triage-malware

Triage a suspected malicious file hash. Use when investigating malware alerts or suspicious files. Analyzes GTI file report, behavioral indicators, identifies affected hosts, enriches network IOCs, and recommends containment actions.

Install with Tessl CLI

npx tessl i github:dandye/ai-runbooks --skill triage-malware

Malware Triage Skill

Perform initial analysis and context gathering for a suspected malicious file hash identified during an investigation or alert.

Inputs

  • FILE_HASH - MD5, SHA1, or SHA256 hash of the suspected file
  • CASE_ID - SOAR case ID for documentation
  • ALERT_GROUP_IDENTIFIERS - Alert group identifiers from the case
  • (Optional) TIME_FRAME_HOURS - Lookback period (default: 72)

Workflow

Step 1: Get Case Context

secops-soar.get_case_full_details(case_id=CASE_ID)

Step 2: GTI File Report

gti-mcp.get_file_report(hash=FILE_HASH)

Record:

  • Detection ratio (e.g., 45/70 engines)
  • Malware family classification
  • First/last seen dates
  • Associated threat actors or campaigns

Step 3: GTI Behavior Summary

gti-mcp.get_file_behavior_summary(hash=FILE_HASH)

Extract behavioral indicators:

  • Network: Contacted IPs/domains → NETWORK_IOCs_GTI
  • File system: Dropped files, modified files
  • Registry: Modified keys
  • MITRE TTPs: Observed techniques from sandbox

Step 4: SIEM Execution Check

Search for file execution events:

secops-mcp.search_security_events(
    text='target.file.sha256 = "FILE_HASH" OR target.file.md5 = "FILE_HASH"',
    hours_back=TIME_FRAME_HOURS
)

Look for: PROCESS_LAUNCH, FILE_CREATION, FILE_MODIFICATION

Identify:

  • AFFECTED_HOSTS - Machines where file was seen
  • AFFECTED_USERS - Users who executed/accessed the file

Step 5: SIEM Network Activity

Search for network connections from processes with this hash:

secops-mcp.search_security_events(
    text='principal.process.file.sha256 = "FILE_HASH"',
    hours_back=TIME_FRAME_HOURS
)

Extract: NETWORK_IOCs_SIEM (contacted IPs/domains)

Step 6: Enrich Network IOCs

Combine NETWORK_IOCs_GTI + NETWORK_IOCs_SIEM → ALL_NETWORK_IOCs

For each network IOC, use /enrich-ioc:

  • Check GTI reputation
  • Check SIEM presence
  • Check IOC match status

Step 7: Check Related Cases

Use /find-relevant-case with:

SEARCH_TERMS = AFFECTED_HOSTS + AFFECTED_USERS + ALL_NETWORK_IOCs

Step 8: Synthesize & Document

Use /document-in-case with assessment:

Malware Triage for Hash FILE_HASH:
- GTI Classification: [family, detection ratio]
- Behavior: [network, files, registry]
- Affected Hosts: [list]
- Network IOCs: [with enrichment]
- Related Cases: [list]

Assessment: [severity level]

Recommendation:
- [ ] Isolate affected hosts
- [ ] Block network IOCs
- [ ] Escalate to IR
- [ ] Monitor only

Required Outputs

After completing this skill, you MUST report these outputs:

| Output | Description |
| --- | --- |
| MALWARE_CLASSIFICATION | GTI verdict and malware family (e.g., "Emotet - Banking Trojan") |
| BEHAVIORAL_IOCS | Network IOCs from sandbox analysis (contacted IPs/domains) |
| AFFECTED_HOSTS | Hosts where this malware was executed or detected |
| AFFECTED_USERS | Users who executed or accessed the malware |
| TRIAGE_VERDICT | Overall verdict: malicious, suspicious, or clean |

Severity Assessment Matrix

| Factor | Low | Medium | High | Critical |
| --- | --- | --- | --- | --- |
| GTI Detection | < 5 engines | 5-20 engines | 20-50 engines | > 50 engines |
| Execution | Not executed | Downloaded only | Executed | Active C2 |
| Spread | Single host | 2-5 hosts | 5-20 hosts | > 20 hosts |
| Network IOCs | None observed | Benign | Suspicious | Known malicious |
| Data at Risk | None | Low value | PII/credentials | Critical systems |
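As an added worked example (not code from the skill or the dandye/ai-runbooks repository), the following Python applies the matrix above: each factor is ranked against its row, and the overall severity is the worst single factor. Two points the matrix leaves open are assumptions here: shared bucket edges (5, 20, 50 hosts/engines) go to the lower bucket, and aggregation is worst-factor rather than a weighted sum.

```python
from dataclasses import dataclass

# Ordered severity levels from the matrix; list index is the rank.
LEVELS = ["Low", "Medium", "High", "Critical"]

# Categorical factors map directly onto a column of the matrix.
EXECUTION = {"not_executed": 0, "downloaded_only": 1, "executed": 2, "active_c2": 3}
NETWORK_IOCS = {"none_observed": 0, "benign": 1, "suspicious": 2, "known_malicious": 3}
DATA_AT_RISK = {"none": 0, "low_value": 1, "pii_credentials": 2, "critical_systems": 3}


def _bucket(value: int, upper_bounds: list[int]) -> int:
    """Rank of the first bucket whose inclusive upper bound holds value.
    The matrix lists overlapping edges (5-20 vs 20-50); as an assumption the
    shared edge belongs to the lower bucket."""
    for rank, bound in enumerate(upper_bounds):
        if value <= bound:
            return rank
    return len(upper_bounds)


@dataclass
class TriageFactors:
    detections: int       # engines flagging the file in the GTI report
    execution: str        # key of EXECUTION, from the SIEM execution check
    affected_hosts: int   # len(AFFECTED_HOSTS)
    network_iocs: str     # key of NETWORK_IOCS, worst /enrich-ioc result
    data_at_risk: str     # key of DATA_AT_RISK


def score_factors(f: TriageFactors) -> dict[str, int]:
    """Rank each matrix row. GTI Detection buckets are <5, 5-20, 21-50, >50;
    Spread buckets are 1, 2-5, 6-20, >20 (edge rule in _bucket)."""
    return {
        "GTI Detection": _bucket(f.detections, [4, 20, 50]),
        "Execution": EXECUTION[f.execution],
        "Spread": _bucket(f.affected_hosts, [1, 5, 20]),
        "Network IOCs": NETWORK_IOCS[f.network_iocs],
        "Data at Risk": DATA_AT_RISK[f.data_at_risk],
    }


def assess(f: TriageFactors) -> tuple[str, list[str]]:
    """Overall severity is the worst factor (assumed rule); also returns
    which factors drove it, for the Assessment line of the case note."""
    ranks = score_factors(f)
    worst = max(ranks.values())
    return LEVELS[worst], sorted(k for k, r in ranks.items() if r == worst)


if __name__ == "__main__":
    # Constructed sample: 45/70 detections, executed on 3 hosts, suspicious IOCs, credentials exposed
    print(assess(TriageFactors(45, "executed", 3, "suspicious", "pii_credentials")))
```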

Recommended Actions by Severity

Critical/High:

  1. Immediately isolate affected hosts
  2. Block network IOCs at firewall
  3. Escalate to Incident Response
  4. Preserve forensic evidence

Medium:

  1. Monitor affected hosts closely
  2. Block known malicious IOCs
  3. Schedule endpoint scan
  4. Escalate to Tier 2

Low:

  1. Document findings
  2. Monitor for recurrence
  3. Close with detailed notes

Repository: dandye/ai-runbooks