SamiGPT

Overview Schema Related Servers Score Discussions

AI-SOC-Agent
execution_flow

initial_alert_triage.svg•55.8 kB

<?xml version="1.0" encoding="UTF-8" standalone="no"?> <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">   <svg width="3734pt" height="794pt" viewBox="0.00 0.00 3734.00 794.00" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"> <g id="graph0" class="graph" transform="scale(1 1) rotate(0) translate(4 790.2)"> <title>InitialAlertTriage</title> <polygon fill="white" stroke="none" points="-4,4 -4,-790.2 3729.77,-790.2 3729.77,4 -4,4"/> <g id="clust1" class="cluster"> <title>cluster_siem_investigation</title> <polygon fill="lightcyan" stroke="black" points="1500.31,-114 1500.31,-600 1707.56,-600 1707.56,-114 1500.31,-114"/> <text xml:space="preserve" text-anchor="middle" x="1603.94" y="-585.55" font-family="Times,serif" font-size="11.00">Step 8: Parallel Investigation - SIEM Tools</text> </g> <g id="clust2" class="cluster"> <title>cluster_case_mgmt</title> <polygon fill="lightpink" stroke="black" points="1507.44,-8 1507.44,-106 1700.44,-106 1700.44,-8 1507.44,-8"/> <text xml:space="preserve" text-anchor="middle" x="1603.94" y="-91.55" font-family="Times,serif" font-size="11.00">Step 8: Case Management Investigation</text> </g> <g id="clust3" class="cluster"> <title>cluster_legend</title> <polygon fill="none" stroke="black" stroke-dasharray="5,2" points="8,-524 8,-598 1365.84,-598 1365.84,-524 8,-524"/> <text xml:space="preserve" text-anchor="middle" x="686.92" y="-583.55" font-family="Times,serif" font-size="11.00">Legend - Tool Categories</text> </g>  <g id="node1" class="node"> <title>START</title> <ellipse fill="lightgreen" stroke="black" cx="92.62" cy="-385" rx="61.7" ry="20.51"/> <text xml:space="preserve" text-anchor="middle" x="92.62" y="-386.95" font-family="Arial" font-size="9.00">START</text> <text xml:space="preserve" text-anchor="middle" x="92.62" y="-376.45" font-family="Arial" font-size="9.00">Get Recent Alerts</text> </g>  <g id="node2" class="node"> <title>STEP1</title> <path fill="none" stroke="black" d="M321.62,-404.75C321.62,-404.75 229.88,-404.75 229.88,-404.75 223.88,-404.75 217.88,-398.75 217.88,-392.75 217.88,-392.75 217.88,-377.25 217.88,-377.25 217.88,-371.25 223.88,-365.25 229.88,-365.25 229.88,-365.25 321.62,-365.25 321.62,-365.25 327.62,-365.25 333.62,-371.25 333.62,-377.25 333.62,-377.25 333.62,-392.75 333.62,-392.75 333.62,-398.75 327.62,-404.75 321.62,-404.75"/> <text xml:space="preserve" text-anchor="middle" x="275.75" y="-392.2" font-family="Arial" font-size="9.00">Step 1</text> <text xml:space="preserve" text-anchor="middle" x="275.75" y="-381.7" font-family="Arial" font-size="9.00">Get Recent Alerts</text> <text xml:space="preserve" text-anchor="middle" x="275.75" y="-371.2" font-family="Arial" font-size="9.00">[SIEM] get_recent_alerts</text> </g>  <g id="edge1" class="edge"> <title>START->STEP1</title> <path fill="none" stroke="black" d="M154.69,-385C171.22,-385 189.21,-385 206.11,-385"/> <polygon fill="black" stroke="black" points="206.1,-388.5 216.1,-385 206.1,-381.5 206.1,-388.5"/> </g>  <g id="node3" class="node"> <title>STEP2</title> <path fill="none" stroke="black" d="M516.75,-415.25C516.75,-415.25 394.25,-415.25 394.25,-415.25 388.25,-415.25 382.25,-409.25 382.25,-403.25 382.25,-403.25 382.25,-366.75 382.25,-366.75 382.25,-360.75 388.25,-354.75 394.25,-354.75 394.25,-354.75 516.75,-354.75 516.75,-354.75 522.75,-354.75 528.75,-360.75 528.75,-366.75 528.75,-366.75 528.75,-403.25 528.75,-403.25 528.75,-409.25 522.75,-415.25 516.75,-415.25"/> <text xml:space="preserve" text-anchor="middle" x="455.5" y="-402.7" font-family="Arial" font-size="9.00">Step 2</text> <text xml:space="preserve" text-anchor="middle" x="455.5" y="-392.2" font-family="Arial" font-size="9.00">Retrieve Alert Details</text> <text xml:space="preserve" text-anchor="middle" x="455.5" y="-381.7" font-family="Arial" font-size="9.00">[SIEM] get_security_alert_by_id</text> <text xml:space="preserve" text-anchor="middle" x="455.5" y="-371.2" font-family="Arial" font-size="9.00">CRITICAL: Examine events field</text> <text xml:space="preserve" text-anchor="middle" x="455.5" y="-360.7" font-family="Arial" font-size="9.00">(actual triggering events)</text> </g>  <g id="edge2" class="edge"> <title>STEP1->STEP2</title> <path fill="none" stroke="black" d="M333.97,-385C345.62,-385 358.12,-385 370.48,-385"/> <polygon fill="black" stroke="black" points="370.26,-388.5 380.26,-385 370.26,-381.5 370.26,-388.5"/> </g>  <g id="node4" class="node"> <title>STEP3</title> <path fill="none" stroke="black" d="M757.03,-456.75C757.03,-456.75 652.53,-456.75 652.53,-456.75 646.53,-456.75 640.53,-450.75 640.53,-444.75 640.53,-444.75 640.53,-429.25 640.53,-429.25 640.53,-423.25 646.53,-417.25 652.53,-417.25 652.53,-417.25 757.03,-417.25 757.03,-417.25 763.03,-417.25 769.03,-423.25 769.03,-429.25 769.03,-429.25 769.03,-444.75 769.03,-444.75 769.03,-450.75 763.03,-456.75 757.03,-456.75"/> <text xml:space="preserve" text-anchor="middle" x="704.78" y="-444.2" font-family="Arial" font-size="9.00">Step 3</text> <text xml:space="preserve" text-anchor="middle" x="704.78" y="-433.7" font-family="Arial" font-size="9.00">Set Verdict in-progress</text> <text xml:space="preserve" text-anchor="middle" x="704.78" y="-423.2" font-family="Arial" font-size="9.00">[SIEM] update_alert_verdict</text> </g>  <g id="edge4" class="edge"> <title>STEP2->STEP3</title> <path fill="none" stroke="black" d="M529.02,-400.25C560.51,-406.87 597.37,-414.62 629.09,-421.29"/> <polygon fill="black" stroke="black" points="628.1,-424.66 638.6,-423.29 629.54,-417.81 628.1,-424.66"/> <text xml:space="preserve" text-anchor="middle" x="565.5" y="-413.15" font-family="Arial" font-size="8.00">No Verdict</text> </g>  <g id="node25" class="node"> <title>END_VERDICT</title> <ellipse fill="lightgray" stroke="black" cx="704.78" cy="-364" rx="102.53" ry="35.36"/> <text xml:space="preserve" text-anchor="middle" x="704.78" y="-376.45" font-family="Arial" font-size="9.00">END</text> <text xml:space="preserve" text-anchor="middle" x="704.78" y="-365.95" font-family="Arial" font-size="9.00">Already Investigated</text> <text xml:space="preserve" text-anchor="middle" x="704.78" y="-355.45" font-family="Arial" font-size="9.00">[SIEM] get_security_alert_by_id</text> <text xml:space="preserve" text-anchor="middle" x="704.78" y="-344.95" font-family="Arial" font-size="9.00">(check verdict field)</text> </g>  <g id="edge3" class="edge"> <title>STEP2->END_VERDICT</title> <path fill="none" stroke="orange" stroke-width="2" stroke-dasharray="5,2" d="M529.02,-378.84C548.82,-377.16 570.75,-375.3 592.19,-373.48"/> <polygon fill="orange" stroke="orange" stroke-width="2" points="592.4,-376.97 602.07,-372.64 591.81,-370 592.4,-376.97"/> <text xml:space="preserve" text-anchor="middle" x="565.5" y="-388.9" font-family="Arial" font-size="8.00">Verdict</text> <text xml:space="preserve" text-anchor="middle" x="565.5" y="-379.15" font-family="Arial" font-size="8.00">Exists</text> </g>  <g id="node5" class="node"> <title>QUICK_ASSESS</title> <polygon fill="lightyellow" stroke="black" points="958.56,-497.5 844.31,-437 958.56,-376.5 1072.81,-437 958.56,-497.5"/> <text xml:space="preserve" text-anchor="middle" x="958.56" y="-454.7" font-family="Arial" font-size="9.00">Step 4</text> <text xml:space="preserve" text-anchor="middle" x="958.56" y="-444.2" font-family="Arial" font-size="9.00">Quick Assessment</text> <text xml:space="preserve" text-anchor="middle" x="958.56" y="-433.7" font-family="Arial" font-size="9.00">[KB] kb_list_clients</text> <text xml:space="preserve" text-anchor="middle" x="958.56" y="-423.2" font-family="Arial" font-size="9.00">[KB] kb_get_client_infra</text> <text xml:space="preserve" text-anchor="middle" x="958.56" y="-412.7" font-family="Arial" font-size="9.00">[SIEM] get_ioc_matches</text> </g>  <g id="edge5" class="edge"> <title>STEP3->QUICK_ASSESS</title> <path fill="none" stroke="black" d="M769.32,-437C788.54,-437 810.37,-437 832.17,-437"/> <polygon fill="black" stroke="black" points="832.05,-440.5 842.05,-437 832.05,-433.5 832.05,-440.5"/> </g>  <g id="node6" class="node"> <title>STEP4_CLOSE</title> <path fill="none" stroke="black" d="M1348.06,-499C1348.06,-499 1243.56,-499 1243.56,-499 1237.56,-499 1231.56,-493 1231.56,-487 1231.56,-487 1231.56,-461 1231.56,-461 1231.56,-455 1237.56,-449 1243.56,-449 1243.56,-449 1348.06,-449 1348.06,-449 1354.06,-449 1360.06,-455 1360.06,-461 1360.06,-461 1360.06,-487 1360.06,-487 1360.06,-493 1354.06,-499 1348.06,-499"/> <text xml:space="preserve" text-anchor="middle" x="1295.81" y="-486.45" font-family="Arial" font-size="9.00">Step 4.3</text> <text xml:space="preserve" text-anchor="middle" x="1295.81" y="-475.95" font-family="Arial" font-size="9.00">Direct Closure Actions</text> <text xml:space="preserve" text-anchor="middle" x="1295.81" y="-465.45" font-family="Arial" font-size="9.00">[SIEM] add_alert_note</text> <text xml:space="preserve" text-anchor="middle" x="1295.81" y="-454.95" font-family="Arial" font-size="9.00">[SIEM] update_alert_verdict</text> </g>  <g id="edge6" class="edge"> <title>QUICK_ASSESS->STEP4_CLOSE</title> <path fill="none" stroke="green" stroke-width="2" stroke-dasharray="5,2" d="M1053.84,-447.41C1105.84,-453.14 1169.57,-460.18 1218.43,-465.57"/> <polygon fill="green" stroke="green" stroke-width="2" points="1217.82,-469.02 1228.14,-466.64 1218.59,-462.07 1217.82,-469.02"/> <text xml:space="preserve" text-anchor="middle" x="1115.19" y="-468.51" font-family="Arial" font-size="8.00">FP/BTP</text> <text xml:space="preserve" text-anchor="middle" x="1115.19" y="-458.76" font-family="Arial" font-size="8.00">Close Directly</text> </g>  <g id="node7" class="node"> <title>CASE_STRATEGY</title> <polygon fill="lightyellow" stroke="black" points="1295.81,-423.5 1157.56,-363 1295.81,-302.5 1434.06,-363 1295.81,-423.5"/> <text xml:space="preserve" text-anchor="middle" x="1295.81" y="-380.7" font-family="Arial" font-size="9.00">Step 5</text> <text xml:space="preserve" text-anchor="middle" x="1295.81" y="-370.2" font-family="Arial" font-size="9.00">Case Strategy</text> <text xml:space="preserve" text-anchor="middle" x="1295.81" y="-359.7" font-family="Arial" font-size="9.00">[CM] search_cases</text> <text xml:space="preserve" text-anchor="middle" x="1295.81" y="-349.2" font-family="Arial" font-size="9.00">Prefer Existing Related Cases</text> <text xml:space="preserve" text-anchor="middle" x="1295.81" y="-338.7" font-family="Arial" font-size="9.00">(Host/User/Type/Time)</text> </g>  <g id="edge8" class="edge"> <title>QUICK_ASSESS->CASE_STRATEGY</title> <path fill="none" stroke="black" d="M1039.86,-419.28C1085.52,-409.2 