npx skills add mukul975/Anthropic-Cybersecurity-SkillsMITRE ATT&CK
When to Use
Use this skill when:
- SOC teams need automated ingestion of threat intelligence feeds into SIEM platforms
- Multiple TI sources require normalization into a common format (STIX 2.1)
- Detection systems need real-time IOC matching against network and endpoint telemetry
- TI feed quality assessment and deduplication processes need to be established
Do not use for manual IOC lookup — use dedicated enrichment tools (VirusTotal, AbuseIPDB) for ad-hoc queries.
Prerequisites
- MISP instance or Threat Intelligence Platform (TIP) for feed aggregation
- STIX/TAXII client library (
taxii2-client,stix2Python packages) - SIEM platform (Splunk ES, Elastic Security, or Sentinel) with TI framework configured
- API keys for commercial and open-source feeds (AlienVault OTX, Abuse.ch, CISA AIS)
- Python 3.8+ for feed processing automation
Workflow
Step 1: Identify and Catalog Intelligence Sources
Map available feeds by type, format, and update frequency:
| Feed Source | Format | IOC Types | Update Freq | Cost |
|---|---|---|---|---|
| AlienVault OTX | STIX/JSON | IP, Domain, Hash, URL | Real-time | Free |
| Abuse.ch URLhaus | CSV/JSON | URL, Domain | Every 5 min | Free |
| Abuse.ch MalwareBazaar | JSON API | File Hash | Real-time | Free |
| CISA AIS | STIX/TAXII 2.1 | All types | Daily | Free (US Gov) |
| CrowdStrike Intel | STIX/JSON | All types + Actor TTP | Real-time | Commercial |
| Mandiant Advantage | STIX 2.1 | All types + Reports | Real-time | Commercial |
Step 2: Ingest STIX/TAXII Feeds
Connect to a TAXII 2.1 server and download indicators:
from taxii2client.v21 import Server, Collection
from stix2 import parse
# Connect to TAXII server (example: CISA AIS)
server = Server(
"https://taxii.cisa.gov/taxii2/",
user="your_username",
password="your_password"
)
# List available collections
for api_root in server.api_roots:
print(f"API Root: {api_root.title}")
for collection in api_root.collections:
print(f" Collection: {collection.title} (ID: {collection.id})")
# Fetch indicators from a collection
collection = Collection(
"https://taxii.cisa.gov/taxii2/collections/COLLECTION_ID/",
user="your_username",
password="your_password"
)
# Get indicators added in last 24 hours
from datetime import datetime, timedelta
added_after = (datetime.utcnow() - timedelta(days=1)).strftime("%Y-%m-%dT%H:%M:%S.000Z")
response = collection.get_objects(added_after=added_after, type=["indicator"])
for obj in response.get("objects", []):
indicator = parse(obj)
print(f"Type: {indicator.type}")
print(f"Pattern: {indicator.pattern}")
print(f"Valid Until: {indicator.valid_until}")
print(f"Confidence: {indicator.confidence}")
print("---")Step 3: Ingest Open-Source Feeds
Abuse.ch URLhaus Feed:
import requests
import csv
from io import StringIO
# Download URLhaus recent URLs
response = requests.get("https://urlhaus.abuse.ch/downloads/csv_recent/")
reader = csv.reader(StringIO(response.text), delimiter=',')
indicators = []
for row in reader:
if row[0].startswith("#"):
continue
indicators.append({
"id": row[0],
"dateadded": row[1],
"url": row[2],
"url_status": row[3],
"threat": row[5],
"tags": row[6]
})
print(f"Ingested {len(indicators)} URLs from URLhaus")
# Filter for active threats only
active = [i for i in indicators if i["url_status"] == "online"]
