correlating-threat-campaigns
Correlates disparate security incidents, IOCs, and adversary behaviors across time and organizations to identify unified threat campaigns, attribute them to common threat actors, and extract shared indicators for improved detection. Use when multiple incidents exhibit overlapping indicators, when sector-wide attack campaigns require cross-organizational analysis, or when building campaign-level intelligence products. Activates for requests involving campaign analysis, incident clustering, cross-organizational IOC correlation, or MISP correlation engine.
Works with
0
total installs
0
this week
8.6K
GitHub stars
0
upvotes
Install Skill
Run in your terminal
0
installs
0
this week
8.6K
stars
Installation Guide
How to use correlating-threat-campaigns on Cursor
AI-first code editor with Composer
Prerequisites
Before installing skills in Cursor, ensure your development environment meets these requirements:
- ›Cursor installed and configured on your machine
- ›Node.js 16+ with npm — verify with
node --version - ›Active project directory where you want to add
correlating-threat-campaigns
Run the install command
Execute the skills CLI command in your project's root directory to begin installation:
Fetches correlating-threat-campaigns from mukul975/Anthropic-Cybersecurity-Skills and configures it for Cursor.
Select Cursor when prompted
The CLI shows a list of agents. Use arrow keys and space to select Cursor:
Verify installation
Confirm successful installation by checking the skill directory location:
Restart Cursor to activate correlating-threat-campaigns. Access via /correlating-threat-campaigns in your agent's command palette.
Security Notice
We perform automated surface-level scans (Gen AI Scanner, Socket, Snyk) during installation. These checks detect common vulnerabilities but do not guarantee complete security. Always review skill source code and verify the publisher's reputation before production use.
Skills execute code in your environment. Always review source, verify the publisher, and test in isolation before production.
Documentation
| name | correlating-threat-campaigns |
| description | 'Correlates disparate security incidents, IOCs, and adversary behaviors across time and organizations to identify unified threat campaigns, attribute them to common threat actors, and extract shared indicators for improved detection. Use when multiple incidents exhibit overlapping indicators, when sector-wide attack campaigns require cross-organizational analysis, or when building campaign-level intelligence products. Activates for requests involving campaign analysis, incident clustering, cross-organizational IOC correlation, or MISP correlation engine. ' |
| domain | cybersecurity |
| subdomain | threat-intelligence |
| tags | - campaign-analysis - correlation - MISP - ATT&CK - threat-actor - intrusion-set - clustering - CTI |
| version | 1.0.0 |
| author | team-cybersecurity |
| license | Apache-2.0 |
| nist_csf | - ID.RA-01 - ID.RA-05 - DE.CM-01 - DE.AE-02 |
Correlating Threat Campaigns
When to Use
Use this skill when:
- Multiple unrelated-appearing incidents share IOCs (same C2 IP, same malware hash, similar TTPs)
- An ISAC partner shares indicators from an incident that match your own historical events
- Building a campaign report linking adversary activity over weeks or months to a single operation
Do not use this skill to force correlation based on weak signals — false campaign attribution misleads defenders and wastes resources on incorrect threat models.
Prerequisites
- TIP or SIEM with historical indicator and event data (90+ days recommended)
- MISP correlation engine enabled with event sharing configured
- Graph analysis tool (Maltego, Neo4j, or OpenCTI) for relationship visualization
- Reference to MITRE ATT&CK intrusion set and campaign objects for structuring output
Workflow
Step 1: Collect and Normalize Events
Gather all candidate events for correlation from:
- Internal SIEM (raw events, alert history)
- TIP (historical indicators and events)
- ISAC sharing (partner-submitted events in MISP or TAXII)
- Commercial intelligence (Recorded Future, Mandiant, CrowdStrike reports)
Normalize all events to STIX 2.1 schema with consistent timestamp (UTC), indicator types, and confidence scores. Ensure all indicators have source attribution and collection date.
