Scans investigation artifacts — log files, memory analysis output, findings documents, and raw captures — to extract indicators of compromise. Classifies each indicator by type, deduplicates, and produces a STIX 2.1 observable bundle alongside a flat IOC list for import into SIEMs and threat intelligence platforms.

Triggers

Alternate expressions and non-obvious activations (primary phrases are matched automatically from the skill description):

"IOCs" / "indicators" → Indicator of Compromise extraction
"STIX" / "STIX 2.1" → structured threat intelligence output
"pull indicators" → IOC extraction shorthand

Purpose

IOCs extracted during investigation have value beyond the current case: they feed detection rules, threat intelligence platforms, and network blocklists. Raw extraction without classification and deduplication produces noise. This skill applies consistent extraction patterns and maps output to STIX 2.1 so findings integrate with standard threat intelligence tooling.

Behavior

When triggered, this skill:

Triggers

Alternate expressions and non-obvious activations (primary phrases are matched automatically from the skill description):

"IOCs" / "indicators" → Indicator of Compromise extraction
"STIX" / "STIX 2.1" → structured threat intelligence output
"pull indicators" → IOC extraction shorthand

Purpose

Behavior

When triggered, this skill:

Ioc Extraction

Triggers

Purpose

Behavior

Ioc Extraction

Triggers

Purpose

Behavior

Usage Examples

Example 1 — Scan all forensics artifacts

Example 2 — Scan specific file

Example 3 — With custom allowlist

Output Locations

Configuration

References

Database Migrations Migration Observability

Computer Vision Expert

Ai Studio Image

Astropy

Performance Engineer

Cosmosdb Datamodeling