ioc-analysis

Purpose

This skill enables the analysis of indicators of compromise (IOCs), such as IP addresses, domains, file hashes, and URLs, to identify potential threats, correlate them with known attack patterns, and generate actionable insights for cybersecurity defense.

When to Use

  • Use during incident response when a suspicious artifact (e.g., an IP from a log) needs immediate verification.
  • Apply in proactive threat hunting to scan for IOCs in network traffic or endpoint data.
  • Integrate into automated workflows for daily security monitoring of external feeds.

Key Capabilities

  • Parse and enrich IOCs using threat intelligence databases, including IP geolocation, domain reputation, and hash matching.
  • Detect anomalies by cross-referencing IOCs against predefined threat feeds or custom rulesets.
  • Generate reports with severity scores, related threats, and recommended mitigations.
  • Support bulk analysis for processing multiple IOCs in a single operation.
  • Integrate with logging systems to automate alerts based on analysis results.

Usage Patterns

Always initialize the skill with authentication via the $OPENCLAW_API_KEY environment variable. Use the CLI for quick queries and the API for programmatic integration. For the CLI, pipe inputs from files; for the API, issue requests in a loop for batch processing. Validate IOC formats before submission (e.g., IPv4 as dotted decimal) so that malformed values are rejected locally rather than sent to the service. Structure workflows to check for errors after each call and retry only transient failures.
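As an added example of the local validation step described above (not code from this skill or from OpenClaw), the following classifies each IOC into the types the skill handles (IPv4/IPv6, MD5/SHA-1/SHA-256 hashes, domains, http(s) URLs) and splits a batch of piped-in lines into submittable values and rejects. The function names are assumptions, and the sample lines are constructed.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Hash types keyed by hex length; an all-hex value of one of these lengths is a hash.
_HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}
_HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
# Hostname: labels of letters/digits/hyphens (no edge hyphens), alphabetic TLD, <= 253 chars.
_DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?\.)+[a-zA-Z]{2,63}$"
)

def classify_ioc(value):
    """Return 'ipv4', 'ipv6', 'md5', 'sha1', 'sha256', 'domain' or 'url'; None if no format matches."""
    v = value.strip()
    # Dotted-decimal IPv4 or textual IPv6; ipaddress rejects octets > 255 and short forms like "1.2.3".
    try:
        return "ipv%d" % ipaddress.ip_address(v).version
    except ValueError:
        pass
    if _HEX_RE.match(v) and len(v) in _HASH_LENGTHS:
        return _HASH_LENGTHS[len(v)]
    if "://" in v:  # only http(s) URLs with a host are accepted; other schemes are rejected
        parts = urlparse(v)
        return "url" if parts.scheme in ("http", "https") and parts.hostname else None
    return "domain" if _DOMAIN_RE.match(v) else None

def validate_batch(lines):
    """Split raw input lines (e.g. piped from a file) into (type, value) pairs and rejected values."""
    accepted, rejected = [], []
    for line in lines:
        v = line.strip()
        if not v or v.startswith("#"):
            continue  # skip blank lines and comments
        kind = classify_ioc(v)
        (accepted if kind else rejected).append((kind, v) if kind else v)
    return accepted, rejected

# Constructed sample input, as it might be piped from a file.
SAMPLE_LINES = [
    "# suspicious artifacts from a proxy log",
    "192.168.1.10", "1.2.3", "999.1.1.1", "::1",
    "d41d8cd98f00b204e9800998ecf8427e",
    "example.com", "bad-.example", "http://example.com/x", "ftp://example.com",
]
```

Feeding only the accepted pairs to the CLI or API keeps malformed values from consuming quota or producing misleading "no results" entries in the report.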

Installs: 21 | GitHub Stars: 5 | First Seen: Mar 7, 2026