correlate-ioc

Check for existing SIEM alerts and case management entries related to IOCs. Use to understand if an indicator has triggered previous alerts or is part of ongoing investigations. Takes IOC list and returns related alerts and cases.

Install with Tessl CLI

npx tessl i github:dandye/ai-runbooks --skill correlate-ioc

What are skills?

Review — 73%

Does it follow best practices?

If you maintain this skill, you can automatically optimize it using the tessl CLI to improve its score:

npx tessl skill review --optimize ./path/to/skill

Learn more

Validation — 10 / 11 Passed

Validation for skill structure

SKILL.md

Review

Evals

Correlate IOC Skill

Check for existing SIEM alerts and cases related to specific Indicators of Compromise.

Inputs

IOC_LIST - Single IOC or list of IOCs (e.g., ["198.51.100.10", "evil-domain.com"])
(Optional) TIME_FRAME_HOURS - Lookback period for SIEM alerts (default: 168 = 7 days)
(Optional) SOAR_CASE_FILTER - Additional filter for SOAR cases (e.g., status="OPEN")

Workflow

Step 1: Correlate SIEM Alerts

Search for alerts containing any IOC in the list:

secops-mcp.get_security_alerts(
    query=IOC_based_query,
    hours_back=TIME_FRAME_HOURS
)

Store summary in RELATED_SIEM_ALERTS:

Alert count
Alert types/names
Severity distribution
Affected assets

Step 2: Correlate Cases

Search for cases containing any IOC:

secops-soar.list_cases(
    filter=IOC_based_filter + SOAR_CASE_FILTER
)

Store summary in RELATED_SOAR_CASES:

Case IDs and names
Case status
Case priority

Required Outputs

After completing this skill, you MUST report these outputs:

Output	Description
`RELATED_SIEM_ALERTS`	Summary of SIEM alerts related to the IOC(s)
`RELATED_CASES`	Summary of cases related to the IOC(s)
`CORRELATION_STATUS`	Success/failure status of the correlation
`MALICIOUS_CONFIDENCE`	Derived confidence based on alert history: `high`, `medium`, `low`, or `none`

Use Cases

Before Investigation - Check if IOC is already under investigation
During Enrichment - Understand internal activity for an IOC
Threat Hunt - Find all alerts/cases related to campaign indicators
Incident Response - Identify scope of compromise across cases

Correlation Summary Template

IOC Correlation Summary for [IOC_LIST]:

SIEM Alerts (last [TIME_FRAME_HOURS] hours):
- Total alerts: [count]
- Alert types: [list]
- Affected hosts: [list]

Related Cases:
- Open cases: [count] - [IDs]
- Closed cases: [count]
- Related investigations: [summary]

Repository: dandye/ai-runbooks
Commit: 67a00be
Last updated: 14 days ago
Created: 14 days ago

Is this your skill?

If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.