automating-ioc-enrichment

Featured

Automates the enrichment of raw indicators of compromise with multi-source threat intelligence context using SOAR platforms, Python pipelines, or TIP playbooks to reduce analyst triage time and standardize enrichment outputs. Use when building automated enrichment workflows integrated with SIEM alerts, email submission pipelines, or bulk IOC processing from threat feeds. Activates for requests involving SOAR enrichment, Cortex XSOAR, Splunk SOAR, TheHive, Python enrichment pipelines, or automated IOC processing.

AI & Automation 12,642 stars 1468 forks Updated today Apache-2.0


Quality Score: 99/100

- Stars (20%): 100
- Recency (20%): 100
- Frontmatter (20%): 70
- Documentation (15%): 100
- Issue Health (10%): 50
- License (10%): 100
- Description (5%): 100

Skill Content

# Automating IOC Enrichment

## When to Use

Use this skill when:

- Building a SOAR playbook that automatically enriches SIEM alerts with threat intelligence context before routing them to analysts
- Creating a Python pipeline for bulk IOC enrichment from phishing email submissions
- Reducing analyst mean time to triage (MTTT) by pre-populating alert context with VT, Shodan, and MISP data

**Do not use** this skill for fully automated blocking decisions without human review — enrichment automation should inform decisions, not execute blocks autonomously for high-impact actions.

## Prerequisites

- SOAR platform (Cortex XSOAR, Splunk SOAR, Tines, or n8n) or Python 3.9+ environment
- API keys: VirusTotal, AbuseIPDB, Shodan, and at minimum one TIP (MISP or OpenCTI)
- SIEM integration endpoint for alert consumption
- Rate limit budgets documented per API (VT: 4/min free, 500/min enterprise)

## Workflow

### Step 1: Design Enrichment Pipeline Architecture

Define the enrichment flow for each IOC type:

```
SIEM Alert → Extract IOCs → Classify Type → Route to enrichment functions
  IP Address → AbuseIPDB + Shodan + VirusTotal IP + MISP
  Domain     → VirusTotal Domain + PassiveTotal + Shodan + MISP
  URL        → URLScan.io + VirusTotal URL + Google Safe Browsing
  File Hash  → VirusTotal Files + MalwareBazaar + MISP
→ Aggregate results → Calculate confidence score → Update alert → Notify analyst
```

### Step 2: Implement Python Enrichment Functions

```python
import requests
import time
from datac...
```
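The classify-and-route stage of Step 1, with the result aggregation, as an added Python example (not the skill's own code, whose listing is truncated above). The routing table is the one in the Step 1 diagram; the 0-100 score scale, the plain averaging used as the "confidence score", and the sample verdicts are assumptions made for illustration, not the skill's scoring method or real intelligence.

```python
import re
import ipaddress
from urllib.parse import urlparse

# Routing table from Step 1: which intelligence sources each IOC type is sent to.
ROUTES = {
    "ip":     ("AbuseIPDB", "Shodan", "VirusTotal IP", "MISP"),
    "domain": ("VirusTotal Domain", "PassiveTotal", "Shodan", "MISP"),
    "url":    ("URLScan.io", "VirusTotal URL", "Google Safe Browsing"),
    "hash":   ("VirusTotal Files", "MalwareBazaar", "MISP"),
}
HASH_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$", re.I)  # MD5/SHA-1/SHA-256
DOMAIN_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)

def classify(ioc):
    """Return 'ip', 'domain', 'url' or 'hash' for a raw indicator, or None if unrecognised."""
    ioc = ioc.strip()
    if HASH_RE.match(ioc):
        return "hash"
    try:
        ipaddress.ip_address(ioc)
        return "ip"
    except ValueError:
        pass
    parsed = urlparse(ioc)
    if parsed.scheme in ("http", "https") and parsed.netloc:
        return "url"
    return "domain" if DOMAIN_RE.match(ioc) else None

def enrich(ioc, lookup):
    """Route an IOC to its sources and average their 0-100 malicious scores (assumed scheme).
    lookup(source, ioc) returns None when a source is unavailable (rate limit, timeout);
    those are skipped rather than counted as benign, and the answering-source count is kept."""
    kind = classify(ioc)
    if kind is None:
        return {"ioc": ioc, "type": None, "confidence": None, "sources": 0}
    verdicts = [v for v in (lookup(src, ioc) for src in ROUTES[kind]) if v is not None]
    score = round(sum(verdicts) / len(verdicts)) if verdicts else None
    return {"ioc": ioc, "type": kind, "confidence": score, "sources": len(verdicts)}

SAMPLE = {  # constructed sample verdicts standing in for live API responses (not real intel)
    ("AbuseIPDB", "203.0.113.7"): 90, ("Shodan", "203.0.113.7"): 60,
    ("VirusTotal IP", "203.0.113.7"): None,  # VT free-tier quota (4/min) exhausted
    ("MISP", "203.0.113.7"): 100,
    ("VirusTotal Files", "d41d8cd98f00b204e9800998ecf8427e"): 0,
    ("MalwareBazaar", "d41d8cd98f00b204e9800998ecf8427e"): 0,
}

def sample_lookup(source, ioc):
    return SAMPLE.get((source, ioc))
```

The `sources` count travels with the score so an analyst can tell an 83 backed by three sources from one backed by a single answering source.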

Details

- Author: mukul975
- Repository: mukul975/Anthropic-Cybersecurity-Skills
- Created: 3 months ago
- Last Updated: today
- Language: Python
- License: Apache-2.0

Similar Skills

Semantically similar based on skill content — not just same category

AI & Automation Featured

performing-ioc-enrichment-automation

Automates Indicator of Compromise (IOC) enrichment by orchestrating lookups across VirusTotal, AbuseIPDB, Shodan, MISP, and other intelligence sources to provide contextual scoring and disposition recommendations. Use when SOC analysts need rapid multi-source enrichment of IPs, domains, URLs, and file hashes during alert triage or incident investigation.

12,642 Updated today
mukul975
AI & Automation Featured

analyzing-indicators-of-compromise

Analyzes indicators of compromise (IOCs) including IP addresses, domains, file hashes, URLs, and email artifacts to determine maliciousness confidence, campaign attribution, and blocking priority. Use when triaging IOCs from phishing emails, security alerts, or external threat feeds; enriching raw IOCs with multi-source intelligence; or making block/monitor/whitelist decisions. Activates for requests involving VirusTotal, AbuseIPDB, MalwareBazaar, MISP, or IOC enrichment pipelines.

12,642 Updated today
mukul975
AI & Automation Featured

building-ioc-enrichment-pipeline-with-opencti

OpenCTI is an open-source platform for managing cyber threat intelligence knowledge, built on STIX 2.1 as its native data model. This skill covers building an automated IOC enrichment pipeline using O

12,642 Updated today
mukul975
AI & Automation Featured

implementing-soar-automation-with-phantom

Implements Security Orchestration, Automation, and Response (SOAR) workflows using Splunk SOAR (formerly Phantom) to automate alert triage, IOC enrichment, containment actions, and incident response playbooks. Use when SOC teams need to reduce manual analyst work, standardize response procedures, or integrate multiple security tools into automated workflows.

12,642 Updated today
mukul975
Data & Documents Solid

threat-hunting--ioc-analysis

IOC extraction, threat intelligence correlation, MITRE ATT&CK mapping, hunt hypothesis generation, and detection rule creation

47 Updated today
Masriyan