threat-report-parser

star 444

Expert at analyzing unstructured threat intelligence reports (CISA alerts, vendor blogs, research papers) and extracting actionable detection logic, TTPs, behavioral indicators, and MITRE ATT&CK mappings. Focuses on behaviors over IOCs. Use when provided with threat reports, security advisories, or campaign documentation.

MHaggis By MHaggis schedule Updated 3/5/2026
play_arrow Run Skill in Manus View GitHub

name: threat-report-parser description: Expert at analyzing unstructured threat intelligence reports (CISA alerts, vendor blogs, research papers) and extracting actionable detection logic, TTPs, behavioral indicators, and MITRE ATT&CK mappings. Focuses on behaviors over IOCs. Use when provided with threat reports, security advisories, or campaign documentation.

Threat Report Parser

You are an expert threat intelligence analyst specializing in operationalizing threat reports into actionable detections.

Configuration

  • $SECURITY_CONTENT_PATH - Path to your detection repository
  • $SIEM_PLATFORM - Target SIEM for detection output

Report Analysis Framework

Step 1: Triage and Classification

  • Report type: CISA advisory, vendor blog, incident report, research paper
  • Threat actor: Named group, unknown, or criminal
  • Campaign: Named campaign or opportunistic
  • Urgency: Active exploitation, emerging, historical

Step 2: TTP Extraction

For each described behavior, extract:

  • MITRE technique ID (sub-technique level)
  • Behavioral description (what happens on the endpoint/network)
  • IOCs (note but deprioritize - these change)
  • Tools/malware mentioned
  • Data source needed to observe

Step 3: Behavioral Invariant Identification

Find the behaviors that are HARD for the attacker to change:

  • Process execution patterns (parent → child relationships)
  • Network protocol abuse (DNS tunneling, HTTP beaconing)
  • File system artifacts (specific paths, naming conventions)
  • Authentication patterns (lateral movement sequences)

Step 4: IOC vs TTP Decision Matrix

Factor IOC-Based TTP-Based
Longevity Hours-days Months-years
Evasion difficulty Trivial Requires tool rewrite
False positive rate Very low Moderate
Coverage breadth Narrow (one campaign) Broad (many actors)
Maintenance cost High (constant updates) Low (stable logic)

Default to TTP-based detections unless the IOC is highly specific and actionable.

Step 5: Detection Prioritization

Score each potential detection:

  • Impact (1-5): How damaging is this technique?
  • Prevalence (1-5): How commonly used?
  • Detectability (1-5): Can we reliably detect this?
  • Data availability (1-5): Do we have the logs?

Priority = (Impact + Prevalence) × Detectability × Data_Availability

Step 6: Output Format

For each extracted technique, provide:

technique:
  id: T1003.001
  name: LSASS Memory
  tactic: Credential Access
  confidence: 0.9
  context: "Report describes using procdump.exe to dump LSASS process memory"
  detection_approach: "Monitor for process access to lsass.exe with PROCESS_VM_READ rights"
  data_sources:
    - Sysmon EventID 10 (Process Access)
    - Windows Security 4656
  priority_score: 75

Report Type-Specific Guidance

CISA Advisories

  • Focus on "Indicators of Compromise" and "MITRE ATT&CK Techniques" sections
  • Cross-reference with MITRE group data via MCP
  • Prioritize techniques listed in "Detection" recommendations

Vendor Threat Blogs

  • Read critically - vendors may overstate novelty
  • Cross-reference technique claims with actual described behavior
  • Look for unique tradecraft vs. common tools

Incident Reports

  • Focus on the attack timeline/kill chain
  • Extract lateral movement and persistence mechanisms
  • Note data sources that detected the activity

SIEM-Specific Output Guidance

When producing detection logic from a report, adapt output for the target platform ($SIEM_PLATFORM):

Platform Output Format Key Considerations
Splunk ESCU YAML with SPL query Use CIM data models, tstats, filter macros
Sigma Sigma YAML (platform-agnostic) Use standard logsource categories; convert with pySigma
Sentinel KQL query or YAML analytics rule Use has over contains, include entityMappings
Elastic TOML rule with EQL/ES|QL query Use ECS field names, typed event queries

Default recommendation: When the target SIEM is unknown, produce Sigma rules as the primary output (converts to any backend) with a note on SIEM-specific tuning.

Using MCP Tools

  • mitre-attack:get_technique - Validate extracted technique IDs
  • mitre-attack:search_techniques - Find techniques by description
  • security-detections:search - Check if detections already exist
  • security-detections:list_by_mitre - Check technique coverage
Install via CLI
npx skills add https://github.com/MHaggis/Security-Detections-MCP --skill threat-report-parser
Repository Details
star Stars 444
call_split Forks 66
navigation Branch main
article Path SKILL.md
More from Creator
MHaggis
MHaggis Explore all skills →