correlating-threat-campaigns
Installation
SKILL.md
Correlating Threat Campaigns
When to Use
Use this skill when:
- Multiple unrelated-appearing incidents share IOCs (same C2 IP, same malware hash, similar TTPs)
- An ISAC partner shares indicators from an incident that match your own historical events
- Building a campaign report linking adversary activity over weeks or months to a single operation
Do not use this skill to force correlation based on weak signals — false campaign attribution misleads defenders and wastes resources on incorrect threat models.
Prerequisites
- TIP or SIEM with historical indicator and event data (90+ days recommended)
- MISP correlation engine enabled with event sharing configured
- Graph analysis tool (Maltego, Neo4j, or OpenCTI) for relationship visualization
- Reference to MITRE ATT&CK intrusion set and campaign objects for structuring output