SamiGPT

Overview Schema Related Servers Score Discussions

AI-SOC-Agent
execution_flow

case_analysis.svg•47.1 kB

<?xml version="1.0" encoding="UTF-8" standalone="no"?> <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">   <svg width="1081pt" height="1847pt" viewBox="0.00 0.00 1081.00 1847.00" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"> <g id="graph0" class="graph" transform="scale(1 1) rotate(0) translate(4 1843.32)"> <title>SOC2CaseAnalysis</title> <polygon fill="white" stroke="none" points="-4,4 -4,-1843.32 1077,-1843.32 1077,4 -4,4"/> <g id="clust1" class="cluster"> <title>cluster_deep_siem</title> <polygon fill="lightcoral" stroke="black" points="8,-1077.71 8,-1197.46 1065,-1197.46 1065,-1077.71 8,-1077.71"/> <text xml:space="preserve" text-anchor="middle" x="536.5" y="-1182.06" font-family="Times,serif" font-size="12.00">Step 5: Deep SIEM Analysis (SOC2 Core)</text> </g> <g id="clust2" class="cluster"> <title>cluster_cti_enrichment</title> <polygon fill="lightyellow" stroke="black" points="310,-950.21 310,-1058.71 1023,-1058.71 1023,-950.21 310,-950.21"/> <text xml:space="preserve" text-anchor="middle" x="666.5" y="-1044.26" font-family="Times,serif" font-size="11.00">Step 6: CTI & Entity Enrichment</text> </g> <g id="clust3" class="cluster"> <title>cluster_legend</title> <polygon fill="none" stroke="black" stroke-dasharray="5,2" points="774,-1432.21 774,-1831.32 930,-1831.32 930,-1432.21 774,-1432.21"/> <text xml:space="preserve" text-anchor="middle" x="852" y="-1816.87" font-family="Times,serif" font-size="11.00">Legend - Tool Categories</text> </g>  <g id="node1" class="node"> <title>START</title> <ellipse fill="lightgreen" stroke="black" cx="553" cy="-1782.07" rx="77.6" ry="35.36"/> <text xml:space="preserve" text-anchor="middle" x="553" y="-1794.52" font-family="Arial" font-size="9.00">START</text> <text xml:space="preserve" text-anchor="middle" x="553" y="-1784.02" font-family="Arial" font-size="9.00">SOC2 Case Analysis</text> <text xml:space="preserve" text-anchor="middle" x="553" y="-1773.52" font-family="Arial" font-size="9.00">[CM] review_case</text> <text xml:space="preserve" text-anchor="middle" x="553" y="-1763.02" font-family="Arial" font-size="9.00">(case_id=${CASE_ID})</text> </g>  <g id="node2" class="node"> <title>STEP1</title> <path fill="none" stroke="black" d="M607.88,-1709.71C607.88,-1709.71 498.12,-1709.71 498.12,-1709.71 492.12,-1709.71 486.12,-1703.71 486.12,-1697.71 486.12,-1697.71 486.12,-1650.71 486.12,-1650.71 486.12,-1644.71 492.12,-1638.71 498.12,-1638.71 498.12,-1638.71 607.88,-1638.71 607.88,-1638.71 613.88,-1638.71 619.88,-1644.71 619.88,-1650.71 619.88,-1650.71 619.88,-1697.71 619.88,-1697.71 619.88,-1703.71 613.88,-1709.71 607.88,-1709.71"/> <text xml:space="preserve" text-anchor="middle" x="553" y="-1697.16" font-family="Arial" font-size="9.00">Step 1</text> <text xml:space="preserve" text-anchor="middle" x="553" y="-1686.66" font-family="Arial" font-size="9.00">Review Case</text> <text xml:space="preserve" text-anchor="middle" x="553" y="-1676.16" font-family="Arial" font-size="9.00">[CM] review_case</text> <text xml:space="preserve" text-anchor="middle" x="553" y="-1665.66" font-family="Arial" font-size="9.00">Read ALL case details</text> <text xml:space="preserve" text-anchor="middle" x="553" y="-1655.16" font-family="Arial" font-size="9.00">Extract alert details</text> <text xml:space="preserve" text-anchor="middle" x="553" y="-1644.66" font-family="Arial" font-size="9.00">Store in ${CASE_CONTEXT}</text> </g>  <g id="edge1" class="edge"> <title>START->STEP1</title> <path fill="none" stroke="black" d="M553,-1746.41C553,-1738.36 553,-1729.68 553,-1721.23"/> <polygon fill="black" stroke="black" points="556.5,-1721.46 553,-1711.46 549.5,-1721.46 556.5,-1721.46"/> </g>  <g id="node3" class="node"> <title>STEP2</title> <path fill="none" stroke="black" d="M612.38,-1601.71C612.38,-1601.71 493.62,-1601.71 493.62,-1601.71 487.62,-1601.71 481.62,-1595.71 481.62,-1589.71 481.62,-1589.71 481.62,-1553.21 481.62,-1553.21 481.62,-1547.21 487.62,-1541.21 493.62,-1541.21 493.62,-1541.21 612.38,-1541.21 612.38,-1541.21 618.38,-1541.21 624.38,-1547.21 624.38,-1553.21 624.38,-1553.21 624.38,-1589.71 624.38,-1589.71 624.38,-1595.71 618.38,-1601.71 612.38,-1601.71"/> <text xml:space="preserve" text-anchor="middle" x="553" y="-1589.16" font-family="Arial" font-size="9.00">Step 2</text> <text xml:space="preserve" text-anchor="middle" x="553" y="-1578.66" font-family="Arial" font-size="9.00">Review Tasks & Timeline</text> <text xml:space="preserve" text-anchor="middle" x="553" y="-1568.16" font-family="Arial" font-size="9.00">[CM] list_case_tasks</text> <text xml:space="preserve" text-anchor="middle" x="553" y="-1557.66" font-family="Arial" font-size="9.00">[CM] list_case_timeline_events</text> <text xml:space="preserve" text-anchor="middle" x="553" y="-1547.16" font-family="Arial" font-size="9.00">Identify pending tasks</text> </g>  <g id="edge2" class="edge"> <title>STEP1->STEP2</title> <path fill="none" stroke="black" d="M553,-1638.26C553,-1630.22 553,-1621.61 553,-1613.35"/> <polygon fill="black" stroke="black" points="556.5,-1613.51 553,-1603.51 549.5,-1613.51 556.5,-1613.51"/> </g>  <g id="node4" class="node"> <title>STEP3</title> <path fill="none" stroke="black" d="M611.62,-1504.21C611.62,-1504.21 494.38,-1504.21 494.38,-1504.21 488.38,-1504.21 482.38,-1498.21 482.38,-1492.21 482.38,-1492.21 482.38,-1424.21 482.38,-1424.21 482.38,-1418.21 488.38,-1412.21 494.38,-1412.21 494.38,-1412.21 611.62,-1412.21 611.62,-1412.21 617.62,-1412.21 623.62,-1418.21 623.62,-1424.21 623.62,-1424.21 623.62,-1492.21 623.62,-1492.21 623.62,-1498.21 617.62,-1504.21 611.62,-1504.21"/> <text