# Pilot Threat Intelligence Setup

v1.0.0

Deploy a threat intelligence platform with 4 agents. Use this skill when: 1. User wants to set up a threat intelligence pipeline for IOC collection and distr...

## Threat Intelligence Setup
Deploy 4 agents: collector, enricher, analyzer, and distributor.
### Roles

| Role | Hostname | Skills | Purpose |
|---|---|---|---|
| collector | <prefix>-collector | pilot-stream-data, pilot-cron, pilot-archive | Aggregates threat feeds from OSINT, honeypots, CVE databases |
| enricher | <prefix>-enricher | pilot-dataset, pilot-task-router, pilot-event-filter | Correlates IOCs, enriches with WHOIS/GeoIP, maps to MITRE |
| analyzer | <prefix>-analyzer | pilot-metrics, pilot-consensus, pilot-alert | Scores severity, identifies campaigns and APT groups |
| distributor | <prefix>-distributor | pilot-webhook-bridge, pilot-announce, pilot-audit-log | Publishes STIX/TAXII feeds, pushes IOCs to SIEM |
### Setup Procedure

Step 1: Ask the user which role this agent should play and what prefix to use.

Step 2: Install the skills for the chosen role:

```bash
# For collector:
clawhub install pilot-stream-data pilot-cron pilot-archive
# For enricher:
clawhub install pilot-dataset pilot-task-router pilot-event-filter
# For analyzer:
clawhub install pilot-metrics pilot-consensus pilot-alert
# For distributor:
clawhub install pilot-webhook-bridge pilot-announce pilot-audit-log
```

Step 3: Set the hostname and write the manifest to `~/.pilot/setups/threat-intelligence.json`.

Step 4: Tell the user to initiate handshakes with the peers for their role.
### Manifest Templates Per Role

#### collector

```json
{
"setup": "threat-intelligence", "role": "collector", "role_name": "Intel Collector",
"hostname": "<prefix>-collector",
"skills": {
"pilot-stream-data": "Ingest real-time threat feeds from OSINT and honeypots.",
"pilot-cron": "Schedule periodic CVE database and dark web scans.",
"pilot-archive": "Store raw indicator history for retrospective analysis."
},
"data_flows": [{ "direction": "send", "peer": "<prefix>-enricher", "port": 1002, "topic": "raw-ioc", "description": "Normalized IOCs from threat feeds" }],
"handshakes_needed": ["<prefix>-enricher"]
}
```
#### enricher

```json
{
"setup": "threat-intelligence", "role": "enricher", "role_name": "Threat Enricher",
"hostname": "<prefix>-enricher",
"skills": {
"pilot-dataset": "Cross-reference IOCs against known threat databases.",
"pilot-task-router": "Route enrichment tasks to specialized lookup services.",
"pilot-event-filter": "Filter low-confidence indicators before analysis."
},
"data_flows": [
{ "direction": "receive", "peer": "<prefix>-collector", "port": 1002, "topic": "raw-ioc", "description": "Raw IOCs to enrich" },
{ "direction": "send", "peer": "<prefix>-analyzer", "port": 1002, "topic": "enriched-ioc", "description": "IOCs with WHOIS, GeoIP, MITRE context" }
],
"handshakes_needed": ["<prefix>-collector", "<prefix>-analyzer"]
}
```
#### analyzer

```json
{
"setup": "threat-intelligence", "role": "analyzer", "role_name": "Threat Analyzer",
"hostname": "<prefix>-analyzer",
"skills": {
"pilot-metrics": "Track threat volumes, severity distribution, and response times.",
"pilot-consensus": "Correlate multi-source verdicts for high-confidence scoring.",
"pilot-alert": "Emit critical threat alerts for immediate action."
},
"data_flows": [
{ "direction": "receive", "peer": "<prefix>-enricher", "port": 1002, "topic": "enriched-ioc", "description": "Enriched IOCs to analyze" },
{ "direction": "send", "peer": "<prefix>-distributor", "port": 1002, "topic": "threat-verdict", "description": "Scored verdicts with campaign attribution" }
],
"handshakes_needed": ["<prefix>-enricher", "<prefix>-distributor"]
}
```
#### distributor

```json
{
"setup": "threat-intelligence", "role": "distributor", "role_name": "Intel Distributor",
"hostname": "<prefix>-distributor",
"skills": {
"pilot-webhook-bridge": "Push IOC updates to firewalls, IDS, and SIEM.",
"pilot-announce": "Broadcast threat advisories to subscribed consumers.",
"pilot-audit-log": "Log all published intelligence with distribution timestamps."
},
"data_flows": [
{ "direction": "receive", "peer": "<prefix>-analyzer", "port": 1002, "topic": "threat-verdict", "description": "Threat verdicts to distribute" },
{ "direction": "send", "peer": "external", "port": 443, "topic": "threat-feed", "description": "STIX/TAXII feeds to security infrastructure" }
],
"handshakes_needed": ["<prefix>-analyzer"]
}
```
### Data Flows

- collector -> enricher: raw IOCs normalized from threat feeds (port 1002)
- enricher -> analyzer: enriched IOCs with context and confidence scores (port 1002)
- analyzer -> distributor: threat verdicts with severity and campaign data (port 1002)
- distributor -> external: published threat feeds to security infrastructure (port 443)
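Because each agent writes its own manifest and only later handshakes with its peers, a mismatch (a topic renamed on one side, a port typo, a peer missing from `handshakes_needed`) surfaces only when data fails to arrive. The check below is an added example, not part of the skill: it takes the four manifest templates with `<prefix>` set to the constructed value `ti` (the `skills` blocks are left out because the check does not use them) and verifies that they form a closed pipeline before Step 4 is carried out: every internal `send` has a matching `receive` on the named peer with the same port and topic and vice versa, every named peer has a manifest, and each agent's `handshakes_needed` equals the set of peers it exchanges data with. The distributor's `external` peer is exempt.

```python
"""Consistency check over the four role manifests (added example; not part of the skill).

The manifests below are the skill's templates with <prefix> set to the constructed
value "ti"; "skills" blocks are omitted because the check does not use them.
"""
import json

PREFIX = "ti"  # constructed prefix for this example


def host(role):
    return f"{PREFIX}-{role}"


MANIFESTS = {
    host("collector"): {
        "role": "collector",
        "data_flows": [
            {"direction": "send", "peer": host("enricher"), "port": 1002, "topic": "raw-ioc"},
        ],
        "handshakes_needed": [host("enricher")],
    },
    host("enricher"): {
        "role": "enricher",
        "data_flows": [
            {"direction": "receive", "peer": host("collector"), "port": 1002, "topic": "raw-ioc"},
            {"direction": "send", "peer": host("analyzer"), "port": 1002, "topic": "enriched-ioc"},
        ],
        "handshakes_needed": [host("collector"), host("analyzer")],
    },
    host("analyzer"): {
        "role": "analyzer",
        "data_flows": [
            {"direction": "receive", "peer": host("enricher"), "port": 1002, "topic": "enriched-ioc"},
            {"direction": "send", "peer": host("distributor"), "port": 1002, "topic": "threat-verdict"},
        ],
        "handshakes_needed": [host("enricher"), host("distributor")],
    },
    host("distributor"): {
        "role": "distributor",
        "data_flows": [
            {"direction": "receive", "peer": host("analyzer"), "port": 1002, "topic": "threat-verdict"},
            {"direction": "send", "peer": "external", "port": 443, "topic": "threat-feed"},
        ],
        "handshakes_needed": [host("analyzer")],
    },
}


def flow_edges(manifests, direction):
    """Collect (sender, receiver, port, topic) edges declared with the given direction."""
    edges = set()
    for h, m in manifests.items():
        for f in m["data_flows"]:
            if f["direction"] != direction or f["peer"] == "external":
                continue
            if direction == "send":
                edges.add((h, f["peer"], f["port"], f["topic"]))
            else:
                edges.add((f["peer"], h, f["port"], f["topic"]))
    return edges


def check_pipeline(manifests):
    """Return a list of problems; an empty list means the manifests are consistent."""
    problems = []
    sends = flow_edges(manifests, "send")
    receives = flow_edges(manifests, "receive")
    for src, dst, port, topic in sorted(sends - receives):
        problems.append(f"{src} sends {topic!r} to {dst}:{port} but {dst} declares no matching receive")
    for src, dst, port, topic in sorted(receives - sends):
        problems.append(f"{dst} expects {topic!r} from {src}:{port} but {src} declares no matching send")
    for h, m in manifests.items():
        peers = {f["peer"] for f in m["data_flows"] if f["peer"] != "external"}
        for p in sorted(peers - set(manifests)):
            problems.append(f"{h}: peer {p} has no manifest")
        declared = set(m["handshakes_needed"])
        if declared != peers:
            problems.append(f"{h}: handshakes_needed {sorted(declared)} != data-flow peers {sorted(peers)}")
    return problems


def mutated(manifests, host_name, flow_index, **changes):
    """Deep-copy the manifests and alter one data_flow entry (used to show a failing check)."""
    copy = json.loads(json.dumps(manifests))
    copy[host_name]["data_flows"][flow_index].update(changes)
    return copy


if __name__ == "__main__":
    print("consistent:", check_pipeline(MANIFESTS) == [])
    # A renamed topic on the analyzer side shows up as two problems: the orphaned
    # send and the receive that the distributor now waits for in vain.
    for p in check_pipeline(mutated(MANIFESTS, host("analyzer"), 1, topic="verdict")):
        print("problem:", p)
```

In practice the four manifests would be collected from each host's `~/.pilot/setups/threat-intelligence.json` and fed to `check_pipeline` as one dictionary keyed by hostname; the templates are embedded here only so the check runs offline.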
### Workflow Example

```bash
# On collector -- forward raw IOC:
pilotctl --json publish <prefix>-enricher raw-ioc '{"type":"ip","value":"198.51.100.23","source":"honeypot-east","tags":["c2","cobalt-strike"]}'
# On enricher -- forward enriched IOC:
pilotctl --json publish <prefix>-analyzer enriched-ioc '{"type":"ip","value":"198.51.100.23","whois":{"asn":"AS62904","country":"RU"},"mitre":["T1071.001"],"confidence":0.87}'
# On analyzer -- send verdict:
pilotctl --json publish <prefix>-distributor threat-verdict '{"ioc":"198.51.100.23","severity":"critical","campaign":"APT-THUNDER-BEAR","action":"block"}'
```
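The payloads in the workflow above originate in external feeds and honeypots and end up pushed to firewalls, IDS and SIEM by the distributor, so each stage should validate a message before acting on it or forwarding it. The schema gate below is an added example, not part of the skill or of `pilotctl`: it checks the three topics against rules inferred from the sample payloads (an IP value must actually parse as an address, `confidence` must lie in [0, 1], `mitre` entries must look like ATT&CK technique ids, `severity` and `action` must come from a fixed vocabulary) and includes a `passes_filter` analogue of what `pilot-event-filter` is described as doing. The allowed IOC types, the severity and action vocabularies and the 0.7 confidence floor are assumptions for this example.

```python
"""Schema gate for the three pipeline topics (added example; not part of the skill).

Rules are inferred from the workflow example's payloads; IOC_TYPES, SEVERITIES,
ACTIONS and CONFIDENCE_FLOOR are assumed values for this example.
"""
import ipaddress
import json
import re

IOC_TYPES = {"ip", "domain", "sha256"}              # assumed allowed IOC types
SEVERITIES = {"low", "medium", "high", "critical"}  # assumed severity scale
ACTIONS = {"block", "monitor", "ignore"}            # assumed verdict actions
MITRE_ID = re.compile(r"T\d{4}(\.\d{3})?")          # ATT&CK technique id, e.g. T1071.001
CONFIDENCE_FLOOR = 0.7                              # assumed pilot-event-filter threshold

# The three sample payloads from the workflow example.
RAW = {"type": "ip", "value": "198.51.100.23", "source": "honeypot-east", "tags": ["c2", "cobalt-strike"]}
ENRICHED = {"type": "ip", "value": "198.51.100.23", "whois": {"asn": "AS62904", "country": "RU"},
            "mitre": ["T1071.001"], "confidence": 0.87}
VERDICT = {"ioc": "198.51.100.23", "severity": "critical", "campaign": "APT-THUNDER-BEAR", "action": "block"}


def _check_ioc(payload, problems):
    """Validate the type/value pair shared by raw-ioc and enriched-ioc."""
    t, v = payload.get("type"), payload.get("value")
    if t not in IOC_TYPES:
        problems.append(f"type: unknown IOC type {t!r}")
    if not isinstance(v, str) or not v:
        problems.append("value: must be a non-empty string")
    elif t == "ip":
        try:
            ipaddress.ip_address(v)  # parse it; never trust the string's shape
        except ValueError:
            problems.append(f"value: {v!r} is not an IP address")
    elif t == "sha256" and not re.fullmatch(r"[0-9a-f]{64}", v.lower()):
        problems.append("value: sha256 must be 64 hex characters")
    elif t == "domain" and not re.fullmatch(r"[a-z0-9.-]{1,253}", v.lower()):
        problems.append(f"value: {v!r} is not a hostname")


def validate_message(topic, payload):
    """Return the problems found in `payload` for `topic`; an empty list means accept."""
    if not isinstance(payload, dict):
        return ["payload must be a JSON object"]
    problems = []
    if topic == "raw-ioc":
        _check_ioc(payload, problems)
        if not isinstance(payload.get("source"), str) or not payload["source"]:
            problems.append("source: required non-empty string")
        tags = payload.get("tags", [])
        if not (isinstance(tags, list) and all(isinstance(x, str) for x in tags)):
            problems.append("tags: must be a list of strings")
    elif topic == "enriched-ioc":
        _check_ioc(payload, problems)
        c = payload.get("confidence")
        if isinstance(c, bool) or not isinstance(c, (int, float)) or not 0 <= c <= 1:
            problems.append("confidence: must be a number in [0, 1]")
        for tid in payload.get("mitre", []):
            if not isinstance(tid, str) or not MITRE_ID.fullmatch(tid):
                problems.append(f"mitre: {tid!r} is not an ATT&CK technique id")
        whois = payload.get("whois", {})
        country = whois.get("country") if isinstance(whois, dict) else None
        if country is not None and not re.fullmatch(r"[A-Z]{2}", str(country)):
            problems.append(f"whois.country: {country!r} is not a 2-letter country code")
    elif topic == "threat-verdict":
        if not isinstance(payload.get("ioc"), str) or not payload["ioc"]:
            problems.append("ioc: required non-empty string")
        if payload.get("severity") not in SEVERITIES:
            problems.append(f"severity: {payload.get('severity')!r} not in {sorted(SEVERITIES)}")
        if payload.get("action") not in ACTIONS:
            problems.append(f"action: {payload.get('action')!r} not in {sorted(ACTIONS)}")
    else:
        problems.append(f"unknown topic {topic!r}")
    return problems


def validate_json(topic, text):
    """Validate the raw JSON string as it appears on the pilotctl command line."""
    try:
        return validate_message(topic, json.loads(text))
    except json.JSONDecodeError as e:
        return [f"payload is not valid JSON: {e.msg}"]


def passes_filter(enriched, floor=CONFIDENCE_FLOOR):
    """pilot-event-filter analogue: keep only valid indicators at or above the confidence floor."""
    return validate_message("enriched-ioc", enriched) == [] and enriched["confidence"] >= floor


if __name__ == "__main__":
    for topic, payload in (("raw-ioc", RAW), ("enriched-ioc", ENRICHED), ("threat-verdict", VERDICT)):
        problems = validate_message(topic, payload)
        print(topic, "ok" if not problems else problems)
```

A rejected message should be logged with its problems and dropped rather than forwarded; a value that does not parse as an IP address, for instance, must never reach the firewall push in `pilot-webhook-bridge`.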
### Dependencies

Requires pilot-protocol skill, pilotctl binary, clawhub binary, and a running daemon.
### Version tags

latest

### Runtime requirements

Bins: pilotctl, clawhub
