collecting-threat-intelligence-with-misp
by mukul975
The collecting-threat-intelligence-with-misp skill helps you collect, normalize, search, and export threat intelligence in MISP. Use this guide for feeds, PyMISP workflows, event filtering, warninglist reduction, and practical CTI and threat-modeling work built on MISP data.
This skill scores 84/100, which makes it a solid listing candidate for directory users who want MISP-specific threat-intelligence collection workflows rather than a generic prompt. The repository provides enough operational structure, API examples, and automation scripts for an agent to trigger and execute the skill with relatively little guesswork, though users should still expect some setup overhead around MISP access and Python dependencies.
- Concrete MISP workflow coverage: the skill explicitly covers deployment, threat feeds, PyMISP access, and automated IOC collection pipelines.
- Good agent leverage: references include PyMISP install and search examples, REST curl calls, standards guidance, and workflow diagrams that make execution more direct.
- Executable support files: scripts/agent.py and scripts/process.py indicate real automation beyond documentation, with feed management, export, and warninglist filtering.
- No dependency install command in SKILL.md (PyMISP setup, for example, appears only in the references), so users must infer Python dependency and runtime requirements from the references and scripts.
- Operational detail is uneven in places: the excerpted frontmatter and workflow signals are strong, but the repository still appears to rely on MISP familiarity and configured API access.
Overview of collecting-threat-intelligence-with-misp skill
What this skill does
The collecting-threat-intelligence-with-misp skill helps you gather, normalize, and use threat intelligence in MISP rather than treating MISP as a generic IOC database. It is best for analysts, SOC engineers, and automation builders who need a practical guide to feeds, event search, enrichment, and export.
Best-fit use cases
Use this skill when you need to pull data from community feeds, search events by tag or date, filter noisy indicators, or export intelligence into formats other tools can consume. It is especially relevant for operational CTI workflows and for threat modeling that needs evidence-backed indicators rather than assumptions.
What matters before install
This skill is strongest when you already have a MISP instance or are ready to work with one, plus API access for PyMISP-based workflows. It is less useful if you only want a one-off prompt to summarize a report, or if you do not plan to manage feeds, tags, warninglists, or event lifecycles.
How to Use collecting-threat-intelligence-with-misp skill
Install and confirm the context
Install with npx skills add mukul975/Anthropic-Cybersecurity-Skills --skill collecting-threat-intelligence-with-misp. Then verify your MISP URL, API key, and Python environment before asking for output. Keep the API key in an environment variable or a local config file rather than pasting it into the prompt, since prompt text tends to end up in transcripts and logs. The install path assumes you can reach a live instance or a documented test instance.
Read these files first
Start with SKILL.md, then review references/workflows.md, references/api-reference.md, and references/standards.md. Use assets/template.md if you need a reporting structure, and inspect scripts/process.py and scripts/agent.py if you want to automate collection or export.
How to prompt it well
Give the skill a concrete job, not a vague topic. A strong prompt includes source type, time range, target output, and constraints, for example: “Collect published MISP events from the last 30 days tagged tlp:white, extract IPs, domains, and hashes, filter warninglist noise, and return a CSV-ready summary plus a short analyst note.” Note that instances using the TLP 2.0 taxonomy may tag such events tlp:clear rather than tlp:white, so name both tags if your instance mixes them.
Practical workflow
Use the skill in this order: define the collection goal, choose input sources, confirm filters, decide the output format, then iterate on the first pass. For best results, ask for one of these outputs at a time: feed plan, search query, enrichment summary, export mapping, or report template. Mixing all five in one prompt usually reduces quality.
collecting-threat-intelligence-with-misp skill FAQ
Is this skill only for MISP admins?
No. It is useful for analysts who query and curate intelligence, engineers who automate collection, and threat hunters who need reusable search and export patterns. You do not need to administer MISP to benefit from the collecting-threat-intelligence-with-misp skill.
How is this different from a normal prompt?
A normal prompt can ask for a MISP summary, but this skill guide points you to the files that matter, the standard fields to provide, and the workflow constraints that change the result. That reduces guesswork around tags, timestamps, feeds, and output format.
Is it beginner-friendly?
Yes, if you already understand basic CTI terms like IOC, feed, and indicator. It is not ideal as a first introduction to threat intelligence, but it is approachable for beginners who can supply a clear use case and accept a structured output.
When should I not use it?
Do not use it for non-MISP threat research, for unsupported ad hoc scraping, or when you need purely conceptual threat modeling with no collection workflow. If your task is only to brainstorm adversary behavior, a lighter CTI prompt may be faster.
How to Improve collecting-threat-intelligence-with-misp skill
Give sharper input data
The biggest quality gain comes from specifying scope: exact MISP instance, event tags, date window, sharing level, and desired indicator types. For example, “published events only, last 14 days, type:OSINT, extract ip-dst, domain, and sha256” produces better output than “collect threat intel.”
Use the right collection constraints
The skill works better when you state what should be excluded, such as warninglist hits, duplicate events, private events, or stale feeds. If the output feeds a detection tool, also restrict to attributes with to_ids set, since MISP uses that flag to mark indicators intended for automated matching rather than contextual data. If you are using the skill for threat modeling, also name the system, the threat scenario, and what evidence should count as a relevant indicator.
Iterate from search to export
If the first result is too broad, narrow the search by tags, date range, or published status before asking for enrichment or export. If the result is too thin, ask the skill to widen source coverage or switch from event-level summaries to attribute-level extraction, then re-run the collection flow with the revised filters.
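The following Python is an added example, not code from the skill's repository or from mukul975, and it serves both the Practical workflow steps above and the constraints listed under Give sharper input data and Use the right collection constraints: published events only, a date window, a required tag, selected attribute types, warninglist suppression, the to_ids flag, deduplication, and CSV export. It operates on hand-constructed event and warninglist JSON in the shape MISP returns, so it runs without an instance; in a real pipeline the event dicts would come from PyMISP's search() call, which can also ask the server to drop warninglist hits with enforce_warninglist=True. The function names (hits_warninglist, collect, to_csv, run_example) and the simplified warninglist matcher, which covers only the cidr and hostname list types, are this example's own assumptions.

```python
"""Offline MISP collection filter: added example over constructed data."""
import csv
import io
import ipaddress
from datetime import date, timedelta

# Constructed events in the shape of a MISP restSearch response (subset of fields).
# A real pipeline would get these from PyMISP, e.g. PyMISP(url, key).search(
#     controller="events", published=True, date_from=..., tags=["tlp:white"],
#     enforce_warninglist=True), which lets MISP drop warninglist hits server-side.
def _ev(eid, info, published, day, tags, attrs):
    return {"Event": {"id": eid, "info": info, "published": published, "date": day,
                      "Tag": [{"name": t} for t in tags],
                      "Attribute": [{"type": t, "value": v, "to_ids": ids} for t, v, ids in attrs]}}

EVENTS = [
    _ev("101", "Phishing kit infra", True, "2024-06-10", ["tlp:white", "type:OSINT"], [
        ("ip-dst", "203.0.113.25", True),
        ("ip-dst", "10.0.0.5", True),              # RFC 1918: warninglist hit
        ("domain", "login-example.test", True),
        ("domain", "microsoft.com", True),         # benign: warninglist hit
        ("sha256", "a" * 64, True),
        ("comment", "analyst note", False)]),      # not an indicator type
    _ev("102", "Draft", False, "2024-06-12", ["tlp:white"], [("ip-dst", "198.51.100.9", True)]),
    _ev("103", "Old campaign", True, "2024-01-02", ["tlp:white"], [("sha256", "b" * 64, True)]),
    _ev("104", "Amber only", True, "2024-06-11", ["tlp:amber"], [("domain", "secret.test", True)]),
    _ev("105", "Follow-up", True, "2024-06-12", ["tlp:white"], [
        ("ip-dst", "203.0.113.25", True),          # duplicate of event 101
        ("ip-dst", "192.0.2.77", False),           # to_ids unset: context, not detection
        ("sha256", "c" * 64, True)]),
]

# Constructed warninglists in the shape of MISP's warninglist JSON (subset of fields).
WARNINGLISTS = [
    {"name": "RFC 1918 CIDR blocks", "type": "cidr", "matching_attributes": ["ip-src", "ip-dst"],
     "list": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]},
    {"name": "Top domains", "type": "hostname", "matching_attributes": ["domain", "hostname"],
     "list": ["microsoft.com", "google.com"]},
]


def hits_warninglist(attr_type, value, warninglists=WARNINGLISTS):
    """Simplified stand-in for MISP's matcher: handles only cidr and hostname lists."""
    for wl in warninglists:
        if attr_type not in wl["matching_attributes"]:
            continue
        if wl["type"] == "cidr":
            try:
                ip = ipaddress.ip_address(value)
            except ValueError:
                continue
            if any(ip in ipaddress.ip_network(c) for c in wl["list"]):
                return wl["name"]
        elif wl["type"] == "hostname":
            host = value.lower().rstrip(".")
            if any(host == h or host.endswith("." + h) for h in wl["list"]):
                return wl["name"]
    return None


def collect(events, required_tag, days, today, types, warninglists=WARNINGLISTS):
    """Return (rows, excluded): deduplicated indicator rows and counts by exclusion reason."""
    cutoff = today - timedelta(days=days)
    seen, rows = set(), []
    excluded = dict.fromkeys(["unpublished", "stale", "tag", "type", "not_ids", "warninglist", "duplicate"], 0)
    for wrapper in events:
        ev = wrapper["Event"]
        tags = {t["name"] for t in ev.get("Tag", [])}
        if not ev.get("published"):            # event-level filters
            excluded["unpublished"] += 1
            continue
        if date.fromisoformat(ev["date"]) < cutoff:
            excluded["stale"] += 1
            continue
        if required_tag not in tags:
            excluded["tag"] += 1
            continue
        for a in ev.get("Attribute", []):      # attribute-level filters
            if a["type"] not in types:
                excluded["type"] += 1
            elif not a.get("to_ids"):
                excluded["not_ids"] += 1
            elif hits_warninglist(a["type"], a["value"], warninglists):
                excluded["warninglist"] += 1
            elif (a["type"], a["value"].lower()) in seen:
                excluded["duplicate"] += 1
            else:
                seen.add((a["type"], a["value"].lower()))
                rows.append({"event_id": ev["id"], "event_date": ev["date"], "type": a["type"],
                             "value": a["value"], "tags": "|".join(sorted(tags))})
    return rows, excluded


def to_csv(rows):
    """Serialise rows to CSV text for hand-off to another tool."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["event_id", "event_date", "type", "value", "tags"],
                            lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def run_example():
    """The page's sample scope: published, last 30 days, tlp:white, three indicator types."""
    return collect(EVENTS, required_tag="tlp:white", days=30, today=date(2024, 6, 30),
                   types={"ip-dst", "domain", "sha256"})


if __name__ == "__main__":
    rows, excluded = run_example()
    print(to_csv(rows))
    print("excluded:", excluded)
```

Run as a script it prints four CSV rows (event 101's external IP, domain and hash, plus event 105's new hash) and an exclusion tally that explains where the other attributes went. The tally is the part worth keeping in an analyst note: a run that silently drops most of its input to warninglists or to_ids=false usually means the source feed or the filter, not the adversary, is what changed.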