xml:space="preserve" text-anchor="middle" x="553" y="-1491.66" font-family="Arial" font-size="9.00">Step 3</text> <text xml:space="preserve" text-anchor="middle" x="553" y="-1481.16" font-family="Arial" font-size="9.00">Complete Pending Tasks</text> <text xml:space="preserve" text-anchor="middle" x="553" y="-1470.66" font-family="Arial" font-size="9.00">[CM] update_case_task_status</text> <text xml:space="preserve" text-anchor="middle" x="553" y="-1460.16" font-family="Arial" font-size="9.00">(in_progress -> completed)</text> <text xml:space="preserve" text-anchor="middle" x="553" y="-1449.66" font-family="Arial" font-size="9.00">Perform analysis</text> <text xml:space="preserve" text-anchor="middle" x="553" y="-1439.16" font-family="Arial" font-size="9.00">[CM] add_case_comment</text> <text xml:space="preserve" text-anchor="middle" x="553" y="-1428.66" font-family="Arial" font-size="9.00">Document findings</text> <text xml:space="preserve" text-anchor="middle" x="553" y="-1418.16" font-family="Arial" font-size="9.00">Mark completed</text> </g>  <g id="edge3" class="edge"> <title>STEP2->STEP3</title> <path fill="none" stroke="black" d="M553,-1540.94C553,-1533.15 553,-1524.48 553,-1515.78"/> <polygon fill="black" stroke="black" points="556.5,-1515.91 553,-1505.91 549.5,-1515.91 556.5,-1515.91"/> </g>  <g id="node5" class="node"> <title>STEP4</title> <polygon fill="lightyellow" stroke="black" points="553,-1375.21 399,-1304.21 553,-1233.21 707,-1304.21 553,-1375.21"/> <text xml:space="preserve" text-anchor="middle" x="553" y="-1327.16" font-family="Arial" font-size="9.00">Step 4</text> <text xml:space="preserve" text-anchor="middle" x="553" y="-1316.66" font-family="Arial" font-size="9.00">Initial Case Assessment</text> <text xml:space="preserve" text-anchor="middle" x="553" y="-1306.16" font-family="Arial" font-size="9.00">Analyze case data</text> <text xml:space="preserve" text-anchor="middle" x="553" y="-1295.66" font-family="Arial" font-size="9.00">Determine threat type</text> <text xml:space="preserve" text-anchor="middle" x="553" y="-1285.16" font-family="Arial" font-size="9.00">Identify analysis gaps</text> <text xml:space="preserve" text-anchor="middle" x="553" y="-1274.66" font-family="Arial" font-size="9.00">Decide on case-specific runbooks</text> </g>  <g id="edge4" class="edge"> <title>STEP3->STEP4</title> <path fill="none" stroke="black" d="M553,-1412.02C553,-1404.05 553,-1395.53 553,-1386.92"/> <polygon fill="black" stroke="black" points="556.5,-1387.09 553,-1377.09 549.5,-1387.09 556.5,-1387.09"/> </g>  <g id="node6" class="node"> <title>SIEM_KQL</title> <path fill="none" stroke="black" d="M153.75,-1167.21C153.75,-1167.21 28.25,-1167.21 28.25,-1167.21 22.25,-1167.21 16.25,-1161.21 16.25,-1155.21 16.25,-1155.21 16.25,-1097.71 16.25,-1097.71 16.25,-1091.71 22.25,-1085.71 28.25,-1085.71 28.25,-1085.71 153.75,-1085.71 153.75,-1085.71 159.75,-1085.71 165.75,-1091.71 165.75,-1097.71 165.75,-1097.71 165.75,-1155.21 165.75,-1155.21 165.75,-1161.21 159.75,-1167.21 153.75,-1167.21"/> <text xml:space="preserve" text-anchor="middle" x="91" y="-1154.66" font-family="Arial" font-size="9.00">Advanced KQL Queries</text> <text xml:space="preserve" text-anchor="middle" x="91" y="-1144.16" font-family="Arial" font-size="9.00">[SIEM] search_kql_query</text> <text xml:space="preserve" text-anchor="middle" x="91" y="-1133.66" font-family="Arial" font-size="9.00">Complex Elastic queries</text> <text xml:space="preserve" text-anchor="middle" x="91" y="-1123.16" font-family="Arial" font-size="9.00">Cross-index searches</text> <text xml:space="preserve" text-anchor="middle" x="91" y="-1112.66" font-family="Arial" font-size="9.00">Time-based analysis (7-30 days)</text> <text xml:space="preserve" text-anchor="middle" x="91" y="-1102.16" font-family="Arial" font-size="9.00">Aggregations, joins</text> <text xml:space="preserve" text-anchor="middle" x="91" y="-1091.66" font-family="Arial" font-size="9.00">Field-level analysis</text> </g>  <g id="edge5" class="edge"> <title>STEP4->SIEM_KQL</title> <path fill="none" stroke="red" stroke-width="2" d="M440.43,-1284.66C362.71,-1268.81 258.7,-1241.44 175,-1197.46 163.66,-1191.5 152.46,-1183.82 142.11,-1175.73"/> <polygon fill="red" stroke="red" stroke-width="2" points="144.39,-1173.08 134.42,-1169.48 139.97,-1178.5 144.39,-1173.08"/> <text xml:space="preserve" text-anchor="middle" x="236.48" y="-1207.61" font-family="Arial" font-size="8.00">Deep Investigation</text> </g>  <g id="node7" class="node"> <title>SIEM_PIVOT</title> <path fill="none" stroke="black" d="M300.25,-1161.96C300.25,-1161.96 195.75,-1161.96 195.75,-1161.96 189.75,-1161.96 183.75,-1155.96 183.75,-1149.96 183.75,-1149.96 183.75,-1102.96 183.75,-1102.96 183.75,-1096.96 189.75,-1090.96 195.75,-1090.96 195.75,-1090.96 300.25,-1090.96 300.25,-1090.96 306.25,-1090.96 312.25,-1096.96 312.25,-1102.96 312.25,-1102.96 312.25,-1149.96 312.25,-1149.96 312.25,-1155.96 306.25,-1161.96 300.25,-1161.96"/> <text xml:space="preserve" text-anchor="middle" x="248" y="-1149.41" font-family="Arial" font-size="9.00">Entity Pivoting</text> <text xml:space="preserve" text-anchor="middle" x="248" y="-1138.91" font-family="Arial" font-size="9.00">[SIEM] pivot_on_indicator</text> <text xml:space="preserve" text-anchor="middle" x="248" y="-1128.41" font-family="Arial" font-size="9.00">Pivot on ALL entities</text> <text xml:space="preserve" text-anchor="middle" x="248" y="-1117.91" font-family="Arial" font-size="9.00">Hosts, users, IPs, domains</text> <text xml:space="preserve" text-anchor="middle" x="248" y="-1107.41" font-family="Arial" font-size="9.00">Hashes, processes, registry</text> <text