1143.16,-396.47 1192.08,-385.68"/> <polygon fill="black" stroke="black" points="1192.53,-389.16 1201.54,-383.59 1191.02,-382.32 1192.53,-389.16"/> <text xml:space="preserve" text-anchor="middle" x="1115.19" y="-418.53" font-family="Arial" font-size="8.00">Needs</text> <text xml:space="preserve" text-anchor="middle" x="1115.19" y="-408.78" font-family="Arial" font-size="8.00">Investigation</text> </g>  <g id="node26" class="node"> <title>END_FP_DIRECT</title> <ellipse fill="lightgreen" stroke="black" cx="1603.44" cy="-736" rx="90.86" ry="50.2"/> <text xml:space="preserve" text-anchor="middle" x="1603.44" y="-758.95" font-family="Arial" font-size="9.00">END</text> <text xml:space="preserve" text-anchor="middle" x="1603.44" y="-748.45" font-family="Arial" font-size="9.00">Closed Directly</text> <text xml:space="preserve" text-anchor="middle" x="1603.44" y="-737.95" font-family="Arial" font-size="9.00">(No Case)</text> <text xml:space="preserve" text-anchor="middle" x="1603.44" y="-727.45" font-family="Arial" font-size="9.00">[SIEM] add_alert_note</text> <text xml:space="preserve" text-anchor="middle" x="1603.44" y="-716.95" font-family="Arial" font-size="9.00">[SIEM] update_alert_verdict</text> <text xml:space="preserve" text-anchor="middle" x="1603.44" y="-706.45" font-family="Arial" font-size="9.00">[ENG] Recommendations</text> </g>  <g id="edge7" class="edge"> <title>STEP4_CLOSE->END_FP_DIRECT</title> <path fill="none" stroke="black" d="M1360.53,-481.28C1386.8,-487.49 1415.4,-498.92 1434.06,-520 1460.52,-549.89 1436.29,-571.32 1452.06,-608 1466.84,-642.38 1472.73,-651.71 1500.31,-677 1507.98,-684.04 1516.64,-690.6 1525.58,-696.61"/> <polygon fill="black" stroke="black" points="1523.4,-699.37 1533.7,-701.85 1527.19,-693.49 1523.4,-699.37"/> </g>  <g id="node8" class="node"> <title>STEP5_DUP</title> <path fill="none" stroke="black" d="M1655.69,-668.25C1655.69,-668.25 1551.19,-668.25 1551.19,-668.25 1545.19,-668.25 1539.19,-662.25 1539.19,-656.25 1539.19,-656.25 1539.19,-619.75 1539.19,-619.75 1539.19,-613.75 1545.19,-607.75 1551.19,-607.75 1551.19,-607.75 1655.69,-607.75 1655.69,-607.75 1661.69,-607.75 1667.69,-613.75 1667.69,-619.75 1667.69,-619.75 1667.69,-656.25 1667.69,-656.25 1667.69,-662.25 1661.69,-668.25 1655.69,-668.25"/> <text xml:space="preserve" text-anchor="middle" x="1603.44" y="-655.7" font-family="Arial" font-size="9.00">Step 5.3</text> <text xml:space="preserve" text-anchor="middle" x="1603.44" y="-645.2" font-family="Arial" font-size="9.00">Handle Exact Duplicate</text> <text xml:space="preserve" text-anchor="middle" x="1603.44" y="-634.7" font-family="Arial" font-size="9.00">[CM] add_case_comment</text> <text xml:space="preserve" text-anchor="middle" x="1603.44" y="-624.2" font-family="Arial" font-size="9.00">[SIEM] add_alert_note</text> <text xml:space="preserve" text-anchor="middle" x="1603.44" y="-613.7" font-family="Arial" font-size="9.00">[SIEM] update_alert_verdict</text> </g>  <g id="edge9" class="edge"> <title>CASE_STRATEGY->STEP5_DUP</title> <path fill="none" stroke="orange" stroke-width="2" stroke-dasharray="5,2" d="M1370.23,-391.18C1393.4,-403.19 1417.31,-419.29 1434.06,-440 1451.04,-460.98 1442.45,-472.78 1452.06,-498 1453.21,-501.02 1497.91,-601.84 1500.31,-604 1508.02,-610.93 1517.17,-616.45 1526.8,-620.85"/> <polygon fill="orange" stroke="orange" stroke-width="2" points="1525.31,-624.03 1535.89,-624.54 1527.94,-617.54 1525.31,-624.03"/> <text xml:space="preserve" text-anchor="middle" x="1471.19" y="-595.19" font-family="Arial" font-size="8.00">Exact</text> <text xml:space="preserve" text-anchor="middle" x="1471.19" y="-585.44" font-family="Arial" font-size="8.00">Duplicate</text> </g>  <g id="node9" class="node"> <title>KB_CHECK</title> <path fill="none" stroke="black" d="M1647.81,-570.5C1647.81,-570.5 1559.06,-570.5 1559.06,-570.5 1553.06,-570.5 1547.06,-564.5 1547.06,-558.5 1547.06,-558.5 1547.06,-511.5 1547.06,-511.5 1547.06,-505.5 1553.06,-499.5 1559.06,-499.5 1559.06,-499.5 1647.81,-499.5 1647.81,-499.5 1653.81,-499.5 1659.81,-505.5 1659.81,-511.5 1659.81,-511.5 1659.81,-558.5 1659.81,-558.5 1659.81,-564.5 1653.81,-570.5 1647.81,-570.5"/> <text xml:space="preserve" text-anchor="middle" x="1603.44" y="-557.95" font-family="Arial" font-size="9.00">Step 8.1</text> <text xml:space="preserve" text-anchor="middle" x="1603.44" y="-547.45" font-family="Arial" font-size="9.00">KB Verification</text> <text xml:space="preserve" text-anchor="middle" x="1603.44" y="-536.95" font-family="Arial" font-size="9.00">Extract entities from</text> <text xml:space="preserve" text-anchor="middle" x="1603.44" y="-526.45" font-family="Arial" font-size="9.00">events field (Step 2)</text> <text xml:space="preserve" text-anchor="middle" x="1603.44" y="-515.95" font-family="Arial" font-size="9.00">[KB] kb_list_clients</text> <text xml:space="preserve" text-anchor="middle" x="1603.44" y="-505.45" font-family="Arial" font-size="9.00">[KB] kb_get_client_infra</text> </g>  <g id="edge11" class="edge"> <title>CASE_STRATEGY->KB_CHECK</title> <path fill="none" stroke="black" stroke-width="2" d="M1359.78,-395.83C1383.51,-408.85 1410.46,-424.42 1434.06,-440 1465.07,-460.48 1468.28,-472.17 1500.31,-491 1511.62,-497.65 1524.13,-503.87 1536.39,-509.42"/> <polygon fill="black" stroke="black" stroke-width="2" points="1533.28,-511.87 1543.84,-512.7 1536.1,-505.47 