Does this skill require specific permissions?

Yes, it requires chronicle.viewer roles for SIEM access and chronicle.editor roles for SOAR case lookups.

What is the primary purpose of the correlate-ioc skill?

It is designed to help security analysts quickly determine if a specific indicator of compromise (IOC) has appeared in previous security alerts or is currently being handled in a SOAR case.

How does the skill determine malicious confidence?

It derives a high, medium, low, or none confidence level based on the frequency, severity, and status of related SIEM alerts and existing security cases.

Which security platforms does this skill interact with?

This skill is configured to work with Google SecOps (Chronicle) SIEM for alert searching and SOAR for case management.

Can I search for multiple IOCs at once?

Yes, the skill accepts an IOC_LIST which can contain a single indicator or a list of multiple indicators like IPs, domains, or hashes.

Security IOC Correlation

Name: Security IOC Correlation
Author: dandye

bydandye

•

安全与测试

Automates the identification and cross-referencing of Indicators of Compromise (IOCs) across SIEM alerts and SOAR cases.

This skill empowers security teams by enabling Claude to automatically query security operations platforms like Google Chronicle to identify if specific indicators, such as IP addresses or domains, have triggered historical alerts or are linked to active investigations. By correlating data between SIEM logs and SOAR case management systems, it provides a unified view of security context, helping analysts determine the scope of a threat and derive a confidence level for malicious activity without manual searching.

主要功能

01Calculates malicious confidence scores based on alert history

02Generates unified correlation summaries for rapid triage

03Supports customizable lookback periods for historical analysis

04Cross-references IOCs with historical SIEM security alerts

0587 GitHub stars

06Searches SOAR platforms for existing or closed incident cases

使用场景

01Determining if a suspicious indicator is already part of an ongoing investigation

02Enriching threat hunting leads with internal organizational context

03Identifying the scope of a campaign during active incident response

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add dandye/ai-runbooks correlate-ioc

For use in Claude.ai and ChatGPT

Download Skill