print(f"Active threats: {len(active)}")AlienVault OTX Pulse Feed:
from OTXv2 import OTXv2, IndicatorTypes
otx = OTXv2("YOUR_OTX_API_KEY")
# Get subscribed pulses (last 24 hours)
pulses = otx.getall(modified_since="2024-03-14T00:00:00")
for pulse in pulses:
print(f"Pulse: {pulse['name']}")
print(f"Tags: {pulse['tags']}")
for indicator in pulse["indicators"]:
print(f" IOC: {indicator['indicator']} ({indicator['type']})")Abuse.ch Feodo Tracker (C2 IPs):
response = requests.get("https://feodotracker.abuse.ch/downloads/ipblocklist_recommended.json")
c2_data = response.json()
for entry in c2_data:
print(f"IP: {entry['ip_address']}:{entry['port']}")
print(f"Malware: {entry['malware']}")
print(f"First Seen: {entry['first_seen']}")
print(f"Last Online: {entry['last_online']}")Step 4: Normalize and Deduplicate
Convert all feeds to STIX 2.1 format for standardization:
from stix2 import Indicator, Bundle
import hashlib
def create_stix_indicator(ioc_value, ioc_type, source, confidence=50):
"""Convert raw IOC to STIX 2.1 indicator"""
pattern_map = {
"ipv4": f"[ipv4-addr:value = '{ioc_value}']",
"domain": f"[domain-name:value = '{ioc_value}']",
"url": f"[url:value = '{ioc_value}']",
"sha256": f"[file:hashes.'SHA-256' = '{ioc_value}']",
"md5": f"[file:hashes.MD5 = '{ioc_value}']",
}
return Indicator(
name=f"{ioc_type}: {ioc_value}",
pattern=pattern_map[ioc_type],
pattern_type="stix",
valid_from="2024-03-15T00:00:00Z",
confidence=confidence,
labels=[source],
custom_properties={"x_source_feed": source}
)
# Deduplicate across sources
seen_iocs = set()
unique_indicators = []
for ioc in all_collected_iocs:
ioc_hash = hashlib.sha256(f"{ioc['type']}:{ioc['value']}".encode()).hexdigest()
if ioc_hash not in seen_iocs:
seen_iocs.add(ioc_hash)
unique_indicators.append(
create_stix_indicator(ioc["value"], ioc["type"], ioc["source"])
)
bundle = Bundle(objects=unique_indicators)
print(f"Unique indicators: {len(unique_indicators)}")Step 5: Push to SIEM Threat Intelligence Framework
Push to Splunk ES Threat Intelligence:
import requests
splunk_url = "https://splunk.company.com:8089"
headers = {"Authorization": f"Bearer {splunk_token}"}
for indicator in unique_indicators:
# Extract IOC value from STIX pattern
ioc_value = indicator.pattern.split("'")[1]
# Upload to Splunk ES threat intel collection
data = {
"ip": ioc_value,
"description": indicator.name,
"weight": indicator.confidence // 10,
"threat_key": indicator.id,
"source_feed": indicator.get("x_source_feed", "unknown")
}
requests.post(
f"{splunk_url}/services/data/threat_intel/item/ip_intel",
headers=headers, data=data,
verify=not os.environ.get("SKIP_TLS_VERIFY", "").lower() == "true", # Set SKIP_TLS_VERIFY=true for self-signed certs in lab environments
)Push to MISP for centralized management:
from pymisp import PyMISP, MISPEvent, MISPAttribute
misp = PyMISP("https://misp.company.com", "YOUR_MISP_API_KEY")
# Create event for feed batch
event = MISPEvent()
event.info = f"TI Feed Import - {datetime.now().strftime('%Y-%m-%d')}"
event.threat_level_id = 2 # Medium
event.analysis = 2 # Completed
# Add indicators as attributes
for ioc in unique_indicators:
attr = MISPAttribute()
attr.type = "ip-dst" if "ipv4" in ioc.pattern else "domain"
attr.value = ioc.pattern.split("'")[1]
attr.to_ids = True
attr.comment = f"Source: {ioc.get('x_source_feed', 'mixed')}"
