performing-ioc-enrichment-automation

Featured

Automates Indicator of Compromise (IOC) enrichment by orchestrating lookups across VirusTotal, AbuseIPDB, Shodan, MISP, and other intelligence sources to provide contextual scoring and disposition recommendations. Use when SOC analysts need rapid multi-source enrichment of IPs, domains, URLs, and file hashes during alert triage or incident investigation.

AI & Automation 12,642 stars 1468 forks Updated today Apache-2.0


Quality Score: 99/100 (weighted components, score out of 100 each)

Stars (20%): 100
Recency (20%): 100
Frontmatter (20%): 70
Documentation (15%): 100
Issue Health (10%): 50
License (10%): 100
Description (5%): 100

Skill Content

# Performing IOC Enrichment Automation

## When to Use

Use this skill when:

- SOC analysts need to quickly enrich IOCs from multiple sources during alert triage
- High alert volumes require automated enrichment to reduce manual lookup time
- Incident investigations need comprehensive IOC context for scope assessment
- SOAR playbooks require enrichment actions as part of automated triage workflows

**Do not use** for bulk blocking decisions without analyst review — enrichment provides context, not definitive malicious/benign determination.

## Prerequisites

- API keys: VirusTotal (free or premium), AbuseIPDB, Shodan, URLScan.io, GreyNoise
- Python 3.8+ with `requests`, `vt-py`, `shodan` libraries
- MISP instance or TIP for cross-referencing organizational intelligence
- SOAR platform (optional) for workflow integration
- Rate limit awareness: VT free (4 req/min), AbuseIPDB (1000/day), Shodan (1 req/sec)

## Workflow

### Step 1: Build Unified Enrichment Engine

Create a multi-source enrichment pipeline:

```python
import requests
import vt
import shodan
import time
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class EnrichmentResult:
    ioc_value: str
    ioc_type: str
    virustotal: dict = field(default_factory=dict)
    abuseipdb: dict = field(default_factory=dict)
    shodan_data: dict = field(default_factory=dict)
    greynoise: dict = field(default_factory=dict)
    urlscan: dict = field(default_factory=dict)
    misp_matches: list =...
```

Details

Author
mukul975
Repository
mukul975/Anthropic-Cybersecurity-Skills
Created
3 months ago
Last Updated
today
Language
Python
License
Apache-2.0

Similar Skills

Semantically similar based on skill content — not just same category

AI & Automation Featured

automating-ioc-enrichment

Automates the enrichment of raw indicators of compromise with multi-source threat intelligence context using SOAR platforms, Python pipelines, or TIP playbooks to reduce analyst triage time and standardize enrichment outputs. Use when building automated enrichment workflows integrated with SIEM alerts, email submission pipelines, or bulk IOC processing from threat feeds. Activates for requests involving SOAR enrichment, Cortex XSOAR, Splunk SOAR, TheHive, Python enrichment pipelines, or automated IOC processing.

12,642 Updated today
mukul975
AI & Automation Featured

analyzing-indicators-of-compromise

Analyzes indicators of compromise (IOCs) including IP addresses, domains, file hashes, URLs, and email artifacts to determine maliciousness confidence, campaign attribution, and blocking priority. Use when triaging IOCs from phishing emails, security alerts, or external threat feeds; enriching raw IOCs with multi-source intelligence; or making block/monitor/whitelist decisions. Activates for requests involving VirusTotal, AbuseIPDB, MalwareBazaar, MISP, or IOC enrichment pipelines.

12,642 Updated today
mukul975
AI & Automation Featured

building-ioc-enrichment-pipeline-with-opencti

OpenCTI is an open-source platform for managing cyber threat intelligence knowledge, built on STIX 2.1 as its native data model. This skill covers building an automated IOC enrichment pipeline using O

12,642 Updated today
mukul975
Data & Documents Solid

ioc

IOC extraction, enrichment, and threat intelligence correlation

183 Updated 1 month ago
majiayu000
Data & Documents Listed

ioc

IOC extraction, enrichment, and threat intelligence correlation

3 Updated 1 month ago
majiayu000