- Add validated mitre_attack frontmatter to all 754 skills (286 distinct
techniques), verified against MITRE ATT&CK v19.1 via the official
mitreattack-python library: 0 revoked, deprecated, or invalid IDs
- Curate precise per-skill technique IDs for forensics, malware-analysis,
threat-intel, and red-team skills (e.g. DCSync -> T1003.006,
Kerberoasting -> T1558.003, Pass-the-Ticket -> T1550.003)
- Reconcile v19.1 tactic restructuring: Defense Evasion split into
Stealth (TA0005) and Defense Impairment (TA0112); revoked T1562.*
family and T1070.001/.002 remapped to active equivalents (T1685.*)
- Normalize word-split tags across 35 skills (remove filename-derived
stopword tags, add semantic cybersecurity tags)
- Add api-reference.md for 3 skills that were missing it
- Update README ATT&CK section with accurate v19.1 tactic distribution
Indicator lifecycle management tracks IOCs from initial discovery through validation, enrichment, deployment, monitoring, and eventual retirement. This skill covers implementing systematic processes f
cybersecurity
threat-intelligence
threat-intelligence
cti
ioc
mitre-attack
stix
indicator-lifecycle
ioc-management
1.0
mahipal
Apache-2.0
ID.RA-01
ID.RA-05
DE.CM-01
DE.AE-02
T1591
T1592
T1593
T1589
Performing Indicator Lifecycle Management
Overview
Indicator lifecycle management tracks IOCs from initial discovery through validation, enrichment, deployment, monitoring, and eventual retirement. This skill covers implementing systematic processes for IOC quality assessment, aging policies, confidence scoring decay, false positive tracking, hit-rate monitoring, and automated expiration to maintain a high-quality, actionable indicator database that minimizes analyst fatigue and maximizes detection efficacy.
When to Use
When conducting security assessments that involve performing indicator lifecycle management
When following incident response procedures for related security events
When performing scheduled security testing or auditing activities
When validating security controls through hands-on testing
Prerequisites
Python 3.9+ with pymisp, requests, stix2 libraries
MISP or OpenCTI instance for indicator storage
SIEM with IOC watchlist capabilities (Splunk, Elastic)
Understanding of IOC types, confidence scoring, and TLP classifications
Key Concepts
Indicator Lifecycle Phases
Discovery: IOC first identified from threat intelligence, malware analysis, or incident response
Validation: IOC verified against enrichment sources (VirusTotal, Shodan)
Enrichment: Additional context added (WHOIS, passive DNS, threat actor attribution)
Deployment: IOC pushed to detection systems (SIEM, IDS, firewall)
Monitoring: Track hit rates, false positive rates, detection efficacy
Review: Periodic assessment of IOC relevance and accuracy
Retirement: IOC expired or removed based on aging policy
Confidence Decay
Indicator confidence decreases over time as adversaries rotate infrastructure. A time-based decay function reduces confidence scores automatically, ensuring old indicators do not generate excessive alerts. Typical half-life: IP addresses (30 days), domains (90 days), file hashes (365 days).
Quality Metrics
Hit Rate: Percentage of deployed IOCs generating true positive alerts
False Positive Rate: Percentage of IOC alerts that are benign
Coverage: Percentage of known threat techniques with IOC coverage
Freshness: Average age of active indicators in the database
Workflow
Step 1: Implement IOC Lifecycle State Machine
fromdatetimeimportdatetime,timedeltafromenumimportEnumclassIOCState(Enum):DISCOVERED="discovered"VALIDATED="validated"ENRICHED="enriched"DEPLOYED="deployed"MONITORING="monitoring"UNDER_REVIEW="under_review"RETIRED="retired"classIOCLifecycle:def__init__(self,ioc_type,value,source,initial_confidence=50):self.ioc_type=ioc_typeself.value=valueself.source=sourceself.confidence=initial_confidenceself.state=IOCState.DISCOVEREDself.created=datetime.utcnow()self.last_updated=datetime.utcnow()self.last_seen=Noneself.hit_count=0self.false_positive_count=0self.history=[{"state":"discovered","timestamp":self.created.isoformat()}]deftransition(self,new_state:IOCState,reason=""):self.state=new_stateself.last_updated=datetime.utcnow()self.history.append({"state":new_state.value,"timestamp":self.last_updated.isoformat(),"reason":reason,})defapply_decay(self):"""Apply confidence decay based on IOC type half-life."""half_lives={"ip":30,"domain":90,"hash":365,"url":60}half_life=half_lives.get(self.ioc_type,90)age_days=(datetime.utcnow()-self.created).daysdecay_factor=0.5**(age_days/half_life)self.confidence=max(0,int(self.confidence*decay_factor))defrecord_hit(self,is_true_positive=True):self.hit_count+=1self.last_seen=datetime.utcnow()ifnotis_true_positive:self.false_positive_count+=1ifself.false_positive_count>3:self.transition(IOCState.UNDER_REVIEW,"Excessive false positives")defshould_retire(self):max_ages={"ip":90,"domain":180,"hash":730,"url":120}max_age=max_ages.get(self.ioc_type,180)age_days=(datetime.utcnow()-self.created).daysreturnage_days>max_ageandself.hit_count==0
Validation Criteria
IOC lifecycle state machine transitions correctly between phases
Confidence decay reduces scores based on IOC type half-life
Hit rate and false positive tracking functional
Aging policy automatically flags indicators for review/retirement
Quality metrics dashboard shows IOC database health