AgentSkillsCN

triage-suspicious-login

Triage suspicious login alerts such as "impossible travel", "untrusted location" or "multiple login failures". Use this skill when investigating authentication anomalies. It analyzes the user's history, source IP reputation and login patterns, and determines whether escalation is needed.

SKILL.md
---
name: triage-suspicious-login
description: "Triage suspicious login alerts like impossible travel, untrusted location, or multiple failures. Use when investigating authentication anomalies. Analyzes user history, source IP reputation, login patterns, and determines if escalation is needed."
required_roles:
  chronicle: roles/chronicle.viewer
  soar: roles/chronicle.editor
  gti: GTI Standard
personas: [tier1-analyst, tier2-analyst, tier3-analyst]
---

Suspicious Login Triage Skill

Guide initial triage of suspicious login alerts (impossible travel, untrusted location, multiple failed logins) for Tier 1 SOC Analysts.

Inputs

  • CASE_ID - SOAR case ID containing the alert(s)
  • ALERT_GROUP_IDENTIFIERS - Alert group identifiers from the case
  • (Optional) USER_ID - The user ID if known upfront
  • (Optional) SOURCE_IP - The source IP if known upfront

Workflow

Step 1: Get Case Context

```
secops-soar.get_case_full_details(case_id=CASE_ID)
```

Step 2: Extract Key Entities

```
secops-soar.list_events_by_alert(case_id=CASE_ID, alert_id=ALERT_ID)
```

Parse events to extract:

  • USER_ID - The user account
  • SOURCE_IP - The login source IP
  • HOSTNAME - The target/source hostname (if available)

Step 3: User Context (SIEM)

```
secops-mcp.lookup_entity(entity_value=USER_ID)
```

Record: Recent activity, first/last seen, related alerts.

Step 4: Source IP Enrichment

Use /enrich-ioc with IOC_TYPE="IP Address":

  • GTI reputation and geolocation
  • SIEM entity summary
  • IOC match status

Step 5: Hostname Context (if available)

```
secops-mcp.lookup_entity(entity_value=HOSTNAME)
```

Step 6: Recent Login Activity

Search for login patterns over the last 96 hours:

```
secops-mcp.search_security_events(
    text='metadata.event_type IN ("USER_LOGIN", "AUTH_ATTEMPT") AND principal.user.userid = "USER_ID"',
    hours_back=96
)
```

Analyze for:

  • Logins from unusual IPs
  • Successful logins after failures
  • Geographic anomalies (impossible travel)
  • Concurrent sessions from different locations

Step 7: Check Related Cases

Use /find-relevant-case with search terms: [USER_ID, SOURCE_IP, HOSTNAME]

Step 8: (Optional) Identity Provider Check

If IDP tools are available (e.g., Okta), check:

  • Account status
  • MFA enrollment
  • Recent legitimate logins
  • Password change history

Step 9: Synthesize & Document

Use /document-in-soar with findings summary:

```
Suspicious Login Triage for USER_ID from SOURCE_IP:
- User SIEM Summary: [...]
- Source IP GTI: [reputation, geo]
- Login Pattern: [normal/anomalous]
- Related Cases: [...]
- Recommendation: [Close as FP | Escalate to Tier 2]
```

Required Outputs

After completing this skill, you MUST report these outputs:

| Output | Description |
| --- | --- |
| LOGIN_VERDICT | Assessment: legitimate, suspicious, or malicious |
| ANOMALY_INDICATORS | What made the login suspicious (impossible travel, new device, etc.) |
| RELATED_ACTIVITY | Other suspicious activity from user or source IP |
| RISK_SCORE | Numerical risk assessment (0-100) based on findings |

Decision Matrix

| Finding | Recommendation |
| --- | --- |
| Known VPN/corporate IP + normal pattern | Close as FP |
| User confirmed travel + MFA used | Close as Benign TP |
| Malicious IP reputation | Escalate |
| Impossible travel + no MFA | Escalate urgently |
| Multiple failures then success from new IP | Escalate |
| Pattern matches user's normal behavior | Close as FP |

Key Patterns to Detect

Impossible Travel:

  • Login from NYC, then London 30 mins later
  • Check whether a VPN or cloud service could explain it

Credential Stuffing:

  • Many failures across multiple accounts from same IP
  • Success after many failures

Account Takeover:

  • Login from new device/location
  • Followed by password change or MFA modification

Lateral Movement:

  • Same user logging into many systems rapidly
  • Unusual service account activity
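The impossible-travel and failures-then-success checks from Step 6 and the patterns above, written out over a constructed set of login events and mapped onto the decision matrix. This is an added example, not part of the skill or its tooling; the 900 km/h speed threshold, the five-failure threshold, the `known_ips` allowlist of corporate/VPN addresses and the sample events are all assumptions.

```python
from collections import namedtuple
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

Login = namedtuple("Login", "ts ip lat lon success")  # one normalized auth event

def km_between(a: Login, b: Login) -> float:
    # Haversine great-circle distance between the two login geolocations
    dlat, dlon = radians(b.lat - a.lat), radians(b.lon - a.lon)
    h = sin(dlat / 2) ** 2 + cos(radians(a.lat)) * cos(radians(b.lat)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def impossible_travel(logins, max_kmh=900.0):
    # Consecutive successful logins whose implied speed exceeds max_kmh (assumed threshold)
    ok = sorted((l for l in logins if l.success), key=lambda l: l.ts)
    flagged = []
    for prev, cur in zip(ok, ok[1:]):
        dist = km_between(prev, cur)
        hours = (cur.ts - prev.ts).total_seconds() / 3600
        # a non-zero distance in zero elapsed time is impossible as well
        if dist > 0 and (hours == 0 or dist / hours > max_kmh):
            flagged.append((prev, cur))
    return flagged

def failures_then_success(logins, known_ips, min_failures=5):
    # Successful logins from an IP outside known_ips after >= min_failures consecutive failures
    streak, hits = 0, []
    for l in sorted(logins, key=lambda l: l.ts):
        if not l.success:
            streak += 1
            continue
        if streak >= min_failures and l.ip not in known_ips:
            hits.append(l)
        streak = 0
    return hits

def recommend(logins, known_ips, mfa_used):
    # Map findings onto the decision matrix; "Close as Benign TP" needs user confirmation the code cannot supply
    if impossible_travel(logins):
        return "Escalate urgently" if not mfa_used else "Confirm travel with user"
    if failures_then_success(logins, known_ips):
        return "Escalate"
    return "Close as FP"

# Constructed sample: NYC success, five failures from a new IP, then London success 30 minutes later
T0, NYC, LONDON = datetime(2024, 1, 15, 9, 0), (40.71, -74.01), (51.51, -0.13)
SAMPLE = [Login(T0, "203.0.113.10", *NYC, True)]
SAMPLE += [Login(T0 + timedelta(minutes=20 + i), "198.51.100.7", *LONDON, False) for i in range(5)]
SAMPLE.append(Login(T0 + timedelta(minutes=30), "198.51.100.7", *LONDON, True))
KNOWN_IPS = {"203.0.113.10"}  # assumed corporate/VPN allowlist
```

Feeding `SAMPLE` to `recommend` with `mfa_used=False` yields "Escalate urgently"; dropping the London events leaves only the known-IP login and yields "Close as FP".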