askill
enrich-ioc


Enrich an IOC (IP, domain, hash, URL) with threat intelligence. Use when you need to look up reputation and context for an indicator using GTI and SIEM. Returns threat intel findings, SIEM entity summary, and IOC match status.

85 stars
1.7k downloads
Updated 2/4/2026

Package Files

SKILL.md

Enrich IOC Skill

Perform standardized enrichment for a single Indicator of Compromise (IOC) using Google Threat Intelligence (GTI) and Chronicle SIEM, called through the gti-mcp and secops-mcp tools referenced below.

Inputs

  • IOC_VALUE - The indicator value (e.g., "198.51.100.10", "evil-domain.com", "abcdef123456...", "http://bad.url/path")
  • IOC_TYPE - The type: "IP Address", "Domain", "File Hash" (MD5, SHA-1 or SHA-256), or "URL"

Workflow

Step 1: GTI Enrichment

Based on IOC_TYPE, call the appropriate GTI tool:

| IOC Type | Tool | Example |
|---|---|---|
| IP Address | gti-mcp.get_ip_address_report | get_ip_address_report(ip_address="198.51.100.10") |
| Domain | gti-mcp.get_domain_report | get_domain_report(domain="evil-domain.com") |
| File Hash | gti-mcp.get_file_report | get_file_report(hash="abcdef123...") |
| URL | gti-mcp.get_url_report | get_url_report(url="http://bad.url/path") |

Store key findings in GTI_FINDINGS:

  • Reputation score
  • Classification (malicious, suspicious, clean)
  • Key relationships (contacted domains, IPs, etc.)
  • Associated malware families or campaigns

Error Handling: If the GTI call fails (quota exceeded, transport error) or GTI has no record of the indicator, record that limitation in GTI_FINDINGS and proceed with SIEM enrichment. Treat "not found" as absence of intelligence, not as evidence that the indicator is clean.

Step 2: SIEM Entity Lookup

secops-mcp.lookup_entity(entity_value=IOC_VALUE)

Store in SIEM_SUMMARY:

  • First/last seen timestamps
  • Related alerts
  • Associated assets/users

Step 3: SIEM IOC Match Check

secops-mcp.get_ioc_matches()

Check whether IOC_VALUE appears among the returned matches, normalizing both sides before comparing (case-fold domains and hashes, strip a trailing dot, refang "[.]" and "hxxp"), since a defanged or mixed-case input will otherwise miss an exact feed entry. Store Yes/No in IOC_MATCH_STATUS. The call returns only recent matches, so "No" means no recent match, not that the indicator has never been seen.

Required Outputs

After completing this skill, you MUST report these outputs:

| Output | Description |
|---|---|
| GTI_FINDINGS | Summary of the GTI report (reputation, classification, relationships); if GTI enrichment failed or returned no record, state that here rather than leaving it empty |
| SIEM_SUMMARY | SIEM entity context (first/last seen, related alerts) |
| IOC_MATCH_STATUS | Yes/No: whether the IOC appears in recent threat-feed matches |
| THREAT_SCORE | Numerical threat score (0-100) derived from the GTI reputation and classification in GTI_FINDINGS; not computable when GTI returned nothing, in which case report the limitation instead |
| MALICIOUS_CONFIDENCE | Confidence level: high, medium, low, or none (none when GTI returned no verdict) |
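The three steps and the output derivation above, as an added example in Python that is not part of this skill or of the gti-mcp / secops-mcp servers. It assumes a VirusTotal-style report shape (data.attributes with last_analysis_stats and an optional gti_assessment carrying verdict and threat_score), that SIEM IOC matches can be read as records with an ioc_value field, and its own classification and confidence thresholds; both MCP clients are replaced by constructed stand-ins (FakeGTI, FakeSIEM) with constructed sample data so it runs offline. It covers the error-handling path (GTI has no record, SIEM still runs) and the feed comparison after normalization.

```python
import re
from typing import Any

GTI_TOOLS = {  # tool name and keyword argument per IOC_TYPE, as listed in Step 1
    "IP Address": ("get_ip_address_report", "ip_address"),
    "Domain": ("get_domain_report", "domain"),
    "File Hash": ("get_file_report", "hash"),
    "URL": ("get_url_report", "url"),
}

class GTIError(Exception):
    """Raised by the GTI client when it cannot answer (quota exceeded, IOC not found)."""

def normalize_ioc(value: str, ioc_type: str) -> str:
    """Refang and canonicalize so a feed comparison is not defeated by formatting."""
    v = re.sub(r"\[\.\]|\(\.\)", ".", value.strip())         # evil[.]com -> evil.com
    v = re.sub(r"^hxxp(s?)://", r"http\1://", v, flags=re.I)  # hxxp:// -> http://
    if ioc_type in ("Domain", "File Hash"):
        v = v.lower().rstrip(".")                             # case-fold, drop trailing dot
    return v

def summarize_gti(report: dict[str, Any]) -> dict[str, Any]:
    """GTI_FINDINGS from a report (assumed shape: data.attributes with last_analysis_stats
    and an optional gti_assessment block carrying verdict and threat_score)."""
    attrs = report.get("data", {}).get("attributes", {})
    stats = attrs.get("last_analysis_stats", {})
    assessment = attrs.get("gti_assessment", {})
    verdict = assessment.get("verdict", {}).get("value", "")    # e.g. VERDICT_MALICIOUS
    if verdict:
        classification = {"VERDICT_MALICIOUS": "malicious",
                          "VERDICT_SUSPICIOUS": "suspicious"}.get(verdict, "clean")
    elif stats.get("malicious", 0) >= 3:                        # assumed engine-count threshold
        classification = "malicious"
    elif stats.get("malicious", 0) or stats.get("suspicious", 0):
        classification = "suspicious"
    else:
        classification = "clean"
    if "threat_score" in assessment:                            # GTI's own 0-100 score
        score = int(assessment["threat_score"]["value"])
    else:                                                       # assumed fallback: weighted detection ratio
        total = sum(stats.values()) or 1
        score = round(100 * (stats.get("malicious", 0) + 0.5 * stats.get("suspicious", 0)) / total)
    return {"reputation": attrs.get("reputation", 0), "classification": classification,
            "threat_score": score, "detections": stats, "relationships": report.get("relationships", {})}

def confidence(score) -> str:
    """MALICIOUS_CONFIDENCE from THREAT_SCORE; the cut-offs are assumptions, not GTI's."""
    if score is None or score <= 0:
        return "none"
    return "high" if score >= 70 else "medium" if score >= 40 else "low"

def enrich_ioc(ioc_value: str, ioc_type: str, gti: Any, siem: Any) -> dict[str, Any]:
    """Steps 1-3 of the skill; returns the Required Outputs plus any noted limitations."""
    if ioc_type not in GTI_TOOLS:
        raise ValueError(f"unsupported IOC_TYPE {ioc_type!r}")
    value = normalize_ioc(ioc_value, ioc_type)
    out: dict[str, Any] = {"IOC_VALUE": value, "limitations": []}
    tool, kwarg = GTI_TOOLS[ioc_type]
    try:                                                        # Step 1: GTI enrichment
        out["GTI_FINDINGS"] = summarize_gti(getattr(gti, tool)(**{kwarg: value}))
    except GTIError as exc:                                     # note the gap, continue with SIEM
        out["GTI_FINDINGS"] = None
        out["limitations"].append(f"GTI unavailable: {exc}")
    out["SIEM_SUMMARY"] = siem.lookup_entity(entity_value=value)                     # Step 2
    feed = {normalize_ioc(m["ioc_value"], ioc_type) for m in siem.get_ioc_matches()}  # Step 3
    out["IOC_MATCH_STATUS"] = "Yes" if value in feed else "No"
    findings = out["GTI_FINDINGS"]
    out["THREAT_SCORE"] = findings["threat_score"] if findings else None
    out["MALICIOUS_CONFIDENCE"] = confidence(out["THREAT_SCORE"])
    return out

class FakeGTI:
    """Constructed stand-in for gti-mcp: two canned reports, anything else is 'not found'."""
    REPORTS = {
        "198.51.100.10": {"data": {"attributes": {
            "reputation": -45,
            "last_analysis_stats": {"malicious": 12, "suspicious": 1, "harmless": 60, "undetected": 20},
            "gti_assessment": {"verdict": {"value": "VERDICT_MALICIOUS"}, "threat_score": {"value": 84}}}}},
        "evil-domain.com": {"data": {"attributes": {
            "last_analysis_stats": {"malicious": 1, "suspicious": 0, "harmless": 70, "undetected": 10}}}},
    }
    def _report(self, key: str) -> dict[str, Any]:
        if key not in self.REPORTS:
            raise GTIError(f"{key} not found")
        return self.REPORTS[key]
    def get_ip_address_report(self, ip_address: str): return self._report(ip_address)
    def get_domain_report(self, domain: str): return self._report(domain)
    def get_file_report(self, hash: str): return self._report(hash)
    def get_url_report(self, url: str): return self._report(url)

class FakeSIEM:
    """Constructed stand-in for secops-mcp: one known entity and a tiny IOC-match feed."""
    ENTITY = {"first_seen": "2026-01-28T09:14:00Z", "last_seen": "2026-02-03T22:01:00Z",
              "alerts": ["Outbound beacon to known C2"], "assets": ["ws-0417"]}
    MATCHES = [{"ioc_value": "198.51.100.10"}, {"ioc_value": "EVIL-DOMAIN.COM"}]  # mixed case on purpose
    def lookup_entity(self, entity_value: str) -> dict[str, Any]:
        return self.ENTITY if entity_value == "198.51.100.10" else \
            {"first_seen": None, "last_seen": None, "alerts": [], "assets": []}
    def get_ioc_matches(self) -> list[dict[str, Any]]:
        return list(self.MATCHES)
```

Calling enrich_ioc(" EVIL-DOMAIN[.]COM. ", "Domain", FakeGTI(), FakeSIEM()) shows the point of Step 3's normalization: the defanged, mixed-case input still matches the feed entry "EVIL-DOMAIN.COM", while a raw string comparison would have reported "No". A hash the stand-in GTI does not know takes the error path and comes back with GTI_FINDINGS None, a recorded limitation, THREAT_SCORE None and MALICIOUS_CONFIDENCE "none" instead of a fabricated score.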

Quick Reference

GTI Tools:

  • get_ip_address_report(ip_address)
  • get_domain_report(domain)
  • get_file_report(hash)
  • get_url_report(url)

SIEM Tools:

  • lookup_entity(entity_value)
  • get_ioc_matches()

Install

Requires askill CLI v1.0+


Metadata

License: unknown
Version: -
Updated: 2/4/2026
Publisher: dandye

Tags

api, github-actions