full-triage-alert
Complete Tier 1 triage workflow. Orchestrates the full alert triage process: check-duplicates, triage-alert, enrich-ioc for each entity, and either close (FP/BTP) or escalate (TP/Suspicious). Use for end-to-end alert processing.
Install with Tessl CLI
npx tessl i github:dandye/ai-runbooks --skill full-triage-alert83
Does it follow best practices?
If you maintain this skill, you can automatically optimize it using the tessl CLI to improve its score:
npx tessl skill review --optimize ./path/to/skillValidation for skill structure
Full Alert Triage Workflow
A composite skill that orchestrates the complete Tier 1 alert triage process from initial receipt to disposition (close or escalate).
Inputs
CASE_IDorALERT_ID- The alert/case to triage (required)
Orchestrated Workflow
┌─────────────────────────────────────────────────────────────────┐
│ FULL ALERT TRIAGE │
├─────────────────────────────────────────────────────────────────┤
│ │
│ START │
│ │ │
│ ▼ │
│ ┌─────────────────────┐ │
│ │ /check-duplicates │ │
│ └──────────┬──────────┘ │
│ │ │
│ ┌───────┴───────┐ │
│ ▼ ▼ │
│ DUPLICATE NOT DUPLICATE │
│ │ │ │
│ ▼ ▼ │
│ Close & ┌─────────────────────┐ │
│ Document │ /triage-alert │ │
│ │ └───────────┬─────────┘ │
│ │ │ │
│ │ ┌───────────┴─────────┐ │
│ │ │ For each entity: │ │
│ │ │ /enrich-ioc │ │
│ │ └───────────┬─────────┘ │
│ │ │ │
│ │ ┌───────────┴─────────┐ │
│ │ │ DECISION │ │
│ │ └───────────┬─────────┘ │
│ │ │ │
│ │ ┌───────────────┼────────────────┐ │
│ │ ▼ ▼ ▼ │
│ │ FP/BTP TP/Suspicious Inconclusive │
│ │ │ │ │ │
│ │ ▼ ▼ ▼ │
│ │ /document-in-case /document-in-case /document-in-case │
│ │ /close-case-artifact ESCALATE Request more info │
│ │ │ │ │ │
│ └─────┴──────────────────┴──────────────────┘ │
│ │ │
│ ▼ │
│ /generate-report │
│ │ │
│ ▼ │
│ END │
│ │
└─────────────────────────────────────────────────────────────────┘Detailed Steps
Phase 1: Pre-Check
Step 1.1: Check for Duplicates
Invoke: /check-duplicates CASE_ID=$CASE_ID
- If duplicate confirmed:
- Invoke:
/document-in-casewith "Closing as duplicate of [Similar Case ID]" - Invoke:
/close-case-artifactwith reason NOT_MALICIOUS - END WORKFLOW
- Invoke:
- If not duplicate: Continue to Phase 2
Phase 2: Initial Triage
Step 2.1: Perform Alert Triage
Invoke: /triage-alert CASE_ID=$CASE_ID
Extract from results:
CLASSIFICATION- FP, BTP, TP, or SuspiciousKEY_ENTITIES- List of IOCs (IPs, domains, hashes, URLs)ALERT_TYPE- Type of alert (malware, authentication, network, etc.)PRIORITY- Suggested priority level
Phase 3: Enrichment
Step 3.1: Enrich Each Entity
For each entity in KEY_ENTITIES:
Invoke: /enrich-ioc IOC_VALUE=$entity
Collect:
GTI_FINDINGS- Threat intelligence resultsSIEM_CONTEXT- SIEM entity summaryIOC_MATCH_STATUS- Whether IOC appears in threat feeds
Update CLASSIFICATION if enrichment reveals new information.
Phase 4: Decision & Action
Step 4.1: Make Final Classification
Based on triage and enrichment, confirm classification:
| Classification | Criteria | Action |
|---|---|---|
| False Positive (FP) | No malicious indicators, known benign | Close |
| Benign True Positive (BTP) | Real but authorized/expected | Close |
| True Positive (TP) | Confirmed malicious | Escalate |
| Suspicious | Inconclusive, warrants investigation | Escalate |
Step 4.2: Execute Disposition
If FP or BTP:
- Invoke:
/document-in-casewith:- Classification and rationale
- Evidence summary from enrichment
- Closure justification
- Invoke:
/close-case-artifactwith:- Reason: NOT_MALICIOUS
- Root cause: Appropriate option (e.g., "Legit action", "Normal behavior")
If TP or Suspicious:
- Invoke:
/document-in-casewith:- Classification and rationale
- Evidence summary
- Recommended next steps
- Output escalation recommendation:
- Escalate to Tier 2
- Suggest appropriate follow-up skill based on alert type:
- Malware →
/triage-malware - Authentication →
/triage-suspicious-login - IOC-focused →
/deep-dive-ioc
- Malware →
Phase 5: Report
Step 5.1: Generate Triage Report
Invoke: /generate-report REPORT_TYPE=triage
Include:
- Case/Alert ID
- Classification with rationale
- Key entities and enrichment results
- SIEM queries executed
- Disposition taken
- Next steps (if escalated)
Outputs
| Output | Description |
|---|---|
FINAL_CLASSIFICATION | FP, BTP, TP, or Suspicious |
DISPOSITION | Closed or Escalated |
EVIDENCE_SUMMARY | Key findings from triage and enrichment |
REPORT_PATH | Path to generated triage report |
ESCALATION_TARGET | If escalated, recommended next skill/tier |
Error Handling
- If
/check-duplicatesfails → Log warning, continue with triage - If
/enrich-iocfails for an entity → Log warning, continue with other entities - If
/close-case-artifactfails → Log error, manual closure required - If any MCP tool unavailable → Document limitation, proceed with available data
Performance Targets
- Total workflow time: < 15 minutes
- Duplicate detection: < 1 minute
- Per-entity enrichment: < 2 minutes
- Target accuracy: > 90% correct classification
- Repository
- dandye/ai-runbooks
- Commit
67a00be
- Last updated
- Created
Is this your skill?
If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.