threat intelligence

Performing Indicator Lifecycle Management

Indicator lifecycle management tracks IOCs from initial discovery through validation, enrichment, deployment, monitoring, and eventual retirement. This skill covers implementing systematic processes for IOC quality assessment, aging policies, confidence scoring decay, false positive tracking, hit-rate monitoring, and automated expiration to maintain a high-quality, actionable indicator database that minimizes analyst fatigue and maximizes detection efficacy.

ctiindicator-lifecycleiocioc-managementmitre-attackstixthreat-intelligence
Install this skill
npx skills add mukul975/Anthropic-Cybersecurity-Skills
Framework mappings

Overview

Indicator lifecycle management tracks IOCs from initial discovery through validation, enrichment, deployment, monitoring, and eventual retirement. This skill covers implementing systematic processes for IOC quality assessment, aging policies, confidence scoring decay, false positive tracking, hit-rate monitoring, and automated expiration to maintain a high-quality, actionable indicator database that minimizes analyst fatigue and maximizes detection efficacy.

When to Use

  • When conducting security assessments that involve performing indicator lifecycle management
  • When following incident response procedures for related security events
  • When performing scheduled security testing or auditing activities
  • When validating security controls through hands-on testing

Prerequisites

  • Python 3.9+ with pymisp, requests, stix2 libraries
  • MISP or OpenCTI instance for indicator storage
  • SIEM with IOC watchlist capabilities (Splunk, Elastic)
  • Understanding of IOC types, confidence scoring, and TLP classifications

Key Concepts

Indicator Lifecycle Phases

  1. Discovery: IOC first identified from threat intelligence, malware analysis, or incident response
  2. Validation: IOC verified against enrichment sources (VirusTotal, Shodan)
  3. Enrichment: Additional context added (WHOIS, passive DNS, threat actor attribution)
  4. Deployment: IOC pushed to detection systems (SIEM, IDS, firewall)
  5. Monitoring: Track hit rates, false positive rates, detection efficacy
  6. Review: Periodic assessment of IOC relevance and accuracy
  7. Retirement: IOC expired or removed based on aging policy

Confidence Decay

Indicator confidence decreases over time as adversaries rotate infrastructure. A time-based decay function reduces confidence scores automatically, ensuring old indicators do not generate excessive alerts. Typical half-life: IP addresses (30 days), domains (90 days), file hashes (365 days).

Quality Metrics

  • Hit Rate: Percentage of deployed IOCs generating true positive alerts
  • False Positive Rate: Percentage of IOC alerts that are benign
  • Coverage: Percentage of known threat techniques with IOC coverage
  • Freshness: Average age of active indicators in the database

Workflow

Step 1: Implement IOC Lifecycle State Machine

from datetime import datetime, timedelta
from enum import Enum
 
class IOCState(Enum):
    DISCOVERED = "discovered"
    VALIDATED = "validated"
    ENRICHED = "enriched"
    DEPLOYED = "deployed"
    MONITORING = "monitoring"
    UNDER_REVIEW = "under_review"
    RETIRED = "retired"
 
class IOCLifecycle:
    def __init__(self, ioc_type, value, source, initial_confidence=50):
        self.ioc_type = ioc_type
        self.value = value
        self.source = source
        self.confidence = initial_confidence
        self.state = IOCState.DISCOVERED
        self.created = datetime.utcnow()
        self.last_updated = datetime.utcnow()
        self.last_seen = None
        self.hit_count = 0
        self.false_positive_count = 0
        self.history = [{"state": "discovered", "timestamp": self.created.isoformat()}]
 
    def transition(self, new_state: IOCState, reason=""):
        self.state = new_state
        self.last_updated = datetime.utcnow()
        self.history.append({
            "state": new_state.value,
            "timestamp": self.last_updated.isoformat(),
            "reason": reason,
        })
 
    def apply_decay(self):
        """Apply confidence decay based on IOC type half-life."""
        half_lives = {"ip": 30, "domain": 90, "hash": 365, "url": 60}
        half_life = half_lives.get(self.ioc_type, 90)
        age_days = (datetime.utcnow() - self.created).days
        decay_factor = 0.5 ** (age_days / half_life)
        self.confidence = max(0, int(self.confidence * decay_factor))
 
