
ioc-hunter

Threat-intel IOC workflow — feed curation (MISP/OpenCTI/vendor/ENISA/CISA), deduplication, confidence scoring (TLP, source reputation, age, sightings), enrichment pipeline to SIEM/EDR, retro-hunt over an N-day window, and lifecycle (expiry + retirement).
roodlicht/accans-sec-skills · ★ 4 · Data & Documents · score 65
Install: claude install-skill roodlicht/accans-sec-skills
# IOC Hunter

> **Source discipline and TLP respect**: IOCs come with a share policy (TLP-RED/AMBER/GREEN/CLEAR). Forwarding to parties the feed contract does not allow is a breach of trust and, in some contracts, of license. Sharing where permitted (intra-industry ISAC, CSIRT-NL, sector PAC) is a net-positive habit.

## When to use

IOCs (Indicators of Compromise) are the tactical layer of threat intel: hashes, IPs, domains, URLs, mutexes, certificate fingerprints, JA3/JA4 strings. This skill helps manage feeds, dedup and confidence-score them, plug them into SIEM/EDR, and retro-hunt.

Triggers on:

- A question like "add this IOC feed to our stack", "is this hash known", "retro-hunt the last 30 days against these IOCs", "how do we score IOC confidence", "set up a MISP instance".
- A handoff from `detection-engineer` (rule needs IOC input), `log-triage` or the `threat-hunt` command (enrichment of findings), `malware-triage` (extracted IOCs to be integrated).
- A new APT-campaign publication whose IOCs need processing.
- A periodic (quarterly) feed-hygiene review: which feeds deliver value, which do not.

### When NOT (handoff)

- Writing a detection rule that consumes the IOC → `detection-engineer`. This skill provides the IOC input.
- Triage of the alert that fires from an IOC match → `log-triage`.
- A threat-hunt session itself → the `threat-hunt` command.
- Malware-sample analysis that produces IOCs → `malware-triage`.
- Forensic confirmation of IOC impact → `forensics-as
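As an added example (not code from the accans-sec-skills project), here is a minimal Python version of the dedup, confidence-scoring and expiry steps the skill description names: entries with the same normalised value are merged, the most restrictive TLP label is kept, and confidence is derived from source reputation, age and sightings. The feed entries, source-reputation weights, scoring weights and 90-day expiry window are constructed assumptions, not the skill's own values.

```python
from datetime import datetime

# Constructed sample feed entries, not real indicators: one domain reported by
# two feeds (with different casing) and one stale IP reported by a single feed.
NOW = datetime(2024, 6, 1)
FEEDS = [
    {"value": "Evil-Example.test", "type": "domain", "source": "misp-sharing",
     "tlp": "amber", "last_seen": "2024-05-28", "sightings": 3},
    {"value": "evil-example.test", "type": "domain", "source": "vendor-a",
     "tlp": "green", "last_seen": "2024-05-20", "sightings": 1},
    {"value": "198.51.100.7", "type": "ip", "source": "vendor-a",
     "tlp": "clear", "last_seen": "2024-01-10", "sightings": 0},
]
SOURCE_REPUTATION = {"misp-sharing": 0.9, "vendor-a": 0.7}  # assumed local tuning
TLP_RANK = {"clear": 0, "green": 1, "amber": 2, "red": 3}  # higher = more restrictive
MAX_AGE_DAYS = 90  # assumed expiry window: older IOCs are retired, not pushed

def dedup(entries):
    """Merge entries that describe the same (type, normalised value)."""
    merged = {}
    for e in entries:
        key = (e["type"], e["value"].strip().lower())
        m = merged.setdefault(key, {"value": key[1], "type": key[0], "sources": set(),
                                    "tlp": "clear", "last_seen": e["last_seen"],
                                    "sightings": 0})
        m["sources"].add(e["source"])
        m["sightings"] += e["sightings"]
        # Keep the most restrictive share policy and the freshest observation.
        if TLP_RANK[e["tlp"]] > TLP_RANK[m["tlp"]]:
            m["tlp"] = e["tlp"]
        if e["last_seen"] > m["last_seen"]:  # ISO dates compare lexicographically
            m["last_seen"] = e["last_seen"]
    return list(merged.values())

def score(ioc, now=NOW):
    """Confidence from best source reputation, freshness and sightings, plus lifecycle."""
    age_days = (now - datetime.fromisoformat(ioc["last_seen"])).days
    reputation = max(SOURCE_REPUTATION.get(s, 0.5) for s in ioc["sources"])
    freshness = max(0.0, 1 - age_days / MAX_AGE_DAYS)
    corroboration = min(ioc["sightings"], 5) / 5  # saturates after five sightings
    ioc["confidence"] = round(0.5 * reputation + 0.3 * freshness + 0.2 * corroboration, 3)
    ioc["status"] = "retired" if age_days > MAX_AGE_DAYS else "active"
    return ioc

def build_watchlist(entries, now=NOW):
    """Deduplicated, scored IOCs; retired ones stay for audit but are not pushed."""
    return [score(i, now) for i in dedup(entries)]
```

Only entries with status `active` would be forwarded to the SIEM/EDR watchlist; the retired ones remain in the store so a later sighting can revive them with a fresh `last_seen`.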