1533.28,-511.87"/> <text xml:space="preserve" text-anchor="middle" x="1471.19" y="-486.65" font-family="Arial" font-size="8.00">Investigate</text> </g>  <g id="node10" class="node"> <title>IOC_CHECK</title> <path fill="none" stroke="black" d="M1648.56,-481.75C1648.56,-481.75 1558.31,-481.75 1558.31,-481.75 1552.31,-481.75 1546.31,-475.75 1546.31,-469.75 1546.31,-469.75 1546.31,-454.25 1546.31,-454.25 1546.31,-448.25 1552.31,-442.25 1558.31,-442.25 1558.31,-442.25 1648.56,-442.25 1648.56,-442.25 1654.56,-442.25 1660.56,-448.25 1660.56,-454.25 1660.56,-454.25 1660.56,-469.75 1660.56,-469.75 1660.56,-475.75 1654.56,-481.75 1648.56,-481.75"/> <text xml:space="preserve" text-anchor="middle" x="1603.44" y="-469.2" font-family="Arial" font-size="9.00">Step 8.2</text> <text xml:space="preserve" text-anchor="middle" x="1603.44" y="-458.7" font-family="Arial" font-size="9.00">IOC Check</text> <text xml:space="preserve" text-anchor="middle" x="1603.44" y="-448.2" font-family="Arial" font-size="9.00">[SIEM] get_ioc_matches</text> </g>  <g id="edge12" class="edge"> <title>CASE_STRATEGY->IOC_CHECK</title> <path fill="none" stroke="black" stroke-width="2" d="M1372.83,-390.25C1410.93,-403.63 1457.89,-419.69 1500.31,-433 1511.44,-436.49 1523.31,-440.03 1534.86,-443.38"/> <polygon fill="black" stroke="black" stroke-width="2" points="1532.33,-446.29 1542.91,-445.68 1534.26,-439.56 1532.33,-446.29"/> <text xml:space="preserve" text-anchor="middle" x="1471.19" y="-431.66" font-family="Arial" font-size="8.00">Investigate</text> </g>  <g id="node11" class="node"> <title>SIEM_SEARCH</title> <path fill="none" stroke="black" d="M1671.06,-424C1671.06,-424 1535.81,-424 1535.81,-424 1529.81,-424 1523.81,-418 1523.81,-412 1523.81,-412 1523.81,-302 1523.81,-302 1523.81,-296 1529.81,-290 1535.81,-290 1535.81,-290 1671.06,-290 1671.06,-290 1677.06,-290 1683.06,-296 1683.06,-302 1683.06,-302 1683.06,-412 1683.06,-412 1683.06,-418 1677.06,-424 1671.06,-424"/> <text xml:space="preserve" text-anchor="middle" x="1603.44" y="-411.45" font-family="Arial" font-size="9.00">Step 8.3</text> <text xml:space="preserve" text-anchor="middle" x="1603.44" y="-400.95" font-family="Arial" font-size="9.00">SIEM Search</text> <text xml:space="preserve" text-anchor="middle" x="1603.44" y="-390.45" font-family="Arial" font-size="9.00">CRITICAL: Use events from</text> <text xml:space="preserve" text-anchor="middle" x="1603.44" y="-379.95" font-family="Arial" font-size="9.00">Step 2 first</text> <text xml:space="preserve" text-anchor="middle" x="1603.44" y="-369.45" font-family="Arial" font-size="9.00">[SIEM] get_siem_event_by_id</text> <text xml:space="preserve" text-anchor="middle" x="1603.44" y="-358.95" font-family="Arial" font-size="9.00">[SIEM] search_security_events</text> <text xml:space="preserve" text-anchor="middle" x="1603.44" y="-348.45" font-family="Arial" font-size="9.00">[SIEM] get_network_events</text> <text xml:space="preserve" text-anchor="middle" x="1603.44" y="-337.95" font-family="Arial" font-size="9.00">[SIEM] get_dns_events</text> <text xml:space="preserve" text-anchor="middle" x="1603.44" y="-327.45" font-family="Arial" font-size="9.00">[SIEM] get_email_events</text> <text xml:space="preserve" text-anchor="middle" x="1603.44" y="-316.95" font-family="Arial" font-size="9.00">[SIEM] get_alerts_by_entity</text> <text xml:space="preserve" text-anchor="middle" x="1603.44" y="-306.45" font-family="Arial" font-size="9.00">[SIEM] get_alerts_by_time_window</text> <text xml:space="preserve" text-anchor="middle" x="1603.44" y="-295.95" font-family="Arial" font-size="9.00">[SIEM] lookup_entity</text> </g>  <g id="edge13" class="edge"> <title>CASE_STRATEGY->SIEM_SEARCH</title> <path fill="none" stroke="black" stroke-width="2" d="M1429.09,-360.4C1457.19,-359.85 1486.24,-359.28 1512.34,-358.77"/> <polygon fill="black" stroke="black" stroke-width="2" points="1510.76,-362.3 1520.69,-358.6 1510.62,-355.3 1510.76,-362.3"/> <text xml:space="preserve" text-anchor="middle" x="1471.19" y="-361.97" font-family="Arial" font-size="8.00">Investigate</text> </g>  <g id="node12" class="node"> <title>ENRICHMENT</title> <path fill="none" stroke="black" d="M1660.19,-271.75C1660.19,-271.75 1546.69,-271.75 1546.69,-271.75 1540.69,-271.75 1534.69,-265.75 1534.69,-259.75 1534.69,-259.75 1534.69,-202.25 1534.69,-202.25 1534.69,-196.25 1540.69,-190.25 1546.69,-190.25 1546.69,-190.25 1660.19,-190.25 1660.19,-190.25 1666.19,-190.25 1672.19,-196.25 1672.19,-202.25 1672.19,-202.25 1672.19,-259.75 1672.19,-259.75 1672.19,-265.75 1666.19,-271.75 1660.19,-271.75"/> <text xml:space="preserve" text-anchor="middle" x="1603.44" y="-259.2" font-family="Arial" font-size="9.00">Step 8.4</text> <text xml:space="preserve" text-anchor="middle" x="1603.44" y="-248.7" font-family="Arial" font-size="9.00">Entity Enrichment</text> <text xml:space="preserve" text-anchor="middle" x="1603.44" y="-238.2" font-family="Arial" font-size="9.00">[CTI] lookup_hash_ti</text> <text xml:space="preserve" text-anchor="middle" x="1603.44" y="-227.7" font-family="Arial" font-size="9.00">[SIEM] get_file_report</text> <text xml:space="preserve" text-anchor="middle" x="1603.44" y="-217.2" font-family="Arial" font-size="9.00">[SIEM] get_ip_address_report</text> <text xml:space="preserve" text-anchor="middle" x="1603.44" y="-206.7" font-family="Arial" font-size="9.00">[SIEM] lookup_entity</text> <text