analyzing-indicators-of-compromise

by mukul975

Analyzing-indicators-of-compromise helps triage IOCs such as IPs, domains, URLs, file hashes, and email artifacts. It supports threat-intelligence workflows for enrichment, confidence scoring, and block/monitor/whitelist decisions using source-backed checks and clear analyst context.

Stars0

Favorites0

Comments0

AddedMay 9, 2026

CategoryThreat Intelligence

Install Command

npx skills add mukul975/Anthropic-Cybersecurity-Skills --skill analyzing-indicators-of-compromise

Curation Score

This skill scores 84/100 because it provides a real, task-specific IOC triage workflow with clear triggers, supporting references, and executable helper code. For directory users, that means it is worth installing when they need structured IOC enrichment and blocking-priority guidance, though it still requires external API access and analyst judgment for final decisions.

84/100

Strengths

Very clear triggerability: the frontmatter says it is for phishing, alert triage, threat-feed enrichment, and requests involving VirusTotal, AbuseIPDB, MalwareBazaar, or MISP.
Operationally useful content: the repo includes an API reference with concrete lookup examples plus a Python agent script for IOC classification, defanging/refanging, and enrichment flow support.
Good trust signals: valid frontmatter, no placeholder markers, and explicit caution not to use it alone for high-stakes blocking decisions.

Cautions

It depends on external services and API keys, so users without VirusTotal, AbuseIPDB, or related access may not get full value.
The excerpt shows practical setup material, but not an install command in SKILL.md, so adoption may require extra manual wiring.

Virus Total Abuse Ipdb Misp Stix Phishing Ioc Malware Bazaar

Overview

Overview of analyzing-indicators-of-compromise skill

What this skill does

The analyzing-indicators-of-compromise skill helps you triage IOCs such as IP addresses, domains, URLs, file hashes, and email artifacts so you can judge maliciousness, prioritize blocking, and add threat context. It is especially useful for analyzing-indicators-of-compromise for Threat Intelligence workflows where raw indicators need enrichment before action.

Who should use it

Use this skill if you handle phishing reports, SIEM alerts, external threat feeds, or incident-response notes and need a fast, repeatable enrichment pass. It is a good fit when you want more than a generic prompt: source-backed checks, clearer confidence signals, and a workflow that separates likely malicious items from benign shared infrastructure.

What makes it useful

The skill is built around practical IOC enrichment, not broad cyber advice. Its strongest value is helping you normalize indicator types, query external intelligence sources, and turn noisy inputs into a decision-oriented summary. That makes the analyzing-indicators-of-compromise skill more useful when you need a quick block/monitor/whitelist recommendation with evidence.

How to Use analyzing-indicators-of-compromise skill

Install and verify the skill

Run the analyzing-indicators-of-compromise install command in the target skills environment:
npx skills add mukul975/Anthropic-Cybersecurity-Skills --skill analyzing-indicators-of-compromise

After install, confirm the skill path is present under skills/analyzing-indicators-of-compromise and read SKILL.md first to understand the workflow and required inputs.

Start with the right inputs

The skill works best when you provide:

the IOC list, one per line
IOC type if known
source context such as phishing email, alert, sandbox report, or feed
your decision goal: enrich, score, block, monitor, or whitelist
any constraints, such as internal allowlists or “do not query external APIs” rules

A strong request looks like: “Analyze these IOCs from a phishing email, enrich them with reputation and context, and return a block/monitor recommendation with confidence notes.”

Read these files first

For analyzing-indicators-of-compromise usage, preview SKILL.md, then references/api-reference.md, and scripts/agent.py. The reference file shows which APIs and response fields matter most, while the script reveals how the skill classifies, defangs, and refangs indicators. That combination tells you what input formats are safest and what output the workflow is trying to produce.

Practical workflow tips

Normalize IOCs before sending them in, and keep defanged values for documentation while refanging only when querying tools. Separate confirmed indicators from suspected ones, because mixed-quality lists can blur the final confidence score. If you are enriching shared services like cloud or CDN IPs, ask for a caution flag rather than a hard verdict.

analyzing-indicators-of-compromise skill FAQ

Is this better than a plain prompt?

