analyzing-threat-intelligence-feeds
Analyzes structured and unstructured threat intelligence feeds to extract actionable indicators, adversary tactics, and campaign context. Use when ingesting commercial or open-source CTI feeds, evaluating feed quality, normalizing data into STIX 2.1 format, or enriching existing IOCs with campaign attribution. Activates for requests involving ThreatConnect, Recorded Future, Mandiant Advantage, MISP, AlienVault OTX, or automated feed aggregation pipelines.
What this skill does
# Analyzing Threat Intelligence Feeds ## When to Use Use this skill when: - Ingesting new commercial or OSINT threat feeds and assessing their signal-to-noise ratio - Normalizing heterogeneous IOC formats (STIX 2.1, OpenIOC, YARA, Sigma) into a unified schema - Evaluating feed freshness, fidelity, and relevance to the organization's threat profile - Building automated enrichment pipelines that correlate IOCs against SIEM events **Do not use** this skill for raw packet capture analysis or live incident triage without first establishing a CTI baseline. ## Prerequisites - Access to a Threat Intelligence Platform (TIP) such as ThreatConnect, MISP, or OpenCTI - API keys for at least one commercial feed (Recorded Future, Mandiant Advantage, or VirusTotal Enterprise) - TAXII 2.1 client library (taxii2-client Python package or equivalent) - Role with read/write permissions to the TIP's indicator database ## Workflow ### Step 1: Enumerate and Prioritize Feed Sources List all available feeds categorized by type (commercial, government, ISAC, OSINT): - Commercial: Recorded Future, Mandiant Advantage, CrowdStrike Falcon Intelligence - Government: CISA AIS (Automated Indicator Sharing), FBI InfraGard, MS-ISAC - OSINT: AlienVault OTX, Abuse.ch, PhishTank, Emerging Threats Score each feed on: update frequency, historical accuracy rate, coverage of your sector, and attribution depth. Use a weighted scoring matrix with criteria from NIST SP 800-150 (Guide to Cyber Threat Information Sharing). ### Step 2: Ingest via TAXII 2.1 or API For TAXII-enabled feeds: ``` taxii2-client discover https://feed.example.com/taxii/ taxii2-client get-collection --collection-id <id> --since 2024-01-01 ``` For REST API feeds (e.g., Recorded Future): - Query `/v2/indicator/search` with `risk_score_min=65` to filter low-confidence IOCs - Apply rate limiting and exponential backoff for API resilience ### Step 3: Normalize to STIX 2.1 Convert each IOC to STIX 2.1 objects using the OASIS standard schema: - IP address → `indicator` object with `pattern: "[ipv4-addr:value = '...']"` - Domain → `indicator` with `pattern: "[domain-name:value = '...']"` - File hash → `indicator` with `pattern: "[file:hashes.SHA-256 = '...']"` Attach `relationship` objects linking indicators to `threat-actor` or `malware` objects. Use `confidence` field (0–100) based on source fidelity rating. ### Step 4: Deduplicate and Enrich Run deduplication against existing TIP database using normalized value + type as composite key. Enrich surviving IOCs: - VirusTotal: detection ratio, sandbox behavior reports - PassiveTotal (RiskIQ): WHOIS history, passive DNS, SSL certificate chains - Shodan: banner data, open ports, geographic location ### Step 5: Distribute to Consuming Systems Export enriched indicators via TAXII 2.1 push to SIEM (Splunk, Microsoft Sentinel), firewalls (Palo Alto XSOAR playbooks), and EDR platforms. Set TTL (time-to-live) per indicator type: IP addresses 30 days, domains 90 days, file hashes 1 year. ## Key Concepts | Term | Definition | |------|-----------| | **STIX 2.1** | Structured Threat Information Expression — OASIS standard JSON schema for CTI objects including indicators, threat actors, campaigns, and relationships | | **TAXII 2.1** | Trusted Automated eXchange of Intelligence Information — HTTPS-based protocol for sharing STIX content between servers and clients | | **IOC** | Indicator of Compromise — observable artifact (IP, domain, hash, URL) that indicates a system may have been breached | | **TLP** | Traffic Light Protocol — color-coded classification (RED/AMBER/GREEN/WHITE) defining sharing restrictions for CTI | | **Confidence Score** | Numeric value (0–100 in STIX) reflecting the producer's certainty about an indicator's malicious attribution | | **Feed Fidelity** | Historical accuracy rate of a feed measured by true positive rate in production detections | ## Tools & Systems - **ThreatConnect TC Exchange**: Aggregates 100+ commercial and OSINT feeds; provides automated playbooks for IOC enrichment - **MISP (Malware Information Sharing Platform)**: Open-source TIP supporting STIX/TAXII; widely used by ISACs and government CERTs - **OpenCTI**: Open-source platform with native MITRE ATT&CK integration and graph-based relationship visualization - **Recorded Future**: Commercial feed with AI-powered risk scoring and real-time dark web monitoring - **taxii2-client**: Python library for TAXII 2.0/2.1 client operations (pip install taxii2-client) - **PyMISP**: Python API for MISP feed management and IOC submission ## Common Pitfalls - **IOC age staleness**: IP addresses and domains rotate frequently; applying 1-year-old IOCs generates false positives. Enforce TTL policies. - **Missing context**: Blocking an IOC without understanding the associated campaign or adversary can disrupt legitimate business traffic (e.g., CDN IPs shared with malicious actors). - **Feed overlap without deduplication**: Ingesting the same IOC from five feeds without deduplication inflates indicator counts and SIEM rule complexity. - **TLP violation**: Redistributing RED-classified intelligence outside authorized boundaries violates sharing agreements and trust relationships. - **Over-blocking on low-confidence indicators**: Indicators with confidence below 50 should trigger detection-only rules, not blocking, to avoid operational disruption.
