Manages the IOC lifecycle in threat intelligence from discovery to retirement, with validation, enrichment, deployment, monitoring, confidence decay, hit/false-positive tracking, and auto-expiration, implemented as a Python state machine.
Trigger: by the user (slash command), by Claude (auto-loaded from the skill summary), or both.
Slash command: /cybersecurity-skills-zh:performing-indicator-lifecycle-management
Skill summary (what Claude sees in its skill listing when deciding whether to auto-load the skill):
Indicator lifecycle management tracks an IOC from initial discovery through validation, enrichment, deployment, monitoring and eventual retirement. This skill covers a systematic process for IOC quality assessment, aging policies, confidence decay scoring, false-positive tracking, hit-rate monitoring and automatic expiration, so that the indicator database stays high-quality and actionable, analyst fatigue is kept to a minimum, and detection effectiveness improves.
Dependencies: the pymisp, requests and stix2 libraries.

Indicator confidence falls over time because adversaries rotate their infrastructure. A time-based decay function lowers the confidence score automatically, so that stale indicators do not keep generating alerts. Typical half-lives: IP addresses (30 days), domains (90 days), file hashes (365 days). Treat these as defaults to tune per source and per environment, and note that a confirmed new sighting should reset the decay clock rather than let the score keep falling.
```python
from datetime import datetime, timezone
from enum import Enum


class IOCState(Enum):
    DISCOVERED = "discovered"      # ingested from a feed or report, not yet checked
    VALIDATED = "validated"        # confirmed to be well-formed and not obviously benign
    ENRICHED = "enriched"          # context added (WHOIS, passive DNS, sandbox, ...)
    DEPLOYED = "deployed"          # pushed to detection / blocking controls
    MONITORING = "monitoring"      # live; hits and false positives are being tracked
    UNDER_REVIEW = "under_review"  # flagged for an analyst decision
    RETIRED = "retired"            # removed from controls, kept for history


def _now() -> datetime:
    # Timezone-aware UTC; datetime.utcnow() is deprecated since Python 3.12.
    return datetime.now(timezone.utc)


class IOCLifecycle:
    def __init__(self, ioc_type, value, source, initial_confidence=50):
        self.ioc_type = ioc_type
        self.value = value
        self.source = source
        self.base_confidence = initial_confidence  # score at ingestion; decay is derived from it
        self.confidence = initial_confidence
        self.state = IOCState.DISCOVERED
        self.created = _now()
        self.last_updated = self.created
        self.last_seen = None
        self.hit_count = 0
        self.false_positive_count = 0
        self.history = [{"state": "discovered", "timestamp": self.created.isoformat()}]

    def transition(self, new_state: IOCState, reason=""):
        self.state = new_state
        self.last_updated = _now()
        self.history.append({
            "state": new_state.value,
            "timestamp": self.last_updated.isoformat(),
            "reason": reason,
        })

    def apply_decay(self):
        """Apply confidence decay according to the half-life for this IOC type.

        Computed from base_confidence each time, so repeated calls do not
        compound the decay (the original multiplied the already-decayed score).
        """
        half_lives = {"ip": 30, "domain": 90, "hash": 365, "url": 60}
        half_life = half_lives.get(self.ioc_type, 90)
        age_days = (_now() - self.created).days
        decay_factor = 0.5 ** (age_days / half_life)
        self.confidence = max(0, int(self.base_confidence * decay_factor))

    def record_hit(self, is_true_positive=True):
        self.hit_count += 1
        if is_true_positive:
            # Only a confirmed sighting counts as evidence the indicator is still live.
            self.last_seen = _now()
        else:
            self.false_positive_count += 1
            if self.false_positive_count > 3:
                self.transition(IOCState.UNDER_REVIEW, "too many false positives")

    def should_retire(self):
        """Age out indicators that have exceeded their maximum age without ever matching."""
        max_ages = {"ip": 90, "domain": 180, "hash": 730, "url": 120}
        max_age = max_ages.get(self.ioc_type, 180)
        age_days = (_now() - self.created).days
        return age_days > max_age and self.hit_count == 0
```
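The class above handles one indicator at a time and measures decay from the creation date. The following is an added example, not the skill's own code, that runs the same policy over a batch of constructed indicators with a fixed clock: decay is anchored on the last confirmed sighting so active indicators stay deployable, each IOC is sorted into deploy / monitor / review / retire, and per-feed precision is computed from the hit and false-positive counters. The half-lives and maximum ages are the page's values; the deployment threshold (40), the false-positive limit (3) and the feed names are assumptions made for the example.

```python
"""Added example (not the skill's code): batch triage of IOCs with sighting-anchored decay."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Half-lives and maximum ages as given on the page.
HALF_LIFE_DAYS = {"ip": 30, "domain": 90, "hash": 365, "url": 60}
MAX_AGE_DAYS = {"ip": 90, "domain": 180, "hash": 730, "url": 120}
# Assumed thresholds for this example; tune them per environment.
DEPLOY_THRESHOLD = 40      # below this, pull the IOC from blocking rules
FALSE_POSITIVE_LIMIT = 3   # more than this sends the IOC to an analyst


@dataclass
class Indicator:
    ioc_type: str
    value: str
    source: str
    base_confidence: int          # score assigned at validation time, never mutated
    created: datetime
    last_seen: Optional[datetime] = None
    true_positives: int = 0
    false_positives: int = 0


def decayed_confidence(ioc: Indicator, now: datetime) -> int:
    """Exponential decay anchored on the most recent confirmed sighting.

    Derived from base_confidence on every call, so repeated evaluation does not
    compound, and a fresh true positive restarts the clock.
    """
    anchor = ioc.last_seen or ioc.created
    age_days = (now - anchor).total_seconds() / 86400
    half_life = HALF_LIFE_DAYS.get(ioc.ioc_type, 90)
    return max(0, int(round(ioc.base_confidence * 0.5 ** (age_days / half_life))))


def disposition(ioc: Indicator, now: datetime) -> str:
    """Decide what to do with one IOC: review, retire, deploy or monitor."""
    if ioc.false_positives > FALSE_POSITIVE_LIMIT:
        return "review"           # noisy: an analyst decides, not the clock
    age_days = (now - ioc.created).days
    if age_days > MAX_AGE_DAYS.get(ioc.ioc_type, 180) and ioc.true_positives == 0:
        return "retire"           # past maximum age and never confirmed in the environment
    if decayed_confidence(ioc, now) >= DEPLOY_THRESHOLD:
        return "deploy"           # still trusted enough for blocking rules
    return "monitor"              # keep for hunting and alert enrichment only


def triage(iocs: List[Indicator], now: datetime) -> Dict[str, List[str]]:
    buckets: Dict[str, List[str]] = {"deploy": [], "monitor": [], "review": [], "retire": []}
    for ioc in iocs:
        buckets[disposition(ioc, now)].append(ioc.value)
    return buckets


def source_precision(iocs: List[Indicator]) -> Dict[str, Optional[float]]:
    """True-positive share of all hits per feed; None when a feed has produced no hits."""
    totals: Dict[str, List[int]] = {}
    for ioc in iocs:
        t = totals.setdefault(ioc.source, [0, 0])
        t[0] += ioc.true_positives
        t[1] += ioc.false_positives
    return {src: (tp / (tp + fp) if tp + fp else None) for src, (tp, fp) in totals.items()}


NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)   # fixed clock for a reproducible run


def build_sample() -> List[Indicator]:
    """Constructed sample indicators (documentation addresses, placeholder hash), not real intel."""
    def days_ago(n: int) -> datetime:
        return NOW - timedelta(days=n)

    return [
        Indicator("ip", "192.0.2.10", "feed-a", 90, created=days_ago(1), true_positives=3),
        Indicator("ip", "192.0.2.11", "feed-a", 80, created=days_ago(92)),
        Indicator("domain", "bad.example", "feed-b", 80, created=days_ago(150),
                  last_seen=days_ago(7), true_positives=2, false_positives=1),
        Indicator("hash", "a" * 64, "feed-b", 60, created=days_ago(517)),
        Indicator("url", "http://bad.example/x", "feed-c", 70, created=days_ago(31),
                  true_positives=1, false_positives=4),
    ]


if __name__ == "__main__":
    sample = build_sample()
    for bucket, values in triage(sample, NOW).items():
        print(f"{bucket:8s} {values}")
    print(source_precision(sample))
```

The domain indicator is 150 days old, well past one 90-day half-life, yet it stays deployable because it was confirmed seven days ago; the same indicator with decay anchored on creation would have dropped to about 25 and been pulled from blocking. The per-feed precision is what an aging policy should feed back into initial confidence: a feed at 20% precision should not start its indicators at 70.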
Install: npx claudepluginhub killvxk/cybersecurity-skills-zh

Implements IOC lifecycle management for threat intelligence: tracks indicators from discovery via validation, enrichment, deployment and monitoring to retirement, with confidence decay, hit-rate tracking and automated expiration.