    def record_hit(self, is_true_positive=True):
        self.hit_count += 1
        self.last_seen = datetime.utcnow()
        if not is_true_positive:
            self.false_positive_count += 1
            if self.false_positive_count > 3:
                self.transition(IOCState.UNDER_REVIEW, "Excessive false positives")
 
    def should_retire(self):
        max_ages = {"ip": 90, "domain": 180, "hash": 730, "url": 120}
        max_age = max_ages.get(self.ioc_type, 180)
        age_days = (datetime.utcnow() - self.created).days
        return age_days > max_age and self.hit_count == 0

Validation Criteria

  • IOC lifecycle state machine transitions correctly between phases
  • Confidence decay reduces scores based on IOC type half-life
  • Hit rate and false positive tracking functional
  • Aging policy automatically flags indicators for review/retirement
  • Quality metrics dashboard shows IOC database health

References

Source materials

References and resources

Everything below is rendered for inspection. Script files are read-only and never run.

References 3

api-reference.md1.6 KB

API Reference — Performing Indicator Lifecycle Management

Libraries Used

  • csv: Parse IOC feed CSV files
  • re: Pattern matching for IOC extraction (IP, domain, hash, URL, email, CVE)
  • pathlib: Read text reports for IOC extraction

CLI Interface

python agent.py extract --file threat_report.txt
python agent.py ingest --csv ioc_feed.csv
python agent.py expire --csv ioc_db.csv [--ttl 90]
python agent.py dedup --csv ioc_feed.csv
python agent.py report --csv ioc_db.csv [--ttl 90]

Core Functions

extract_iocs(text_file) — Extract IOCs from unstructured text

Regex patterns for: IPv4, domain, MD5, SHA1, SHA256, URL, email, CVE.

ingest_ioc_feed(csv_file) — Normalize IOC feed data

Auto-detects IOC type if not specified. Normalizes column names across feed formats.

check_expiration(ioc_db_file, ttl_days) — Identify expired indicators

Compares first_seen date against TTL threshold (default 90 days).

deduplicate_iocs(csv_file) — Merge duplicate IOCs

Groups by indicator value, tracks source attribution and occurrence count.

generate_lifecycle_report(csv_file, ttl_days) — Full lifecycle status

Combines ingestion, deduplication, and expiration into single report.

IOC Pattern Types

Type Example
ipv4 192.168.1.1
domain evil.example.com
md5 d41d8cd98f00b204e9800998ecf8427e
sha256 e3b0c44298fc1c149afbf4c8996fb924...
url https://malware.example.com/payload
cve CVE-2024-12345

Dependencies

No external packages — Python standard library only.

standards.md1.1 KB

Standards and Frameworks Reference

Applicable Standards

  • STIX 2.1: Structured Threat Information eXpression for CTI data representation
  • TAXII 2.1: Transport protocol for sharing CTI over HTTPS
  • MITRE ATT&CK: Adversary tactics, techniques, and procedures taxonomy
  • Diamond Model: Intrusion analysis framework (Adversary, Capability, Infrastructure, Victim)
  • Traffic Light Protocol (TLP): Information sharing classification (CLEAR, GREEN, AMBER, RED)

MITRE ATT&CK Relevance

  • Technique mapping for threat actor behavior classification
  • Data sources for detection capability assessment
  • Mitigation strategies linked to specific techniques

Industry Frameworks

  • NIST Cybersecurity Framework (CSF) 2.0 - Identify function
  • ISO 27001:2022 - A.5.7 Threat Intelligence
  • FIRST Standards - TLP, CSIRT, vulnerability coordination

References

workflows.md1.4 KB

Indicator Lifecycle Management Workflows

Workflow 1: Collection and Analysis

[Intelligence Sources] --> [Data Collection] --> [Analysis] --> [Reporting]
        |                        |                   |               |
        v                        v                   v               v
  OSINT/HUMINT/SIGINT    Normalize/Enrich    Assess/Correlate  Disseminate