xml:space="preserve" text-anchor="middle" x="248" y="-1096.91" font-family="Arial" font-size="9.00">Ports, timelines</text> </g>  <g id="edge6" class="edge"> <title>STEP4->SIEM_PIVOT</title> <path fill="none" stroke="red" stroke-width="2" d="M467.24,-1272.21C421.82,-1253.84 366.24,-1228.15 321,-1197.46 309.88,-1189.92 298.88,-1180.63 288.93,-1171.31"/> <polygon fill="red" stroke="red" stroke-width="2" points="291.54,-1168.96 281.91,-1164.53 286.67,-1173.99 291.54,-1168.96"/> <text xml:space="preserve" text-anchor="middle" x="377.27" y="-1207.61" font-family="Arial" font-size="8.00">Deep Investigation</text> </g>  <g id="node8" class="node"> <title>SIEM_SEARCH</title> <path fill="none" stroke="black" d="M459.62,-1151.46C459.62,-1151.46 342.38,-1151.46 342.38,-1151.46 336.38,-1151.46 330.38,-1145.46 330.38,-1139.46 330.38,-1139.46 330.38,-1113.46 330.38,-1113.46 330.38,-1107.46 336.38,-1101.46 342.38,-1101.46 342.38,-1101.46 459.62,-1101.46 459.62,-1101.46 465.62,-1101.46 471.62,-1107.46 471.62,-1113.46 471.62,-1113.46 471.62,-1139.46 471.62,-1139.46 471.62,-1145.46 465.62,-1151.46 459.62,-1151.46"/> <text xml:space="preserve" text-anchor="middle" x="401" y="-1138.91" font-family="Arial" font-size="9.00">Security Event Search</text> <text xml:space="preserve" text-anchor="middle" x="401" y="-1128.41" font-family="Arial" font-size="9.00">[SIEM] search_security_events</text> <text xml:space="preserve" text-anchor="middle" x="401" y="-1117.91" font-family="Arial" font-size="9.00">Deep event analysis</text> <text xml:space="preserve" text-anchor="middle" x="401" y="-1107.41" font-family="Arial" font-size="9.00">Pattern detection</text> </g>  <g id="edge7" class="edge"> <title>STEP4->SIEM_SEARCH</title> <path fill="none" stroke="red" stroke-width="2" d="M509.44,-1252.85C484.04,-1223.48 452.69,-1187.22 430.24,-1161.26"/> <polygon fill="red" stroke="red" stroke-width="2" points="432.97,-1159.08 423.78,-1153.8 427.68,-1163.66 432.97,-1159.08"/> <text xml:space="preserve" text-anchor="middle" x="505.44" y="-1207.61" font-family="Arial" font-size="8.00">Deep Investigation</text> </g>  <g id="node9" class="node"> <title>SIEM_NETWORK</title> <path fill="none" stroke="black" d="M604.5,-1161.96C604.5,-1161.96 501.5,-1161.96 501.5,-1161.96 495.5,-1161.96 489.5,-1155.96 489.5,-1149.96 489.5,-1149.96 489.5,-1102.96 489.5,-1102.96 489.5,-1096.96 495.5,-1090.96 501.5,-1090.96 501.5,-1090.96 604.5,-1090.96 604.5,-1090.96 610.5,-1090.96 616.5,-1096.96 616.5,-1102.96 616.5,-1102.96 616.5,-1149.96 616.5,-1149.96 616.5,-1155.96 610.5,-1161.96 604.5,-1161.96"/> <text xml:space="preserve" text-anchor="middle" x="553" y="-1149.41" font-family="Arial" font-size="9.00">Network Deep Analysis</text> <text xml:space="preserve" text-anchor="middle" x="553" y="-1138.91" font-family="Arial" font-size="9.00">[SIEM] get_network_events</text> <text xml:space="preserve" text-anchor="middle" x="553" y="-1128.41" font-family="Arial" font-size="9.00">Full traffic analysis</text> <text xml:space="preserve" text-anchor="middle" x="553" y="-1117.91" font-family="Arial" font-size="9.00">Connection patterns</text> <text xml:space="preserve" text-anchor="middle" x="553" y="-1107.41" font-family="Arial" font-size="9.00">Data transfer analysis</text> <text xml:space="preserve" text-anchor="middle" x="553" y="-1096.91" font-family="Arial" font-size="9.00">C2 detection</text> </g>  <g id="edge8" class="edge"> <title>STEP4->SIEM_NETWORK</title> <path fill="none" stroke="red" stroke-width="2" d="M553,-1232.74C553,-1213.41 553,-1192.91 553,-1175.19"/> <polygon fill="red" stroke="red" stroke-width="2" points="556.5,-1175.27 553,-1165.27 549.5,-1175.27 556.5,-1175.27"/> <text xml:space="preserve" text-anchor="middle" x="586" y="-1207.61" font-family="Arial" font-size="8.00">Deep Investigation</text> </g>  <g id="node10" class="node"> <title>SIEM_DNS</title> <path fill="none" stroke="black" d="M731.88,-1161.96C731.88,-1161.96 646.12,-1161.96 646.12,-1161.96 640.12,-1161.96 634.12,-1155.96 634.12,-1149.96 634.12,-1149.96 634.12,-1102.96 634.12,-1102.96 634.12,-1096.96 640.12,-1090.96 646.12,-1090.96 646.12,-1090.96 731.88,-1090.96 731.88,-1090.96 737.88,-1090.96 743.88,-1096.96 743.88,-1102.96 743.88,-1102.96 743.88,-1149.96 743.88,-1149.96 743.88,-1155.96 737.88,-1161.96 731.88,-1161.96"/> <text xml:space="preserve" text-anchor="middle" x="689" y="-1149.41" font-family="Arial" font-size="9.00">DNS Deep Analysis</text> <text xml:space="preserve" text-anchor="middle" x="689" y="-1138.91" font-family="Arial" font-size="9.00">[SIEM] get_dns_events</text> <text xml:space="preserve" text-anchor="middle" x="689" y="-1128.41" font-family="Arial" font-size="9.00">Query patterns</text> <text xml:space="preserve" text-anchor="middle" x="689" y="-1117.91" font-family="Arial" font-size="9.00">Domain resolution</text> <text xml:space="preserve" text-anchor="middle" x="689" y="-1107.41" font-family="Arial" font-size="9.00">C2 detection</text> <text xml:space="preserve" text-anchor="middle" x="689" y="-1096.91" font-family="Arial" font-size="9.00">DGA identification</text> </g>  <g id="edge9" class="edge"> <title>STEP4->SIEM_DNS</title> <path fill="none" stroke="red" stroke-width="2" d="M594.32,-1251.74C603.81,-1239.8 613.8,-1227.1 623,-1215.21 633.69,-1201.39 645.18,-1186.22 655.53,-1172.44"/> <polygon fill="red" stroke="red" stroke-width="2" points="658.19,-1174.74 661.38,-1164.64 652.58,-1170.54 658.19,-1174.74"/> <text xml:space="preserve" text-anchor="middle" x="663.27" y="-1207.61" font-family="Arial" font-size="8.00">Deep Investigation</text> </g>  <g id="node11" class="node"> <title>SIEM_EMAIL</title> <path fill="none" stroke="black" d="M867.62,-1161.96C867.62,-1161.96 774.38,-1161.96 774.38,-1161.96 768.38,-1161.96 