correlating-threat-campaigns

mukul975/Anthropic-Cybersecurity-Skills · updated May 25, 2026


$npx skills install mukul975/Anthropic-Cybersecurity-Skills/correlating-threat-campaigns
summary

Correlates disparate security incidents, IOCs, and adversary behaviors across time and organizations to identify unified threat campaigns, attribute them to common threat actors, and extract shared indicators for improved detection. Use when multiple incidents exhibit overlapping indicators, when sector-wide attack campaigns require cross-organizational analysis, or when building campaign-level intelligence products. Activates for requests involving campaign analysis, incident clustering, cross-organizational IOC correlation, or MISP correlation engine.

skill.md

name: correlating-threat-campaigns
description: 'Correlates disparate security incidents, IOCs, and adversary behaviors across time and organizations to identify unified threat campaigns, attribute them to common threat actors, and extract shared indicators for improved detection. Use when multiple incidents exhibit overlapping indicators, when sector-wide attack campaigns require cross-organizational analysis, or when building campaign-level intelligence products. Activates for requests involving campaign analysis, incident clustering, cross-organizational IOC correlation, or MISP correlation engine.'
domain: cybersecurity
subdomain: threat-intelligence
tags:
  - campaign-analysis
  - correlation
  - MISP
  - ATT&CK
  - threat-actor
  - intrusion-set
  - clustering
  - CTI
version: 1.0.0
author: team-cybersecurity
license: Apache-2.0
nist_csf:
  - ID.RA-01
  - ID.RA-05
  - DE.CM-01
  - DE.AE-02

Correlating Threat Campaigns

When to Use

Use this skill when:

  • Multiple unrelated-appearing incidents share IOCs (same C2 IP, same malware hash, similar TTPs)
  • An ISAC partner shares indicators from an incident that match your own historical events
  • Building a campaign report linking adversary activity over weeks or months to a single operation

Do not use this skill to force correlation based on weak signals — false campaign attribution misleads defenders and wastes resources on incorrect threat models.

Prerequisites

  • TIP or SIEM with historical indicator and event data (90+ days recommended)
  • MISP correlation engine enabled with event sharing configured
  • Graph analysis tool (Maltego, Neo4j, or OpenCTI) for relationship visualization
  • Reference to MITRE ATT&CK intrusion set and campaign objects for structuring output

Workflow

Step 1: Collect and Normalize Events

Gather all candidate events for correlation from:

  • Internal SIEM (raw events, alert history)
  • TIP (historical indicators and events)
  • ISAC sharing (partner-submitted events in MISP or TAXII)
  • Commercial intelligence (Recorded Future, Mandiant, CrowdStrike reports)

Normalize all events to STIX 2.1 schema with consistent timestamp (UTC), indicator types, and confidence scores. Ensure all indicators have source attribution and collection date.

Step 2: Identify Correlation Pivot Points

Apply systematic pivot analysis across four dimensions:

Infrastructure pivots:

  • Same IP address or /24 subnet across events
  • Same domain registrant email or WHOIS organization
  • Same ASN or hosting provider with same account fingerprint
  • Same SSL certificate fingerprint or serial number across C2 domains

Capability pivots:

  • Same malware hash or YARA signature match
  • Same C2 communication protocol (Cobalt Strike beacon config, Sliver implant parameters)
  • Same exploit code or weaponized document template
  • Same obfuscation method or packer fingerprint

Temporal pivots:

  • Events occurring within same time window (operational hours suggesting same timezone)
  • Sequential events with logical kill chain progression
  • Malware compilation timestamps clustering in same date range

Victimology pivots:

  • Same target sector (healthcare, energy, financial)
  • Same target geography
  • Same targeted technology (specific ERP vendor, VPN appliance brand)

Step 3: Calculate Correlation Confidence

Apply weighted scoring for campaign attribution:

def calculate_campaign_confidence(events: list) -> str:
    """Return a HIGH / MEDIUM / LOW campaign-linkage band for a set of candidate events.

    The helpers are assumed to be supplied by the TIP integration: count_shared_infra and
    count_shared_ttps return how many events share an artifact (normalized to 0..1 below),
    while assess_temporal_clustering and assess_victim_pattern already return a 0..1 score.
    """
    if not events:
        return "LOW"  # nothing to correlate (also avoids division by zero)

    scores = []

    # Infrastructure overlap (highest weight — most discriminating)
    infra_overlap = count_shared_infra(events) / len(events)
    scores.append(infra_overlap * 40)

    # Capability overlap (high weight — TTPs are durable)
    capability_overlap = count_shared_ttps(events) / len(events)
    scores.append(capability_overlap * 35)

    # Temporal proximity (moderate weight)
    temporal_score = assess_temporal_clustering(events)
    scores.append(temporal_score * 15)

    # Victimology alignment (lower weight — many actors target same sector)
    victim_score = assess_victim_pattern(events)
    scores.append(victim_score * 10)

    total = sum(scores)  # maximum 100
    if total >= 70:
        return "HIGH"
    if total >= 45:
        return "MEDIUM"
    return "LOW"
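Worked example, added here and not part of the skill's own code: it implements the pairwise pivot checks from Step 2 and the Step 3 weights and bands over three constructed incidents. The event fields, the shared-hosting exclusion list (see Common Pitfalls), the two-technique rule for capability overlap and the 30-day temporal window are assumptions made for illustration.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from itertools import combinations

# Constructed sample: three incidents already normalized per Step 1 (UTC timestamps).
EVENTS = [
    {"id": "incident-A", "first_seen": "2024-03-02T09:10:00Z", "c2_ips": ["203.0.113.10"],
     "hashes": ["aa11"], "ttps": ["T1059.001", "T1071.001"], "sector": "healthcare"},
    {"id": "incident-B", "first_seen": "2024-03-05T10:40:00Z", "c2_ips": ["203.0.113.77"],
     "hashes": ["bb22"], "ttps": ["T1059.001", "T1071.001", "T1027"], "sector": "healthcare"},
    {"id": "incident-C", "first_seen": "2024-03-09T08:30:00Z", "c2_ips": ["198.51.100.5"],
     "hashes": ["aa11"], "ttps": ["T1071.001"], "sector": "healthcare"},
]
# Constructed CDN / shared-hosting ranges: an IP in here never counts as an infrastructure pivot.
SHARED_HOSTING = [ip_network("198.51.100.0/24")]

def same_subnet(ip_a: str, ip_b: str) -> bool:
    """Same /24 counts as shared infrastructure unless either IP sits in shared hosting."""
    if any(ip_address(ip) in net for ip in (ip_a, ip_b) for net in SHARED_HOSTING):
        return False
    return ip_network(f"{ip_a}/24", strict=False) == ip_network(f"{ip_b}/24", strict=False)

def infra_pivot(e1: dict, e2: dict) -> bool:
    return any(same_subnet(a, b) for a in e1["c2_ips"] for b in e2["c2_ips"])

def capability_pivot(e1: dict, e2: dict) -> bool:
    # A shared hash is decisive; one common technique is not (many actors share tooling),
    # so require at least two overlapping ATT&CK technique IDs.
    shared_hash = set(e1["hashes"]) & set(e2["hashes"])
    shared_ttps = set(e1["ttps"]) & set(e2["ttps"])
    return bool(shared_hash) or len(shared_ttps) >= 2

def temporal_pivot(e1: dict, e2: dict, window_days: int = 30) -> bool:
    t1, t2 = (datetime.fromisoformat(e["first_seen"].replace("Z", "+00:00")) for e in (e1, e2))
    return abs(t1 - t2) <= timedelta(days=window_days)

# (pair check, Step 3 weight) per dimension; weights sum to 100.
PIVOTS = {"infrastructure": (infra_pivot, 40), "capability": (capability_pivot, 35),
          "temporal": (temporal_pivot, 15),
          "victimology": (lambda a, b: a["sector"] == b["sector"], 10)}

def campaign_confidence(events: list) -> dict:
    """Fraction of event pairs linked per dimension, weighted total and confidence band."""
    pairs = list(combinations(events, 2))
    if not pairs:
        return {"total": 0.0, "band": "LOW", "dimensions": {}}
    dims = {name: sum(fn(a, b) for a, b in pairs) / len(pairs)
            for name, (fn, _) in PIVOTS.items()}
    total = sum(dims[name] * weight for name, (_, weight) in PIVOTS.items())
    band = "HIGH" if total >= 70 else "MEDIUM" if total >= 45 else "LOW"
    return {"total": round(total, 2), "band": band, "dimensions": dims}

if __name__ == "__main__":
    print(campaign_confidence(EVENTS))  # {'total': 61.67, 'band': 'MEDIUM', ...}
```

Incident C's C2 address falls in the shared-hosting range, so only the A/B pair links on infrastructure; the shared hash still links A and C on capability, and the cluster lands in the MEDIUM band rather than HIGH.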

Step 4: Build Campaign Graph

In OpenCTI or Maltego, construct campaign graph:

  • Campaign object (STIX) as central node
  • Intrusion Set → uses → Malware objects
  • Intrusion Set → uses → Infrastructure objects
  • Intrusion Set → targets → Identity objects (victim organizations/sectors)
  • Campaign → attributed-to → Threat Actor (if attribution achieved)
  • Indicators → indicates → Malware (linking technical observables to capabilities)

Label each relationship with evidence reference and confidence.
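Added example, not the skill's own code nor that of OpenCTI or Maltego: it emits STIX 2.1 relationship objects for the graph edges listed above, refusing any edge type the list does not define and requiring the evidence reference and 0-100 confidence that each relationship must carry. The object IDs and evidence URL are constructed placeholders.

```python
import uuid
from datetime import datetime, timezone

# Edges the campaign graph permits, keyed by (source STIX type, target STIX type).
ALLOWED_EDGES = {
    ("intrusion-set", "malware"): "uses",
    ("intrusion-set", "infrastructure"): "uses",
    ("intrusion-set", "identity"): "targets",
    ("campaign", "threat-actor"): "attributed-to",
    ("indicator", "malware"): "indicates",
}

def stix_type(ref: str) -> str:
    """STIX identifiers have the form '<type>--<uuid>'; return the type part."""
    return ref.split("--", 1)[0]

def make_relationship(source_ref: str, target_ref: str, evidence_url: str, confidence: int) -> dict:
    """Return a STIX 2.1 relationship SRO labelled with its evidence and confidence."""
    key = (stix_type(source_ref), stix_type(target_ref))
    if key not in ALLOWED_EDGES:
        raise ValueError(f"campaign graph defines no edge for {key}")
    if not evidence_url:
        raise ValueError("every relationship needs an evidence reference")
    if not 0 <= confidence <= 100:
        raise ValueError("STIX confidence is an integer in 0-100")
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    return {
        "type": "relationship", "spec_version": "2.1",
        "id": f"relationship--{uuid.uuid4()}",
        "created": now, "modified": now,
        "relationship_type": ALLOWED_EDGES[key],
        "source_ref": source_ref, "target_ref": target_ref,
        "confidence": confidence,
        "external_references": [{"source_name": "campaign-evidence", "url": evidence_url}],
    }

def campaign_bundle(edges: list) -> dict:
    """Wrap the relationships of one campaign graph in a STIX 2.1 bundle."""
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}",
            "objects": [make_relationship(*edge) for edge in edges]}

# Constructed placeholder identifiers and evidence URL for illustration only.
INTRUSION_SET = "intrusion-set--11111111-1111-4111-8111-111111111111"
MALWARE = "malware--22222222-2222-4222-8222-222222222222"
EVIDENCE = "https://tip.example.internal/events/PLACEHOLDER"

if __name__ == "__main__":
    print(campaign_bundle([(INTRUSION_SET, MALWARE, EVIDENCE, 80)]))
```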

Step 5: Produce Campaign Intelligence Report

Structure the campaign report:

  1. Campaign name: Assign descriptive codename based on targeting theme or tooling
  2. Timeline: First/last observed dates with activity phases
  3. Attribution: Suspected threat actor with confidence level
  4. Target profile: Industry verticals, geographies, organization sizes
  5. TTPs summary: ATT&CK Navigator heatmap for campaign-specific techniques
  6. Shared indicators: IOCs that span multiple incidents (highest confidence for blocking)
  7. Detection guidance: Sigma/YARA rules specific to this campaign

Key Concepts

  • Campaign: STIX object representing a grouping of adversarial behaviors with common objectives over a defined time period
  • Intrusion Set: STIX object grouping related intrusion activity by common objectives, even when actor identity is uncertain
  • Pivot: Using a single data point (IOC, infrastructure, TTP) to discover related events or adversary artifacts
  • Clustering: Machine learning or manual grouping of incidents based on feature similarity to identify campaign boundaries
  • False Correlation: Incorrect linking of unrelated incidents due to shared infrastructure (CDNs, shared hosting) or common tools

Tools & Systems

  • MISP Correlation Engine: Automatic correlation of events sharing attribute values across the MISP instance and federated instances
  • OpenCTI Graph: Interactive relationship graph for visualizing campaign linkages with STIX object types
  • Maltego: Link analysis for infrastructure and capability pivoting across multiple data sources
  • Neo4j: Graph database with Cypher queries for large-scale campaign correlation (millions of events)

Common Pitfalls

  • CDN/Shared hosting false positives: Cloudflare, AWS CloudFront, and bulletproof hosters serve multiple threat actors. Shared IP alone does not establish campaign linkage.
  • Common malware conflation: Multiple threat actors use Cobalt Strike. Shared capability does not indicate same actor without additional corroboration.
  • Premature attribution: Forcing campaign-to-actor attribution before evidence threshold is reached produces incorrect intelligence that persists in reports.
  • Missing temporal analysis: Events from different years may share infrastructure that was recycled by a different actor, not the same campaign.

How to use correlating-threat-campaigns on Cursor

AI-first code editor with Composer

1. Prerequisites

Before installing skills in Cursor, ensure your development environment meets these requirements:

  • Cursor installed and configured on your development machine
  • Node.js version 16.0+ with npm package manager (verify with node --version)
  • Active project directory or workspace where you want to add correlating-threat-campaigns
2. Execute installation command

Execute the skills CLI command in your project's root directory to begin installation:

$npx skills install mukul975/Anthropic-Cybersecurity-Skills/correlating-threat-campaigns

The skills CLI fetches correlating-threat-campaigns from GitHub repository mukul975/Anthropic-Cybersecurity-Skills and configures it for Cursor.

3. Select Cursor when prompted

The CLI will show a list of available agents. Use arrow keys to navigate and space to select Cursor:

◆ Which agents do you want to install to?
│ ── Universal (.agents/skills) ── always included ────
│ • Amp
│ • Antigravity
│ • Cline
│ • Codex
│ ● Cursor (selected)
│ • Windsurf
4. Verify installation

Confirm successful installation by checking the skill directory location:

.cursor/skills/correlating-threat-campaigns

Reload or restart Cursor to activate correlating-threat-campaigns. Access the skill through slash commands (e.g., /correlating-threat-campaigns) or your agent's skill management interface.

Security & Verification Notice

We perform automated surface-level scans (Gen AI Scanner, Socket, Snyk) during installation. These checks detect common vulnerabilities but do not guarantee complete security. Always review skill source code and verify the publisher's reputation before production use.

Skills execute code in your development environment. Always verify the publisher's identity, review recent commits, and test in isolated environments before production deployment.


Use Cases

Task Automation & Efficiency

Automate repetitive workflows and reduce manual effort

Example

Generate reports, summarize documents, draft communications

Save 3-5 hours per week on routine tasks

Knowledge Enhancement

Learn new skills, understand complex topics, get expert guidance

Example

Explain concepts, provide examples, suggest learning resources

Accelerate learning and skill development by 2x

Quality Improvement

Enhance output quality through reviews, suggestions, and refinements

Example

Review drafts, suggest improvements, catch errors

Improve work quality by 30-40% with less effort

Implementation Guide

Prerequisites

  • Claude Desktop or compatible AI client with skill support
  • Clear understanding of task or problem to solve
  • Willingness to iterate and refine outputs

Time Estimate

15-45 minutes depending on use case complexity

Installation Steps

  1. Install the skill using the provided installation command
  2. Test with a simple use case relevant to your work
  3. Evaluate output quality and relevance
  4. Iterate on prompts to improve results
  5. Integrate into your regular workflow if valuable

Common Pitfalls

  • Expecting perfect results without iteration
  • Not providing enough context in prompts
  • Using skill for tasks outside its intended scope
  • Accepting outputs without review and validation

Best Practices

✓ Do

  • Start with clear, specific prompts
  • Provide relevant context and constraints
  • Review and refine all outputs before using
  • Iterate to improve output quality
  • Document successful prompt patterns

✗ Don't

  • Don't use without understanding skill limitations
  • Don't skip validation of outputs
  • Don't share sensitive information in prompts
  • Don't expect skill to replace human judgment

💡 Pro Tips

  • Be specific about desired format and style
  • Ask for multiple options to choose from
  • Request explanations to understand reasoning
  • Combine AI efficiency with human expertise

When to Use This

✓ Use When

Use when skill capabilities match your task, clear ROI on time saved, and you can validate outputs. Best for repetitive tasks, learning, and quality improvement.

✗ Avoid When

Avoid when task requires deep expertise you can't validate, involves sensitive decisions, or when learning process is more valuable than speed of completion.

Learning Path

  1. Familiarize yourself with the skill's capabilities and limitations
  2. Start with low-risk, non-critical tasks
  3. Progress to more complex and valuable use cases
  4. Build expertise through regular use and experimentation


Ratings

4.5 (37 reviews)
  • Michael Johnson · Dec 16, 2024

    correlating-threat-campaigns is among the better-maintained entries we tried; worth keeping pinned for repeat workflows.

  • Aisha Srinivasan · Dec 12, 2024

    correlating-threat-campaigns fits our agent workflows well — practical, well scoped, and easy to wire into existing repos.

  • Camila Reddy · Dec 4, 2024

    Keeps context tight: correlating-threat-campaigns is the kind of skill you can hand to a new teammate without a long onboarding doc.

  • Aisha Iyer · Nov 23, 2024

    correlating-threat-campaigns has been reliable in day-to-day use. Documentation quality is above average for community skills.

  • Amina White · Nov 7, 2024

    Solid pick for teams standardizing on skills: correlating-threat-campaigns is focused, and the summary matches what you get after install.

  • Arjun Brown · Nov 3, 2024

    Keeps context tight: correlating-threat-campaigns is the kind of skill you can hand to a new teammate without a long onboarding doc.

  • Tariq Haddad · Oct 26, 2024

    correlating-threat-campaigns has been reliable in day-to-day use. Documentation quality is above average for community skills.

  • Arya Agarwal · Oct 22, 2024

    correlating-threat-campaigns is among the better-maintained entries we tried; worth keeping pinned for repeat workflows.

  • Isabella Kim · Oct 14, 2024

    Solid pick for teams standardizing on skills: correlating-threat-campaigns is focused, and the summary matches what you get after install.

  • Sakshi Patil · Sep 21, 2024

    correlating-threat-campaigns is among the better-maintained entries we tried; worth keeping pinned for repeat workflows.