Related in Ads & Marketing
ads
IncludedMulti-platform paid advertising audit and optimization skill. Analyzes Google, Meta, YouTube, LinkedIn, TikTok, Microsoft, and Apple Ads. 250+ checks with scoring, parallel agents, industry templates, and AI creative generation.
banana
IncludedAI image generation Creative Director powered by Google Gemini Nano Banana models. Use this skill for ANY request involving image creation, editing, visual asset production, or creative direction. Triggers on: generate an image, create a photo, edit this picture, design a logo, make a banner, visual for my anything, and all /banana commands. Handles text-to-image, image editing, multi-turn creative sessions, batch workflows, and brand presets.
rpg-migration-analyzer
IncludedAnalyzes legacy RPG (Report Program Generator) programs from AS/400 and IBM i systems for migration to modern Java applications. Extracts business logic from RPG III/IV/ILE source code, identifies data structures (D-specs), file operations (F-specs), program dependencies (CALLB/CALLP), and converts RPG constructs to Java equivalents. Generates migration reports, complexity estimates, and Java implementation strategies with POJO classes, JPA entities, and service methods. Use when modernizing AS/400 or IBM i legacy systems, analyzing RPG source files (.rpg, .rpgle, .RPGLE), converting RPG to Java, mapping data specifications to Java classes, planning legacy system migration, or when user mentions RPG analysis, Report Program Generator, RPG III/IV/ILE, AS/400 modernization, IBM i migration, packed decimal conversion, or mainframe application rewrite.
brand-library-architect
IncludedBuild a complete brand library for a product — visual asset render pipeline, brand documentation set (BRAND, COPY, MANIFESTO, BIOS, FAQ, GLOSSARY, TONE, PRICING), open-source convention files (README, CONTRIBUTING, SECURITY, CODE_OF_CONDUCT), and a self-contained press kit. This skill should be used when the user asks to "build a brand library / brand kit / press kit / brand assets" for a product, "set up a brand library workflow," "create a positioning manifesto plus visual identity," or any combination of brand documentation + visual asset pipeline. Apply phase-by-phase or run end-to-end. Templates are product-agnostic and use {{TOKEN}} placeholders the skill prompts the user to fill.
writing-tech-post
IncludedAuthors engineering blog posts end-to-end: launch deep-dives, incident postmortems, architecture migrations, performance case studies, tutorials, AI/agent system writeups, security disclosures, and research-to-product translations. Picks the correct archetype, plans the abstraction ladder, enforces an evidence cadence (diagrams, benchmarks, profiles, traces, code, ablations), tunes voice against publisher house styles (Datadog, Vercel, GitHub, AWS, Meta, Cloudflare, Jane Street), and runs a pre-publish gate for narrative momentum and disclosure ethics. Use when drafting a new engineering post, restructuring a draft that feels flat, deciding which evidence form belongs where, validating that depth and product context are balanced, or preparing a postmortem, migration, or performance narrative for external publication. Do not use for API reference documentation, README authoring, marketing copy, release notes, generic SEO content, ghost-written executive thought leadership, or non-engineering long-form essays.
blog-google
IncludedGoogle API integration for blog performance: PageSpeed Insights, CrUX Core Web Vitals with 25-week history, Search Console performance, URL Inspection, Indexing API, GA4 organic traffic, NLP entity analysis for E-E-A-T, YouTube video search for embedding, and Google Ads Keyword Planner. Progressive feature availability based on credential tier (API key, OAuth/service account, GA4, Ads). Shares config with claude-seo at ~/.config/claude-seo/google-api.json. Use when user says "google data", "page speed", "core web vitals", "search console", "indexation", "GA4", "keyword research", "nlp entities", "blog performance", "youtube search", "google api setup".