762.38,-1155.96 762.38,-1149.96 762.38,-1149.96 762.38,-1102.96 762.38,-1102.96 762.38,-1096.96 768.38,-1090.96 774.38,-1090.96 774.38,-1090.96 867.62,-1090.96 867.62,-1090.96 873.62,-1090.96 879.62,-1096.96 879.62,-1102.96 879.62,-1102.96 879.62,-1149.96 879.62,-1149.96 879.62,-1155.96 873.62,-1161.96 867.62,-1161.96"/> <text xml:space="preserve" text-anchor="middle" x="821" y="-1149.41" font-family="Arial" font-size="9.00">Email Deep Analysis</text> <text xml:space="preserve" text-anchor="middle" x="821" y="-1138.91" font-family="Arial" font-size="9.00">[SIEM] get_email_events</text> <text xml:space="preserve" text-anchor="middle" x="821" y="-1128.41" font-family="Arial" font-size="9.00">Phishing patterns</text> <text xml:space="preserve" text-anchor="middle" x="821" y="-1117.91" font-family="Arial" font-size="9.00">Attachment analysis</text> <text xml:space="preserve" text-anchor="middle" x="821" y="-1107.41" font-family="Arial" font-size="9.00">Header analysis</text> <text xml:space="preserve" text-anchor="middle" x="821" y="-1096.91" font-family="Arial" font-size="9.00">Campaign correlation</text> </g>  <g id="edge10" class="edge"> <title>STEP4->SIEM_EMAIL</title> <path fill="none" stroke="red" stroke-width="2" d="M631.39,-1268.85C669.75,-1250.31 715.6,-1225.49 753,-1197.46 763.17,-1189.84 773.22,-1180.68 782.34,-1171.53"/> <polygon fill="red" stroke="red" stroke-width="2" points="784.59,-1174.24 789.02,-1164.62 779.55,-1169.37 784.59,-1174.24"/> <text xml:space="preserve" text-anchor="middle" x="771.13" y="-1207.61" font-family="Arial" font-size="8.00">Deep Investigation</text> </g>  <g id="node12" class="node"> <title>SIEM_ALERT_CORR</title> <path fill="none" stroke="black" d="M1044.62,-1161.96C1044.62,-1161.96 909.38,-1161.96 909.38,-1161.96 903.38,-1161.96 897.38,-1155.96 897.38,-1149.96 897.38,-1149.96 897.38,-1102.96 897.38,-1102.96 897.38,-1096.96 903.38,-1090.96 909.38,-1090.96 909.38,-1090.96 1044.62,-1090.96 1044.62,-1090.96 1050.62,-1090.96 1056.62,-1096.96 1056.62,-1102.96 1056.62,-1102.96 1056.62,-1149.96 1056.62,-1149.96 1056.62,-1155.96 1050.62,-1161.96 1044.62,-1161.96"/> <text xml:space="preserve" text-anchor="middle" x="977" y="-1149.41" font-family="Arial" font-size="9.00">Alert Correlation</text> <text xml:space="preserve" text-anchor="middle" x="977" y="-1138.91" font-family="Arial" font-size="9.00">[SIEM] get_alerts_by_entity</text> <text xml:space="preserve" text-anchor="middle" x="977" y="-1128.41" font-family="Arial" font-size="9.00">[SIEM] get_alerts_by_time_window</text> <text xml:space="preserve" text-anchor="middle" x="977" y="-1117.91" font-family="Arial" font-size="9.00">[SIEM] get_security_alert_by_id</text> <text xml:space="preserve" text-anchor="middle" x="977" y="-1107.41" font-family="Arial" font-size="9.00">Multi-alert correlation</text> <text xml:space="preserve" text-anchor="middle" x="977" y="-1096.91" font-family="Arial" font-size="9.00">Extended time windows</text> </g>  <g id="edge11" class="edge"> <title>STEP4->SIEM_ALERT_CORR</title> <path fill="none" stroke="red" stroke-width="2" d="M657.24,-1280.92C725.65,-1263.79 815.69,-1236.42 889,-1197.46 903.15,-1189.94 917.27,-1180.05 929.92,-1170.08"/> <polygon fill="red" stroke="red" stroke-width="2" points="931.83,-1173.04 937.38,-1164.02 927.41,-1167.61 931.83,-1173.04"/> <text xml:space="preserve" text-anchor="middle" x="905.14" y="-1207.61" font-family="Arial" font-size="8.00">Deep Investigation</text> </g>  <g id="node13" class="node"> <title>CTI_HASH</title> <path fill="none" stroke="black" d="M457.5,-1029.21C457.5,-1029.21 330.5,-1029.21 330.5,-1029.21 324.5,-1029.21 318.5,-1023.21 318.5,-1017.21 318.5,-1017.21 318.5,-970.21 318.5,-970.21 318.5,-964.21 324.5,-958.21 330.5,-958.21 330.5,-958.21 457.5,-958.21 457.5,-958.21 463.5,-958.21 469.5,-964.21 469.5,-970.21 469.5,-970.21 469.5,-1017.21 469.5,-1017.21 469.5,-1023.21 463.5,-1029.21 457.5,-1029.21"/> <text xml:space="preserve" text-anchor="middle" x="394" y="-1016.66" font-family="Arial" font-size="9.00">Hash Enrichment</text> <text xml:space="preserve" text-anchor="middle" x="394" y="-1006.16" font-family="Arial" font-size="9.00">[CTI] lookup_hash_ti</text> <text xml:space="preserve" text-anchor="middle" x="394" y="-995.66" font-family="Arial" font-size="9.00">[CTI] get_file_report</text> <text xml:space="preserve" text-anchor="middle" x="394" y="-985.16" font-family="Arial" font-size="9.00">[CTI] get_file_behavior_summary</text> <text xml:space="preserve" text-anchor="middle" x="394" y="-974.66" font-family="Arial" font-size="9.00">[CTI] get_entities_related_to_file</text> <text xml:space="preserve" text-anchor="middle" x="394" y="-964.16" font-family="Arial" font-size="9.00">[SIEM] get_ioc_matches</text> </g>  <g id="edge12" class="edge"> <title>SIEM_KQL->CTI_HASH</title> <path fill="none" stroke="black" d="M159.77,-1085.25C164.88,-1082.61 169.99,-1080.07 175,-1077.71 217.64,-1057.66 266.56,-1038.75 307.33,-1024.06"/> <polygon fill="black" stroke="black" points="308.39,-1027.4 316.63,-1020.74 306.03,-1020.81 308.39,-1027.4"/> </g>  <g id="edge13" class="edge"> <title>SIEM_PIVOT->CTI_HASH</title> <path fill="none" stroke="black" d="M286.74,-1090.77C305.14,-1074.29 327.29,-1054.45 346.67,-1037.09"/> <polygon fill="black" stroke="black" points="348.83,-1039.86 353.95,-1030.58 344.17,-1034.64 348.83,-1039.86"/> </g>  <g id="edge14" class="edge"> <title>SIEM_SEARCH->CTI_HASH</title> <path fill="none" stroke="black" d="M399.7,-1101.17C398.79,-1084.18 397.55,-1060.96 396.45,-1040.53"/> <polygon fill="black" stroke="black" points="399.96,-1040.53 395.93,-1030.73 392.97,-1040.9 399.96,-1040.53"/> </g>  <g id="node14" class="node"> <title>CTI_IP</title> <path