Best use case
forensics-ioc is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
It is a strong fit for teams already working in Codex.
Extract and enrich indicators of compromise
Teams using forensics-ioc should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/forensics-ioc/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How forensics-ioc Compares
| Feature / Agent | forensics-ioc | Standard Approach |
|---|---|---|
| Platform Support | Codex | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Extract and enrich indicators of compromise
Which AI agents support this skill?
This skill is designed for Codex.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
Related Guides
Cursor vs Codex for AI Workflows
Compare Cursor and Codex for AI coding workflows, repository assistance, debugging, refactoring, and reusable developer skills.
AI Agents for Coding
Browse AI agent skills for coding, debugging, testing, refactoring, code review, and developer workflows across Claude, Cursor, and Codex.
AI Agents for Marketing
Discover AI agents for marketing workflows, from SEO and content production to campaign research, outreach, and analytics.
SKILL.md Source
# /forensics-ioc Extract indicators of compromise (IOCs) from forensic findings, enrich them with threat intelligence lookups, and map them to STIX 2.1 observables. Produces a structured IOC register suitable for detection rule generation, MISP import, or threat intelligence sharing. ## Usage `/forensics-ioc <findings-path> [options]` ## Arguments | Argument | Required | Description | |----------|----------|-------------| | findings-path | Yes | Path to findings directory or specific finding file | | --enrich | No | Perform threat intelligence enrichment lookups | | --stix | No | Generate STIX 2.1 bundle alongside IOC register | | --output | No | Output path (default: `.aiwg/forensics/ioc/ioc-register.md`) | | --format | No | Output format: `markdown` (default), `json`, `stix`, `misp` | | --types | No | IOC types to extract: `ip`, `domain`, `hash`, `url`, `email`, `all` (default: `all`) | | --confidence | No | Minimum confidence threshold for inclusion: `low`, `medium`, `high` (default: `low`) | | --no-private | No | Exclude RFC-1918 and loopback addresses | ## Behavior When invoked, this command: 1. **Scan Findings for Observables** - Read all finding documents in the specified path - Parse timeline artifacts, triage summaries, and analysis outputs - Extract raw observable strings matching IOC patterns 2. **IOC Extraction by Type** | Type | Sources | Pattern | |------|---------|---------| | IPv4/IPv6 | Network analysis, auth logs, connections | Address notation | | Domain/FQDN | DNS queries, connection targets, configs | Domain pattern | | File hash (MD5/SHA1/SHA256) | Acquisition checksums, malware artifacts | Hex string | | URL | Web logs, process command lines, configs | HTTP/HTTPS URL | | Email address | Auth logs, user accounts | Email pattern | | File path | Persistence findings, process analysis | Suspicious paths | | Process name | Triage process list, persistence | Masquerading names | | User agent | Web logs | Browser/tool strings | 3. **Deduplication and Normalization** - Remove duplicate IOCs of the same type and value - Normalize IP addresses (strip ports, consolidate subnets) - Lowercase domain names - Uppercase file hashes - Apply `--no-private` filtering if specified 4. **Confidence Scoring** - Score each IOC based on context and repetition - HIGH: IOC observed in multiple independent sources or directly linked to attack - MEDIUM: IOC appears in findings with indirect correlation - LOW: IOC extracted from context; may require validation - Mark false-positive candidates (CDN IPs, common system paths) 5. **Threat Intelligence Enrichment** (when `--enrich` specified) - Query VirusTotal, AbuseIPDB, or configured TI feeds for IP/domain/hash IOCs - Record reputation score, malware family, and associated threat actor - Note prior sightings and first/last seen dates - Attach TI source attribution 6. **STIX 2.1 Mapping** (when `--stix` specified) - Map each IOC to appropriate STIX Observable object type - Create STIX Indicator objects with detection patterns - Bundle into STIX 2.1 JSON bundle - Link observables to Threat Actor and Malware objects where applicable 7. **Detection Rule Suggestions** - Generate Sigma rule stubs for