CtrlK
BlogDocsLog inGet started
Tessl Logo

triage-suspicious-login

Triage suspicious login alerts like impossible travel, untrusted location, or multiple failures. Use when investigating authentication anomalies. Analyzes user history, source IP reputation, login patterns, and determines if escalation is needed.

Install with Tessl CLI

npx tessl i github:dandye/ai-runbooks --skill triage-suspicious-login
What are skills?

86

Review86%

Does it follow best practices?

Validation10 / 11 Passed

Validation for skill structure

SKILL.md
Review
Evals

Suspicious Login Triage Skill

Guide initial triage of suspicious login alerts (impossible travel, untrusted location, multiple failed logins) for Tier 1 SOC Analysts.

Inputs

  • CASE_ID - SOAR case ID containing the alert(s)
  • ALERT_GROUP_IDENTIFIERS - Alert group identifiers from the case
  • (Optional) USER_ID - The user ID if known upfront
  • (Optional) SOURCE_IP - The source IP if known upfront

Workflow

Step 1: Get Case Context

secops-soar.get_case_full_details(case_id=CASE_ID)

Step 2: Extract Key Entities

secops-soar.list_events_by_alert(case_id=CASE_ID, alert_id=ALERT_ID)

Parse events to extract:

  • USER_ID - The user account
  • SOURCE_IP - The login source IP
  • HOSTNAME - The target/source hostname (if available)

Step 3: User Context (SIEM)

secops-mcp.lookup_entity(entity_value=USER_ID)

Record: Recent activity, first/last seen, related alerts.

Step 4: Source IP Enrichment

Use /enrich-ioc with IOC_TYPE="IP Address":

  • GTI reputation and geolocation
  • SIEM entity summary
  • IOC match status

Step 5: Hostname Context (if available)

secops-mcp.lookup_entity(entity_value=HOSTNAME)

Step 6: Recent Login Activity

Search for login patterns over the last 96 hours:

secops-mcp.search_security_events(
    text='metadata.event_type IN ("USER_LOGIN", "AUTH_ATTEMPT") AND principal.user.userid = "USER_ID"',
    hours_back=96
)

Analyze for:

  • Logins from unusual IPs
  • Successful logins after failures
  • Geographic anomalies (impossible travel)
  • Concurrent sessions from different locations

Step 7: Check Related Cases

Use /find-relevant-case with search terms: [USER_ID, SOURCE_IP, HOSTNAME]

Step 8: (Optional) Identity Provider Check

If IDP tools available (e.g., Okta):

  • Account status
  • MFA enrollment
  • Recent legitimate logins
  • Password change history

Step 9: Synthesize & Document

Use /document-in-case with findings summary:

Suspicious Login Triage for USER_ID from SOURCE_IP:
- User SIEM Summary: [...]
- Source IP GTI: [reputation, geo]
- Login Pattern: [normal/anomalous]
- Related Cases: [...]
- Recommendation: [Close as FP | Escalate to Tier 2]

Required Outputs

After completing this skill, you MUST report these outputs:

OutputDescription
LOGIN_VERDICTAssessment: legitimate, suspicious, or malicious
ANOMALY_INDICATORSWhat made the login suspicious (impossible travel, new device, etc.)
RELATED_ACTIVITYOther suspicious activity from user or source IP
RISK_SCORENumerical risk assessment (0-100) based on findings

Decision Matrix

FindingRecommendation
Known VPN/corporate IP + normal patternClose as FP
User confirmed travel + MFA usedClose as Benign TP
Malicious IP reputationEscalate
Impossible travel + no MFAEscalate urgently
Multiple failures then success from new IPEscalate
Pattern matches user's normal behaviorClose as FP

Key Patterns to Detect

Impossible Travel:

  • Login from NYC, then London 30 mins later
  • Check if VPN or cloud service could explain

Credential Stuffing:

  • Many failures across multiple accounts from same IP
  • Success after many failures

Account Takeover:

  • Login from new device/location
  • Followed by password change or MFA modification

Lateral Movement:

  • Same user logging into many systems rapidly
  • Unusual service account activity
Repository
dandye/ai-runbooks
Commit

67a00be

Last updated
Created

Is this your skill?

If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.

Claim skill