crybaby445/Threat-Intel
# Threat-Intel
A repeatable, Claude Code–driven workflow for **threat intelligence analysis** — from ingesting
threat reports through TTP extraction, simulation planning, and **multi-source log correlation**
across endpoint and cloud telemetry.
This repository is designed to be driven interactively with [Claude Code](https://claude.com/claude-code).
Project guidance for the agent lives in [`CLAUDE.md`](CLAUDE.md); this README is the human-facing guide.
## What it does
Two core workflows:
1. **Threat Intel Processing** — ingest a threat-intel report URL → extract TTPs (mapped to MITRE
ATT&CK) and IOCs → produce an Atomic Red Team simulation plan for validation and detection
engineering.
2. **Multi-Source Investigation** — correlate endpoint (Windows Security, Sysmon) and cloud
(Azure AD / Entra sign-in, audit, risk) telemetry to reconstruct an incident across host and
identity sources.
### Supported log sources
| Source | Type |
|---|---|
| Windows Security Events | Endpoint / host |
| Sysmon Events | Endpoint / host (process, network, file) |
| Azure AD Sign-in Logs | Identity / cloud |
| Azure AD Audit Logs | Identity / cloud |
## Prerequisites & setup
The project runs inside a **VS Code Dev Container** (Ubuntu 24.04 + Node.js):
- Base image: `mcr.microsoft.com/devcontainers/base:ubuntu-24.04`
- Node.js via `ghcr.io/devcontainers/features/node:1`
- The Claude Code CLI is installed automatically on container start
(`npm install -g @anthropic-ai/claude-code`, defined in `.ona/automations.yaml`).
Open the repo in the dev container and you're ready. Add any extra tools to
`.devcontainer/Dockerfile`.
## Repository layout
| Path | Purpose |
|---|---|
| `CLAUDE.md` | Agent-facing project guidance (conventions, gotchas, artifact index) |
| `analysis/` | Generated TI / IR / correlation markdown outputs |
| `sample/` | Synthetic telemetry datasets for investigation & detection testing |
| `.claude/commands/` | Slash commands (e.g. `/ingest-ti`) |
| `.claude/agents/` | Project subagents (`endpoint-analyst`, `cloud-analyst`) |
| `.ona/automations.yaml` | Container-start automation |
## Usage
### Workflow 1 — Ingest a threat-intel report
Run the slash command in Claude Code with a report URL:
```text
/ingest-ti https://example.com/threat-report
```
This will:
1. Extract clean content from the URL (`defuddle parse … --markdown`).
2. Identify the threat overview, map observed behavior to **MITRE ATT&CK** TTPs (with confidence
levels), and extract IOCs (IPs, domains, hashes, emails, etc.).
3. Suggest **Atomic Red Team** tests, prioritized by confidence and test availability.
4. Write a structured report to `analysis/ti-[date]-[name].md`.
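Step 2 of this workflow is the part that is easy to get subtly wrong by hand: public reports defang their indicators (`hxxp://`, `[.]`, `(dot)`), so the same IP or domain can appear in several spellings and never line up across reports. The following is an added example, not code from this repository or from the `/ingest-ti` command: a small Python extractor for the indicator types listed above (plus URLs) that refangs the text first and then pulls IPs, domains, hashes and e-mail addresses with word-boundary-aware patterns. `SAMPLE_REPORT` is a constructed excerpt using TEST-NET addresses and reserved example domains.

```python
"""Pull IOCs out of threat-report text and normalise them.

Added example, not code from the crybaby445/Threat-Intel repository.
It handles the indicator types step 2 lists (IPs, domains, hashes, e-mails,
plus URLs) and refangs the defanging conventions public reports use
(hxxp://, [.], (dot), [@]) so indicators from different reports compare
cleanly. SAMPLE_REPORT is a constructed excerpt, not a real report.
"""
import re

# Constructed report excerpt mixing defanged and plain indicators (TEST-NET
# addresses and reserved example domains only).
SAMPLE_REPORT = """
Initial access used a phishing lure from billing@mail-invoice[.]example.
Victims were redirected to hxxps://cdn-update[.]example[.]net/loader.js
which pulled a second stage from 203[.]0[.]113[.]45 over TCP/443.
The loader (SHA256 9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08)
drops a DLL with MD5 d41d8cd98f00b204e9800998ecf8427e.
C2 was also observed at 198.51.100.7 and update(dot)telemetry-sync(dot)example.
"""

# Word boundaries keep a 64-hex SHA-256 from also matching as a 32-hex MD5.
PATTERNS = {
    "sha256": re.compile(r"\b[a-f0-9]{64}\b", re.I),
    "sha1":   re.compile(r"\b[a-f0-9]{40}\b", re.I),
    "md5":    re.compile(r"\b[a-f0-9]{32}\b", re.I),
    "url":    re.compile(r"""\bhttps?://[^\s"'<>)]+""", re.I),
    "email":  re.compile(r"\b[\w.+-]+@(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I),
    "ipv4":   re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I),
}

# The domain pattern also matches file names such as loader.js; drop those.
FILE_EXTENSIONS = {"js", "dll", "exe", "ps1", "vbs", "zip", "txt", "json", "md", "py", "log"}


def refang(text: str) -> str:
    """Undo common defanging so indicators are in their canonical form."""
    text = re.sub(r"hxxp(s?)://", r"http\1://", text, flags=re.I)
    text = re.sub(r"\[\.\]|\(\.\)|\[dot\]|\(dot\)", ".", text, flags=re.I)
    text = re.sub(r"\[@\]|\(at\)", "@", text, flags=re.I)
    return text


def valid_ipv4(value: str) -> bool:
    """Reject dotted quads with an octet above 255 (e.g. version strings)."""
    return all(0 <= int(octet) <= 255 for octet in value.split("."))


def extract_iocs(text: str) -> dict[str, list[str]]:
    """Return {kind: sorted unique indicators} for every kind that was found."""
    text = refang(text)
    found: dict[str, set[str]] = {kind: set() for kind in PATTERNS}
    for kind, pattern in PATTERNS.items():
        for match in pattern.findall(text):
            # URLs keep their case (paths can be case-sensitive); everything else is lower-cased
            value = match.rstrip(".,") if kind == "url" else match.lower()
            if kind == "ipv4" and not valid_ipv4(value):
                continue
            if kind == "domain" and value.rsplit(".", 1)[-1] in FILE_EXTENSIONS:
                continue
            found[kind].add(value)
    return {kind: sorted(values) for kind, values in found.items() if values}


if __name__ == "__main__":
    for kind, values in extract_iocs(SAMPLE_REPORT).items():
        print(f"{kind}:")
        for value in values:
            print(f"  {value}")
```

Domains are extracted from inside URLs and e-mail addresses as well as from bare mentions, since the host part is usually the indicator worth pivoting on; if that double-counting is unwanted, filter the `domain` list against the `url` and `email` results before writing the report.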
### Workflow 2 — Multi-source investigation
Point the two analysis subagents at the relevant logs, then correlate. Example using the bundled
sample data:
```text
Use the endpoint-analyst agent to analyze sample/sysmon_session_hijack.json
Use the cloud-analyst agent to analyze sample/azure_*.json
Then correlate the findings into a unified picture.
```
The subagents are read-only and designed to hand off to each other:
| Subagent | Scope | Output ends with |
|---|---|---|
| `endpoint-analyst` | Windows Security + Sysmon | **Questions / gaps** for other sources |
| `cloud-analyst` | Azure AD sign-in / audit / risk | **Correlation Hints** for endpoint logs |
A correlation pass produces a unified timeline, attack-chain reconstruction, confidence assessment,
and gap analysis (see the worked example in `analysis/correlation.md`).
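The correlation pass hinges on two things the subagents cannot do alone: putting host and identity events on one clock, and joining them on a common identity key even though Sysmon records `DOMAIN\user` while Entra records a UPN. The block below is an added illustration of that pass in Python, not code from this repository or from its `correlation.md`. All events are constructed; the Sysmon field names (`UtcTime`, `User`, `Image`, `CommandLine`, `DestinationIp`) and Graph sign-in field names (`createdDateTime`, `userPrincipalName`, `ipAddress`) are real, but the exact schema of the repo's `sample/*.json` files and the assumption that the on-prem account name equals the UPN prefix are mine.

```python
"""Correlate Sysmon and Entra sign-in events into one timeline.

Added example, not code from the crybaby445/Threat-Intel repository: a small
version of the correlation pass the README describes. All events are
constructed; field names follow Sysmon and the Graph signIn resource, but the
schema of the repo's sample/*.json files and the sAMAccountName == UPN-prefix
identity mapping are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

COOKIE_STORE_MARKERS = ("\\network\\cookies", "\\cookies.sqlite")  # Chromium, Firefox
CORRELATION_WINDOW = timedelta(minutes=30)

# Constructed endpoint telemetry for the page's host/user (TEST-NET IPs).
SYSMON_EVENTS = [
    {"EventID": 1, "UtcTime": "2024-05-14 13:02:11.120", "User": "CONTOSO\\jordan.miller",
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c copy \"C:\\Users\\jordan.miller\\AppData\\Local\\Microsoft"
                    "\\Edge\\User Data\\Default\\Network\\Cookies\" C:\\Users\\Public\\"},
    {"EventID": 3, "UtcTime": "2024-05-14 13:02:40.003", "User": "CONTOSO\\jordan.miller",
     "Image": "C:\\Windows\\System32\\curl.exe", "DestinationIp": "203.0.113.45"},
    {"EventID": 1, "UtcTime": "2024-05-14 13:05:02.551", "User": "CONTOSO\\jordan.miller",
     "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE",
     "CommandLine": "EXCEL.EXE Q2-forecast.xlsx"},
]
# Constructed identity telemetry: a routine sign-in, then one from the host's C2 IP.
ENTRA_SIGNINS = [
    {"createdDateTime": "2024-05-14T12:58:03Z", "userPrincipalName": "jordan.miller@contoso.com",
     "ipAddress": "192.0.2.10", "status": {"errorCode": 0}},
    {"createdDateTime": "2024-05-14T13:09:27Z", "userPrincipalName": "jordan.miller@contoso.com",
     "ipAddress": "203.0.113.45", "status": {"errorCode": 0}},
]

def identity_key(user: str) -> str:
    """'CONTOSO\\jordan.miller' and 'jordan.miller@contoso.com' -> 'jordan.miller' (assumed mapping)."""
    user = user.lower().split("\\", 1)[-1]
    return user.split("@", 1)[0]

@dataclass(order=True)
class Event:
    ts: datetime
    source: str
    identity: str
    summary: str
    ip: str = ""  # sign-in source IP, or Sysmon destination IP
    cookie_access: bool = field(default=False, compare=False)

def normalise_sysmon(e: dict) -> Event:
    cmd = e.get("CommandLine", "").lower()
    image = e["Image"].split("\\")[-1]
    ip = e.get("DestinationIp", "")
    return Event(
        ts=datetime.strptime(e["UtcTime"], "%Y-%m-%d %H:%M:%S.%f").replace(tzinfo=timezone.utc),
        source="sysmon", identity=identity_key(e["User"]),
        summary=f"EID {e['EventID']} {image}" + (f" -> {ip}" if ip else ""), ip=ip,
        # raw-field rule: a process-create whose command line names a browser cookie DB
        cookie_access=e["EventID"] == 1 and any(m in cmd for m in COOKIE_STORE_MARKERS),
    )

def normalise_signin(e: dict) -> Event:
    ok = e.get("status", {}).get("errorCode", 0) == 0
    return Event(
        ts=datetime.fromisoformat(e["createdDateTime"].replace("Z", "+00:00")),
        source="entra-signin", identity=identity_key(e["userPrincipalName"]),
        summary=f"sign-in {'success' if ok else 'failure'} from {e['ipAddress']}", ip=e["ipAddress"],
    )

def build_timeline(sysmon=SYSMON_EVENTS, signins=ENTRA_SIGNINS) -> list[Event]:
    """Merge both sources into one chronologically ordered list (all timestamps UTC)."""
    return sorted([normalise_sysmon(e) for e in sysmon] + [normalise_signin(e) for e in signins])

def correlate(timeline: list[Event]) -> list[dict]:
    """Flag sign-ins from a previously unseen IP within the window after cookie-store access."""
    findings = []
    for i, ev in enumerate(timeline):
        if not ev.cookie_access:
            continue
        same_user = [x for x in timeline if x.identity == ev.identity]
        baseline_ips = {x.ip for x in same_user if x.source == "entra-signin" and x.ts < ev.ts}
        host_dsts = {x.ip for x in same_user if x.source == "sysmon" and x.ip and x.ts >= ev.ts}
        for later in timeline[i + 1:]:
            if later.ts - ev.ts > CORRELATION_WINDOW:
                break
            if (later.source == "entra-signin" and later.identity == ev.identity
                    and later.ip not in baseline_ips):
                findings.append({
                    "identity": ev.identity, "endpoint_event": ev.summary,
                    "signin_ip": later.ip,
                    "minutes_after": round((later.ts - ev.ts).total_seconds() / 60, 1),
                    "ip_seen_from_host": later.ip in host_dsts,  # strongest cross-source pivot
                })
    return findings

if __name__ == "__main__":
    tl = build_timeline()
    for ev in tl:
        print(f"{ev.ts:%H:%M:%S} {ev.source:<13} {ev.identity:<14} {ev.summary}")
    for f in correlate(tl):
        print("FINDING:", f)
```

The `ip_seen_from_host` flag is the kind of cross-source pivot the `cloud-analyst` "Correlation Hints" are meant to trigger: a sign-in IP that also appears as a Sysmon network destination from the victim host is far stronger evidence than a new-IP sign-in on its own. The baseline here is only the sign-ins earlier in the same dataset; in production it should be the user's sign-in history over a longer window.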
## Sample dataset
`sample/` contains a complete synthetic incident — **"Entra session hijacking via browser cookie
theft"** — for exercising the investigation workflow and testing detections:
| File | Source | Events |
|---|---|---|
| `sysmon_session_hijack.json` | Sysmon | 11 |
| `azure_signin_logs.json` | Entra sign-in | 3 |
| `azure_audit_logs.json` | Entra audit | 3 |
| `azure_risk_detections.json` | Entra ID Protection | 2 |
| `README.md` | Scenario, entities, ATT&CK map, timeline | — |
Subject of the scenario: `jordan.miller@contoso.com` on host `FIN-WS-0427`.
## Conventions
- **Analysis outputs** go in `analysis/` and are named `ti-[date]-[name].md` (threat-intel) or
`ir-[date]-[name].md` (incident report); supporting notes as `endpoint.md` / `cloud.md` /
`correlation.md`.
- **All findings derive from raw log fields**, not from any embedded labels.
- See [`CLAUDE.md`](CLAUDE.md) for the agent-facing details and the current artifact index.
## Disclaimer
All telemetry, indicators, hostnames, IPs, and identities in this repository are **synthetic** and
for analysis/training purposes only. They are not real indicators of compromise.