Steps:

  1. Planning: Define intelligence requirements and collection priorities
  2. Collection: Gather data from relevant sources
  3. Processing: Normalize data formats and filter noise
  4. Analysis: Apply analytical frameworks and correlate findings
  5. Production: Generate intelligence products and reports
  6. Dissemination: Share with stakeholders via appropriate channels
  7. Feedback: Collect consumer feedback to refine future collection

Workflow 2: Continuous Monitoring

[Watchlist] --> [Automated Monitoring] --> [Change Detection] --> [Alert/Update]

Steps:

  1. Define Watchlist: Identify indicators, actors, and topics to monitor
  2. Configure Monitoring: Set up automated collection from relevant sources
  3. Change Detection: Identify new or changed intelligence
  4. Assessment: Evaluate significance of changes
  5. Alerting: Notify stakeholders of significant intelligence updates
  6. Archive: Store intelligence for historical analysis and trending

Scripts 2

agent.py6.4 KB
Display-only source. This catalog never executes bundled scripts.
#!/usr/bin/env python3
"""Agent for performing indicator of compromise (IOC) lifecycle management."""

import json
import argparse
import csv
import re
from datetime import datetime
from pathlib import Path


IOC_PATTERNS = {
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "domain": re.compile(r"\b(?:[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?\.)+[a-zA-Z]{2,}\b"),
    "md5": re.compile(r"\b[a-f0-9]{32}\b", re.I),
    "sha256": re.compile(r"\b[a-f0-9]{64}\b", re.I),
    "sha1": re.compile(r"\b[a-f0-9]{40}\b", re.I),
    "url": re.compile(r"https?://[^\s<>\"']+"),
    "email": re.compile(r"\b[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}\b"),
    "cve": re.compile(r"CVE-\d{4}-\d{4,}", re.I),
}


def extract_iocs(text_file):
    """Extract IOCs from a text file or report."""
    text = Path(text_file).read_text(encoding="utf-8", errors="replace")
    extracted = {}
    for ioc_type, pattern in IOC_PATTERNS.items():
        matches = list(set(pattern.findall(text)))
        if matches:
            extracted[ioc_type] = matches[:100]
    total = sum(len(v) for v in extracted.values())
    return {"source": text_file, "total_iocs": total, "by_type": {k: len(v) for k, v in extracted.items()}, "indicators": extracted}


def ingest_ioc_feed(csv_file):
    """Ingest IOC feed from CSV and normalize."""
    with open(csv_file, "r", encoding="utf-8", errors="replace") as f:
        reader = csv.DictReader(f)
        rows = list(reader)
    iocs = []
    for row in rows:
        indicator = row.get("indicator", row.get("ioc", row.get("value", row.get("Indicator", ""))))
        ioc_type = row.get("type", row.get("ioc_type", row.get("Type", "")))
        if not ioc_type:
            for t, p in IOC_PATTERNS.items():
                if p.fullmatch(indicator.strip()):
                    ioc_type = t
                    break
        iocs.append({
            "indicator": indicator.strip(),
            "type": ioc_type,
            "source": row.get("source", row.get("feed", "")),
            "confidence": row.get("confidence", row.get("score", "")),
            "first_seen": row.get("first_seen", row.get("date", "")),
            "tags": row.get("tags", row.get("malware_family", "")),
        })
    return {"total_ingested": len(iocs), "by_type": _count_field(iocs, "type"), "iocs": iocs[:50]}


def check_expiration(ioc_db_file, ttl_days=90):
    """Check IOC database for expired indicators based on TTL."""
    with open(ioc_db_file, "r", encoding="utf-8", errors="replace") as f:
        reader = csv.DictReader(f)
        rows = list(reader)
    now = datetime.utcnow()
    expired = []
    active = []
    for row in rows:
        date_str = row.get("first_seen", row.get("date", row.get("added", "")))
        try:
            added = datetime.fromisoformat(date_str.replace("Z", "+00:00").replace("+00:00", ""))
        except (ValueError, AttributeError):
            active.append(row)
            continue
        age_days = (now - added).days
        if age_days > ttl_days:
            expired.append({**row, "age_days": age_days})
        else:
            active.append(row)
    return {
        "total": len(rows), "active": len(active), "expired": len(expired),
        "ttl_days": ttl_days, "expired_indicators": expired[:30],
    }


