analyzing-indicators-of-compromise

# Analyzing Indicators of Compromise ## When to Use Use this skill when: - A phishing email or alert generates IOCs (URLs, IP addresses, file hashes) requiring rapid triage - Automated feeds deliver bulk IOCs that need confidence scoring before ingestion into blocking controls - An incident investigation requires contextual enrichment of observed network artifacts **Do not use** this skill in isolation for high-stakes blocking decisions — always combine automated enrichment with analyst judgment, especially for shared infrastructure (CDNs, cloud providers). ## Prerequisites - VirusTotal API key (free or Enterprise) for multi-AV and sandbox lookup - AbuseIPDB API key for IP reputation checks - MISP instance or TIP for cross-referencing against known campaigns - Python with `requests` and `vt-py` libraries, or SOAR platform with pre-built connectors ## Workflow ### Step 1: Normalize and Classify IOC Types Before enriching, classify each IOC: - **IPv4/IPv6 address**: Check if RFC 1918 private (skip external enrichment), validate format - **Domain/FQDN**: Defang for safe handling (`evil[.]com`), extract registered domain via tldextract - **URL**: Extract domain + path separately; check for redirectors - **File hash**: Identify hash type (MD5/SHA-1/SHA-256); prefer SHA-256 for uniqueness - **Email address**: Split into domain (check MX/DMARC) and local part for pattern analysis Defang IOCs in documentation (replace `.` with `[.]` and `://` with `[://]`) to prevent acciden...