collecting-indicators-of-compromise

Solid

Systematically collects, categorizes, and distributes indicators of compromise (IOCs) during and after security incidents to enable detection, blocking, and threat intelligence sharing. Covers network, host, email, and behavioral indicators using STIX/TAXII formats and threat intelligence platforms. Activates for requests involving IOC collection, indicator extraction, threat indicator sharing, compromise indicators, STIX export, or IOC enrichment.

AI & Automation 39 stars 5 forks Updated 5 days ago MIT

Install

View on GitHub

Quality Score: 89/100

Stars 20%

Recency 20%

100

Frontmatter 20%

Documentation 15%

100

Issue Health 10%

License 10%

100

Description 5%

100

Skill Content

# Collecting Indicators of Compromise ## When to Use - During active incident response to identify and block adversary infrastructure - Post-incident to document all observed adversary artifacts for future detection - When sharing threat intelligence with ISACs, sector partners, or law enforcement - When building detection rules in SIEM, EDR, or network security tools - When enriching IOCs with threat intelligence context for risk scoring **Do not use** for behavioral TTP analysis without accompanying technical indicators; use MITRE ATT&CK mapping for behavioral characterization. ## Prerequisites - Access to incident evidence sources: SIEM logs, EDR telemetry, memory dumps, disk images, network captures - Threat intelligence platform (MISP, OpenCTI, ThreatConnect) for IOC management and sharing - IOC enrichment tools: VirusTotal, OTX (AlienVault Open Threat Exchange), Shodan, DomainTools - STIX 2.1 knowledge for structured IOC representation - Sharing agreements with relevant ISACs (FS-ISAC, H-ISAC, IT-ISAC) or sector partners ## Workflow ### Step 1: Identify IOC Categories Collect indicators across all categories from incident evidence: **Network Indicators:** - IP addresses (C2 servers, staging servers, exfiltration destinations) - Domain names (C2 domains, phishing domains, DGA domains) - URLs (malware download, C2 check-in, exfiltration endpoints) - JA3/JA3S hashes (TLS client/server fingerprints) - User-Agent strings (custom or unusual HTTP headers) - DNS query ...

Details

Author: adriannoes
Repository: adriannoes/awesome-vibe-coding
Created: 8 months ago
Last Updated: 5 days ago
Language: Jupyter Notebook
License: MIT

Related Skills

AI & Automation Featured

videodb

See, Understand, Act on video and audio. See- ingest from local files, URLs, RTSP/live feeds, or live record desktop; return realtime context and playable stream links. Understand- extract frames, build visual/semantic/temporal indexes, and search moments with timestamps and auto-clips. Act- transcode and normalize (codec, fps, resolution, aspect ratio), perform timeline edits (subtitles, text/image overlays, branding, audio overlays, dubbing, translation), generate media assets (image, audio, video), and create real time alerts for events from live streams or desktop capture.

216,451 Updated today

affaan-m

AI & Automation Featured

ck

Persistent per-project memory for Claude Code. Auto-loads project context on session start, tracks sessions with git activity, and writes to native memory. Commands run deterministic Node.js scripts — behavior is consistent across model versions.

216,451 Updated today

affaan-m

AI & Automation Featured

code-simplifier

Review RTK Rust code for idiomatic simplification. Detects over-engineering, unnecessary allocations, verbose patterns. Applies Rust idioms without changing behavior.

62,788 Updated yesterday

rtk-ai