threat-report-evaluation

verified

Evaluate threat reports, breach analyses, and IOC reports to search for compromise indicators across LimaCharlie organizations. Extract IOCs (hashes, domains, IPs, file paths), perform IOC searches, identify malicious behaviors, generate LCQL queries, create D&R rules and lookups. Use when investigating threats, APT reports, malware analysis, breach postmortems, or threat intelligence feeds. Emphasizes working ONLY with data from the report and organization, never making assumptions.

Marketplace: lc-marketplace (refractionPOINT/lc-ai)

Plugin: lc-essentials

Repository: refractionPOINT/lc-ai (5 stars)

marketplace/plugins/lc-essentials/skills/threat-report-evaluation/SKILL.md

Last Verified: January 23, 2026

Install (add-skill CLI):

npx add-skill https://github.com/refractionPOINT/lc-ai/blob/main/marketplace/plugins/lc-essentials/skills/threat-report-evaluation/SKILL.md -a claude-code --skill threat-report-evaluation

Installation paths:

Claude: .claude/skills/threat-report-evaluation/

Instructions

# Threat Report Evaluation & IOC Analysis

Systematically evaluate threat reports to determine organizational impact and create comprehensive defense-in-depth detections.

---

## LimaCharlie Integration

> **Prerequisites**: Run `/init-lc` to initialize LimaCharlie context.

### API Access Pattern

All LimaCharlie API calls go through the `limacharlie-api-executor` sub-agent:

```
Task(
  subagent_type="lc-essentials:limacharlie-api-executor",
  model="sonnet",
  prompt="Execute LimaCharlie API call:
    - Function: <function-name>
    - Parameters: {<params>}
    - Return: RAW | <extraction instructions>
    - Script path: {skill_base_directory}/../../scripts/analyze-lc-result.sh"
)
```

### Critical Rules

| Rule | Wrong | Right |
|------|-------|-------|
| **MCP Access** | Call `mcp__*` directly | Use `limacharlie-api-executor` sub-agent |
| **LCQL Queries** | Write query syntax manually | Use `generate_lcql_query()` first |
| **D&R Rules** | Write YAML manually | Use `generate_dr_rule_*()` + `validate_dr_rule_components()` |
| **Timestamps** | Calculate epoch values | Use `date +%s` or `date -d '7 days ago' +%s` |
| **OID** | Use org name | Use UUID (call `list_user_orgs` if needed) |

---

## Architecture

This skill uses specialized sub-agents to reduce context usage and enable parallel processing:

```
Main Skill (Orchestrator)
├── Phase 0: Download report to /tmp/ (keeps content out of main context)
├── Phase 1: Spawn threat-report-parser → Get structured IOCs/behaviors
├── Phase 2: Platform check (lightweight API call)
├── Phase 3: Spawn ioc-hunter agents (parallel, one per org)
├── Phase 4: Spawn behavior-hunter agents (parallel, one per org)
├── Phase 5: User checkpoint - present findings
├── Phase 6: Spawn detection-builder agents (parallel, by layer)
├── Phase 7: User approval - confirm rules to deploy
├── Phase 8: Deploy approved rules
└── Phase 9: Generate final report from aggregated summaries
```
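Phase 1 delegates extraction to the `threat-report-parser` sub-agent. As an added illustration of the normalization that step has to get right before any IOC search can match EDR telemetry (this is example code written for this page, not code from the lc-ai project), the following Python refangs a constructed report excerpt and returns indicators grouped by type; the sample text, regexes and function names are all assumptions of the example:

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed excerpt of a fictional report, defanged as vendors publish it; hashes are the MD5/SHA-256 of empty input.
SAMPLE_REPORT = """
The loader was fetched from hxxp://update-cdn[.]example[.]test/payload.bin and
dropped to C:\\Users\\Public\\svchost_update.exe (SHA256:
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855).
It beacons to 203[.]0[.]113[.]42 over TCP/443 and to 198.51.100.7. A second
artifact /tmp/.cache/updater had MD5 d41d8cd98f00b204e9800998ecf8427e.
"""

def refang(text: str) -> str:
    """Undo common defanging so indicators match what the EDR actually records."""
    for old, new in (("[.]", "."), ("(.)", "."), ("[:]", ":"), ("hxxp", "http"), ("hXXp", "http")):
        text = text.replace(old, new)
    return text

IPV4_RE = re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b")
# Order matters: matches are blanked before the next pattern runs, so a URL's "payload.bin" is never re-matched as a domain.
PATTERNS = [
    ("url",       re.compile(r"https?://[^\s\"'<>()]+")),
    ("file_path", re.compile(r"\b[A-Za-z]:\\(?:[^\\\s\"<>|()]+\\)*[^\\\s\"<>|()]+")),
    ("file_path", re.compile(r"(?<![\w./])/(?:[\w.-]+/)*[\w.-]+")),
    ("hash",      re.compile(r"\b(?:[0-9a-fA-F]{64}|[0-9a-fA-F]{40}|[0-9a-fA-F]{32})\b")),
    ("ipv4",      IPV4_RE),
    ("domain",    re.compile(r"\b(?:[a-zA-Z0-9-]+\.)+[a-zA-Z]{2,}\b")),
]
HASH_KIND = {32: "md5", 40: "sha1", 64: "sha256"}

def extract_iocs(report: str) -> dict:
    """Return {kind: sorted unique indicators} extracted from raw report text."""
    text = refang(report)
    found = defaultdict(set)
    for kind, pattern in PATTERNS:
        for m in pattern.finditer(text):
            value = m.group().rstrip(".,;")
            if kind == "url":
                found["url"].add(value)
                host = urlparse(value).hostname  # the host is itself a searchable IOC
                if host:
                    found["ipv4" if IPV4_RE.fullmatch(host) else "domain"].add(host)
            elif kind == "hash":
                found[HASH_KIND[len(value)]].add(value.lower())
            else:
                found[kind].add(value)
        # Blank matched spans (same length) so looser patterns cannot re-match them.
        text = pattern.sub(lambda m: " " * len(m.group()), text)
    return {kind: sorted(values) for kind, values in found.items()}
```

Calling `extract_iocs(SAMPLE_REPORT)` yields one sorted list per type (md5, sha256, ipv4, domain, url, file_path), the shape an IOC search over each organization can consume directly.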

## Critical Principles

- Extract IOCs and behavior

Instruction length: 13364 chars