threat-hunting--ioc-analysis

# Threat Hunting & IOC Analysis ## Purpose Enable Claude to assist threat hunters with proactive threat detection, IOC extraction and normalization, MITRE ATT&CK mapping, hunt hypothesis generation, and converting threat intelligence into actionable detection rules across all major SIEM platforms. --- ## Activation Triggers This skill activates when the user asks about: - Extracting IOCs from threat reports, emails, or security advisories - Mapping behaviors or TTPs to MITRE ATT&CK framework - Generating hunt hypotheses for a specific threat actor or technique - Creating Sigma rules, Splunk SPL queries, KQL, or EQL - Converting threat intelligence into SIEM detection queries - STIX/TAXII or MISP-compatible indicator formatting - ATT&CK Navigator layer creation - Threat intelligence correlation across multiple sources - Proactive threat hunting in a SIEM or EDR --- ## Prerequisites ```bash pip install requests pyyaml stix2 taxii2-client ``` **Optional platforms:** - MISP — Threat intelligence sharing platform - OpenCTI — Threat intelligence platform - YARA — Pattern matching (→ Skill 05) - Sigma CLI — Rule conversion tool - SIEM access (Splunk, Elastic, QRadar, Microsoft Sentinel) --- ## Core Capabilities ### 1. IOC Extraction & Normalization **When the user provides a threat report, article, email, or log snippet:** Claude performs these extraction steps: 1. **Parse all text** for indicators using pattern matching: | IOC Type | Pattern Examples | |----------|-...