fill="none" stroke="black" d="M606,-1018.71C606,-1018.71 500,-1018.71 500,-1018.71 494,-1018.71 488,-1012.71 488,-1006.71 488,-1006.71 488,-980.71 488,-980.71 488,-974.71 494,-968.71 500,-968.71 500,-968.71 606,-968.71 606,-968.71 612,-968.71 618,-974.71 618,-980.71 618,-980.71 618,-1006.71 618,-1006.71 618,-1012.71 612,-1018.71 606,-1018.71"/> <text xml:space="preserve" text-anchor="middle" x="553" y="-1006.16" font-family="Arial" font-size="9.00">IP Enrichment</text> <text xml:space="preserve" text-anchor="middle" x="553" y="-995.66" font-family="Arial" font-size="9.00">[CTI] get_ip_address_report</text> <text xml:space="preserve" text-anchor="middle" x="553" y="-985.16" font-family="Arial" font-size="9.00">[SIEM] lookup_entity</text> <text xml:space="preserve" text-anchor="middle" x="553" y="-974.66" font-family="Arial" font-size="9.00">[SIEM] get_ioc_matches</text> </g>  <g id="edge15" class="edge"> <title>SIEM_NETWORK->CTI_IP</title> <path fill="none" stroke="black" d="M553,-1090.77C553,-1072.18 553,-1049.32 553,-1030.57"/> <polygon fill="black" stroke="black" points="556.5,-1030.72 553,-1020.72 549.5,-1030.72 556.5,-1030.72"/> </g>  <g id="node15" class="node"> <title>CTI_DOMAIN</title> <path fill="none" stroke="black" d="M738.12,-1018.71C738.12,-1018.71 647.88,-1018.71 647.88,-1018.71 641.88,-1018.71 635.88,-1012.71 635.88,-1006.71 635.88,-1006.71 635.88,-980.71 635.88,-980.71 635.88,-974.71 641.88,-968.71 647.88,-968.71 647.88,-968.71 738.12,-968.71 738.12,-968.71 744.12,-968.71 750.12,-974.71 750.12,-980.71 750.12,-980.71 750.12,-1006.71 750.12,-1006.71 750.12,-1012.71 744.12,-1018.71 738.12,-1018.71"/> <text xml:space="preserve" text-anchor="middle" x="693" y="-1006.16" font-family="Arial" font-size="9.00">Domain Enrichment</text> <text xml:space="preserve" text-anchor="middle" x="693" y="-995.66" font-family="Arial" font-size="9.00">[SIEM] lookup_entity</text> <text xml:space="preserve" text-anchor="middle" x="693" y="-985.16" font-family="Arial" font-size="9.00">[CTI] get_threat_intel</text> <text xml:space="preserve" text-anchor="middle" x="693" y="-974.66" font-family="Arial" font-size="9.00">[SIEM] get_ioc_matches</text> </g>  <g id="edge16" class="edge"> <title>SIEM_DNS->CTI_DOMAIN</title> <path fill="none" stroke="black" d="M690.06,-1090.77C690.63,-1072.18 691.33,-1049.32 691.9,-1030.57"/> <polygon fill="black" stroke="black" points="695.4,-1030.82 692.2,-1020.72 688.4,-1030.61 695.4,-1030.82"/> </g>  <g id="edge17" class="edge"> <title>SIEM_EMAIL->CTI_DOMAIN</title> <path fill="none" stroke="black" d="M787.03,-1090.77C767.81,-1071.13 743.91,-1046.71 725.01,-1027.41"/> <polygon fill="black" stroke="black" points="727.54,-1024.99 718.04,-1020.29 722.54,-1029.88 727.54,-1024.99"/> </g>  <g id="node17" class="node"> <title>CTI_THREAT</title> <path fill="none" stroke="black" d="M1003.38,-1029.21C1003.38,-1029.21 926.62,-1029.21 926.62,-1029.21 920.62,-1029.21 914.62,-1023.21 914.62,-1017.21 914.62,-1017.21 914.62,-970.21 914.62,-970.21 914.62,-964.21 920.62,-958.21 926.62,-958.21 926.62,-958.21 1003.38,-958.21 1003.38,-958.21 1009.38,-958.21 1015.38,-964.21 1015.38,-970.21 1015.38,-970.21 1015.38,-1017.21 1015.38,-1017.21 1015.38,-1023.21 1009.38,-1029.21 1003.38,-1029.21"/> <text xml:space="preserve" text-anchor="middle" x="965" y="-1016.66" font-family="Arial" font-size="9.00">Threat Intelligence</text> <text xml:space="preserve" text-anchor="middle" x="965" y="-1006.16" font-family="Arial" font-size="9.00">[CTI] get_threat_intel</text> <text xml:space="preserve" text-anchor="middle" x="965" y="-995.66" font-family="Arial" font-size="9.00">Threat actors</text> <text xml:space="preserve" text-anchor="middle" x="965" y="-985.16" font-family="Arial" font-size="9.00">Campaigns</text> <text xml:space="preserve" text-anchor="middle" x="965" y="-974.66" font-family="Arial" font-size="9.00">TTPs</text> <text xml:space="preserve" text-anchor="middle" x="965" y="-964.16" font-family="Arial" font-size="9.00">Historical data</text> </g>  <g id="edge18" class="edge"> <title>SIEM_ALERT_CORR->CTI_THREAT</title> <path fill="none" stroke="black" d="M973.82,-1090.77C972.41,-1075.4 970.73,-1057.11 969.21,-1040.63"/> <polygon fill="black" stroke="black" points="972.74,-1040.71 968.34,-1031.08 965.77,-1041.35 972.74,-1040.71"/> </g>  <g id="node18" class="node"> <title>STEP7</title> <path fill="none" stroke="black" d="M739.62,-921.21C739.62,-921.21 646.38,-921.21 646.38,-921.21 640.38,-921.21 634.38,-915.21 634.38,-909.21 634.38,-909.21 634.38,-872.71 634.38,-872.71 634.38,-866.71 640.38,-860.71 646.38,-860.71 646.38,-860.71 739.62,-860.71 739.62,-860.71 745.62,-860.71 751.62,-866.71 751.62,-872.71 751.62,-872.71 751.62,-909.21 751.62,-909.21 751.62,-915.21 745.62,-921.21 739.62,-921.21"/> <text xml:space="preserve" text-anchor="middle" x="693" y="-908.66" font-family="Arial" font-size="9.00">Step 7</text> <text xml:space="preserve" text-anchor="middle" x="693" y="-898.16" font-family="Arial" font-size="9.00">Client Infrastructure</text> <text xml:space="preserve" text-anchor="middle" x="693" y="-887.66" font-family="Arial" font-size="9.00">[KB] kb_get_client_infra</text> <text xml:space="preserve" text-anchor="middle" x="693" y="-877.16" font-family="Arial" font-size="9.00">Verify entities</text> <text xml:space="preserve" text-anchor="middle" x="693" y="-866.66" font-family="Arial" font-size="9.00">Understand attack scope</text> </g>  <g id="edge19" class="edge"> <title>CTI_HASH->STEP7</title> <path fill="none" stroke="black" d="M460.73,-957.82C466.84,-955.09 472.99,-952.51 479,-950.21 526.06,-932.25 580.9,-917.43 623.28,-907.24"/> <polygon fill="black" stroke="black" points="623.94,-910.68 632.86,-904.97 622.32,-903.87 