xml:space="preserve" text-anchor="middle" x="1603.44" y="-196.2" font-family="Arial" font-size="9.00">[SIEM] get_ioc_matches</text> </g>  <g id="edge14" class="edge"> <title>CASE_STRATEGY->ENRICHMENT</title> <path fill="none" stroke="black" stroke-width="2" d="M1366.16,-333.05C1413.09,-312.78 1475.16,-285.97 1523.91,-264.92"/> <polygon fill="black" stroke="black" stroke-width="2" points="1523.84,-268.76 1531.63,-261.58 1521.07,-262.33 1523.84,-268.76"/> <text xml:space="preserve" text-anchor="middle" x="1471.19" y="-295.19" font-family="Arial" font-size="8.00">Investigate</text> </g>  <g id="node13" class="node"> <title>UNCERTAIN_SEARCH</title> <path fill="none" stroke="black" d="M1682.31,-172C1682.31,-172 1524.56,-172 1524.56,-172 1518.56,-172 1512.56,-166 1512.56,-160 1512.56,-160 1512.56,-134 1512.56,-134 1512.56,-128 1518.56,-122 1524.56,-122 1524.56,-122 1682.31,-122 1682.31,-122 1688.31,-122 1694.31,-128 1694.31,-134 1694.31,-134 1694.31,-160 1694.31,-160 1694.31,-166 1688.31,-172 1682.31,-172"/> <text xml:space="preserve" text-anchor="middle" x="1603.44" y="-159.45" font-family="Arial" font-size="9.00">Step 8.6</text> <text xml:space="preserve" text-anchor="middle" x="1603.44" y="-148.95" font-family="Arial" font-size="9.00">Find Uncertain Alerts</text> <text xml:space="preserve" text-anchor="middle" x="1603.44" y="-138.45" font-family="Arial" font-size="9.00">Same Host Pattern</text> <text xml:space="preserve" text-anchor="middle" x="1603.44" y="-127.95" font-family="Arial" font-size="9.00">[SIEM] get_all_uncertain_alerts_for_host</text> </g>  <g id="edge16" class="edge"> <title>CASE_STRATEGY->UNCERTAIN_SEARCH</title> <path fill="none" stroke="black" stroke-width="2" d="M1335.33,-319.54C1373.59,-278.71 1435.73,-218.45 1500.31,-181 1502.48,-179.74 1504.7,-178.52 1506.96,-177.34"/> <polygon fill="black" stroke="black" stroke-width="2" points="1506.92,-181.25 1514.39,-173.73 1503.86,-174.96 1506.92,-181.25"/> <text xml:space="preserve" text-anchor="middle" x="1471.19" y="-211.76" font-family="Arial" font-size="8.00">Investigate</text> </g>  <g id="node14" class="node"> <title>CASE_SEARCH</title> <path fill="none" stroke="black" d="M1665.06,-76.25C1665.06,-76.25 1541.81,-76.25 1541.81,-76.25 1535.81,-76.25 1529.81,-70.25 1529.81,-64.25 1529.81,-64.25 1529.81,-27.75 1529.81,-27.75 1529.81,-21.75 1535.81,-15.75 1541.81,-15.75 1541.81,-15.75 1665.06,-15.75 1665.06,-15.75 1671.06,-15.75 1677.06,-21.75 1677.06,-27.75 1677.06,-27.75 1677.06,-64.25 1677.06,-64.25 1677.06,-70.25 1671.06,-76.25 1665.06,-76.25"/> <text xml:space="preserve" text-anchor="middle" x="1603.44" y="-63.7" font-family="Arial" font-size="9.00">Step 8.5</text> <text xml:space="preserve" text-anchor="middle" x="1603.44" y="-53.2" font-family="Arial" font-size="9.00">Find & Group Related Cases</text> <text xml:space="preserve" text-anchor="middle" x="1603.44" y="-42.7" font-family="Arial" font-size="9.00">Group by Host/User/Threat Type</text> <text xml:space="preserve" text-anchor="middle" x="1603.44" y="-32.2" font-family="Arial" font-size="9.00">[CM] list_cases</text> <text xml:space="preserve" text-anchor="middle" x="1603.44" y="-21.7" font-family="Arial" font-size="9.00">[CM] search_cases</text> </g>  <g id="edge15" class="edge"> <title>CASE_STRATEGY->CASE_SEARCH</title> <path fill="none" stroke="red" stroke-width="2" d="M1327.33,-316.17C1364.01,-262.21 1429.53,-172.91 1500.31,-110 1511.28,-100.25 1523.9,-91.04 1536.45,-82.81"/> <polygon fill="red" stroke="red" stroke-width="2" points="1536.9,-86.67 1543.45,-78.34 1533.14,-80.77 1536.9,-86.67"/> <text xml:space="preserve" text-anchor="middle" x="1471.19" y="-155.42" font-family="Arial" font-size="8.00">Investigate</text> </g>  <g id="node27" class="node"> <title>END_DUP</title> <ellipse fill="lightgreen" stroke="black" cx="1827.42" cy="-638" rx="90.86" ry="42.78"/> <text xml:space="preserve" text-anchor="middle" x="1827.42" y="-655.7" font-family="Arial" font-size="9.00">END</text> <text xml:space="preserve" text-anchor="middle" x="1827.42" y="-645.2" font-family="Arial" font-size="9.00">Duplicate Noted</text> <text xml:space="preserve" text-anchor="middle" x="1827.42" y="-634.7" font-family="Arial" font-size="9.00">[CM] add_case_comment</text> <text xml:space="preserve" text-anchor="middle" x="1827.42" y="-624.2" font-family="Arial" font-size="9.00">[SIEM] add_alert_note</text> <text xml:space="preserve" text-anchor="middle" x="1827.42" y="-613.7" font-family="Arial" font-size="9.00">[SIEM] update_alert_verdict</text> </g>  <g id="edge10" class="edge"> <title>STEP5_DUP->END_DUP</title> <path fill="none" stroke="black" d="M1668.05,-638C1685.83,-638 1705.6,-638 1724.99,-638"/> <polygon fill="black" stroke="black" points="1724.82,-641.5 1734.82,-638 1724.82,-634.5 1724.82,-641.5"/> </g>  <g id="node15" class="node"> <title>CONVERGE</title> <path fill="none" stroke="black" d="M1865.05,-288.75C1865.05,-288.75 1789.8,-288.75 1789.8,-288.75 1783.8,-288.75 1777.8,-282.75 1777.8,-276.75 1777.8,-276.75 1777.8,-261.25 1777.8,-261.25 1777.8,-255.25 1783.8,-249.25 1789.8,-249.25 1789.8,-249.25 1865.05,-249.25 1865.05,-249.25 1871.05,-249.25 1877.05,-255.25 1877.05,-261.25 1877.05,-261.25 1877.05,-276.75 1877.05,-276.75 1877.05,-282.75 1871.05,-288.75 1865.05,-288.75"/> <text xml:space="preserve" text-anchor="middle" x="1827.42" y="-276.2" font-family="Arial" font-size="9.00">Step 