def deduplicate_iocs(csv_file):
    """Deduplicate IOCs and merge metadata from multiple sources."""
    with open(csv_file, "r", encoding="utf-8", errors="replace") as f:
        reader = csv.DictReader(f)
        rows = list(reader)
    seen = {}
    for row in rows:
        key = row.get("indicator", row.get("ioc", row.get("value", ""))).strip().lower()
        if key in seen:
            seen[key]["sources"].add(row.get("source", ""))
            seen[key]["count"] += 1
        else:
            seen[key] = {"indicator": key, "type": row.get("type", ""), "sources": {row.get("source", "")}, "count": 1, "first_row": row}
    unique = [{"indicator": v["indicator"], "type": v["type"], "sources": list(v["sources"]), "occurrences": v["count"]}
              for v in seen.values()]
    return {
        "original_count": len(rows), "unique_count": len(unique),
        "duplicates_removed": len(rows) - len(unique),
        "multi_source": [u for u in unique if u["occurrences"] > 1][:20],
        "unique_iocs": unique[:50],
    }


def generate_lifecycle_report(csv_file, ttl_days=90):
    """Generate full IOC lifecycle status report."""
    ingested = ingest_ioc_feed(csv_file)
    expiration = check_expiration(csv_file, ttl_days)
    dedup = deduplicate_iocs(csv_file)
    return {
        "generated": datetime.utcnow().isoformat(),
        "total_iocs": ingested["total_ingested"],
        "unique_iocs": dedup["unique_count"],
        "duplicates": dedup["duplicates_removed"],
        "active": expiration["active"],
        "expired": expiration["expired"],
        "by_type": ingested["by_type"],
        "ttl_days": ttl_days,
    }


def _count_field(items, field):
    counts = {}
    for item in items:
        val = item.get(field, "unknown")
        counts[val] = counts.get(val, 0) + 1
    return counts


def main():
    parser = argparse.ArgumentParser(description="IOC Lifecycle Management Agent")
    sub = parser.add_subparsers(dest="command")
    e = sub.add_parser("extract", help="Extract IOCs from text")
    e.add_argument("--file", required=True)
    i = sub.add_parser("ingest", help="Ingest IOC feed CSV")
    i.add_argument("--csv", required=True)
    x = sub.add_parser("expire", help="Check IOC expiration")
    x.add_argument("--csv", required=True)
    x.add_argument("--ttl", type=int, default=90, help="TTL in days")
    d = sub.add_parser("dedup", help="Deduplicate IOCs")
    d.add_argument("--csv", required=True)
    r = sub.add_parser("report", help="Full lifecycle report")
    r.add_argument("--csv", required=True)
    r.add_argument("--ttl", type=int, default=90)
    args = parser.parse_args()
    if args.command == "extract":
        result = extract_iocs(args.file)
    elif args.command == "ingest":
        result = ingest_ioc_feed(args.csv)
    elif args.command == "expire":
        result = check_expiration(args.csv, args.ttl)
    elif args.command == "dedup":
        result = deduplicate_iocs(args.csv)
    elif args.command == "report":
        result = generate_lifecycle_report(args.csv, args.ttl)
    else:
        parser.print_help()
        return
    print(json.dumps(result, indent=2, default=str))


if __name__ == "__main__":
    main()
process.py4.4 KB
Display-only source. This catalog never executes bundled scripts.
#!/usr/bin/env python3
"""
Indicator Lifecycle Management Script

Manages IOC lifecycle: discovery, validation, deployment, monitoring, retirement.

