building-ioc-defanging-and-sharing-pipeline

# Building IOC Defanging and Sharing Pipeline ## Overview IOC defanging modifies potentially malicious indicators (URLs, IP addresses, domains, email addresses) to prevent accidental clicks or execution while preserving readability for analysis and sharing. This skill covers building an automated pipeline that ingests raw IOCs from multiple sources, normalizes and deduplicates them, applies defanging for safe human consumption, converts them to STIX 2.1 format for machine consumption, and distributes through TAXII servers, MISP instances, and email reports. ## When to Use - When deploying or configuring building ioc defanging and sharing pipeline capabilities in your environment - When establishing security controls aligned to compliance requirements - When building or improving security architecture for this domain - When conducting security assessments that require this implementation ## Prerequisites - Python 3.9+ with `defang`, `ioc-fanger`, `stix2`, `requests`, `validators` libraries - MISP instance or TAXII server for automated sharing - Understanding of IOC types: IPv4/IPv6, domains, URLs, email addresses, file hashes - Familiarity with STIX 2.1 Indicator patterns and TLP marking definitions - Access to threat intelligence feeds for IOC ingestion ## Key Concepts ### IOC Defanging Standards Defanging replaces active protocol and domain components to prevent execution: `http://` becomes `hxxp://`, `https://` becomes `hxxps://`, dots in domains/IPs become `[.]`,...