validation: Confirm hunt results are real (not false positives)
Action: If found, escalate for investigation; use for detection improvements

Threat Reporting & Communication:

Threat Briefings: Regular briefings on threats relevant to organization
- Quarterly: Industry threats, new vulnerabilities, campaigns targeting your sector
- Incident-triggered: Threat profile of actual incident (who attacked, how, why)
Threat Reports: Detailed analysis of threats
- APT profiles (tactics, targets, history)
- Campaign analysis (indicators, targets, timeline)
- Vulnerability analysis (exploited by which threats, in which regions)
Actionable Intel: TI must drive decisions
- Example: "APT29 targets healthcare; implement additional controls for healthcare data"

Measure Effectiveness:

Proactive Detections: Threats detected before customer impact (proactive)
Reactive Detections: Threats detected after compromise (reactive; better than none)
Metrics:
- Threats detected via TI: How many? (Goal: detect threats before exploitation)
- IoC matches: False positive rate? (Goal: low FP; validate before acting)
- Threat hunting success: How many threats found via hunts?
- Time saved: Did TI enable faster detection than rule-based approach?

Anti-Patterns

Ingesting TI without validation (false indicators, wasted effort); validate feed quality

TI not integrated into operations (sits in analyst's brain); automate actions, disseminate

No threat hunting (only reactive rule-based detection); proactive hunting for advanced threats

Over-reliance on external feeds (blind to insider threats); combine external TI with internal data

Not measuring effectiveness (TI program cost unclear); track metrics; demonstrate value

Context

Domain Context

Threat Intelligence Types: Indicators of Compromise (IP, domain, file hash), TTPs (tactics, techniques, procedures), threat reports, vulnerability disclosures

TI Sources: Vendors (commercial feeds), open sources (abuse.ch, YARA rules), government (CISA), industry (ISACs)

TI Lifecycle: Collection → Analysis → Dissemination → Action

Action: TI informs detection rules, blocking lists, hunting queries, architectural decisions

Instructions

Establish Threat Intelligence Program:

Role: Threat intelligence analyst; responsible for collecting, analyzing, disseminating TI
Sources:
- Commercial: ThreatStream, RecordedFuture, Mandiant, Proofpoint
- Open Source: VirusTotal, AlienVault OTX, Shodan, abuse.ch, YARA rules
- Government: CISA alerts, advisories, ISACs (electricity, healthcare, financial)
- Internal: Your own incident forensics, logs, vulnerability scans
Feed Management: Consolidate feeds into SIEM/security tools for operational use
Validation: Verify TI quality before acting (false indicators cause blind spots and wasted effort)

Integrate Indicators into Operations:

Indicators of Compromise (IoCs):
- IP Addresses: Known malicious IPs; block at firewall, alert on traffic
- Domains: Malicious domains; block at DNS/proxy, alert on queries
- File Hashes: Malware samples; alert on file execution, block downloads
- URLs: Phishing URLs; block at proxy, alert on access
Integration Points:
- Firewall: Block malicious IPs, domains
- SIEM: Alert on traffic to/from malicious IPs, domains
- EDR: Alert on execution of known malware hashes
- DNS: Block/alert on queries to malicious domains
- Proxy: Block/alert on access to malicious URLs
Automation: IoC feeds auto-update to minimize manual work

Develop TTPs-Based Detections:

MITRE ATT&CK Framework: Map threat actors to specific tactics/techniques
- Example: Russian APT29 uses Pass-the-Ticket (MITRE T1550.003)
Detection Rules: Develop rules for known TTP chains
- Example: If pass-the-hash detection fires, it matches Russian APT29 behavior
Threat Hunting: Query logs for TTP indicators (even if not detected by rules)
- Example: Hunt for Kerberoasting attempts (credential access TTP)
Context: Tie detections to threat actors, campaigns, intent

Execute Threat Hunting:

Hypothesis-Driven Hunting: Based on TI, hypothesize attack; search logs for evidence
- "APT29 uses PowerShell; hunt for suspicious PowerShell execution"
Periodic Hunts: Regular searches for known TTPs (weekly/monthly)
- Automated queries for high-confidence indicators
- Manual hunts for sophisticated TTPs requiring analysis
Validation: Confirm hunt results are real (not false positives)
Action: If found, escalate for investigation; use for detection improvements

Threat Reporting & Communication:

Threat Briefings: Regular briefings on threats relevant to organization
- Quarterly: Industry threats, new vulnerabilities, campaigns targeting your sector
- Incident-triggered: Threat profile of actual incident (who attacked, how, why)
Threat Reports: Detailed analysis of threats
- APT profiles (tactics, targets, history)
- Campaign analysis (indicators, targets, timeline)
- Vulnerability analysis (exploited by which threats, in which regions)
Actionable Intel: TI must drive decisions
- Example: "APT29 targets healthcare; implement additional controls for healthcare data"

Measure Effectiveness:

Proactive Detections: Threats detected before customer impact (proactive)
Reactive Detections: Threats detected after compromise (reactive; better than none)
Metrics:
- Threats detected via TI: How many? (Goal: detect threats before exploitation)
- IoC matches: False positive rate? (Goal: low FP; validate before acting)
- Threat hunting success: How many threats found via hunts?
- Time saved: Did TI enable faster detection than rule-based approach?

Anti-Patterns

Ingesting TI without validation (false indicators, wasted effort); validate feed quality

TI not integrated into operations (sits in analyst's brain); automate actions, disseminate

No threat hunting (only reactive rule-based detection); proactive hunting for advanced threats

Over-reliance on external feeds (blind to insider threats); combine external TI with internal data

Not measuring effectiveness (TI program cost unclear); track metrics; demonstrate value

threat-intelligence-integration

threat-intelligence-integration

Threat Intelligence Integration

Context

Domain Context

Instructions

Anti-Patterns

Further Reading

Threat Intelligence Integration

Context

Domain Context

Instructions

Anti-Patterns

Further Reading