correlate-ioc — SIEM alert correlation

v1.0.0

About this Skill

correlate-ioc is a skill that correlates SIEM alerts and SOAR cases with a supplied list of Indicators of Compromise (IOCs), so an agent can tell whether an indicator has already produced alerts or is already under investigation before it starts new work on it.

Features

Searches SIEM alert data for alerts containing any IOC in the list
Supports an optional lookback period for SIEM alerts via the TIME_FRAME_HOURS parameter (default 168 hours, i.e. 7 days)
Searches SOAR cases for the same IOCs, with optional additional filtering via the SOAR_CASE_FILTER parameter
Correlates IOC types such as IP addresses (e.g., 198.51.100.10) and domains (e.g., evil-domain.com)

Author: dandye
Updated: 3/8/2026

Agent Capability Analysis

The correlate-ioc skill by dandye is an open-source community AI agent skill for Claude Code and other IDE workflows, giving agents a repeatable, domain-specific procedure for SIEM alert correlation and Indicators of Compromise (IOC) analysis.

Ideal Agent Persona

Perfect for Security Analysis Agents needing advanced threat detection and IOC correlation capabilities.

Core Value

Lets agents correlate SIEM alerts and SOAR cases with Indicators of Compromise (IOCs) such as IP addresses and domains, with the lookback window controlled by TIME_FRAME_HOURS and the case search narrowed by SOAR_CASE_FILTER.

Capabilities Granted for correlate-ioc

Correlating IOCs with existing SIEM alerts
Automating threat detection workflows
Enhancing incident response with IOC-based alert filtering

Prerequisites & Limits

  • Requires access to SIEM alerts and SOAR cases (in SKILL.md these are reached through the secops-mcp and secops-soar tools)
  • Dependent on the quality and completeness of the IOC list: indicators that cover shared or benign infrastructure (private address ranges, CDN or SaaS domains) will correlate with unrelated alerts and inflate MALICIOUS_CONFIDENCE, so validate the list before running the skill

SKILL.md

Correlate IOC Skill

Check for existing SIEM alerts and cases related to specific Indicators of Compromise.

Inputs

  • IOC_LIST - Single IOC or list of IOCs (e.g., ["198.51.100.10", "evil-domain.com"])
  • (Optional) TIME_FRAME_HOURS - Lookback period for SIEM alerts (default: 168 = 7 days)
  • (Optional) SOAR_CASE_FILTER - Additional filter for SOAR cases (e.g., status="OPEN")

Workflow

Step 1: Correlate SIEM Alerts

Search for alerts containing any IOC in the list (the call below is the skill's pseudocode; IOC_based_query stands for a query assembled from IOC_LIST):

secops-mcp.get_security_alerts(
    query=IOC_based_query,
    hours_back=TIME_FRAME_HOURS
)

Store summary in RELATED_SIEM_ALERTS:

  • Alert count
  • Alert types/names
  • Severity distribution
  • Affected assets

Step 2: Correlate Cases

Search for cases containing any IOC (IOC_based_filter is assembled from IOC_LIST and combined with SOAR_CASE_FILTER when one is given):

secops-soar.list_cases(
    filter=IOC_based_filter + SOAR_CASE_FILTER
)

Store summary in RELATED_SOAR_CASES:

  • Case IDs and names
  • Case status
  • Case priority

Required Outputs

After completing this skill, you MUST report these outputs:

Output                 Description
RELATED_SIEM_ALERTS    Summary of SIEM alerts related to the IOC(s)
RELATED_CASES          Summary of cases related to the IOC(s) (Step 2 stores this summary under the name RELATED_SOAR_CASES; both names refer to the same output)
CORRELATION_STATUS     Success/failure status of the correlation
MALICIOUS_CONFIDENCE   Derived confidence based on alert history: high, medium, low, or none

Use Cases

  1. Before Investigation - Check if IOC is already under investigation
  2. During Enrichment - Understand internal activity for an IOC
  3. Threat Hunt - Find all alerts/cases related to campaign indicators
  4. Incident Response - Identify scope of compromise across cases

Correlation Summary Template

IOC Correlation Summary for [IOC_LIST]:

SIEM Alerts (last [TIME_FRAME_HOURS] hours):
- Total alerts: [count]
- Alert types: [list]
- Affected hosts: [list]

Related Cases:
- Open cases: [count] - [IDs]
- Closed cases: [count]
- Related investigations: [summary]
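The two workflow steps, the four required outputs and the summary template above can be exercised end to end without a SIEM. The Python below is an added example written for this page, not code from dandye/ai-runbooks and not the secops-mcp or secops-soar tool APIs: the tool calls are replaced by in-memory lists of constructed alerts and cases, SOAR_CASE_FILTER is modelled as a dict of field=value, and the mapping from alert history to MALICIOUS_CONFIDENCE is an assumption, since SKILL.md lists the levels but not how they are derived. It also shows the check a practitioner wants inside the IOC-based query: exact matching for IP addresses and exact-or-subdomain matching for domains, so that 198.51.100.10 does not hit 198.51.100.100 and evil-domain.com does not hit notevil-domain.com.

```python
"""Local reference implementation of the correlate-ioc workflow. Added example, not the
dandye/ai-runbooks code: the secops-mcp / secops-soar tools are replaced by in-memory lists,
ALERTS and CASES are constructed, and the MALICIOUS_CONFIDENCE mapping is an assumption."""
import ipaddress
from collections import Counter
from datetime import datetime, timedelta, timezone

NOW = datetime(2026, 3, 8, 12, 0, tzinfo=timezone.utc)  # fixed clock for a reproducible run

# Constructed SIEM alerts; a3 is older than the 7-day default and a4 carries near-miss
# values (198.51.100.100, notevil-domain.com) that a naive substring match would hit.
ALERTS = [
    {"id": "a1", "name": "C2 Beacon", "severity": "HIGH", "host": "ws-042",
     "ts": NOW - timedelta(hours=3), "iocs": ["198.51.100.10"]},
    {"id": "a2", "name": "DNS to known bad domain", "severity": "MEDIUM", "host": "ws-017",
     "ts": NOW - timedelta(hours=30), "iocs": ["cdn.evil-domain.com"]},
    {"id": "a3", "name": "C2 Beacon", "severity": "HIGH", "host": "ws-042",
     "ts": NOW - timedelta(days=10), "iocs": ["198.51.100.10"]},
    {"id": "a4", "name": "Port scan", "severity": "LOW", "host": "ws-099",
     "ts": NOW - timedelta(hours=1), "iocs": ["198.51.100.100", "notevil-domain.com"]},
]
# Constructed SOAR cases
CASES = [
    {"id": "C-101", "name": "Beaconing from ws-042", "status": "OPEN", "priority": "HIGH",
     "iocs": ["198.51.100.10"]},
    {"id": "C-077", "name": "Phishing wave", "status": "CLOSED", "priority": "MEDIUM",
     "iocs": ["evil-domain.com"]},
]

def ioc_matches(ioc, value):
    """Exact match for IPs, exact-or-subdomain match for domains; never a substring test."""
    ioc, value = ioc.strip().lower(), value.strip().lower()
    try:
        return ipaddress.ip_address(ioc) == ipaddress.ip_address(value)
    except ValueError:
        pass  # at least one side is not an IP: fall through to the domain rule
    return value == ioc or value.endswith("." + ioc)

def correlate_alerts(ioc_list, time_frame_hours=168, alerts=ALERTS, now=NOW):
    """Step 1: alerts carrying any IOC inside the lookback window -> RELATED_SIEM_ALERTS."""
    cutoff = now - timedelta(hours=time_frame_hours)
    hits = [a for a in alerts if a["ts"] >= cutoff
            and any(ioc_matches(i, v) for i in ioc_list for v in a["iocs"])]
    return {"count": len(hits), "ids": [a["id"] for a in hits],
            "types": sorted({a["name"] for a in hits}),
            "severity": dict(Counter(a["severity"] for a in hits)),
            "assets": sorted({a["host"] for a in hits})}

def correlate_cases(ioc_list, soar_case_filter=None, cases=CASES):
    """Step 2: cases carrying any IOC, narrowed by SOAR_CASE_FILTER (modelled as a dict of
    field=value, e.g. {"status": "OPEN"}) -> RELATED_CASES."""
    flt = soar_case_filter or {}
    return [{k: c[k] for k in ("id", "name", "status", "priority")} for c in cases
            if any(ioc_matches(i, v) for i in ioc_list for v in c["iocs"])
            and all(c.get(k) == v for k, v in flt.items())]

def malicious_confidence(alert_summary, cases):
    """Assumed mapping: HIGH-severity alert or open case -> high; any in-window alert ->
    medium; only closed cases -> low; nothing -> none."""
    if alert_summary["severity"].get("HIGH") or any(c["status"] == "OPEN" for c in cases):
        return "high"
    if alert_summary["count"]:
        return "medium"
    return "low" if cases else "none"

def correlate_ioc(ioc_list, time_frame_hours=168, soar_case_filter=None):
    """Run both steps and return the four Required Outputs; a backend failure is reported
    in CORRELATION_STATUS instead of being mistaken for 'no related activity'."""
    try:
        alerts = correlate_alerts(ioc_list, time_frame_hours)
        cases = correlate_cases(ioc_list, soar_case_filter)
    except Exception as exc:
        return {"RELATED_SIEM_ALERTS": None, "RELATED_CASES": None,
                "CORRELATION_STATUS": f"failure: {exc}", "MALICIOUS_CONFIDENCE": "none"}
    return {"RELATED_SIEM_ALERTS": alerts, "RELATED_CASES": cases,
            "CORRELATION_STATUS": "success",
            "MALICIOUS_CONFIDENCE": malicious_confidence(alerts, cases)}

def render_summary(ioc_list, time_frame_hours, result):
    """Fill the Correlation Summary Template from SKILL.md."""
    a, cases = result["RELATED_SIEM_ALERTS"], result["RELATED_CASES"]
    opened = [c for c in cases if c["status"] == "OPEN"]
    return "\n".join([
        f"IOC Correlation Summary for {ioc_list}:", "",
        f"SIEM Alerts (last {time_frame_hours} hours):",
        f"- Total alerts: {a['count']}",
        f"- Alert types: {', '.join(a['types']) or 'none'}",
        f"- Affected hosts: {', '.join(a['assets']) or 'none'}", "",
        "Related Cases:",
        f"- Open cases: {len(opened)} - {', '.join(c['id'] for c in opened) or 'none'}",
        f"- Closed cases: {len(cases) - len(opened)}",
        f"- Related investigations: {'; '.join(c['name'] for c in cases) or 'none'}"])

if __name__ == "__main__":
    iocs = ["198.51.100.10", "evil-domain.com"]
    result = correlate_ioc(iocs)
    print(render_summary(iocs, 168, result), "\nMALICIOUS_CONFIDENCE:", result["MALICIOUS_CONFIDENCE"])
```

The lookback window is applied to alert timestamps, so alert a3 drops out of the default 168-hour window while the matching case is still returned, and a backend exception surfaces as a CORRELATION_STATUS failure rather than as an empty result that an agent could misread as "no related activity".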

FAQ & Installation Steps


Frequently Asked Questions

What is correlate-ioc?

correlate-ioc is a community agent skill that checks a list of IOCs against existing SIEM alerts and SOAR cases and reports how much internal activity already surrounds them, so an analysis agent can tell whether an indicator is new, already alerting, or already under investigation.

How do I install correlate-ioc?

Run the command: npx killer-skills add dandye/ai-runbooks/correlate-ioc. It works with Cursor, Windsurf, VS Code, Claude Code, and 19+ other IDEs.

What are the use cases for correlate-ioc?

Key use cases include: Correlating IOCs with existing SIEM alerts, Automating threat detection workflows, Enhancing incident response with IOC-based alert filtering.

Which IDEs are compatible with correlate-ioc?

This skill is compatible with Cursor, Windsurf, VS Code, Trae, Claude Code, OpenClaw, Aider, Codex, OpenCode, Goose, Cline, Roo Code, Kiro, Augment Code, Continue, GitHub Copilot, Sourcegraph Cody, and Amazon Q Developer. Use the Killer-Skills CLI for universal one-command installation.

Are there any limitations for correlate-ioc?

Requires access to SIEM alerts and cases. Dependent on quality and completeness of IOC lists.

How To Install

  1. Open your terminal

    Open the terminal or command line in your project directory.

  2. Run the install command

    Run: npx killer-skills add dandye/ai-runbooks/correlate-ioc. The CLI will automatically detect your IDE or AI agent and configure the skill.

  3. Start using the skill

    The skill is now active. Your AI agent can use correlate-ioc immediately in the current project.