Usually yes, because the skill encodes the IOC analysis workflow, expected API sources, and decision logic instead of relying on a one-off prompt. That reduces guesswork when you need consistent enrichment and a more defensible recommendation.

Is it beginner-friendly?

Yes, if you can provide a clean IOC list and a clear goal. You do not need deep threat-intelligence expertise to use analyzing-indicators-of-compromise, but you will get better results if you know the source of the indicators and whether they came from an alert, a feed, or a human report.

When should I not use it?

Do not use it as the only basis for high-stakes blocking decisions. The skill is meant to support threat intel triage, not replace analyst review, especially when indicators belong to shared infrastructure or when the evidence is thin.

What ecosystem does it fit best?

It fits teams already using VirusTotal, AbuseIPDB, MalwareBazaar, MISP, or similar IOC enrichment pipelines. If your environment does not allow external lookups, you can still use the analysis structure, but you should expect less complete results.

How to Improve analyzing-indicators-of-compromise skill

Give cleaner IOC context

The biggest quality jump comes from better input hygiene. Group indicators by event, label known source type, and note whether each item is observed, suspected, or extracted from a report. That helps the skill avoid over-penalizing a single noisy artifact and improves the quality of analyzing-indicators-of-compromise usage.

Ask for the decision you actually need

Do not ask only for “analysis”; specify the output you want: maliciousness confidence, campaign linkage, allow/block guidance, or analyst notes. If you want analyzing-indicators-of-compromise for Threat Intelligence, say whether the goal is enrichment for casework, feed hygiene, or a containment decision.

Iterate with missing-evidence checks

If the first result feels uncertain, ask for what evidence is missing rather than rerunning the same query. Useful follow-ups include “show which indicators need cross-source confirmation” or “separate high-confidence detections from reputation-only hits.” This surfaces the real blockers: sparse telemetry, shared hosting, or inconsistent indicator formatting.

Tune for your environment

Improve results by adding your own allowlists, asset context, and internal naming conventions before analysis. Then reuse the same prompt shape across incidents so the skill can compare cases consistently. Over time, that makes analyzing-indicators-of-compromise more reliable than a generic threat-intel prompt because the workflow stays aligned with your organization’s actual response thresholds.

Ratings & Reviews

No ratings yet

Share your review

0/10000

Latest reviews

Saving...

more skill

evaluating-threat-intelligence-platforms

by mukul975

evaluating-threat-intelligence-platforms helps you compare TIP products by feed ingestion, STIX/TAXII support, automation, analyst workflow, integrations, and total cost of ownership. Use this evaluating-threat-intelligence-platforms guide for procurement, migration, or maturity planning, including evaluating-threat-intelligence-platforms for Threat Modeling when platform choice affects traceability and evidence sharing.

Threat Modeling

Favorites 0GitHub 0

detecting-privilege-escalation-attempts

by mukul975

detecting-privilege-escalation-attempts helps hunt privilege escalation on Windows and Linux, including token manipulation, UAC bypass, unquoted service paths, kernel exploits, and sudo/doas abuse. Built for threat hunting teams that need a practical workflow, reference queries, and helper scripts.

Threat Hunting

Favorites 0GitHub 0

detecting-insider-threat-behaviors

by mukul975

detecting-insider-threat-behaviors helps analysts hunt insider-risk signals like unusual data access, off-hours activity, mass downloads, privilege abuse, and resignation-correlated theft. Use this detecting-insider-threat-behaviors guide for threat hunting, UEBA-style triage, and threat modeling with workflow templates, SIEM query examples, and risk weights.

Threat Modeling

Favorites 0GitHub 0

detecting-credential-dumping-techniques

by mukul975

The detecting-credential-dumping-techniques skill helps you detect LSASS access, SAM export, NTDS.dit theft, and comsvcs.dll MiniDump abuse using Sysmon Event ID 10, Windows Security logs, and SIEM correlation rules. It is built for threat hunting, detection engineering, and Security Audit workflows.

Security Audit

Favorites 0GitHub 0

detecting-command-and-control-over-dns

by mukul975

detecting-command-and-control-over-dns is a cybersecurity skill for spotting C2 over DNS, including tunneling, beaconing, DGA domains, and TXT/CNAME abuse. It supports SOC analysts, threat hunters, and security audits with entropy checks, passive DNS correlation, and Zeek or Suricata-style detection workflows.

