analyzing-threat-landscape-with-misp
$
npx mdskill add mukul975/Anthropic-Cybersecurity-Skills/analyzing-threat-landscape-with-mispQuery MISP to map evolving threats and detect attack patterns.
- Reveals hidden threat actors and malware families behind incidents.
- Depends on PyMISP API and MISP event databases for data.
- Computes temporal trends and attribute distributions from raw events.
- Outputs structured reports with statistical breakdowns and visual trends.
SKILL.md
.github/skills/analyzing-threat-landscape-with-mispView on GitHub ↗
--- name: analyzing-threat-landscape-with-misp description: >- Analyze the threat landscape using MISP (Malware Information Sharing Platform) by querying event statistics, attribute distributions, threat actor galaxy clusters, and tag trends over time. Uses PyMISP to pull event data, compute IOC type breakdowns, identify top threat actors and malware families, and generate threat landscape reports with temporal trends. domain: cybersecurity subdomain: threat-intelligence tags: [analyzing, threat, landscape, with] version: "1.0" author: mahipal license: Apache-2.0 --- # Analyzing Threat Landscape with MISP ## When to Use - When investigating security incidents that require analyzing threat landscape with misp - When building detection rules or threat hunting queries for this domain - When SOC analysts need structured procedures for this analysis type - When validating security monitoring coverage for related attack techniques ## Prerequisites - Familiarity with threat intelligence concepts and tools - Access to a test or lab environment for safe execution - Python 3.8+ with required dependencies installed - Appropriate authorization for any testing activities ## Instructions 1. Install dependencies: `pip install pymisp` 2. Configure MISP URL and API key. 3. Run the agent to generate threat landscape analysis: - Pull event statistics by threat level and date range - Analyze attribute type distributions (IP, domain, hash, URL) - Identify top MITRE ATT&CK techniques from event tags - Track threat actor activity via galaxy clusters - Generate temporal trend analysis of IOC submissions ```bash python scripts/agent.py --misp-url https://misp.local --api-key YOUR_KEY --days 90 --output landscape_report.json ``` ## Examples ### Threat Landscape Summary ``` Period: Last 90 days Events analyzed: 1,247 Top threat level: High (43%) Top attribute type: ip-dst (31%), domain (22%), sha256 (18%) Top MITRE technique: T1566 Phishing (89 events) Top threat actor: APT28 (34 events) ```
More from mukul975/Anthropic-Cybersecurity-Skills
- acquiring-disk-image-with-dd-and-dcflddCreate forensically sound bit-for-bit disk images using dd and dcfldd while preserving evidence integrity through hash verification.
- analyzing-active-directory-acl-abuseDetect dangerous ACL misconfigurations in Active Directory using ldap3 to identify GenericAll, WriteDACL, and WriteOwner abuse paths
- analyzing-android-malware-with-apktoolPerform static analysis of Android APK malware samples using apktool for decompilation, jadx for Java source recovery, and androguard for permission analysis, manifest inspection, and suspicious API call detection.
- analyzing-api-gateway-access-logs>
- analyzing-apt-group-with-mitre-navigatorAnalyze advanced persistent threat (APT) group techniques using MITRE ATT&CK Navigator to create layered heatmaps of adversary TTPs for detection gap analysis and threat-informed defense.
- analyzing-azure-activity-logs-for-threats>
- analyzing-bootkit-and-rootkit-samples>
- analyzing-browser-forensics-with-hindsightAnalyze Chromium-based browser artifacts using Hindsight to extract browsing history, downloads, cookies, cached content, autofill data, saved passwords, and browser extensions from Chrome, Edge, Brave, and Opera for forensic investigation.
- analyzing-campaign-attribution-evidenceCampaign attribution analysis involves systematically evaluating evidence to determine which threat actor or group is responsible for a cyber operation. This skill covers collecting and weighting attr
- analyzing-certificate-transparency-for-phishingMonitor Certificate Transparency logs using crt.sh and Certstream to detect phishing domains, lookalike certificates, and unauthorized certificate issuance targeting your organization.