Step 2: Identify Correlation Pivot Points
Apply systematic pivot analysis across four dimensions:
Infrastructure pivots:
- Same IP address or /24 subnet across events
- Same domain registrant email or WHOIS organization
- Same ASN or hosting provider with same account fingerprint
- Same SSL certificate fingerprint or serial number across C2 domains
Capability pivots:
- Same malware hash or YARA signature match
- Same C2 communication protocol (Cobalt Strike beacon config, Sliver implant parameters)
- Same exploit code or weaponized document template
- Same obfuscation method or packer fingerprint
Temporal pivots:
- Events occurring within same time window (operational hours suggesting same timezone)
- Sequential events with logical kill chain progression
- Malware compilation timestamps clustering in same date range
Victimology pivots:
- Same target sector (healthcare, energy, financial)
- Same target geography
- Same targeted technology (specific ERP vendor, VPN appliance brand)
Step 3: Calculate Correlation Confidence
Apply weighted scoring for campaign attribution:
def calculate_campaign_confidence(events: list) -> float:
scores = []
# Infrastructure overlap (highest weight — most discriminating)
infra_overlap = count_shared_infra(events) / len(events)
scores.append(infra_overlap * 40)
# Capability overlap (high weight — TTPs are durable)
capability_overlap = count_shared_ttps(events) / len(events)
scores.append(capability_overlap * 35)
# Temporal proximity (moderate weight)
temporal_score = assess_temporal_clustering(events)
scores.append(temporal_score * 15)
# Victimology alignment (lower weight — many actors target same sector)
victim_score = assess_victim_pattern(events)
scores.append(victim_score * 10)
total = sum(scores)
if total >= 70: return "HIGH"
elif total >= 45: return "MEDIUM"
else: return "LOW"
Step 4: Build Campaign Graph
In OpenCTI or Maltego, construct campaign graph:
- Campaign object (STIX) as central node
- Intrusion Set → uses → Malware objects
- Intrusion Set → uses → Infrastructure objects
- Intrusion Set → targets → Identity objects (victim organizations/sectors)
- Campaign → attributed-to → Threat Actor (if attribution achieved)
- Indicators → indicates → Malware (linking technical observables to capabilities)
Label each relationship with evidence reference and confidence.
Step 5: Produce Campaign Intelligence Report
Structure the campaign report:
- Campaign name: Assign descriptive codename based on targeting theme or tooling
- Timeline: First/last observed dates with activity phases
- Attribution: Suspected threat actor with confidence level
- Target profile: Industry verticals, geographies, organization sizes
- TTPs summary: ATT&CK Navigator heatmap for campaign-specific techniques
- Shared indicators: IOCs that span multiple incidents (highest confidence for blocking)
- Detection guidance: Sigma/YARA rules specific to this campaign
Key Concepts
| Term | Definition |
|---|---|
| Campaign | STIX object representing a grouping of adversarial behaviors with common objectives over a defined time period |
| Intrusion Set | STIX object grouping related intrusion activity by common objectives, even when actor identity is uncertain |
| Pivot | Using a single data point (IOC, infrastructure, TTP) to discover related events or adversary artifacts |
| Clustering | Machine learning or manual grouping of incidents based on feature similarity to identify campaign boundaries |
| False Correlation | Incorrect linking of unrelated incidents due to shared infrastructure (CDNs, shared hosting) or common tools |
Tools & Systems
- MISP Correlation Engine: Automatic correlation of events sharing attribute values across the MISP instance and federated instances
- OpenCTI Graph: Interactive relationship graph for visualizing campaign linkages with STIX object types
- Maltego: Link analysis for infrastructure and capability pivoting across multiple data sources
- Neo4j: Graph database with Cypher queries for large-scale campaign correlation (millions of events)
Common Pitfalls
- CDN/Shared hosting false positives: Cloudflare, AWS CloudFront, and bulletproof hosters serve multiple threat actors. Shared IP alone does not establish campaign linkage.
- Common malware conflation: Multiple threat actors use Cobalt Strike. Shared capability does not indicate same actor without additional corroboration.
- Premature attribution: Forcing campaign-to-actor attribution before evidence threshold is reached produces incorrect intelligence that persists in reports.
- Missing temporal analysis: Events from different years may share infrastructure that was recycled by a different actor, not the same campaign.