8.7</text> <text xml:space="preserve" text-anchor="middle" x="1827.42" y="-265.7" font-family="Arial" font-size="9.00">Convergence</text> <text xml:space="preserve" text-anchor="middle" x="1827.42" y="-255.2" font-family="Arial" font-size="9.00">Combine All Results</text> </g>  <g id="edge17" class="edge"> <title>KB_CHECK->CONVERGE</title> <path fill="none" stroke="black" d="M1660.11,-519.18C1676.76,-512.47 1694.14,-503.29 1707.56,-491 1766.55,-437 1801.92,-346.83 1817.32,-299.75"/> <polygon fill="black" stroke="black" points="1820.57,-301.06 1820.26,-290.46 1813.9,-298.94 1820.57,-301.06"/> </g>  <g id="edge18" class="edge"> <title>IOC_CHECK->CONVERGE</title> <path fill="none" stroke="black" d="M1660.97,-453.31C1677.01,-449 1693.83,-442.57 1707.56,-433 1757.18,-398.4 1793.78,-336.25 1812.46,-299.2"/> <polygon fill="black" stroke="black" points="1815.53,-300.89 1816.8,-290.37 1809.25,-297.8 1815.53,-300.89"/> </g>  <g id="edge19" class="edge"> <title>SIEM_SEARCH->CONVERGE</title> <path fill="none" stroke="black" d="M1683.33,-325.73C1710.8,-314.83 1741.16,-302.8 1766.81,-292.63"/> <polygon fill="black" stroke="black" points="1768.08,-295.89 1776.09,-288.95 1765.5,-289.39 1768.08,-295.89"/> </g>  <g id="edge20" class="edge"> <title>ENRICHMENT->CONVERGE</title> <path fill="none" stroke="black" d="M1672.55,-242.66C1702.48,-247.78 1737.32,-253.75 1766.28,-258.7"/> <polygon fill="black" stroke="black" points="1765.53,-262.13 1775.98,-260.36 1766.71,-255.23 1765.53,-262.13"/> </g>  <g id="edge22" class="edge"> <title>UNCERTAIN_SEARCH->CONVERGE</title> <path fill="none" stroke="black" d="M1689.21,-172.48C1695.52,-175.13 1701.7,-177.97 1707.56,-181 1739.56,-197.58 1772.21,-222.43 1795.17,-241.5"/> <polygon fill="black" stroke="black" points="1792.72,-244.01 1802.62,-247.78 1797.23,-238.66 1792.72,-244.01"/> </g>  <g id="edge21" class="edge"> <title>CASE_SEARCH->CONVERGE</title> <path fill="none" stroke="black" d="M1662.26,-76.65C1677.81,-86.25 1694.05,-97.61 1707.56,-110 1750.22,-149.12 1788.06,-205.33 1809.04,-239.38"/> <polygon fill="black" stroke="black" points="1805.78,-240.76 1813.97,-247.48 1811.77,-237.12 1805.78,-240.76"/> </g>  <g id="node16" class="node"> <title>ASSESSMENT</title> <path fill="none" stroke="black" d="M2041.04,-288.75C2041.04,-288.75 1967.29,-288.75 1967.29,-288.75 1961.29,-288.75 1955.29,-282.75 1955.29,-276.75 1955.29,-276.75 1955.29,-261.25 1955.29,-261.25 1955.29,-255.25 1961.29,-249.25 1967.29,-249.25 1967.29,-249.25 2041.04,-249.25 2041.04,-249.25 2047.04,-249.25 2053.04,-255.25 2053.04,-261.25 2053.04,-261.25 2053.04,-276.75 2053.04,-276.75 2053.04,-282.75 2047.04,-288.75 2041.04,-288.75"/> <text xml:space="preserve" text-anchor="middle" x="2004.16" y="-276.2" font-family="Arial" font-size="9.00">Step 9</text> <text xml:space="preserve" text-anchor="middle" x="2004.16" y="-265.7" font-family="Arial" font-size="9.00">Assessment</text> <text xml:space="preserve" text-anchor="middle" x="2004.16" y="-255.2" font-family="Arial" font-size="9.00">Evaluate All Results</text> </g>  <g id="edge23" class="edge"> <title>CONVERGE->ASSESSMENT</title> <path fill="none" stroke="black" d="M1877.1,-269C1897.73,-269 1921.96,-269 1943.65,-269"/> <polygon fill="black" stroke="black" points="1943.54,-272.5 1953.54,-269 1943.54,-265.5 1943.54,-272.5"/> </g>  <g id="node17" class="node"> <title>RECOMMENDATIONS</title> <path fill="none" stroke="black" d="M2303.29,-299.25C2303.29,-299.25 2102.04,-299.25 2102.04,-299.25 2096.04,-299.25 2090.04,-293.25 2090.04,-287.25 2090.04,-287.25 2090.04,-250.75 2090.04,-250.75 2090.04,-244.75 2096.04,-238.75 2102.04,-238.75 2102.04,-238.75 2303.29,-238.75 2303.29,-238.75 2309.29,-238.75 2315.29,-244.75 2315.29,-250.75 2315.29,-250.75 2315.29,-287.25 2315.29,-287.25 2315.29,-293.25 2309.29,-299.25 2303.29,-299.25"/> <text xml:space="preserve" text-anchor="middle" x="2202.66" y="-286.7" font-family="Arial" font-size="9.00">Step 10</text> <text xml:space="preserve" text-anchor="middle" x="2202.66" y="-276.2" font-family="Arial" font-size="9.00">Recommendations</text> <text xml:space="preserve" text-anchor="middle" x="2202.66" y="-265.7" font-family="Arial" font-size="9.00">[ENG] list_visibility_recommendations</text> <text xml:space="preserve" text-anchor="middle" x="2202.66" y="-255.2" font-family="Arial" font-size="9.00">[ENG] create_visibility_recommendation</text> <text xml:space="preserve" text-anchor="middle" x="2202.66" y="-244.7" font-family="Arial" font-size="9.00">[ENG] add_comment_to_visibility_recommendation</text> </g>  <g id="edge24" class="edge"> <title>ASSESSMENT->RECOMMENDATIONS</title> <path fill="none" stroke="black" d="M2053.48,-269C2061.39,-269 2069.89,-269 2078.67,-269"/> <polygon fill="black" stroke="black" points="2078.41,-272.5 2088.41,-269 2078.41,-265.5 2078.41,-272.5"/> </g>  <g id="node18" class="node"> <title>FINAL_ACTION</title> <polygon fill="lightyellow" stroke="black" points="2416.29,-298 2352.29,-269 2416.29,-240 2480.29,-269 2416.29,-298"/> <text xml:space="preserve" text-anchor="middle" x="2416.29" y="-270.95" font-family="Arial" font-size="9.00">Step 11</text> <text xml:space="preserve" text-anchor="middle" x="2416.29" y="-260.45" font-family="Arial" font-size="9.00">Final Action</text> </g>  <g id="edge25" class="edge"> <title>RECOMMENDATIONS->FINAL_ACTION</title> <path