event.add_attribute(**attr)
result = misp.add_event(event)
print(f"MISP Event created: {result['Event']['id']}")Step 6: Monitor Feed Health and Quality
Track feed effectiveness metrics:
index=threat_intel sourcetype="threat_intel_manager"
| stats count AS total_iocs,
dc(threat_key) AS unique_iocs,
dc(source_feed) AS feed_count
by source_feed
| join source_feed [
search index=notable source="Threat Intelligence"
| stats count AS matches by source_feed
]
| eval match_rate = round(matches / unique_iocs * 100, 2)
| sort - match_rate
| table source_feed, unique_iocs, matches, match_rateKey Concepts
| Term | Definition |
|---|---|
| STIX 2.1 | Structured Threat Information Expression — standardized JSON format for sharing threat intelligence objects |
| TAXII | Trusted Automated eXchange of Indicator Information — transport protocol for sharing STIX data via REST API |
| TIP | Threat Intelligence Platform — centralized system for aggregating, scoring, and distributing threat intelligence |
| IOC Scoring | Process of assigning confidence values to indicators based on source reliability and corroboration |
| Feed Deduplication | Removing duplicate IOCs across multiple sources while preserving multi-source attribution |
| IOC Expiration | Time-to-live policy removing aged indicators (IP: 30 days, Domain: 90 days, Hash: 1 year) |
Tools & Systems
- MISP: Open-source threat intelligence platform for feed aggregation, correlation, and sharing
- AlienVault OTX: Free threat intelligence sharing platform with community pulse feeds
- Abuse.ch: Suite of free threat feeds (URLhaus, MalwareBazaar, Feodo Tracker, ThreatFox)
- OpenCTI: Open-source cyber threat intelligence platform supporting STIX 2.1 native storage
- TAXII2 Client: Python library for connecting to STIX/TAXII 2.1 servers for automated indicator retrieval
Common Scenarios
- New Feed Onboarding: Evaluate feed quality, map fields to STIX, configure automated ingestion pipeline
- Multi-SIEM Distribution: Push normalized IOCs from MISP to Splunk, Elastic, and Sentinel simultaneously
- False Positive Reduction: Score IOCs by source count and age, expire stale indicators automatically
- Feed Quality Audit: Compare detection match rates across feeds to identify highest-value sources
- Incident IOC Sharing: Package investigation IOCs as STIX bundle and share with ISACs via TAXII
Output Format
THREAT INTEL FEED STATUS — Daily Report
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Date: 2024-03-15
Total IOCs: 45,892 active indicators
Feed Health:
Feed IOCs Matches Match Rate Status
Abuse.ch URLhaus 12,340 47 0.38% HEALTHY
AlienVault OTX 18,567 23 0.12% HEALTHY
Abuse.ch Feodo 1,203 12 1.00% HEALTHY
CISA AIS 8,945 8 0.09% HEALTHY
CrowdStrike Intel 4,837 31 0.64% HEALTHY
Actions Today:
New IOCs ingested: 1,247
IOCs expired: 892
Duplicates removed: 156
SIEM matches: 121 notable events generated
False positives: 3 (CDN IPs removed from feed)References and resources
Everything below is rendered for inspection. Script files are read-only and never run.
References 1
api-reference.md2.1 KB
API Reference: Threat Intelligence Feed Integration Agent
Overview
Ingests threat intelligence from TAXII 2.1 servers, Abuse.ch URLhaus, and Feodo Tracker. Normalizes all indicators to STIX 2.1 format, deduplicates, and exports as a STIX bundle.
