# SOC Triage

Generate a comprehensive triage report for security findings detected by DeepTempo's LogLM.
## When to Use

Use this skill when:

- A new high-severity finding is detected
- An analyst needs to quickly understand a finding's significance
- Starting a new investigation
- Prioritizing findings for review
## Prerequisites

- Access to the DeepTempo Findings Server MCP
- A finding ID to investigate
- Understanding of the MITRE ATT&CK framework
## Instructions

### Step 1: Retrieve the Finding

Use the `get_finding` tool to retrieve the primary finding:

```
get_finding(finding_id="<finding_id>")
```

Review:

- Anomaly score (0-1 scale)
- MITRE technique predictions
- Entity context (IPs, hostnames, users)
- Data source (flow, DNS, WAF)
### Step 2: Get Similar Findings

Use `nearest_neighbors` to find behaviorally similar findings:

```
nearest_neighbors(query="<finding_id>", k=10)
```

Analyze:

- Are neighbors from the same entity or distributed?
- Do neighbors share MITRE technique predictions?
- What is the time distribution of neighbors?
### Step 3: Analyze the Pattern

Consider:

- **Behavioral Pattern**: What does the embedding cluster represent?
- **Entity Scope**: Single host or multiple hosts affected?
- **Temporal Pattern**: One-time event or recurring behavior?
- **Technique Alignment**: Do MITRE predictions make sense for the behavior?
### Step 4: Assess Severity

Evaluate severity based on:

- **Anomaly Score**: >0.8 is high, >0.6 is medium
- **Technique Confidence**: >0.7 is high confidence
- **Entity Criticality**: Is this a critical asset?
- **Pattern Scope**: Isolated vs. widespread
### Step 5: Generate the Report

Produce a structured triage report following the output format below.
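The following is an added worked example, not DeepTempo's code or part of the skill itself: it turns the Step 2-4 criteria (anomaly-score and technique-confidence thresholds, entity scope, temporal pattern, neighbor corroboration) into the fields the report template asks for. The shape of the `get_finding` / `nearest_neighbors` results (`score`, `techniques`, `entity`, `timestamp`, `similarity`), the escalation to "critical" on a critical asset and the overall-confidence rule are assumptions; the sample results are constructed inline.

```python
from datetime import datetime
from statistics import mean, pstdev

HIGH_SCORE, MEDIUM_SCORE = 0.8, 0.6   # Step 4: anomaly score thresholds
CONFIDENT_TECHNIQUE = 0.7              # Step 4: technique confidence threshold

def severity(score, critical_asset=False):
    """Step 4 severity; escalating to 'critical' on a critical asset is an assumption."""
    if score > HIGH_SCORE:
        return "critical" if critical_asset else "high"
    return "medium" if score > MEDIUM_SCORE else "low"

def temporal_pattern(timestamps, max_cv=0.2):
    """'recurring' when 3+ events are evenly spaced (gap CV < max_cv), else 'irregular'."""
    ts = sorted(datetime.fromisoformat(t) for t in timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    if len(ts) < 3 or not mean(gaps):   # too few events, or all simultaneous
        return "one-time"
    return "recurring" if pstdev(gaps) / mean(gaps) < max_cv else "irregular"

def triage(finding, neighbors, critical_asset=False):
    """Combine Steps 2-4 into the values the report template needs."""
    confident = {t["id"] for t in finding["techniques"]
                 if t["confidence"] > CONFIDENT_TECHNIQUE}
    # Step 2: does a majority of the neighbors share a confident technique prediction?
    shared = {t for t in confident
              if sum(t in n["techniques"] for n in neighbors) * 2 > len(neighbors)}
    entities = {finding["entity"]} | {n["entity"] for n in neighbors}
    sims = [n["similarity"] for n in neighbors]
    # Assumed rule: a neighbor-corroborated technique -> High, confident only -> Medium
    confidence = "High" if shared else "Medium" if confident else "Low"
    return {
        "severity": severity(finding["score"], critical_asset),
        "scope": "isolated" if len(entities) == 1 else "widespread",
        "temporal": temporal_pattern([finding["timestamp"]] + [n["timestamp"] for n in neighbors]),
        "confident_techniques": sorted(confident),
        "corroborated_techniques": sorted(shared),
        "similarity_range": (min(sims), max(sims)) if sims else None,
        "confidence": confidence,
    }

# Constructed sample results standing in for get_finding / nearest_neighbors output.
FINDING = {"id": "f-000", "entity": "10.0.0.5", "score": 0.91,
           "timestamp": "2024-01-01T10:00:00",
           "techniques": [{"id": "T1071.001", "confidence": 0.82},
                          {"id": "T1571", "confidence": 0.35}]}
NEIGHBORS = [{"id": f"f-00{i}", "entity": "10.0.0.5", "similarity": round(0.9 - i * 0.02, 2),
              "timestamp": f"2024-01-01T10:{i * 10:02d}:00", "techniques": ["T1071.001"]}
             for i in range(1, 6)]
```

`triage(FINDING, NEIGHBORS)` reports a high-severity, isolated, recurring pattern with T1071.001 corroborated by every neighbor; the "recurring" label is what the Example 1 timing-regularity observation rests on.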
## Output Format

```markdown
# Triage Report: [Finding ID]

**Generated**: [Current Timestamp]
**Status**: Requires Human Review

## Executive Summary

[One paragraph summarizing:
- What was detected
- Why it's significant
- Recommended priority level]

## Finding Details

| Field | Value |
|-------|-------|
| Finding ID | [ID] |
| Timestamp | [ISO timestamp] |
| Data Source | [flow/dns/waf] |
| Anomaly Score | [score] |
| Severity | [critical/high/medium/low] |

## Entity Context

| Entity Type | Value |
|-------------|-------|
| Source IP | [IP] |
| Destination IP | [IP] |
| Hostname | [hostname] |
| User | [user] |
| Application | [app] |

## MITRE ATT&CK Analysis

| Technique | Name | Confidence | Tactic |
|-----------|------|------------|--------|
| [T####] | [Name] | [0.XX] | [Tactic] |

### Technique Assessment

[For each high-confidence technique, explain:
- Why this technique was predicted
- What evidence supports it
- Alternative interpretations]

## Similar Findings Analysis

**Neighbors Found**: [count]
**Similarity Range**: [min] - [max]

### Pattern Summary

[Describe the pattern observed across neighbors:
- Common entities
- Shared techniques
- Temporal clustering]

### Notable Neighbors

| Finding ID | Similarity | Key Observation |
|------------|------------|-----------------|
| [ID] | [score] | [observation] |

## Recommended Actions

### Immediate (Priority 1)
1. [Action with specific details]
2. [Action with specific details]

### Short-term (Priority 2)
1. [Action with specific details]
2. [Action with specific details]

### Investigation Steps
1. [Specific investigation step]
2. [Specific investigation step]

## Confidence Assessment

**Overall Confidence**: [High/Medium/Low]

**Reasoning**:
- [Factor 1]
- [Factor 2]
- [Factor 3]

**Limitations**:
- [What additional data would help]
- [What uncertainties remain]

---
*This report was generated by Claude using the SOC Triage skill.*
*All recommendations require human review before action.*
```
## Examples

### Example 1: C2 Beaconing Detection

**Input**: Finding with high anomaly score, T1071.001 prediction, periodic timing pattern

**Key Output Elements**:

- Executive summary highlighting beaconing behavior
- MITRE analysis focusing on the Command and Control tactic
- Recommendation to investigate destination IP reputation
- Medium-high confidence based on timing regularity

### Example 2: DNS Tunneling Suspicion

**Input**: DNS finding with unusual query patterns, T1071.004 prediction

**Key Output Elements**:

- Summary noting a potential data exfiltration channel
- Analysis of query entropy and frequency
- Recommendation to block the domain pending review
- Medium confidence due to possible legitimate use cases
## Guidelines

- **Start with the most significant observation** - Lead with what matters most
- **Be specific in recommendations** - "Block IP X" not "Consider blocking"
- **Quantify when possible** - Use actual scores and counts
- **Acknowledge uncertainty** - State confidence levels honestly
- **Connect the dots** - Show how findings relate to each other
- **Prioritize actions** - Help analysts know what to do first
## Constraints

- Never auto-execute response actions
- Always include the human review disclaimer
- Do not access raw logs unless specifically requested
- Redact PII if present in entity context
- Cite evidence for all claims and recommendations
- Avoid definitive statements when confidence is below 70%