ai-runbooks

triage-suspicious-login

Triage suspicious login alerts like impossible travel, untrusted location, or multiple failures. Use when investigating authentication anomalies. Analyzes user history, source IP reputation, login patterns, and determines if escalation is needed.

triage-malware

Triage a suspected malicious file hash. Use when investigating malware alerts or suspicious files. Analyzes GTI file report, behavioral indicators, identifies affected hosts, enriches network IOCs, and recommends containment actions.

triage-alert

Triage a security alert or case. Use when given an ALERT_ID or CASE_ID to assess if it's a real threat. Enriches IOCs, searches SIEM for context, and determines if the alert should be closed (false positive) or escalated for investigation.

respond-ransomware

Respond to a ransomware incident following PICERL methodology. Use when ransomware is detected or suspected. Orchestrates identification, containment, eradication, and recovery phases. Requires CASE_ID and initial indicators.

respond-phishing

Respond to a reported phishing email following PICERL methodology. Use when a phishing email is reported or detected. Analyzes artifacts, identifies recipients who clicked, contains malicious IOCs, and removes emails from mailboxes.

respond-malware

Respond to a malware incident following PICERL methodology. Use when malware is detected on endpoints. Orchestrates triage, containment, eradication, and recovery. Works with triage-malware skill for analysis.

respond-compromised-account

Respond to a potentially compromised user account. Use when impossible travel, credential stuffing, successful phishing, or suspicious activity indicates account compromise. Investigates activity, contains the account, removes persistence, and restores access.

pivot-on-ioc

Explore GTI relationships for an IOC to discover related entities. Use to expand investigation by finding connected domains, IPs, files, or threat actors. Takes an IOC and relationship types to query.

inventory-content

Systematic cataloging of information assets. Creates comprehensive inventories of all content with metadata and characteristics.

hunt-threat

Conduct proactive, hypothesis-driven threat hunting. Use when performing advanced hunting based on threat intelligence, TTPs, or anomalies. For Tier 3 analysts or dedicated threat hunters. Supports iterative search, pivoting, and comprehensive documentation.

hunt-lateral-movement

Hunt for lateral movement using PsExec, WMI, or similar techniques. Use when proactively searching for attackers moving through your network using admin tools. Searches for service installations, remote process execution, and suspicious network correlations.

hunt-ioc

Hunt for specific IOCs across your environment. Use when you have a list of IPs, domains, hashes, or URLs from threat intel and want to check if they appear in your SIEM. Systematic searching with enrichment and documentation.

hunt-credential-access

Hunt for credential access techniques like LSASS dumping or browser credential theft. Use when searching for evidence of credential harvesting. Takes MITRE technique IDs and searches for behavioral indicators in SIEM.

hunt-apt

Hunt for a specific APT/threat actor in your environment. Use when you have a threat actor name or GTI collection ID and want to search for their TTPs and IOCs. Gathers intelligence from GTI, searches SIEM for IOCs and TTP-based indicators, and documents findings.

generate-thesaurus

Generate controlled vocabulary thesaurus for content domains. Creates comprehensive thesauri with preferred terms, broader/narrower/related terms.

generate-taxonomy

Develop hierarchical classification systems. Creates parent-child categorical structures for content organization.

generate-sitemap

Generate hierarchical site structure and navigation maps. Creates visual representations of information architecture and content relationships.

generate-report

Save investigation findings to a markdown report file. Use after completing triage, enrichment, or investigation to create a permanent record. Generates timestamped files in ./reports/ directory.

find-relevant-case

Search for existing cases related to specific indicators or entities. Use to find correlation with other investigations before starting new analysis. Takes search terms and returns matching case IDs.

enrich-ioc

Enrich an IOC (IP, domain, hash, URL) with threat intelligence. Use when you need to look up reputation and context for an indicator using GTI and SIEM. Returns threat intel findings, SIEM entity summary, and IOC match status.

document-in-case

Add a comment to a case to document findings, actions, or recommendations. Use to maintain audit trail during investigations. Requires CASE_ID and comment text.

design-metadata-schema

Design comprehensive metadata frameworks. Develops structured metadata templates and tagging systems.

deep-dive-ioc

Perform exhaustive analysis of a critical IOC. Use when an IOC needs Tier 2+ investigation beyond basic enrichment - includes GTI pivoting, deep SIEM searches, correlation with related entities, and threat attribution. For escalated IOCs requiring comprehensive investigation.

correlate-ioc

Check for existing SIEM alerts and case management entries related to IOCs. Use to understand if an indicator has triggered previous alerts or is part of ongoing investigations. Takes IOC list and returns related alerts and cases.

confirm-action

Ask the user to confirm before taking a significant action. Use before containment, remediation, or other impactful operations to ensure analyst approval. Presents options and waits for response.

cluster-documents

Automated content similarity and grouping analysis. Groups related documents by topic, purpose, or content similarity.

close-case-artifact

Close a case or alert with proper reason and documentation. Use when triage determines an alert is FP/BTP or investigation is complete. Requires artifact ID, type, closure reason, and root cause.

check-duplicates

Check for duplicate or similar cases. Use before deep analysis to avoid investigating the same incident twice. Takes a CASE_ID and returns list of similar cases.

audit-content

Comprehensive content quality and maintenance assessment. Evaluates documentation quality, relevance, maintenance needs, and provides actionable recommendations.

analyze-content-gaps

Identify content gaps and organizational opportunities. Analyzes missing content areas, redundancies, and consolidation opportunities.

full-investigation

Complete Tier 2 investigation workflow. Orchestrates deep investigation of escalated cases: deep-dive-ioc, correlate-ioc, specialized triage (malware/login), pivot-on-ioc, and generate comprehensive report. Use for escalated cases requiring thorough analysis.

full-triage-alert

Complete Tier 1 triage workflow. Orchestrates the full alert triage process: check-duplicates, triage-alert, enrich-ioc for each entity, and either close (FP/BTP) or escalate (TP/Suspicious). Use for end-to-end alert processing.