623.94,-910.68"/> </g>  <g id="edge20" class="edge"> <title>CTI_IP->STEP7</title> <path fill="none" stroke="black" d="M586.89,-968.32C603.57,-956.32 624.03,-941.6 642.51,-928.3"/> <polygon fill="black" stroke="black" points="644.38,-931.26 650.45,-922.58 640.29,-925.58 644.38,-931.26"/> </g>  <g id="edge21" class="edge"> <title>CTI_DOMAIN->STEP7</title> <path fill="none" stroke="black" d="M693,-968.32C693,-957.64 693,-944.82 693,-932.75"/> <polygon fill="black" stroke="black" points="696.5,-933.03 693,-923.03 689.5,-933.03 696.5,-933.03"/> </g>  <g id="node16" class="node"> <title>CTI_USER</title> <path fill="none" stroke="black" d="M884.25,-1018.71C884.25,-1018.71 779.75,-1018.71 779.75,-1018.71 773.75,-1018.71 767.75,-1012.71 767.75,-1006.71 767.75,-1006.71 767.75,-980.71 767.75,-980.71 767.75,-974.71 773.75,-968.71 779.75,-968.71 779.75,-968.71 884.25,-968.71 884.25,-968.71 890.25,-968.71 896.25,-974.71 896.25,-980.71 896.25,-980.71 896.25,-1006.71 896.25,-1006.71 896.25,-1012.71 890.25,-1018.71 884.25,-1018.71"/> <text xml:space="preserve" text-anchor="middle" x="832" y="-1006.16" font-family="Arial" font-size="9.00">User Activity</text> <text xml:space="preserve" text-anchor="middle" x="832" y="-995.66" font-family="Arial" font-size="9.00">[SIEM] search_user_activity</text> <text xml:space="preserve" text-anchor="middle" x="832" y="-985.16" font-family="Arial" font-size="9.00">[SIEM] lookup_entity</text> <text xml:space="preserve" text-anchor="middle" x="832" y="-974.66" font-family="Arial" font-size="9.00">Account analysis</text> </g>  <g id="edge22" class="edge"> <title>CTI_USER->STEP7</title> <path fill="none" stroke="black" d="M798.35,-968.32C781.79,-956.32 761.48,-941.6 743.13,-928.3"/> <polygon fill="black" stroke="black" points="745.4,-925.62 735.25,-922.59 741.29,-931.29 745.4,-925.62"/> </g>  <g id="edge23" class="edge"> <title>CTI_THREAT->STEP7</title> <path fill="none" stroke="black" d="M919.13,-957.87C914.48,-955.06 909.73,-952.45 905,-950.21 859.87,-928.84 805.51,-914.1 763.13,-904.8"/> <polygon fill="black" stroke="black" points="764.07,-901.42 753.56,-902.75 762.6,-908.26 764.07,-901.42"/> </g>  <g id="node19" class="node"> <title>STEP8</title> <path fill="none" stroke="black" d="M753.5,-823.71C753.5,-823.71 632.5,-823.71 632.5,-823.71 626.5,-823.71 620.5,-817.71 620.5,-811.71 620.5,-811.71 620.5,-764.71 620.5,-764.71 620.5,-758.71 626.5,-752.71 632.5,-752.71 632.5,-752.71 753.5,-752.71 753.5,-752.71 759.5,-752.71 765.5,-758.71 765.5,-764.71 765.5,-764.71 765.5,-811.71 765.5,-811.71 765.5,-817.71 759.5,-823.71 753.5,-823.71"/> <text xml:space="preserve" text-anchor="middle" x="693" y="-811.16" font-family="Arial" font-size="9.00">Step 8</text> <text xml:space="preserve" text-anchor="middle" x="693" y="-800.66" font-family="Arial" font-size="9.00">Correlation Analysis</text> <text xml:space="preserve" text-anchor="middle" x="693" y="-790.16" font-family="Arial" font-size="9.00">[CM] link_cases</text> <text xml:space="preserve" text-anchor="middle" x="693" y="-779.66" font-family="Arial" font-size="9.00">[SIEM] get_security_alert_by_id</text> <text xml:space="preserve" text-anchor="middle" x="693" y="-769.16" font-family="Arial" font-size="9.00">[SIEM] get_alerts_by_entity</text> <text xml:space="preserve" text-anchor="middle" x="693" y="-758.66" font-family="Arial" font-size="9.00">Evidence-based connections</text> </g>  <g id="edge24" class="edge"> <title>STEP7->STEP8</title> <path fill="none" stroke="black" d="M693,-860.28C693,-852.46 693,-843.83 693,-835.36"/> <polygon fill="black" stroke="black" points="696.5,-835.52 693,-825.52 689.5,-835.52 696.5,-835.52"/> </g>  <g id="node20" class="node"> <title>STEP9</title> <path fill="none" stroke="black" d="M746.75,-715.71C746.75,-715.71 639.25,-715.71 639.25,-715.71 633.25,-715.71 627.25,-709.71 627.25,-703.71 627.25,-703.71 627.25,-667.21 627.25,-667.21 627.25,-661.21 633.25,-655.21 639.25,-655.21 639.25,-655.21 746.75,-655.21 746.75,-655.21 752.75,-655.21 758.75,-661.21 758.75,-667.21 758.75,-667.21 758.75,-703.71 758.75,-703.71 758.75,-709.71 752.75,-715.71 746.75,-715.71"/> <text xml:space="preserve" text-anchor="middle" x="693" y="-703.16" font-family="Arial" font-size="9.00">Step 9</text> <text xml:space="preserve" text-anchor="middle" x="693" y="-692.66" font-family="Arial" font-size="9.00">Attack Chain Reconstruction</text> <text xml:space="preserve" text-anchor="middle" x="693" y="-682.16" font-family="Arial" font-size="9.00">Map to MITRE ATT&CK</text> <text xml:space="preserve" text-anchor="middle" x="693" y="-671.66" font-family="Arial" font-size="9.00">Reconstruct lifecycle</text> <text xml:space="preserve" text-anchor="middle" x="693" y="-661.16" font-family="Arial" font-size="9.00">Document attack chain</text> </g>  <g id="edge25" class="edge"> <title>STEP8->STEP9</title> <path fill="none" stroke="black" d="M693,-752.26C693,-744.22 693,-735.61 693,-727.35"/> <polygon fill="black" stroke="black" points="696.5,-727.51 693,-717.51 689.5,-727.51 696.5,-727.51"/> </g>  <g id="node21" class="node"> <title>STEP10</title> <path fill="none" stroke="black" d="M753.12,-618.21C753.12,-618.21 632.88,-618.21 632.88,-618.21 626.88,-618.21 620.88,-612.21 620.88,-606.21 620.88,-606.21 620.88,-548.71 620.88,-548.71 620.88,-542.71 626.88,-536.71 632.88,-536.71 632.88,-536.71 753.12,-536.71 753.12,-536.71 759.12,-536.71 765.12,-542.71 765.12,-548.71 765.12,-548.71 765.12,-606.21 765.12,-606.21 765.12,-612.21 759.12,-618.21 753.12,-618.21"/> <text xml:space="preserve" text-anchor="middle" x="693" y="-605.66" font-family="Arial" font-size="9.00">Step 10</text> <text xml:space="preserve" text-anchor="middle" x="693" y="-595.16" font-family="Arial" font-size="9.00">Add