fill="none" stroke="black" d="M2315.67,-269C2323.87,-269 2332.01,-269 2339.91,-269"/> <polygon fill="black" stroke="black" points="2339.76,-272.5 2349.76,-269 2339.76,-265.5 2339.76,-272.5"/> </g>  <g id="node19" class="node"> <title>STEP11_FP</title> <path fill="none" stroke="black" d="M2777.54,-463.25C2777.54,-463.25 2562.79,-463.25 2562.79,-463.25 2556.79,-463.25 2550.79,-457.25 2550.79,-451.25 2550.79,-451.25 2550.79,-372.75 2550.79,-372.75 2550.79,-366.75 2556.79,-360.75 2562.79,-360.75 2562.79,-360.75 2777.54,-360.75 2777.54,-360.75 2783.54,-360.75 2789.54,-366.75 2789.54,-372.75 2789.54,-372.75 2789.54,-451.25 2789.54,-451.25 2789.54,-457.25 2783.54,-463.25 2777.54,-463.25"/> <text xml:space="preserve" text-anchor="middle" x="2670.16" y="-450.7" font-family="Arial" font-size="9.00">Step 11.2</text> <text xml:space="preserve" text-anchor="middle" x="2670.16" y="-440.2" font-family="Arial" font-size="9.00">If FP/BTP</text> <text xml:space="preserve" text-anchor="middle" x="2670.16" y="-429.7" font-family="Arial" font-size="9.00">[SIEM] add_alert_note</text> <text xml:space="preserve" text-anchor="middle" x="2670.16" y="-419.2" font-family="Arial" font-size="9.00">[CM] add_case_comment (if case)</text> <text xml:space="preserve" text-anchor="middle" x="2670.16" y="-408.7" font-family="Arial" font-size="9.00">[CM] update_case_status (if case)</text> <text xml:space="preserve" text-anchor="middle" x="2670.16" y="-398.2" font-family="Arial" font-size="9.00">[SIEM] update_alert_verdict</text> <text xml:space="preserve" text-anchor="middle" x="2670.16" y="-387.7" font-family="Arial" font-size="9.00">[ENG] list_fine_tuning_recommendations</text> <text xml:space="preserve" text-anchor="middle" x="2670.16" y="-377.2" font-family="Arial" font-size="9.00">[ENG] create_fine_tuning_recommendation</text> <text xml:space="preserve" text-anchor="middle" x="2670.16" y="-366.7" font-family="Arial" font-size="9.00">[ENG] add_comment_to_fine_tuning_recommendation</text> </g>  <g id="edge26" class="edge"> <title>FINAL_ACTION->STEP11_FP</title> <path fill="none" stroke="green" stroke-width="2" stroke-dasharray="5,2" d="M2445.69,-285.13C2475.22,-301.89 2523.19,-329.13 2567.13,-354.07"/> <polygon fill="green" stroke="green" stroke-width="2" points="2565.15,-356.97 2575.57,-358.86 2568.6,-350.88 2565.15,-356.97"/> <text xml:space="preserve" text-anchor="middle" x="2515.54" y="-334.09" font-family="Arial" font-size="8.00">FP/BTP</text> </g>  <g id="node20" class="node"> <title>STEP11_TP</title> <path fill="none" stroke="black" d="M2738.16,-325.5C2738.16,-325.5 2602.16,-325.5 2602.16,-325.5 2596.16,-325.5 2590.16,-319.5 2590.16,-313.5 2590.16,-313.5 2590.16,-224.5 2590.16,-224.5 2590.16,-218.5 2596.16,-212.5 2602.16,-212.5 2602.16,-212.5 2738.16,-212.5 2738.16,-212.5 2744.16,-212.5 2750.16,-218.5 2750.16,-224.5 2750.16,-224.5 2750.16,-313.5 2750.16,-313.5 2750.16,-319.5 2744.16,-325.5 2738.16,-325.5"/> <text xml:space="preserve" text-anchor="middle" x="2670.16" y="-312.95" font-family="Arial" font-size="9.00">Step 11.3</text> <text xml:space="preserve" text-anchor="middle" x="2670.16" y="-302.45" font-family="Arial" font-size="9.00">If Confirmed TP</text> <text xml:space="preserve" text-anchor="middle" x="2670.16" y="-291.95" font-family="Arial" font-size="9.00">Prefer Existing Case When Related</text> <text xml:space="preserve" text-anchor="middle" x="2670.16" y="-281.45" font-family="Arial" font-size="9.00">[CM] create_case (if new)</text> <text xml:space="preserve" text-anchor="middle" x="2670.16" y="-270.95" font-family="Arial" font-size="9.00">[SIEM] add_alert_note</text> <text xml:space="preserve" text-anchor="middle" x="2670.16" y="-260.45" font-family="Arial" font-size="9.00">[CM] add_case_comment</text> <text xml:space="preserve" text-anchor="middle" x="2670.16" y="-249.95" font-family="Arial" font-size="9.00">[CM] attach_observable_to_case</text> <text xml:space="preserve" text-anchor="middle" x="2670.16" y="-239.45" font-family="Arial" font-size="9.00">[CM] update_case_status</text> <text xml:space="preserve" text-anchor="middle" x="2670.16" y="-228.95" font-family="Arial" font-size="9.00">[SIEM] update_alert_verdict</text> <text xml:space="preserve" text-anchor="middle" x="2670.16" y="-218.45" font-family="Arial" font-size="9.00">[CM] add_case_task</text> </g>  <g id="edge27" class="edge"> <title>FINAL_ACTION->STEP11_TP</title> <path fill="none" stroke="red" stroke-width="2" stroke-dasharray="5,2" d="M2481.5,-269C2510.45,-269 2545.18,-269 2576.85,-269"/> <polygon fill="red" stroke="red" stroke-width="2" points="2576.72,-272.5 2586.72,-269 2576.72,-265.5 2576.72,-272.5"/> <text xml:space="preserve" text-anchor="middle" x="2515.54" y="-271.15" font-family="Arial" font-size="8.00">TP</text> </g>  <g id="node24" class="node"> <title>STEP11_UNCERTAIN</title> <path fill="none" stroke="black" d="M2722.41,-167.25C2722.41,-167.25 2617.91,-167.25 2617.91,-167.25 2611.91,-167.25 2605.91,-161.25 2605.91,-155.25 2605.91,-155.25 2605.91,-118.75 2605.91,-118.75 2605.91,-112.75 2611.91,-106.75 2617.91,-106.75 2617.91,-106.75 2722.41,-106.75 2722.41,-106.75 2728.41,-106.75 2734.41,-112.75 2734.41,-118.75 2734.41,-118.75 2734.41,-155.25 2734.41,-155.25 2734.41,-161.25 2728.41,-167.25 2722.41,-167.25"/> <text