Dependencies
| Package | Version | Purpose |
|---|---|---|
| requests | >=2.28 | HTTP API calls |
| taxii2-client | >=2.3 | TAXII 2.1 server communication |
| stix2 | >=3.0 | STIX 2.1 object creation and serialization |
CLI Usage
# Ingest from multiple sources
python agent.py --urlhaus --feodo --output ti_bundle.json
# Ingest from TAXII feed
python agent.py --taxii-url https://taxii.example.com/taxii2/ \
--taxii-collection https://taxii.example.com/taxii2/collections/abc/ \
--taxii-user user --taxii-pass passKey Functions
ingest_taxii_feed(taxii_url, collection_url, username, password, hours_back)
Connects to a TAXII 2.1 collection and retrieves indicators added within the specified time window.
ingest_urlhaus_feed()
Fetches recent malicious URLs from the URLhaus API (https://urlhaus-api.abuse.ch/v1/urls/recent/).
ingest_feodotracker()
Downloads the Feodo Tracker recommended C2 IP blocklist in JSON format.
normalize_to_stix(indicators)
Converts raw indicators to STIX 2.1 Indicator objects with proper patterns for ipv4, domain, url, and sha256 types.
deduplicate(indicators)
Removes duplicate indicators across feeds using SHA-256 hash of type:value.
export_stix_bundle(stix_objects, output_path)
Serializes STIX objects into a Bundle and writes to a JSON file.
push_to_splunk_ti(splunk_url, session_key, indicators)
Pushes indicators to the Splunk ES threat intelligence framework via REST API.
External APIs Used
| API | Endpoint | Auth | Purpose |
|---|---|---|---|
| TAXII 2.1 | Configurable | Basic auth | STIX indicator ingestion |
| URLhaus | https://urlhaus-api.abuse.ch/v1/ |
None | Malicious URL feed |
| Feodo Tracker | https://feodotracker.abuse.ch/downloads/ |
None | C2 IP blocklist |
| Splunk REST | /services/data/threat_intel/item/ip_intel |
Session key | TI push |
Scripts 1
agent.py6.2 KB
#!/usr/bin/env python3
"""Threat Intelligence Feed Integration Agent - Ingests STIX/TAXII and open-source TI feeds."""
import json
import logging
import os
import argparse
import hashlib
from datetime import datetime, timedelta
import requests
from taxii2client.v21 import Collection
from stix2 import Indicator, Bundle, parse
logging.basicConfig(level=logging.INFO, format="%(asctime)s [%(levelname)s] %(message)s")
logger = logging.getLogger(__name__)
def ingest_taxii_feed(taxii_url, collection_url, username, password, hours_back=24):
"""Ingest indicators from a TAXII 2.1 server collection."""
added_after = (datetime.utcnow() - timedelta(hours=hours_back)).strftime(
"%Y-%m-%dT%H:%M:%S.000Z"
)
collection = Collection(collection_url, user=username, password=password)
response = collection.get_objects(added_after=added_after, type=["indicator"])
indicators = []
for obj in response.get("objects", []):
indicator = parse(obj)
indicators.append({
"id": str(indicator.id),
"pattern": indicator.pattern,
"valid_from": str(indicator.valid_from),
"source": "taxii",
})
logger.info("Ingested %d indicators from TAXII feed", len(indicators))
return indicators
def ingest_urlhaus_feed():
"""Ingest recent malicious URLs from Abuse.ch URLhaus."""
url = "https://urlhaus-api.abuse.ch/v1/urls/recent/limit/100/"
resp = requests.post(url, timeout=30)
data = resp.json()
indicators = []
for entry in data.get("urls", []):
indicators.append({
"type": "url",
"value": entry["url"],
"threat": entry.get("threat", "unknown"),
"status": entry.get("url_status", "unknown"),
"tags": entry.get("tags", []),
"source": "urlhaus",
})
logger.info("Ingested %d URLs from URLhaus", len(indicators))
return indicators
def ingest_feodotracker():
"""Ingest C2 IP blocklist from Abuse.ch Feodo Tracker."""
url = "https://feodotracker.abuse.ch/downloads/ipblocklist_recommended.json"
resp = requests.get(url, timeout=30)
indicators = []
for entry in resp.json():
indicators.append({
"type": "ipv4",
"value": entry["ip_address"],
"port": entry.get("port"),
"malware": entry.get("malware", "unknown"),
"first_seen": entry.get("first_seen"),
"source": "feodotracker",
})
logger.info("Ingested %d C2 IPs from Feodo Tracker", len(indicators))
return indicators
def normalize_to_stix(indicators):
"""Convert raw indicators to STIX 2.1 Indicator objects."""
