Extract and operationalize indicators (IOCs) and behaviors (IOAs) from an incident or sample — atomic, computed, and behavioral — and prepare them for detection, blocking, and intel sharing. Use after/within an investigation to turn findings into defensive value.
Slash command: /dfir:ioc-development

Summary: A structured, prioritized indicator set that drives detection and containment, with behaviors (not just atomic indicators) captured so the adversary pays to evade.
An indicator set: indicator · type · context · confidence · block/monitor · ATT&CK mapping. Feeds detection-engineering (detection-engineering:detection-rule-development) and threat-intelligence, ideally STIX-friendly.
Atomic indicators are cheap to rotate — lead with behavioral indicators for durable defense. Always validate before blocking: a shared IP or common binary on a blocklist causes outages and alert fatigue. Record confidence so downstream consumers can weigh each indicator.
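One way to represent such an indicator set and apply the validation rule above before anything reaches a blocklist, as an added Python example that is not part of the dfir skill or plugin; the shared-value allowlist, confidence threshold, and sample indicators are constructed for illustration:

```python
from dataclasses import dataclass, field
from typing import Iterable, List

# Constructed allowlist: values too widely shared to block safely, e.g. the
# site's public DNS resolver or the hash of a stock OS binary (hypothetical).
SHARED_VALUES = {"198.51.100.53", "sha256:" + "00" * 32}
KIND_RANK = {"behavioral": 0, "computed": 1, "atomic": 2}  # durable kinds first

@dataclass
class Indicator:
    value: str
    kind: str            # atomic | computed | behavioral
    ioc_type: str        # ipv4 | domain | sha256 | process-behavior | ...
    context: str         # where in the incident it was observed
    confidence: float    # 0.0-1.0, analyst-assigned
    action: str = "monitor"  # block | monitor
    attack: List[str] = field(default_factory=list)  # ATT&CK technique IDs
    notes: List[str] = field(default_factory=list)   # validation outcomes

def validate_for_blocking(ind: Indicator, min_confidence: float = 0.8) -> Indicator:
    """Demote block -> monitor when blocking would cause outages or lacks confidence."""
    if ind.action == "block" and ind.value in SHARED_VALUES:
        ind.action = "monitor"
        ind.notes.append("shared value: blocking would cause outages")
    elif ind.action == "block" and ind.confidence < min_confidence:
        ind.action = "monitor"
        ind.notes.append(f"confidence {ind.confidence:.2f} below block threshold")
    return ind

def prioritize(indicators: Iterable[Indicator]) -> List[Indicator]:
    """Behavioral before computed before atomic; higher confidence first."""
    return sorted(indicators, key=lambda i: (KIND_RANK[i.kind], -i.confidence))

def build_indicator_set(raw: Iterable[Indicator]) -> List[Indicator]:
    return prioritize(validate_for_blocking(i) for i in raw)

# Constructed findings from a hypothetical investigation, not real IoCs.
SAMPLE = [
    Indicator("198.51.100.53", "atomic", "ipv4", "beacon destination; also site resolver",
              0.9, "block", ["T1071.001"]),
    Indicator("c2.example.net", "atomic", "domain", "C2 domain in proxy logs",
              0.95, "block", ["T1071.001"]),
    Indicator("sha256:" + "ab" * 32, "computed", "sha256", "dropper seen on one host",
              0.6, "block", ["T1204.002"]),
    Indicator("office app spawns script host that registers a scheduled task",
              "behavioral", "process-behavior", "persistence in host timeline",
              0.85, "monitor", ["T1566.001", "T1053.005"]),
]

if __name__ == "__main__":
    for i in build_indicator_set(SAMPLE):
        print(f"{i.kind:10} {i.action:7} {i.confidence:.2f} {i.value}  {i.notes}")
```

Only the domain survives as a block entry; the shared IP and the low-confidence hash are kept, with their reasons recorded, as monitor-only indicators for downstream consumers to weigh.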
npx claudepluginhub jassics/awesome-claude-security --plugin dfir