AgentSkillsCN

soc-triage

Generates an initial triage report from a DeepTempo finding and its nearest neighbors, including an executive summary, MITRE ATT&CK analysis, and recommended response actions.

SKILL.md
---
name: soc-triage
description: Generate an initial triage report from a DeepTempo finding and its nearest neighbors, providing executive summary, MITRE ATT&CK analysis, and recommended actions
version: 1.0.0
author: DeepTempo
tags:
  - soc
  - triage
  - investigation
  - mitre
requires:
  - mcp/deeptempo-findings-server
---

# SOC Triage

Generate a comprehensive triage report for security findings detected by DeepTempo's LogLM.

## When to Use

Use this skill when:

- A new high-severity finding is detected
- An analyst needs to quickly understand a finding's significance
- Starting a new investigation
- Prioritizing findings for review

## Prerequisites

- Access to the DeepTempo Findings Server MCP
- A finding ID to investigate
- Understanding of the MITRE ATT&CK framework

## Instructions

### Step 1: Retrieve the Finding

Use the `get_finding` tool to retrieve the primary finding:

```
get_finding(finding_id="<finding_id>")
```

Review:

- Anomaly score (0-1 scale)
- MITRE technique predictions
- Entity context (IPs, hostnames, users)
- Data source (flow, DNS, WAF)

### Step 2: Get Similar Findings

Use `nearest_neighbors` to find behaviorally similar findings:

```
nearest_neighbors(query="<finding_id>", k=10)
```

Analyze:

- Are neighbors from the same entity or distributed across entities?
- Do neighbors share MITRE technique predictions?
- What is the time distribution of the neighbors?

### Step 3: Analyze the Pattern

Consider:

1. Behavioral Pattern: What does the embedding cluster represent?
2. Entity Scope: Single host or multiple hosts affected?
3. Temporal Pattern: One-time event or recurring behavior?
4. Technique Alignment: Do the MITRE predictions make sense for the behavior?

### Step 4: Assess Severity

Evaluate severity based on:

- Anomaly Score: >0.8 is high, >0.6 is medium
- Technique Confidence: >0.7 is high confidence
- Entity Criticality: Is this a critical asset?
- Pattern Scope: Isolated vs. widespread

### Step 5: Generate the Report

Produce a structured triage report following the output format below.
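As an added example (not part of the DeepTempo skill or its MCP server), the following Python turns Steps 2 to 4 into a reproducible calculation over a constructed finding and neighbor list: severity from the anomaly-score thresholds, the technique set that clears the 0.7 confidence bar, and the entity, technique and timing questions asked of the neighbors. The record shapes and field names are assumptions, not the Findings Server's real schema.

```python
from datetime import datetime

# Constructed sample records, shaped like get_finding / nearest_neighbors output (assumed schema).
FINDING = {"finding_id": "F-1001", "source": "flow", "entity": "10.0.0.5",
           "timestamp": "2024-05-01T10:00:00", "anomaly_score": 0.87,
           "techniques": [{"id": "T1071.001", "confidence": 0.82},
                          {"id": "T1041", "confidence": 0.41}]}
NEIGHBORS = [
    {"finding_id": "F-0990", "similarity": 0.94, "entity": "10.0.0.5",
     "timestamp": "2024-05-01T09:00:00", "techniques": ["T1071.001"]},
    {"finding_id": "F-0975", "similarity": 0.91, "entity": "10.0.0.5",
     "timestamp": "2024-05-01T08:00:00", "techniques": ["T1071.001"]},
    {"finding_id": "F-0812", "similarity": 0.77, "entity": "10.0.0.9",
     "timestamp": "2024-04-29T14:30:00", "techniques": ["T1071.004"]},
]

def severity(anomaly_score):
    # Step 4 thresholds; "low" below 0.6 is an assumption (the skill leaves it open).
    if anomaly_score > 0.8:
        return "high"
    return "medium" if anomaly_score > 0.6 else "low"

def high_confidence_techniques(finding, threshold=0.7):
    # Techniques the report may state plainly; anything below must be hedged.
    return [t["id"] for t in finding["techniques"] if t["confidence"] > threshold]

def neighbor_pattern(finding, neighbors):
    # Step 2/3 questions: entity scope, shared techniques, temporal spread.
    entities = {n["entity"] for n in neighbors} | {finding["entity"]}
    predicted = {t["id"] for t in finding["techniques"]}
    shared = sum(1 for n in neighbors if predicted & set(n["techniques"]))
    times = sorted(datetime.fromisoformat(n["timestamp"]) for n in neighbors)
    span_h = (times[-1] - times[0]).total_seconds() / 3600 if len(times) > 1 else 0.0
    sims = [n["similarity"] for n in neighbors] or [0.0]
    return {"neighbors_found": len(neighbors),
            "similarity_range": (min(sims), max(sims)),
            "entity_scope": "single host" if len(entities) == 1 else "multiple hosts",
            "shared_technique_fraction": shared / max(len(neighbors), 1),
            "time_span_hours": round(span_h, 2)}

def triage(finding, neighbors):
    # Values for the Finding Details, MITRE and Similar Findings report sections.
    confident = high_confidence_techniques(finding)
    return {"finding_id": finding["finding_id"],
            "severity": severity(finding["anomaly_score"]),
            "high_confidence_techniques": confident,
            "hedge_language": not confident,  # constraint: no definitive claims below 70%
            **neighbor_pattern(finding, neighbors)}

if __name__ == "__main__":
    print(triage(FINDING, NEIGHBORS))
```

The `hedge_language` flag is what the Constraints section asks for: when no technique clears 70% confidence, the narrative sections must use qualified wording.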

## Output Format

```markdown
# Triage Report: [Finding ID]

**Generated**: [Current Timestamp]
**Status**: Requires Human Review

## Executive Summary

[One paragraph summarizing:
- What was detected
- Why it's significant
- Recommended priority level]

## Finding Details

| Field | Value |
|-------|-------|
| Finding ID | [ID] |
| Timestamp | [ISO timestamp] |
| Data Source | [flow/dns/waf] |
| Anomaly Score | [score] |
| Severity | [critical/high/medium/low] |

## Entity Context

| Entity Type | Value |
|-------------|-------|
| Source IP | [IP] |
| Destination IP | [IP] |
| Hostname | [hostname] |
| User | [user] |
| Application | [app] |

## MITRE ATT&CK Analysis

| Technique | Name | Confidence | Tactic |
|-----------|------|------------|--------|
| [T####] | [Name] | [0.XX] | [Tactic] |

### Technique Assessment

[For each high-confidence technique, explain:
- Why this technique was predicted
- What evidence supports it
- Alternative interpretations]

## Similar Findings Analysis

**Neighbors Found**: [count]
**Similarity Range**: [min] - [max]

### Pattern Summary

[Describe the pattern observed across neighbors:
- Common entities
- Shared techniques
- Temporal clustering]

### Notable Neighbors

| Finding ID | Similarity | Key Observation |
|------------|------------|-----------------|
| [ID] | [score] | [observation] |

## Recommended Actions

### Immediate (Priority 1)
1. [Action with specific details]
2. [Action with specific details]

### Short-term (Priority 2)
1. [Action with specific details]
2. [Action with specific details]

### Investigation Steps
1. [Specific investigation step]
2. [Specific investigation step]

## Confidence Assessment

**Overall Confidence**: [High/Medium/Low]

**Reasoning**:
- [Factor 1]
- [Factor 2]
- [Factor 3]

**Limitations**:
- [What additional data would help]
- [What uncertainties remain]

---
*This report was generated by Claude using the SOC Triage skill.*
*All recommendations require human review before action.*
```

## Examples

### Example 1: C2 Beaconing Detection

Input: Finding with high anomaly score, T1071.001 prediction, periodic timing pattern

Key Output Elements:

- Executive summary highlighting beaconing behavior
- MITRE analysis focusing on the Command and Control tactic
- Recommendation to investigate destination IP reputation
- Medium-high confidence based on timing regularity

### Example 2: DNS Tunneling Suspicion

Input: DNS finding with unusual query patterns, T1071.004 prediction

Key Output Elements:

- Summary noting a potential data exfiltration channel
- Analysis of query entropy and frequency
- Recommendation to block the domain pending review
- Medium confidence due to possible legitimate use cases

## Guidelines

1. Start with the most significant observation: lead with what matters most
2. Be specific in recommendations: "Block IP X", not "Consider blocking"
3. Quantify when possible: use actual scores and counts
4. Acknowledge uncertainty: state confidence levels honestly
5. Connect the dots: show how findings relate to each other
6. Prioritize actions: help analysts know what to do first

## Constraints

- Never auto-execute response actions
- Always include the human review disclaimer
- Do not access raw logs unless specifically requested
- Redact PII if present in entity context
- Cite evidence for all claims and recommendations
- Avoid definitive statements when confidence is below 70%