Timeline Events</text> <text xml:space="preserve" text-anchor="middle" x="693" y="-584.66" font-family="Arial" font-size="9.00">[CM] add_case_timeline_event</text> <text xml:space="preserve" text-anchor="middle" x="693" y="-574.16" font-family="Arial" font-size="9.00">Add ALL events chronologically</text> <text xml:space="preserve" text-anchor="middle" x="693" y="-563.66" font-family="Arial" font-size="9.00">From SIEM, CTI, Correlation</text> <text xml:space="preserve" text-anchor="middle" x="693" y="-553.16" font-family="Arial" font-size="9.00">Attack chain stages</text> <text xml:space="preserve" text-anchor="middle" x="693" y="-542.66" font-family="Arial" font-size="9.00">Link to IOCs/Assets</text> </g>  <g id="edge26" class="edge"> <title>STEP9->STEP10</title> <path fill="none" stroke="black" d="M693,-654.93C693,-647.1 693,-638.4 693,-629.77"/> <polygon fill="black" stroke="black" points="696.5,-630.04 693,-620.04 689.5,-630.04 696.5,-630.04"/> </g>  <g id="node22" class="node"> <title>STEP11</title> <path fill="none" stroke="black" d="M756.12,-499.71C756.12,-499.71 629.88,-499.71 629.88,-499.71 623.88,-499.71 617.88,-493.71 617.88,-487.71 617.88,-487.71 617.88,-388.21 617.88,-388.21 617.88,-382.21 623.88,-376.21 629.88,-376.21 629.88,-376.21 756.12,-376.21 756.12,-376.21 762.12,-376.21 768.12,-382.21 768.12,-388.21 768.12,-388.21 768.12,-487.71 768.12,-487.71 768.12,-493.71 762.12,-499.71 756.12,-499.71"/> <text xml:space="preserve" text-anchor="middle" x="693" y="-487.16" font-family="Arial" font-size="9.00">Step 11</text> <text xml:space="preserve" text-anchor="middle" x="693" y="-476.66" font-family="Arial" font-size="9.00">Add IOCs, Assets, Notes</text> <text xml:space="preserve" text-anchor="middle" x="693" y="-466.16" font-family="Arial" font-size="9.00">Evidences, Tasks</text> <text xml:space="preserve" text-anchor="middle" x="693" y="-455.66" font-family="Arial" font-size="9.00">[CM] attach_observable_to_case</text> <text xml:space="preserve" text-anchor="middle" x="693" y="-445.16" font-family="Arial" font-size="9.00">(hashes, IPs, domains, URLs)</text> <text xml:space="preserve" text-anchor="middle" x="693" y="-434.66" font-family="Arial" font-size="9.00">[CM] add_case_asset</text> <text xml:space="preserve" text-anchor="middle" x="693" y="-424.16" font-family="Arial" font-size="9.00">(endpoints, servers, users)</text> <text xml:space="preserve" text-anchor="middle" x="693" y="-413.66" font-family="Arial" font-size="9.00">[CM] add_case_comment</text> <text xml:space="preserve" text-anchor="middle" x="693" y="-403.16" font-family="Arial" font-size="9.00">[CM] add_case_evidence</text> <text xml:space="preserve" text-anchor="middle" x="693" y="-392.66" font-family="Arial" font-size="9.00">[CM] add_case_task</text> <text xml:space="preserve" text-anchor="middle" x="693" y="-382.16" font-family="Arial" font-size="9.00">(AI + Human tasks)</text> </g>  <g id="edge27" class="edge"> <title>STEP10->STEP11</title> <path fill="none" stroke="black" d="M693,-536.32C693,-528.44 693,-519.95 693,-511.38"/> <polygon fill="black" stroke="black" points="696.5,-511.63 693,-501.63 689.5,-511.63 696.5,-511.63"/> </g>  <g id="node23" class="node"> <title>STEP12</title> <path fill="none" stroke="black" d="M755,-339.21C755,-339.21 631,-339.21 631,-339.21 625,-339.21 619,-333.21 619,-327.21 619,-327.21 619,-259.21 619,-259.21 619,-253.21 625,-247.21 631,-247.21 631,-247.21 755,-247.21 755,-247.21 761,-247.21 767,-253.21 767,-259.21 767,-259.21 767,-327.21 767,-327.21 767,-333.21 761,-339.21 755,-339.21"/> <text xml:space="preserve" text-anchor="middle" x="693" y="-326.66" font-family="Arial" font-size="9.00">Step 12</text> <text xml:space="preserve" text-anchor="middle" x="693" y="-316.16" font-family="Arial" font-size="9.00">Containment Recommendations</text> <text xml:space="preserve" text-anchor="middle" x="693" y="-305.66" font-family="Arial" font-size="9.00">[CM] add_case_task</text> <text xml:space="preserve" text-anchor="middle" x="693" y="-295.16" font-family="Arial" font-size="9.00">(SOC3 containment task)</text> <text xml:space="preserve" text-anchor="middle" x="693" y="-284.66" font-family="Arial" font-size="9.00">Endpoint isolation</text> <text xml:space="preserve" text-anchor="middle" x="693" y="-274.16" font-family="Arial" font-size="9.00">Process termination</text> <text xml:space="preserve" text-anchor="middle" x="693" y="-263.66" font-family="Arial" font-size="9.00">Network blocking</text> <text xml:space="preserve" text-anchor="middle" x="693" y="-253.16" font-family="Arial" font-size="9.00">Forensic priorities</text> </g>  <g id="edge28" class="edge"> <title>STEP11->STEP12</title> <path fill="none" stroke="black" d="M693,-376.01C693,-367.66 693,-359.13 693,-350.86"/> <polygon fill="black" stroke="black" points="696.5,-350.93 693,-340.93 689.5,-350.93 696.5,-350.93"/> </g>  <g id="node24" class="node"> <title>STEP13</title> <path fill="none" stroke="black" d="M756.12,-210.21C756.12,-210.21 629.88,-210.21 629.88,-210.21 623.88,-210.21 617.88,-204.21 617.88,-198.21 617.88,-198.21 617.88,-119.71 617.88,-119.71 617.88,-113.71 623.88,-107.71 629.88,-107.71 629.88,-107.71 756.12,-107.71 756.12,-107.71 762.12,-107.71 768.12,-113.71 768.12,-119.71 768.12,-119.71 768.12,-198.21 768.12,-198.21 768.12,-204.21 762.12,-210.21 756.12,-210.21"/> <text xml:space="preserve" text-anchor="middle" x="693" y="-197.66" font-family="Arial" font-size="9.00">Step 13</text> <text xml:space="preserve" text-anchor="middle" x="693" y="-187.16" font-family="Arial" font-size="9.00">Final Case Update</text> <text xml:space="preserve" text-anchor="middle" x="693" y="-176.66" font-family="Arial" font-size="9.00">[CM] update_case_status</text> <text