Requirements: pip install requests

Usage:
    python process.py --import-iocs iocs.csv --output lifecycle_db.json
    python process.py --decay --db lifecycle_db.json
    python process.py --review --db lifecycle_db.json --output review_report.json
"""

import argparse
import csv
import json
import sys
from datetime import datetime, timedelta


class IOCLifecycleManager:
    def __init__(self):
        self.indicators = {}

    def add_indicator(self, ioc_type, value, source, confidence=50):
        key = f"{ioc_type}:{value}"
        self.indicators[key] = {
            "type": ioc_type, "value": value, "source": source,
            "confidence": confidence, "state": "discovered",
            "created": datetime.utcnow().isoformat(),
            "last_updated": datetime.utcnow().isoformat(),
            "hit_count": 0, "fp_count": 0, "last_seen": None,
        }

    def apply_decay(self):
        half_lives = {"ip": 30, "domain": 90, "hash": 365, "url": 60, "email": 180}
        for key, ioc in self.indicators.items():
            if ioc["state"] == "retired":
                continue
            hl = half_lives.get(ioc["type"], 90)
            age = (datetime.utcnow() - datetime.fromisoformat(ioc["created"])).days
            decay = 0.5 ** (age / hl)
            ioc["confidence"] = max(0, int(ioc["confidence"] * decay))
            if ioc["confidence"] < 10:
                ioc["state"] = "under_review"

    def review_indicators(self):
        review = {"retire": [], "keep": [], "boost": []}
        for key, ioc in self.indicators.items():
            age = (datetime.utcnow() - datetime.fromisoformat(ioc["created"])).days
            max_ages = {"ip": 90, "domain": 180, "hash": 730, "url": 120}
            max_age = max_ages.get(ioc["type"], 180)

            if age > max_age and ioc["hit_count"] == 0:
                review["retire"].append(key)
                ioc["state"] = "retired"
            elif ioc["fp_count"] > 3:
                review["retire"].append(key)
                ioc["state"] = "retired"
            elif ioc["hit_count"] > 5:
                review["boost"].append(key)
                ioc["confidence"] = min(100, ioc["confidence"] + 10)
            else:
                review["keep"].append(key)
        return review

    def get_stats(self):
        states = {}
        for ioc in self.indicators.values():
            states[ioc["state"]] = states.get(ioc["state"], 0) + 1
        return {
            "total": len(self.indicators),
            "by_state": states,
            "avg_confidence": (
                sum(i["confidence"] for i in self.indicators.values()) / len(self.indicators)
                if self.indicators else 0
            ),
        }

    def load(self, filepath):
        with open(filepath) as f:
            self.indicators = json.load(f)

    def save(self, filepath):
        with open(filepath, "w") as f:
            json.dump(self.indicators, f, indent=2)


def main():
    parser = argparse.ArgumentParser(description="IOC Lifecycle Manager")
    parser.add_argument("--import-iocs", help="CSV file with IOCs")
    parser.add_argument("--decay", action="store_true", help="Apply confidence decay")
    parser.add_argument("--review", action="store_true", help="Review indicators")
    parser.add_argument("--stats", action="store_true", help="Show statistics")
    parser.add_argument("--db", default="lifecycle_db.json", help="Database file")
    parser.add_argument("--output", default="lifecycle_report.json")
    args = parser.parse_args()

    mgr = IOCLifecycleManager()
    try:
        mgr.load(args.db)
    except FileNotFoundError:
        pass

    if args.import_iocs:
        with open(args.import_iocs) as f:
            reader = csv.DictReader(f)
            for row in reader:
                mgr.add_indicator(
                    row.get("type", "ip"), row.get("value", ""),
                    row.get("source", "import"), int(row.get("confidence", 50)),
                )
        mgr.save(args.db)

    if args.decay:
        mgr.apply_decay()
        mgr.save(args.db)

    if args.review:
        result = mgr.review_indicators()
        mgr.save(args.db)
        print(json.dumps(result, indent=2))

    if args.stats:
        print(json.dumps(mgr.get_stats(), indent=2))


if __name__ == "__main__":
    main()

Assets 1

template.mdtext/markdown · 1.0 KB
Keep exploring