AgentSkillsCN

deep-dive-ioc

Perform exhaustive analysis of a critical IOC. Use this skill when an IOC needs Tier 2+ investigation beyond basic enrichment, including GTI pivoting, deep SIEM searches, correlation with related entities, and threat attribution. For escalated IOCs requiring comprehensive investigation.

SKILL.md
---
name: deep-dive-ioc
description: "Perform exhaustive analysis of a critical IOC. Use when an IOC needs Tier 2+ investigation beyond basic enrichment - includes GTI pivoting, deep SIEM searches, correlation with related entities, and threat attribution. For escalated IOCs requiring comprehensive investigation."
required_roles:
  chronicle: roles/chronicle.editor
  soar: roles/chronicle.editor
  gti: GTI Enterprise
personas: [tier2-analyst, tier3-analyst, threat-hunter, incident-responder]
---

Deep Dive IOC Analysis Skill

Perform exhaustive analysis of a single, potentially critical Indicator of Compromise escalated from Tier 1 or identified during an investigation.

Inputs

  • IOC_VALUE - The IOC to analyze (IP, domain, hash, or URL)
  • IOC_TYPE - The type: "IP Address", "Domain", "File Hash", or "URL"
  • CASE_ID - SOAR case ID for documentation (optional)
  • TIME_FRAME_HOURS - Lookback period (default: 168 = 7 days)

Workflow

Step 1: Get Case Context (if CASE_ID provided)

code
secops-soar.get_case_full_details(case_id=CASE_ID)

Step 2: Detailed GTI Report

Get comprehensive threat intelligence:

| IOC Type | Tool |
|---|---|
| IP | gti-mcp.get_ip_address_report(ip_address=IOC_VALUE) |
| Domain | gti-mcp.get_domain_report(domain=IOC_VALUE) |
| Hash | gti-mcp.get_file_report(hash=IOC_VALUE) |
| URL | gti-mcp.get_url_report(url=IOC_VALUE) |

Record:

  • Reputation and classifications
  • First/last seen dates
  • Associated threats (malware families, actors) → ASSOCIATED_THREAT_IDS
  • Key behaviors (for file hashes)

Step 3: GTI Pivoting

Use /pivot-on-ioc or directly call GTI relationship tools:

Recommended relationships by type:

  • IP: communicating_files, downloaded_files, resolutions
  • Domain: resolutions, communicating_files, subdomains
  • Hash: contacted_domains, contacted_ips, dropped_files
  • URL: communicating_files, downloaded_files

For file hashes, also get behavior summary:

code
gti-mcp.get_file_behavior_summary(hash=IOC_VALUE)

Step 4: Deep SIEM Search

Search for activity involving the IOC and each of its related entities from Step 3 (one search per entity; the text argument below is a placeholder for a query that describes the indicator being searched):

code
secops-mcp.search_security_events(
    text="UDM query for IOC_VALUE",
    hours_back=TIME_FRAME_HOURS
)

Identify OBSERVED_RELATED_IOCS: the IOCs from GTI pivoting that actually appear in SIEM results. Compare normalised values (refanged, case-folded) so that defanging or case differences do not hide a match, and keep to exact matches so that a pivoted domain does not match a longer unrelated name.
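Steps 2 to 4 leave two mechanical decisions to the analyst: which GTI report tool and pivot relationships an IOC_VALUE maps to, and which of the pivoted entities actually show up in the SIEM results. The Python below works through both on constructed data. It is an added example, not code from this skill or from the secops-mcp or gti-mcp projects: the tool and argument names are copied from Steps 2 and 3 of this page, while the helper names, the defanging rules and the UDM-style sample events are assumptions, and nothing in it calls the MCP tools.

```python
import re
from typing import Any, Dict, Iterable, List
from urllib.parse import urlparse

# Escalated IOCs often arrive defanged (hxxp://, evil[.]example[.]com); undo that first.
# These rewrite rules are an assumption covering the common defanging styles.
_REFANG = [(re.compile(r"hxxp(s?)://", re.I), r"http\1://"),
           (re.compile(r"\[\.\]|\(\.\)|\{\.\}"), "."),
           (re.compile(r"\[:\]"), ":")]
_IPV4 = re.compile(r"^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$")
_HASH = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$", re.I)  # MD5 / SHA-1 / SHA-256
_URL = re.compile(r"^[a-z][a-z0-9+.-]*://", re.I)
_DOMAIN = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)

# GTI report tool, its argument name and the recommended pivot relationships per IOC type,
# exactly as listed in Steps 2 and 3 of the skill.
_DISPATCH = {
    "IP Address": ("gti-mcp.get_ip_address_report", "ip_address", ["communicating_files", "downloaded_files", "resolutions"]),
    "Domain": ("gti-mcp.get_domain_report", "domain", ["resolutions", "communicating_files", "subdomains"]),
    "File Hash": ("gti-mcp.get_file_report", "hash", ["contacted_domains", "contacted_ips", "dropped_files"]),
    "URL": ("gti-mcp.get_url_report", "url", ["communicating_files", "downloaded_files"]),
}

def refang(ioc: str) -> str:
    """Turn a defanged indicator back into its real form."""
    value = ioc.strip()
    for pattern, repl in _REFANG:
        value = pattern.sub(repl, value)
    return value

def classify_ioc(ioc: str) -> str:
    """Map a raw IOC to one of the skill's IOC_TYPE values. URL is tested first
    because a URL also contains a domain or an IP."""
    value = refang(ioc)
    for ioc_type, pattern in (("URL", _URL), ("IP Address", _IPV4), ("File Hash", _HASH), ("Domain", _DOMAIN)):
        if pattern.match(value):
            return ioc_type
    raise ValueError(f"unrecognised IOC format: {ioc!r}")

def plan_gti_lookup(ioc: str) -> Dict[str, Any]:
    """Pick the GTI report call and pivot relationships for an IOC. Domains and hashes
    are lower-cased so the same indicator always yields the same lookup key."""
    value = refang(ioc)
    ioc_type = classify_ioc(value)
    tool, arg, relationships = _DISPATCH[ioc_type]
    if ioc_type in ("Domain", "File Hash"):
        value = value.lower()
    return {"ioc_type": ioc_type, "tool": tool, "args": {arg: value}, "relationships": relationships}

def _string_leaves(obj: Any) -> Iterable[str]:
    """Yield every string value in a nested UDM-style event."""
    if isinstance(obj, str):
        yield obj
    elif isinstance(obj, dict):
        for v in obj.values():
            yield from _string_leaves(v)
    elif isinstance(obj, (list, tuple)):
        for v in obj:
            yield from _string_leaves(v)

def observed_related_iocs(related: Iterable[str], siem_events: List[Dict[str, Any]]) -> List[str]:
    """OBSERVED_RELATED_IOCS: pivoted indicators that actually occur in the SIEM results.
    Every string leaf is indexed, plus the hostname of any URL leaf so a pivoted domain
    still matches when it only appears inside target.url. Matching is exact on normalised
    values, so evil.example.com does not match notevil.example.com."""
    seen = set()
    for leaf in (s.lower() for event in siem_events for s in _string_leaves(event)):
        seen.add(leaf)
        if "://" in leaf:
            host = urlparse(leaf).hostname
            if host:
                seen.add(host)
    return sorted({refang(c).lower() for c in related} & seen)

def affected_hosts(siem_events: List[Dict[str, Any]]) -> List[str]:
    """Hostnames that touched the IOC, for the scope part of SIEM_DEEP_CONTEXT."""
    return sorted({e["principal"]["hostname"] for e in siem_events if e.get("principal", {}).get("hostname")})

# Constructed UDM-style events standing in for search_security_events output; not real SIEM data.
SAMPLE_EVENTS = [
    {"metadata": {"event_type": "NETWORK_HTTP"}, "principal": {"hostname": "ws-0142", "user": {"userid": "jdoe"}},
     "target": {"ip": ["198.51.100.7"], "url": "http://evil.example.com/payload"}},
    {"metadata": {"event_type": "FILE_CREATION"}, "principal": {"hostname": "ws-0142"},
     "target": {"file": {"sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"}}},
]
# Constructed pivot output: the kind of values the GTI relationships might return for the escalated IOC.
SAMPLE_PIVOT = ["evil[.]example[.]com", "198.51.100.7", "203.0.113.9",
                "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855"]

if __name__ == "__main__":
    print(plan_gti_lookup("hxxp://evil[.]example[.]com/payload"))
    print(observed_related_iocs(SAMPLE_PIVOT, SAMPLE_EVENTS), affected_hosts(SAMPLE_EVENTS))
```

In practice plan_gti_lookup() decides the Step 2 call and the Step 3 relationships for the escalated indicator, and observed_related_iocs() is fed the entity values returned by those relationships together with the events returned by search_security_events in Step 4. Of the four constructed pivot values, 203.0.113.9 never appears in the events and is correctly dropped, while the domain is found only through the hostname of target.url.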

Step 5: SIEM Enrichment & Correlation

For the IOC and each OBSERVED_RELATED_IOC:

  • Use /enrich-ioc for enrichment
  • Use /correlate-ioc for alert/case correlation
  • Use /find-relevant-case for broader case search

Step 6: Enrich Associated Threats (Optional)

If ASSOCIATED_THREAT_IDS were found (malware families, actors):

code
gti-mcp.get_collection_report(id=THREAT_ID)

Step 7: Synthesize & Report

Combine all findings:

  • GTI report details
  • Related entities from pivoting
  • SIEM search results
  • Observed related IOCs with enrichment
  • Related alerts and cases
  • Associated threat context

Document in SOAR (if CASE_ID provided):

code
Use /document-in-soar with comprehensive findings summary

Or generate standalone report:

code
Use /generate-report with REPORT_TYPE="deep_dive_ioc"

Required Outputs

After completing this skill, you MUST report these outputs:

| Output | Description |
|---|---|
| GTI_DEEP_FINDINGS | Comprehensive GTI analysis (reputation, classification, behaviors) |
| SIEM_DEEP_CONTEXT | Extended SIEM event context (hosts, users, timelines) |
| RELATED_ENTITIES | Related IOCs from GTI pivoting (infrastructure connections) |
| DISCOVERED_IOCS | All IOCs discovered during analysis |
| THREAT_ATTRIBUTION | Threat actor/campaign attribution if found |

Additionally provide:

  • Impact assessment and scope identification
  • Recommendations (escalate, contain, monitor)
  • Documentation in SOAR or standalone report

When to Use This vs Basic Enrichment

| Use /enrich-ioc | Use /deep-dive-ioc |
|---|---|
| Initial triage | Escalated from Tier 1 |
| Quick context needed | Comprehensive investigation |
| Single IOC lookup | Full infrastructure mapping |
| Tier 1 workflow | Tier 2+ investigation |