xml:space="preserve" text-anchor="middle" x="693" y="-166.16" font-family="Arial" font-size="9.00">(Update status & priority)</text> <text xml:space="preserve" text-anchor="middle" x="693" y="-155.66" font-family="Arial" font-size="9.00">[CM] add_case_comment</text> <text xml:space="preserve" text-anchor="middle" x="693" y="-145.16" font-family="Arial" font-size="9.00">(Investigation summary)</text> <text xml:space="preserve" text-anchor="middle" x="693" y="-134.66" font-family="Arial" font-size="9.00">[CM] attach_observable_to_case</text> <text xml:space="preserve" text-anchor="middle" x="693" y="-124.16" font-family="Arial" font-size="9.00">[CM] add_case_asset</text> <text xml:space="preserve" text-anchor="middle" x="693" y="-113.66" font-family="Arial" font-size="9.00">Ready for SOC3 escalation</text> </g>  <g id="edge29" class="edge"> <title>STEP12->STEP13</title> <path fill="none" stroke="black" d="M693,-247.07C693,-238.94 693,-230.34 693,-221.83"/> <polygon fill="black" stroke="black" points="696.5,-221.86 693,-211.86 689.5,-221.86 696.5,-221.86"/> </g>  <g id="node25" class="node"> <title>END</title> <ellipse fill="lightgreen" stroke="black" cx="693" cy="-35.36" rx="102" ry="35.36"/> <text xml:space="preserve" text-anchor="middle" x="693" y="-47.81" font-family="Arial" font-size="9.00">END</text> <text xml:space="preserve" text-anchor="middle" x="693" y="-37.31" font-family="Arial" font-size="9.00">Case Ready for SOC3</text> <text xml:space="preserve" text-anchor="middle" x="693" y="-26.81" font-family="Arial" font-size="9.00">All tasks completed</text> <text xml:space="preserve" text-anchor="middle" x="693" y="-16.31" font-family="Arial" font-size="9.00">Comprehensive documentation</text> </g>  <g id="edge30" class="edge"> <title>STEP13->END</title> <path fill="none" stroke="black" d="M693,-107.45C693,-99.11 693,-90.5 693,-82.28"/> <polygon fill="black" stroke="black" points="696.5,-82.51 693,-72.51 689.5,-82.51 696.5,-82.51"/> </g>  <g id="node26" class="node"> <title>LEGEND_SIEM</title> <path fill="none" stroke="black" d="M903.12,-1801.82C903.12,-1801.82 800.88,-1801.82 800.88,-1801.82 794.88,-1801.82 788.88,-1795.82 788.88,-1789.82 788.88,-1789.82 788.88,-1774.32 788.88,-1774.32 788.88,-1768.32 794.88,-1762.32 800.88,-1762.32 800.88,-1762.32 903.12,-1762.32 903.12,-1762.32 909.12,-1762.32 915.12,-1768.32 915.12,-1774.32 915.12,-1774.32 915.12,-1789.82 915.12,-1789.82 915.12,-1795.82 909.12,-1801.82 903.12,-1801.82"/> <text xml:space="preserve" text-anchor="middle" x="852" y="-1789.27" font-family="Arial" font-size="9.00">[SIEM] SIEM Tools</text> <text xml:space="preserve" text-anchor="middle" x="852" y="-1778.77" font-family="Arial" font-size="9.00">Advanced Elastic Querying</text> <text xml:space="preserve" text-anchor="middle" x="852" y="-1768.27" font-family="Arial" font-size="9.00">Deep Event Analysis</text> </g>  <g id="node27" class="node"> <title>LEGEND_CASE</title> <path fill="none" stroke="black" d="M909.5,-1692.21C909.5,-1692.21 794.5,-1692.21 794.5,-1692.21 788.5,-1692.21 782.5,-1686.21 782.5,-1680.21 782.5,-1680.21 782.5,-1668.21 782.5,-1668.21 782.5,-1662.21 788.5,-1656.21 794.5,-1656.21 794.5,-1656.21 909.5,-1656.21 909.5,-1656.21 915.5,-1656.21 921.5,-1662.21 921.5,-1668.21 921.5,-1668.21 921.5,-1680.21 921.5,-1680.21 921.5,-1686.21 915.5,-1692.21 909.5,-1692.21"/> <text xml:space="preserve" text-anchor="middle" x="852" y="-1676.16" font-family="Arial" font-size="9.00">[CM] Case Management Tools</text> <text xml:space="preserve" text-anchor="middle" x="852" y="-1665.66" font-family="Arial" font-size="9.00">Case Operations & Tracking</text> </g>   <g id="node28" class="node"> <title>LEGEND_CTI</title> <path fill="none" stroke="black" d="M885.88,-1589.46C885.88,-1589.46 818.12,-1589.46 818.12,-1589.46 812.12,-1589.46 806.12,-1583.46 806.12,-1577.46 806.12,-1577.46 806.12,-1565.46 806.12,-1565.46 806.12,-1559.46 812.12,-1553.46 818.12,-1553.46 818.12,-1553.46 885.88,-1553.46 885.88,-1553.46 891.88,-1553.46 897.88,-1559.46 897.88,-1565.46 897.88,-1565.46 897.88,-1577.46 897.88,-1577.46 897.88,-1583.46 891.88,-1589.46 885.88,-1589.46"/> <text xml:space="preserve" text-anchor="middle" x="852" y="-1573.41" font-family="Arial" font-size="9.00">[CTI] CTI Tools</text> <text xml:space="preserve" text-anchor="middle" x="852" y="-1562.91" font-family="Arial" font-size="9.00">Threat Intelligence</text> </g>   <g id="node29" class="node"> <title>LEGEND_KB</title> <path fill="none" stroke="black" d="M882.88,-1476.21C882.88,-1476.21 821.12,-1476.21 821.12,-1476.21 815.12,-1476.21 809.12,-1470.21 809.12,-1464.21 809.12,-1464.21 809.12,-1452.21 809.12,-1452.21 809.12,-1446.21 815.12,-1440.21 821.12,-1440.21 821.12,-1440.21 882.88,-1440.21 882.88,-1440.21 888.88,-1440.21 894.88,-1446.21 894.88,-1452.21 894.88,-1452.21 894.88,-1464.21 894.88,-1464.21 894.88,-1470.21 888.88,-1476.21 882.88,-1476.21"/> <text xml:space="preserve" text-anchor="middle" x="852" y="-1460.16" font-family="Arial" font-size="9.00">[KB] KB Tools</text> <text xml:space="preserve" text-anchor="middle" x="852" y="-1449.66" font-family="Arial" font-size="9.00">Knowledge Base</text> </g>  </g> </svg>

Loading blob content...

Latest Blog Posts

Don't Use Large Strings as Cache Keys
By punkpeye on January 11, 2026.
markdown
node-js
cache
What are Claude Skills?
By punkpeye on January 10, 2026.
mcp
skills
How to Test MCP Streamable HTTP Endpoints Using cURL
By punkpeye on January 2, 2026.
tutorial
bash

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/M507/AI-SOC-Agent'

If you have feedback or need assistance with the MCP directory API, please join our Discord server

case_analysis.svg•47.1 kB