AgentSkillsCN

enrich-ioc

Enrich an IOC (IP, domain, hash, URL) with threat intelligence. Use this skill when you need to look up the reputation and context of an indicator using GTI and SIEM. It returns threat intelligence findings, a SIEM entity summary, and the IOC match status.

SKILL.md
---
name: enrich-ioc
description: "Enrich an IOC (IP, domain, hash, URL) with threat intelligence. Use when you need to look up reputation and context for an indicator using GTI and SIEM. Returns threat intel findings, SIEM entity summary, and IOC match status."
required_roles:
  chronicle: roles/chronicle.viewer
  gti: GTI Standard
personas: [tier1-analyst, tier2-analyst, tier3-analyst, threat-hunter, incident-responder]
---

Enrich IOC Skill

Perform standardized enrichment for a single Indicator of Compromise (IOC) using Google Threat Intelligence (GTI) and Chronicle SIEM.

Inputs

  • IOC_VALUE - The indicator value (e.g., "198.51.100.10", "evil-domain.com", "abcdef123456...", "http://bad.url/path")
  • IOC_TYPE - The type: "IP Address", "Domain", "File Hash", or "URL"

Workflow

Step 1: GTI Enrichment

Based on IOC_TYPE, call the appropriate GTI tool:

| IOC Type | Tool | Example |
|---|---|---|
| IP Address | gti-mcp.get_ip_address_report | get_ip_address_report(ip_address="198.51.100.10") |
| Domain | gti-mcp.get_domain_report | get_domain_report(domain="evil-domain.com") |
| File Hash | gti-mcp.get_file_report | get_file_report(hash="abcdef123...") |
| URL | gti-mcp.get_url_report | get_url_report(url="http://bad.url/path") |

Store key findings in GTI_FINDINGS:

  • Reputation score
  • Classification (malicious, suspicious, clean)
  • Key relationships (contacted domains, IPs, etc.)
  • Associated malware families or campaigns

Error Handling: If GTI fails (quota exceeded, IOC not found), note the limitation and proceed with SIEM enrichment.

Step 2: SIEM Entity Lookup

```
secops-mcp.lookup_entity(entity_value=IOC_VALUE)
```

Store in SIEM_ENTITY_SUMMARY:

  • First/last seen timestamps
  • Related alerts
  • Associated assets/users

Step 3: SIEM IOC Match Check

```
secops-mcp.get_ioc_matches()
```

Check if IOC_VALUE appears in results. Store Yes/No in SIEM_IOC_MATCH_STATUS.

Required Outputs

After completing this skill, you MUST report these outputs:

| Output | Description |
|---|---|
| GTI_FINDINGS | Summary of GTI report (reputation, classification, relationships) |
| SIEM_SUMMARY | SIEM entity context (first/last seen, related alerts) |
| IOC_MATCH_STATUS | Yes/No - whether IOC appears in recent threat feed matches |
| THREAT_SCORE | Numerical threat score (0-100) based on GTI reputation |
| MALICIOUS_CONFIDENCE | Confidence level: high, medium, low, or none |
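The three-step workflow above and its required outputs, as an added Python example that is not part of the skill or of the gti-mcp/secops-mcp servers: the tool clients are injected as plain callables with constructed stub responses, and the stub field names (`threat_score`, `verdict`, ...), the confidence thresholds, and the shape of `get_ioc_matches()` results are assumptions rather than the real GTI or SecOps schemas.

```python
# Added example, not part of the skill: drives the enrich-ioc workflow with
# injected tool callables so it runs offline. Stub response fields, confidence
# thresholds and the match-result shape are assumptions, not real GTI/SecOps schemas.

# IOC_TYPE -> (GTI tool name, keyword argument), as in the skill's Step 1 table
GTI_TOOL_BY_TYPE = {
    "IP Address": ("get_ip_address_report", "ip_address"),
    "Domain": ("get_domain_report", "domain"),
    "File Hash": ("get_file_report", "hash"),
    "URL": ("get_url_report", "url"),
}

def confidence_from_score(score: int) -> str:
    """MALICIOUS_CONFIDENCE derived from THREAT_SCORE (assumed thresholds)."""
    if score >= 70:
        return "high"
    if score >= 40:
        return "medium"
    return "low" if score > 0 else "none"

def enrich_ioc(ioc_value: str, ioc_type: str, gti: dict, siem: dict) -> dict:
    tool_name, kwarg = GTI_TOOL_BY_TYPE[ioc_type]
    # Step 1: GTI enrichment; a failure is recorded, not fatal, and the SIEM steps still run
    try:
        report = gti[tool_name](**{kwarg: ioc_value})
        findings = {k: report.get(k) for k in ("threat_score", "verdict", "relationships", "malware_families")}
        score = int(report.get("threat_score", 0))
    except Exception as exc:  # e.g. quota exceeded or IOC not found
        findings, score = {"error": f"GTI unavailable: {exc}"}, 0
    # Step 2: SIEM entity lookup
    entity = siem["lookup_entity"](entity_value=ioc_value)
    summary = {k: entity.get(k) for k in ("first_seen", "last_seen", "alerts", "assets")}
    # Step 3: SIEM IOC match check against the current feed matches
    seen = {m.get("value") for m in siem["get_ioc_matches"]()}
    return {"GTI_FINDINGS": findings, "SIEM_SUMMARY": summary,
            "IOC_MATCH_STATUS": "Yes" if ioc_value in seen else "No",
            "THREAT_SCORE": score, "MALICIOUS_CONFIDENCE": confidence_from_score(score)}

# Constructed stub tools standing in for gti-mcp / secops-mcp (assumed schemas)
def _stub_ip_report(ip_address):
    if ip_address != "198.51.100.10":
        raise RuntimeError("IOC not found")
    return {"threat_score": 85, "verdict": "malicious", "relationships": ["evil-domain.com"], "malware_families": ["ExampleRAT"]}

STUB_GTI = {"get_ip_address_report": _stub_ip_report}
STUB_SIEM = {
    "lookup_entity": lambda entity_value: {"first_seen": "2024-05-01T10:00:00Z", "last_seen": "2024-05-03T08:30:00Z", "alerts": 2, "assets": ["ws-042"]},
    "get_ioc_matches": lambda: [{"value": "198.51.100.10", "feed": "constructed-feed"}],
}
```

Running `enrich_ioc("198.51.100.10", "IP Address", STUB_GTI, STUB_SIEM)` yields all five required outputs; an unknown IP exercises the GTI-failure path and still returns SIEM context.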

Quick Reference

GTI Tools:

  • get_ip_address_report(ip_address)
  • get_domain_report(domain)
  • get_file_report(hash)
  • get_url_report(url)

SIEM Tools:

  • lookup_entity(entity_value)
  • get_ioc_matches()