Security Audit

Favorites 0GitHub 0

correlating-security-events-in-qradar

by mukul975

correlating-security-events-in-qradar helps SOC and detection teams correlate IBM QRadar offenses with AQL, offense context, custom rules, and reference data. Use this guide to investigate incidents, reduce false positives, and build stronger correlation logic for Incident Response.

Incident Response

Favorites 0GitHub 0

auditing-tls-certificate-transparency-logs

by mukul975

The auditing-tls-certificate-transparency-logs skill helps security teams monitor Certificate Transparency logs for owned domains, detect unauthorized certificate issuance, discover certificate-exposed subdomains, and track suspicious CA activity with a repeatable Security Audit workflow.

Security Audit

Favorites 0GitHub 0

analyzing-windows-event-logs-in-splunk

by mukul975

The analyzing-windows-event-logs-in-splunk skill helps SOC analysts investigate Windows Security, System, and Sysmon logs in Splunk for authentication attacks, privilege escalation, persistence, and lateral movement. Use it for incident triage, detection engineering, and timeline analysis with mapped SPL patterns and event ID guidance.

Incident Triage

Favorites 0GitHub 0

analyzing-windows-amcache-artifacts

by mukul975

The analyzing-windows-amcache-artifacts skill parses Windows Amcache.hve data to recover evidence of program execution, installed software, device activity, and driver loading for DFIR and security audit workflows. It uses AmcacheParser and regipy-based guidance to support artifact extraction, SHA-1 correlation, and timeline review.

Security Audit

Favorites 0GitHub 0

analyzing-powershell-empire-artifacts

by mukul975

analyzing-powershell-empire-artifacts skill helps Security Audit teams detect PowerShell Empire artifacts in Windows logs using Script Block Logging, Base64 launcher patterns, stager IOCs, module signatures, and detection references for triage and rule writing.

Security Audit

Favorites 0GitHub 0

analyzing-network-traffic-of-malware

by mukul975

analyzing-network-traffic-of-malware helps inspect PCAPs and telemetry from sandbox runs or incident response to find C2, exfiltration, payload downloads, DNS tunneling, and detection ideas. It is a practical analyzing-network-traffic-of-malware guide for Security Audit and malware triage.

Security Audit

Favorites 0GitHub 0

analyzing-cyber-kill-chain

by mukul975

analyzing-cyber-kill-chain helps map intrusion activity to the Lockheed Martin Cyber Kill Chain to show what happened, where defenses held or failed, and which controls could have stopped the attack earlier. It is useful for incident response, detection-gap analysis, and analyzing-cyber-kill-chain for Threat Intelligence.

Threat Intelligence

Favorites 0GitHub 0

collecting-indicators-of-compromise

by mukul975

collecting-indicators-of-compromise skill for extracting, enriching, scoring, and exporting IOCs from incident evidence. Use it for Security Audit workflows, threat intel sharing, and STIX 2.1 output when you need a practical collecting-indicators-of-compromise guide instead of a generic incident-response prompt.

Security Audit

Favorites 0GitHub 0

detecting-business-email-compromise

by mukul975

The detecting-business-email-compromise skill helps analysts, SOC teams, and incident responders identify BEC attempts using email-header checks, social-engineering clues, detection logic, and response-oriented workflows. Use it as a practical detecting-business-email-compromise guide for triage, validation, and containment.

Incident Response

Favorites 0GitHub 6.1k

analyzing-command-and-control-communication

by mukul975

analyzing-command-and-control-communication helps analyze malware C2 traffic to identify beaconing, decode commands, map infrastructure, and support Security Audit, threat hunting, and malware triage with PCAP-based evidence and practical workflow guidance.

Security Audit

Favorites 0GitHub 0

building-incident-timeline-with-timesketch

by mukul975

building-incident-timeline-with-timesketch helps DFIR teams build collaborative incident timelines in Timesketch by ingesting Plaso, CSV, or JSONL evidence, normalizing timestamps, correlating events, and documenting attack chains for incident triage and reporting.

Incident Triage

Favorites 0GitHub 6.1k