Analyzing Indicators of Compromise
Analyzes indicators of compromise (IOCs) including IP addresses, domains, file hashes, URLs, and email artifacts
What Is This Skill?
The "Analyzing Indicators of Compromise" skill provides a structured way to assess and enrich indicators of compromise (IOCs) such as IP addresses, domain names, file hashes, URLs, and email artifacts. It leverages multiple threat intelligence sources to determine the potential maliciousness of these artifacts, attribute them to known threat campaigns, and prioritize them for blocking or monitoring. This skill is designed for integration into SOC (Security Operations Center) workflows, automated IOC enrichment pipelines, and incident response playbooks.
The skill activates when users need to triage IOCs sourced from phishing emails, security alerts, or threat intelligence feeds. It automatically queries open-source and commercial intelligence platforms like VirusTotal, AbuseIPDB, MalwareBazaar, and MISP to aggregate multi-source context for each IOC. The results support decisions such as whether to block, monitor, or whitelist a given IOC, and provide a confidence score to guide prioritization.
Why Use This Skill?
IOC analysis is a critical function within threat intelligence and incident response. Raw IOCs, without context, can result in false positives, operational disruptions, or missed threats. This skill helps organizations:
- Accelerate response: Quickly triage large volumes of IOCs from security alerts or feeds.
- Improve accuracy: Aggregate intelligence from multiple sources to reduce false positives and improve detection fidelity.
- Support decision-making: Provide actionable enrichment such as maliciousness scores, campaign associations, and recommended actions (block, monitor, or whitelist).
- Streamline operations: Automate enrichment steps, freeing up analyst time for more complex investigations.
The skill aligns with industry frameworks such as NIST CSF (ID.RA-01, ID.RA-05, DE.CM-01, DE.AE-02) and supports integration with STIX/TAXII, enabling consistent handling of IOCs in modern security architectures.
How to Use It
To use the "Analyzing Indicators of Compromise" skill, you must have API access to relevant threat intelligence sources. The following workflow describes typical usage:
- Collect IOCs: Gather artifacts (IPs, domains, hashes, URLs, emails) from alerts, logs, or external feeds.
- Submit IOCs for Enrichment: Invoke the skill with the collected IOCs. The skill queries sources such as VirusTotal (for AV verdicts and behavioral analysis), AbuseIPDB (for IP reputation), MalwareBazaar (for malware sample metadata), and MISP (for community threat intelligence).
- Aggregate Intelligence: The skill consolidates responses, extracting key properties like detection counts, threat labels, historical sightings, and campaign associations.
- Score and Prioritize: Each IOC receives a confidence score and a verdict (malicious, suspicious, or benign) derived from the aggregated data and pre-defined thresholds. An IOC that no source has ever seen should be treated as unknown rather than benign; absence of intelligence is not evidence of safety.
- Decision Support: The enriched output guides blocking, monitoring, or whitelisting decisions. Results may be exported in STIX format or integrated into SIEM/SOAR platforms.
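The five steps above, worked end to end in Python. This is an added example, not the skill's own code: it refangs and classifies raw IOCs, reduces per-source answers to a signal in [0, 1], combines them with weights and thresholds, and turns the result into a block/monitor/allow recommendation that refuses to auto-block shared infrastructure. The enrichment responses are constructed test data whose field names are modelled on the VirusTotal, AbuseIPDB, MalwareBazaar and MISP APIs; the source weights, thresholds and the set of "shared" usage types are assumptions to tune for your environment.

```python
"""Added example (not the skill's code): normalise, aggregate and score IOCs offline.
All enrichment responses below are constructed; weights and thresholds are assumptions."""
import ipaddress
import re
from dataclasses import dataclass, field


# --- Step 1: collect. Reports defang IOCs (hxxp://, [.]); undo that before classifying.
def refang(ioc: str) -> str:
    s = ioc.strip()
    s = re.sub(r'\[\.\]|\(\.\)|\{\.\}', '.', s)
    s = re.sub(r'^hxxp', 'http', s, flags=re.I)
    return s.replace('[@]', '@').replace('[:]', ':')


HASH_KINDS = {32: 'md5', 40: 'sha1', 64: 'sha256'}


def classify(ioc: str) -> str:
    """Return the IOC type so the right sources get queried."""
    s = refang(ioc)
    if len(s) in HASH_KINDS and re.fullmatch(r'[0-9a-fA-F]+', s):
        return HASH_KINDS[len(s)]
    if re.match(r'https?://', s, re.I):
        return 'url'
    try:
        ipaddress.ip_address(s)
        return 'ip'
    except ValueError:
        pass
    if re.fullmatch(r'[^@\s]+@[^@\s]+\.[a-z]{2,}', s, re.I):
        return 'email'
    if re.fullmatch(r'([a-z0-9-]{1,63}\.)+[a-z]{2,63}', s, re.I):
        return 'domain'
    return 'unknown'


# --- Steps 2-3: reduce each source's answer to one signal in [0, 1] plus labels.
@dataclass
class Enrichment:
    ioc: str
    kind: str
    signals: dict = field(default_factory=dict)  # source name -> score in [0, 1]
    labels: set = field(default_factory=set)     # malware families, campaigns, event names
    shared_infra: bool = False                   # CDN / cloud host: never auto-block


SOURCE_WEIGHTS = {'virustotal': 1.0, 'abuseipdb': 0.8, 'misp': 1.2, 'malwarebazaar': 1.0}
SHARED_USAGE_TYPES = {'Content Delivery Network'}       # assumed AbuseIPDB usageType value
THRESHOLDS = (('malicious', 0.7), ('suspicious', 0.3))  # assumed; tune per environment


def aggregate(ioc, vt=None, abuseipdb=None, misp=None, malwarebazaar=None) -> Enrichment:
    e = Enrichment(ioc=refang(ioc), kind=classify(ioc))
    if vt:
        stats = vt['last_analysis_stats']
        total = sum(stats.values()) or 1
        e.signals['virustotal'] = (stats.get('malicious', 0) + 0.5 * stats.get('suspicious', 0)) / total
        e.labels.update(vt.get('tags', []))
    if abuseipdb:
        e.signals['abuseipdb'] = abuseipdb['abuseConfidenceScore'] / 100
        e.shared_infra = abuseipdb.get('usageType') in SHARED_USAGE_TYPES
    if misp is not None:
        # A sighting in a MISP event is strong evidence unless the community flagged it.
        hits = [ev for ev in misp if 'false-positive' not in ev.get('tags', [])]
        e.signals['misp'] = 1.0 if hits else 0.0
        e.labels.update(ev['info'] for ev in hits)
    if malwarebazaar:
        e.signals['malwarebazaar'] = 1.0  # the hash is a catalogued malware sample
        e.labels.add(malwarebazaar['signature'])
    return e


# --- Steps 4-5: weighted score, verdict and recommended action.
def score(e: Enrichment):
    if not e.signals:
        return None  # no intelligence at all is not the same as benign
    w = sum(SOURCE_WEIGHTS[s] for s in e.signals)
    return sum(SOURCE_WEIGHTS[s] * v for s, v in e.signals.items()) / w


def verdict(e: Enrichment):
    s = score(e)
    if s is None:
        return 'unknown', 'monitor'
    level = next((name for name, t in THRESHOLDS if s >= t), 'benign')
    if level == 'malicious':
        action = 'review' if e.shared_infra else 'block'  # shared infra needs a human
    elif level == 'suspicious':
        action = 'monitor'
    else:
        # One source saying "clean" is weak evidence; allow only with corroboration.
        action = 'allow' if len(e.signals) >= 2 else 'monitor'
    return level, action


def run_examples():
    """Five constructed IOCs; returns (ioc, kind, score, level, action, labels) per IOC."""
    cases = [
        aggregate('44d88612fea8a8f36de82e1278abb02f',  # EICAR MD5
                  vt={'last_analysis_stats': {'malicious': 60, 'suspicious': 0, 'harmless': 0, 'undetected': 10}},
                  malwarebazaar={'signature': 'EICAR-Test-File'}),
        aggregate('203.0.113.45',  # documentation range, constructed as a CDN edge
                  vt={'last_analysis_stats': {'malicious': 40, 'harmless': 10, 'undetected': 20}},
                  abuseipdb={'abuseConfidenceScore': 100, 'usageType': 'Content Delivery Network'},
                  misp=[{'info': 'Constructed phishing campaign event', 'tags': []}]),
        aggregate('198.51.100.7',
                  vt={'last_analysis_stats': {'malicious': 0, 'harmless': 60, 'undetected': 20}},
                  abuseipdb={'abuseConfidenceScore': 0, 'usageType': 'Data Center/Web Hosting/Transit'}),
        aggregate('hxxps://login[.]example/verify', misp=[{'info': 'Old event', 'tags': ['false-positive']}]),
        aggregate('updates[.]example'),  # never seen by any source
    ]
    return [(e.ioc, e.kind, None if score(e) is None else round(score(e), 3), *verdict(e), sorted(e.labels))
            for e in cases]


if __name__ == '__main__':
    for row in run_examples():
        print(row)
```

The interesting rows are the last three: the CDN address scores as malicious but is routed to review instead of block, the URL with only a MISP false-positive record comes out benign but stays on monitor because no second source corroborates it, and the domain nobody has seen gets an unknown verdict rather than a clean bill of health.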
Example:
Enriching a File Hash with VirusTotal
Here’s a simple Python example using the VirusTotal API to enrich a file hash:
import os
import sys

import requests

# Read the key from the environment rather than hard-coding it in source.
API_KEY = os.environ.get('VIRUSTOTAL_API_KEY')
if not API_KEY:
    sys.exit('Set VIRUSTOTAL_API_KEY in the environment')

file_hash = '44d88612fea8a8f36de82e1278abb02f'  # MD5 of the EICAR test file
headers = {'x-apikey': API_KEY}

response = requests.get(
    f'https://www.virustotal.com/api/v3/files/{file_hash}',
    headers=headers,
    timeout=15,
)

if response.status_code == 200:
    data = response.json()
    stats = data['data']['attributes']['last_analysis_stats']
    print(f"Malicious: {stats['malicious']}, Suspicious: {stats['suspicious']}, "
          f"Harmless: {stats['harmless']}, Undetected: {stats['undetected']}")
elif response.status_code == 404:
    # VirusTotal has never seen this hash; that is not evidence the file is benign.
    print('Hash not found in VirusTotal')
else:
    print('Error fetching data:', response.status_code)

This code retrieves the detection statistics for a given file hash, which can be used to inform your block/allow decisions as part of the skill's workflow. A 404 means VirusTotal has no record of the hash at all, which is common for targeted or freshly compiled samples, so treat it as "unknown" rather than "clean".
When to Use It
Use the "Analyzing Indicators of Compromise" skill in scenarios such as:
- Triage after phishing incidents: When you receive IOCs extracted from suspicious emails and need to rapidly assess risk.
- Processing threat intelligence feeds: When ingesting bulk IOCs from commercial or open-source feeds and need to prioritize which to add to blocklists.
- Incident investigations: When an ongoing event reveals new IOCs (IPs, domains, hashes) and you require external context to understand their threat level and possible attribution.
- SOC automation: When integrating IOC enrichment into SIEM/SOAR workflows for automated response.
Avoid using this skill in isolation for critical blocking decisions, especially for IOCs associated with widely used infrastructure (e.g., cloud platforms, CDNs), as false positives can cause significant disruption.
Important Notes
- API access required: To fully leverage this skill, you need appropriate API keys for sources like VirusTotal, AbuseIPDB, MalwareBazaar, and MISP.
- Analyst oversight recommended: While the skill provides high-confidence enrichment, human validation is essential for high-impact decisions, as attackers frequently use shared infrastructure.
- Data privacy: Take care when submitting potentially sensitive IOCs to third-party services. Looking up a hash reveals only the hash, but uploading the file itself (for example to obtain a VirusTotal verdict on an unknown sample) shares its contents with the platform and its other customers; do not upload internal documents, proprietary binaries, or anything containing credentials.
- Integration: The skill is designed for use within automation pipelines and can output data in standardized formats for interoperability.
- Continuous improvement: Regularly update thresholds and source integrations to reflect evolving threat landscapes and reduce false positives.
By systematically enriching and analyzing IOCs, this skill enhances your organization’s ability to detect, prioritize, and respond to cyber threats in a timely and accurate manner.