List & Monetize Your Skill
Submit your Claude Code skill and start earning
Use Cases
Task Automation & Efficiency
Automate repetitive workflows and reduce manual effort
Example
Generate reports, summarize documents, draft communications
Save 3-5 hours per week on routine tasks
Knowledge Enhancement
Learn new skills, understand complex topics, get expert guidance
Example
Explain concepts, provide examples, suggest learning resources
Accelerate learning and skill development by 2x
Quality Improvement
Enhance output quality through reviews, suggestions, and refinements
Example
Review drafts, suggest improvements, catch errors
Improve work quality by 30-40% with less effort
Implementation Guide
Prerequisites
- ›Claude Desktop or compatible AI client with skill support
- ›Clear understanding of task or problem to solve
- ›Willingness to iterate and refine outputs
Time Estimate
15-45 minutes depending on use case complexity
Steps
- 1Install skill using provided installation command
- 2Test with simple use case relevant to your work
- 3Evaluate output quality and relevance
- 4Iterate on prompts to improve results
- 5Integrate into regular workflow if valuable
Common Pitfalls
- ⚠Expecting perfect results without iteration
- ⚠Not providing enough context in prompts
- ⚠Using skill for tasks outside its intended scope
- ⚠Accepting outputs without review and validation
Best Practices
✓ Do
- +Start with clear, specific prompts
- +Provide relevant context and constraints
- +Review and refine all outputs before using
- +Iterate to improve output quality
- +Document successful prompt patterns
✗ Don't
- −Don't use without understanding skill limitations
- −Don't skip validation of outputs
- −Don't share sensitive information in prompts
- −Don't expect skill to replace human judgment
💡 Pro Tips
- ★Be specific about desired format and style
- ★Ask for multiple options to choose from
- ★Request explanations to understand reasoning
- ★Combine AI efficiency with human expertise
When to Use This
✓ Use when
Use when skill capabilities match your task, clear ROI on time saved, and you can validate outputs. Best for repetitive tasks, learning, and quality improvement.
✗ Avoid when
Avoid when task requires deep expertise you can't validate, involves sensitive decisions, or when learning process is more valuable than speed of completion.
Learning Path
- 1Familiarize yourself with skill capabilities and limitations
- 2Start with low-risk, non-critical tasks
- 3Progress to more complex and valuable use cases
- 4Build expertise through regular use and experimentation
Related Skills
generating-threat-intelligence-reports
2mukul975/Anthropic-Cybersecurity-Skills
performing-cryptographic-audit-of-application
5mukul975/Anthropic-Cybersecurity-Skills
implementing-soar-playbook-with-palo-alto-xsoar
3mukul975/Anthropic-Cybersecurity-Skills
exploiting-deeplink-vulnerabilities
3mukul975/Anthropic-Cybersecurity-Skills
analyzing-network-traffic-with-wireshark
2mukul975/Anthropic-Cybersecurity-Skills
scanning-docker-images-with-trivy
2mukul975/Anthropic-Cybersecurity-Skills
Reviews
- MMichael Johnson★★★★★Dec 16, 2024
correlating-threat-campaigns is among the better-maintained entries we tried; worth keeping pinned for repeat workflows.
- AAisha Srinivasan★★★★★Dec 12, 2024
correlating-threat-campaigns fits our agent workflows well — practical, well scoped, and easy to wire into existing repos.
- CCamila Reddy★★★★★Dec 4, 2024
Keeps context tight: correlating-threat-campaigns is the kind of skill you can hand to a new teammate without a long onboarding doc.
- AAisha Iyer★★★★★Nov 23, 2024
correlating-threat-campaigns has been reliable in day-to-day use. Documentation quality is above average for community skills.
- AAmina White★★★★★Nov 7, 2024
Solid pick for teams standardizing on skills: correlating-threat-campaigns is focused, and the summary matches what you get after install.
- AArjun Brown★★★★★Nov 3, 2024
Keeps context tight: correlating-threat-campaigns is the kind of skill you can hand to a new teammate without a long onboarding doc.
- TTariq Haddad★★★★★Oct 26, 2024
correlating-threat-campaigns has been reliable in day-to-day use. Documentation quality is above average for community skills.
- AArya Agarwal★★★★★Oct 22, 2024
correlating-threat-campaigns is among the better-maintained entries we tried; worth keeping pinned for repeat workflows.
- IIsabella Kim★★★★★Oct 14, 2024
Solid pick for teams standardizing on skills: correlating-threat-campaigns is focused, and the summary matches what you get after install.
- SSakshi Patil★★★★★Sep 21, 2024
correlating-threat-campaigns is among the better-maintained entries we tried; worth keeping pinned for repeat workflows.
showing 1-10 of 37
Discussion
Comments — not star reviews- No comments yet — start the thread.