
correlating-threat-campaigns

by mukul975

correlating-threat-campaigns helps Threat Intelligence analysts correlate incidents, IOCs, and TTPs into campaign-level evidence. Use it to compare historical events, separate strong links from weak matches, and build defensible clustering for MISP, SIEM, and CTI reporting.

Added: May 9, 2026
Category: Threat Intelligence
Install Command
npx skills add mukul975/Anthropic-Cybersecurity-Skills --skill correlating-threat-campaigns
Curation Score

This skill scores 78/100, which means it is a solid but not top-tier directory listing: users get a clearly targeted threat-intelligence workflow with enough concrete API/script evidence to justify installation, though they should expect some implementation and onboarding gaps. The repository gives agents a credible way to trigger and execute campaign correlation tasks with less guesswork than a generic prompt.

Strengths
  • Clear triggerability for campaign analysis, incident clustering, cross-organizational IOC correlation, and MISP correlation use cases in the frontmatter and usage section.
  • Operational evidence is strong: the repo includes a Python agent script plus API reference examples for MISP and OpenCTI workflows.
  • Good trust signals for a cybersecurity skill: explicit warning against weak correlation, Apache-2.0 license, and structured headings with real workflow content.
Cautions
  • No install command in SKILL.md, so users may need manual setup or repo inspection before adoption.
  • The excerpted workflow depends on external platforms like MISP/SIEM/OpenCTI and historical data, so it is less useful as a standalone skill.
Overview

Overview of correlating-threat-campaigns skill

What correlating-threat-campaigns does

The correlating-threat-campaigns skill helps you turn scattered incidents, indicators, and TTPs into a defensible campaign view for Threat Intelligence work. It is best for analysts who need to decide whether multiple events belong to the same operation, whether shared indicators are meaningful, and how to express that linkage in a report or case file.

Who should use it

Use the correlating-threat-campaigns skill if you work with MISP, SIEM, TIP, CTI reporting, or cross-organization sharing and need more than a simple IOC lookup. It fits threat hunters, CTI analysts, and defenders who already have event history and want stronger clustering, attribution, and shared-indicator extraction.

What makes it different

This skill is centered on correlation judgment, not generic summarization. Its main value is helping you avoid weak linking logic, especially when common infrastructure, shared tooling, or noisy indicators could cause false campaign attribution. It is most useful when you need campaign-level evidence, not just event enrichment.

How to Use correlating-threat-campaigns skill

Install and activate it

To install correlating-threat-campaigns, add the skill from the repo path and then inspect the skill files before prompting. A typical install command is:
npx skills add mukul975/Anthropic-Cybersecurity-Skills --skill correlating-threat-campaigns

Give the skill the right input

The correlating-threat-campaigns usage pattern works best when you provide a small evidence set, not a vague objective. Include the incident dates, source systems, IOCs, TTPs, and any shared tags or actor names. Strong input looks like: “Correlate these five MISP events from the last 90 days, identify overlaps that support one campaign, and flag weak matches that should not be merged.”

Read these files first

Start with SKILL.md for the workflow, then open references/api-reference.md for the MISP and graph query examples, and scripts/agent.py to see the correlation logic and expected inputs. These files show where the skill expects historical data, how it searches, and what output structure is realistic.

Follow a practical workflow

Use the skill as a triage-to-analysis helper: collect candidate events, normalize names and indicators, check overlaps in time and technique, then decide whether the shared evidence is strong enough for campaign grouping. When using the skill for Threat Intelligence, ask it to separate likely correlation from speculative attribution and to summarize why each link is or is not credible.

correlating-threat-campaigns skill FAQ

Is correlating-threat-campaigns only for MISP users?

No. MISP is a strong fit, but the skill also supports broader threat-campaign analysis where historical events, actor tags, and ATT&CK-style behaviors are available. If you only have a single alert with no event history, the skill will be much less useful.

How is this different from a normal prompt?

A normal prompt may summarize indicators, but the correlating-threat-campaigns skill is designed to guide structured correlation decisions. That matters when you need consistency, explicit uncertainty, and a repeatable way to justify why events belong together or should stay separate.

Can beginners use it?

Yes, if they can provide concrete artifacts. Beginners get better results when they paste timestamps, IOCs, tags, and known relationships instead of asking for “campaign analysis” in the abstract. The skill is less suited to fully open-ended brainstorming.

When should I not use it?

Do not use correlating-threat-campaigns when the evidence is too thin, the indicators are common across many actors, or the task is only to detect one-off malicious activity. In those cases, correlation can create false confidence instead of better intelligence.

How to Improve correlating-threat-campaigns skill

Provide stronger evidence slices

The biggest quality gain comes from better input selection. Give the skill a bounded cluster: a date range, a set of events, and the specific fields you want compared. For example, include “same C2 IP,” “same malware hash,” or “same initial access technique” rather than asking it to search across all incidents.

Ask for confidence and exclusions

A useful request to correlating-threat-campaigns should ask for both positive matches and reasons not to merge events. Tell the skill to rank links by confidence, exclude common infrastructure such as CDN or shared hosting where appropriate, and call out over-correlation risks. That produces more reliable Threat Intelligence output.
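As an added illustration of the practical workflow described earlier (check time and indicator overlap, then rank links by confidence and exclude common infrastructure), here is a small scorer over constructed MISP-style events. This is example code written for this page, not the skill's own scripts/agent.py; the weights, thresholds, indicator values and the common-infrastructure list are all assumptions.

```python
from itertools import combinations
from datetime import date

# Assumed weight per indicator type: a shared malware hash is strong evidence,
# a shared C2 address less so, a shared domain weaker, and an overlapping
# ATT&CK technique on its own is weakest.
WEIGHTS = {"sha256": 0.5, "ip-dst": 0.35, "domain": 0.25, "technique": 0.1}

# Constructed list of common infrastructure (placeholder CDN domain and
# shared-hosting IP) that must never count as a campaign link.
COMMON_INFRA = {("ip-dst", "203.0.113.10"), ("domain", "cdn.example.net")}

def shared_evidence(a, b, window_days=90):
    """Return (score, matched, excluded) for two MISP-style events."""
    if abs((a["date"] - b["date"]).days) > window_days:
        return 0.0, [], []                     # outside the comparison window
    matched, excluded, score = [], [], 0.0
    for ioc in sorted(a["iocs"] & b["iocs"]):  # sorted for deterministic output
        if ioc in COMMON_INFRA:
            excluded.append(ioc)               # shared CDN/hosting is noise
            continue
        matched.append(ioc)
        score += WEIGHTS.get(ioc[0], 0.1)
    return min(score, 1.0), matched, excluded

def rank_links(events, strong=0.6, weak=0.3):
    """Score every event pair and label it strong / weak / none, best first."""
    links = []
    for a, b in combinations(events, 2):
        score, matched, excluded = shared_evidence(a, b)
        label = "strong" if score >= strong else "weak" if score >= weak else "none"
        links.append({"pair": (a["id"], b["id"]), "score": round(score, 2),
                      "label": label, "matched": matched, "excluded": excluded})
    return sorted(links, key=lambda l: l["score"], reverse=True)

# Constructed sample events with placeholder indicator values (not real IoCs).
EVENTS = [
    {"id": "E1", "date": date(2026, 1, 5), "iocs": {("sha256", "hash-placeholder-1"),
        ("ip-dst", "198.51.100.7"), ("technique", "T1566.001")}},
    {"id": "E2", "date": date(2026, 2, 1), "iocs": {("sha256", "hash-placeholder-1"),
        ("ip-dst", "198.51.100.7"), ("domain", "cdn.example.net")}},
    {"id": "E3", "date": date(2026, 2, 20), "iocs": {("ip-dst", "203.0.113.10"),
        ("domain", "cdn.example.net"), ("technique", "T1566.001")}},
    {"id": "E4", "date": date(2025, 6, 1), "iocs": {("sha256", "hash-placeholder-1")}},
    {"id": "E5", "date": date(2026, 3, 1), "iocs": {("ip-dst", "198.51.100.7"),
        ("technique", "T1059.001")}},
]

if __name__ == "__main__":
    for link in rank_links(EVENTS):
        print(link["pair"], link["label"], link["score"], link["matched"], link["excluded"])
```

E1 and E2 rank as a strong link (shared hash plus C2 address), E1/E5 and E2/E5 are weak (one shared address only), E2/E3 scores zero because the only overlap is the excluded CDN domain, and E4 is dropped by the time window despite sharing the hash.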

Iterate after the first pass

Review the first correlation result for missing context, then feed back new facts such as alternate aliases, updated indicator ownership, or a wider time window. If the initial grouping looks too broad, narrow the indicators; if it looks too strict, add technique overlap or organizational linkage. This iterative loop usually improves the campaign model faster than one large prompt.

Ratings & Reviews

No ratings yet