network IOCs - Generate firewall rule suggestions for IP/CIDR blocks - Generate YARA rule stubs for file hashes - Note which IOCs are suitable for automated blocking vs. monitoring 8. **IOC Register Output** - Write structured IOC register with all extracted indicators - Include context, confidence, enrichment data, and MITRE mapping - Export STIX bundle if requested - Update investigation state with IOC count ## Examples ### Example 1: Extract IOCs from findings directory ```bash /forensics-ioc .aiwg/forensics/findings/ ``` ### Example 2: Extract and enrich with threat intel ```bash /forensics-ioc .aiwg/forensics/findings/ --enrich ``` ### Example 3: STIX 2.1 output ```bash /forensics-ioc .aiwg/forensics/ --stix --format stix ``` ### Example 4: High confidence only, exclude private IPs ```bash /forensics-ioc .aiwg/forensics/ --confidence high --no-private ``` ### Example 5: MISP import format ```bash /forensics-ioc .aiwg/forensics/ --enrich --format misp ``` ## Output Artifacts are saved to `.aiwg/forensics/ioc/`: ``` .aiwg/forensics/ioc/ ├── ioc-register.md # Human-readable IOC register ├── ioc-register.json # Machine-readable IOC list ├── stix-bundle.json # STIX 2.1 bundle (if --stix) ├── detection-rules/ │ ├── network-ioc.sigma # Sigma rule stubs │ └── file-ioc.yara # YARA rule stubs └── enrichment-cache.json # TI lookup results cache ``` ### Sample IOC Register ``` IOC Register: INV-2026-02-27-web01 ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ Extraction complete: 12 IOCs (4 enriched) --- Network IOCs --- | Type | Value | Confidence | Context | TI Result | |---------|----------------------|------------|--------------------------------|------------------------| | IPv4 | 185.220.101.42 | HIGH | SSH brute force source; C2 | Known Tor exit node | | Domain | update-check.net | HIGH | DNS query from /tmp/.update | Malware C2 (VirusTotal)| | IPv4 | 10.0.0.15 | MEDIUM | Lateral movement destination | Internal host | --- File IOCs --- | Type | Value | Confidence | Context | |----------|-------------------------|------------|-------------------------------| | SHA256 | a1b2c3d4e5f6... | HIGH | /tmp/.update - C2 implant | | Path | /tmp/.update | HIGH | Malicious cron-executed binary| | Path | /dev/shm/.x | MEDIUM | Hidden file in tmpfs | --- Account IOCs --- | Type | Value | Confidence | Context | |------|---------|------------|------------------------------------------| | User | deploy | HIGH | Compromised account (brute forced) | Total: 7 network, 3 file, 2 account IOCs STIX bundle: .aiwg/forensics/ioc/stix-bundle.json ``` ## References - @$AIWG_ROOT/agentic/code/frameworks/forensics-complete/agents/ioc-analyst.md - IOC Analyst - @$AIWG_ROOT/agentic/code/frameworks/forensics-complete/templates/ioc-register.md - Register template - @$AIWG_ROOT/agentic/code/frameworks/forensics-complete/commands/forensics-report.md - Include IOCs in report - @$AIWG_ROOT/agentic/code/frameworks/forensics-complete/commands/forensics-timeline.md - Timeline correlation
Related Skills
supply-chain-forensics
SBOM analysis, build pipeline forensics, and dependency verification covering package integrity, build reproducibility, and CI/CD pipeline tampering
memory-forensics
Volatility 3 memory forensics workflows covering acquisition with LiME and WinPmem, and structured analysis using Volatility 3 plugin reference
linux-forensics
Generalized Linux incident response and forensic analysis covering Debian/Ubuntu, RHEL/CentOS/Rocky, and SUSE families
forensics-triage
Quick triage investigation following RFC 3227 volatility order
forensics-timeline
Build correlated event timeline from multiple sources
forensics-status
Show investigation status dashboard
forensics-report
Generate forensic investigation report
forensics-profile
Build target system profile via SSH or cloud API enumeration
forensics-investigate
Full multi-agent investigation workflow
forensics-hunt
Threat hunt using Sigma rules against log sources
forensics-acquire
Evidence acquisition with chain of custody and hash verification
container-forensics
Docker, containerd/CRI-O, and Kubernetes forensic investigation covering container inventory (docker and crictl), privilege checks, image verification, layer analysis (dive), escape detection, eBPF runtime monitoring (Falco, Tetragon, Tracee), K8s RBAC audit, etcd security audit, and API server audit log analysis