pattern_map = {
"ipv4": lambda v: f"[ipv4-addr:value = '{v}']",
"domain": lambda v: f"[domain-name:value = '{v}']",
"url": lambda v: f"[url:value = '{v}']",
"sha256": lambda v: f"[file:hashes.'SHA-256' = '{v}']",
}
stix_objects = []
for ioc in indicators:
ioc_type = ioc.get("type", "url")
pattern_fn = pattern_map.get(ioc_type, pattern_map["url"])
stix_ind = Indicator(
name=f"{ioc_type}: {ioc['value']}",
pattern=pattern_fn(ioc["value"]),
pattern_type="stix",
valid_from=datetime.utcnow().strftime("%Y-%m-%dT%H:%M:%SZ"),
labels=[ioc.get("source", "unknown")],
)
stix_objects.append(stix_ind)
logger.info("Normalized %d indicators to STIX 2.1", len(stix_objects))
return stix_objects
def deduplicate(indicators):
"""Deduplicate indicators across feeds by type:value hash."""
seen = set()
unique = []
for ioc in indicators:
key = hashlib.sha256(f"{ioc.get('type', '')}:{ioc['value']}".encode()).hexdigest()
if key not in seen:
seen.add(key)
unique.append(ioc)
logger.info("Deduplicated: %d -> %d unique indicators", len(indicators), len(unique))
return unique
def export_stix_bundle(stix_objects, output_path):
"""Export STIX 2.1 bundle to JSON file."""
bundle = Bundle(objects=stix_objects)
with open(output_path, "w") as f:
f.write(bundle.serialize(pretty=True))
logger.info("STIX bundle exported to %s (%d indicators)", output_path, len(stix_objects))
def push_to_splunk_ti(splunk_url, session_key, indicators):
"""Push indicators to Splunk ES threat intelligence framework."""
headers = {"Authorization": f"Splunk {session_key}"}
pushed = 0
for ioc in indicators:
data = {"ip": ioc["value"], "description": f"{ioc.get('source')}: {ioc['value']}"}
resp = requests.post(
f"{splunk_url}/services/data/threat_intel/item/ip_intel",
headers=headers, data=data,
verify=not os.environ.get("SKIP_TLS_VERIFY", "").lower() == "true", # Set SKIP_TLS_VERIFY=true for self-signed certs in lab environments
timeout=30,
)
if resp.status_code == 201:
pushed += 1
logger.info("Pushed %d indicators to Splunk TI", pushed)
def main():
parser = argparse.ArgumentParser(description="Threat Intelligence Feed Integration Agent")
parser.add_argument("--taxii-url", help="TAXII 2.1 server URL")
parser.add_argument("--taxii-collection", help="TAXII collection URL")
parser.add_argument("--taxii-user", help="TAXII username")
parser.add_argument("--taxii-pass", help="TAXII password")
parser.add_argument("--urlhaus", action="store_true", help="Ingest URLhaus feed")
parser.add_argument("--feodo", action="store_true", help="Ingest Feodo Tracker feed")
parser.add_argument("--output", default="ti_bundle.json", help="STIX bundle output")
args = parser.parse_args()
all_indicators = []
if args.taxii_url and args.taxii_collection:
taxii_iocs = ingest_taxii_feed(
args.taxii_url, args.taxii_collection, args.taxii_user, args.taxii_pass
)
all_indicators.extend(taxii_iocs)
if args.urlhaus:
all_indicators.extend(ingest_urlhaus_feed())
if args.feodo:
all_indicators.extend(ingest_feodotracker())
unique = deduplicate(all_indicators)
stix_objects = normalize_to_stix(unique)
export_stix_bundle(stix_objects, args.output)
logger.info("Feed integration complete: %d total indicators", len(unique))
if __name__ == "__main__":
main()