xml:space="preserve" text-anchor="middle" x="2670.16" y="-154.7" font-family="Arial" font-size="9.00">Step 11.4</text> <text xml:space="preserve" text-anchor="middle" x="2670.16" y="-144.2" font-family="Arial" font-size="9.00">If Uncertain</text> <text xml:space="preserve" text-anchor="middle" x="2670.16" y="-133.7" font-family="Arial" font-size="9.00">[SIEM] add_alert_note</text> <text xml:space="preserve" text-anchor="middle" x="2670.16" y="-123.2" font-family="Arial" font-size="9.00">[SIEM] update_alert_verdict</text> <text xml:space="preserve" text-anchor="middle" x="2670.16" y="-112.7" font-family="Arial" font-size="9.00">(verdict="uncertain")</text> </g>  <g id="edge28" class="edge"> <title>FINAL_ACTION->STEP11_UNCERTAIN</title> <path fill="none" stroke="orange" stroke-width="2" stroke-dasharray="5,2" d="M2446.67,-253.6C2483.87,-234.1 2549.17,-199.89 2599.43,-173.54"/> <polygon fill="orange" stroke="orange" stroke-width="2" points="2600.97,-176.69 2608.2,-168.95 2597.72,-170.49 2600.97,-176.69"/> <text xml:space="preserve" text-anchor="middle" x="2515.54" y="-228.45" font-family="Arial" font-size="8.00">Uncertain</text> </g>  <g id="node28" class="node"> <title>END_CLOSE</title> <ellipse fill="lightgreen" stroke="black" cx="2955.04" cy="-429" rx="90.86" ry="50.2"/> <text xml:space="preserve" text-anchor="middle" x="2955.04" y="-451.95" font-family="Arial" font-size="9.00">END</text> <text xml:space="preserve" text-anchor="middle" x="2955.04" y="-441.45" font-family="Arial" font-size="9.00">Case Closed</text> <text xml:space="preserve" text-anchor="middle" x="2955.04" y="-430.95" font-family="Arial" font-size="9.00">[CM] add_case_comment</text> <text xml:space="preserve" text-anchor="middle" x="2955.04" y="-420.45" font-family="Arial" font-size="9.00">[CM] update_case_status</text> <text xml:space="preserve" text-anchor="middle" x="2955.04" y="-409.95" font-family="Arial" font-size="9.00">[SIEM] add_alert_note</text> <text xml:space="preserve" text-anchor="middle" x="2955.04" y="-399.45" font-family="Arial" font-size="9.00">[SIEM] update_alert_verdict</text> </g>  <g id="edge29" class="edge"> <title>STEP11_FP->END_CLOSE</title> <path fill="none" stroke="black" d="M2789.9,-419.14C2810.95,-420.4 2832.68,-421.71 2853.18,-422.94"/> <polygon fill="black" stroke="black" points="2852.72,-426.42 2862.92,-423.52 2853.14,-419.43 2852.72,-426.42"/> </g>  <g id="node21" class="node"> <title>STEP11_TP_UNCERTAIN</title> <polygon fill="lightyellow" stroke="black" points="2955.04,-361 2826.54,-269 2955.04,-177 3083.54,-269 2955.04,-361"/> <text xml:space="preserve" text-anchor="middle" x="2955.04" y="-302.45" font-family="Arial" font-size="9.00">Step 11.3.0</text> <text xml:space="preserve" text-anchor="middle" x="2955.04" y="-291.95" font-family="Arial" font-size="9.00">Update Related</text> <text xml:space="preserve" text-anchor="middle" x="2955.04" y="-281.45" font-family="Arial" font-size="9.00">Uncertain Alerts</text> <text xml:space="preserve" text-anchor="middle" x="2955.04" y="-270.95" font-family="Arial" font-size="9.00">(If Any)</text> <text xml:space="preserve" text-anchor="middle" x="2955.04" y="-260.45" font-family="Arial" font-size="9.00">[SIEM] update_alert_verdict</text> <text xml:space="preserve" text-anchor="middle" x="2955.04" y="-249.95" font-family="Arial" font-size="9.00">(uncertain -> TP)</text> <text xml:space="preserve" text-anchor="middle" x="2955.04" y="-239.45" font-family="Arial" font-size="9.00">[SIEM] add_alert_note</text> <text xml:space="preserve" text-anchor="middle" x="2955.04" y="-228.95" font-family="Arial" font-size="9.00">(Link to case)</text> </g>  <g id="edge30" class="edge"> <title>STEP11_TP->STEP11_TP_UNCERTAIN</title> <path fill="none" stroke="black" d="M2750.34,-269C2770.31,-269 2792.35,-269 2814.34,-269"/> <polygon fill="black" stroke="black" points="2814.31,-272.5 2824.31,-269 2814.31,-265.5 2814.31,-272.5"/> </g>  <g id="node22" class="node"> <title>STEP11_TP_UPDATE_ALERTS</title> <path fill="none" stroke="black" d="M3281.79,-359.75C3281.79,-359.75 3177.29,-359.75 3177.29,-359.75 3171.29,-359.75 3165.29,-353.75 3165.29,-347.75 3165.29,-347.75 3165.29,-290.25 3165.29,-290.25 3165.29,-284.25 3171.29,-278.25 3177.29,-278.25 3177.29,-278.25 3281.79,-278.25 3281.79,-278.25 3287.79,-278.25 3293.79,-284.25 3293.79,-290.25 3293.79,-290.25 3293.79,-347.75 3293.79,-347.75 3293.79,-353.75 3287.79,-359.75 3281.79,-359.75"/> <text xml:space="preserve" text-anchor="middle" x="3229.54" y="-347.2" font-family="Arial" font-size="9.00">Step 11.3.0</text> <text xml:space="preserve" text-anchor="middle" x="3229.54" y="-336.7" font-family="Arial" font-size="9.00">Update Uncertain Alerts</text> <text xml:space="preserve" text-anchor="middle" x="3229.54" y="-326.2" font-family="Arial" font-size="9.00">For each uncertain alert:</text> <text xml:space="preserve" text-anchor="middle" x="3229.54" y="-315.7" font-family="Arial" font-size="9.00">[SIEM] update_alert_verdict</text> <text xml:space="preserve" text-anchor="middle" x="3229.54" y="-305.2" font-family="Arial" font-size="9.00">(uncertain -> TP)</text> <text xml:space="preserve" text-anchor="middle" x="3229.54" y="-294.7" font-family="Arial" font-size="9.00">[SIEM] add_alert_note</text> <text xml:space="preserve" text-anchor="middle" x="3229.54" y="-284.2" font-family="Arial" font-size="9.00">(Link to Case ${CASE_ID})</text> </g>  <g id="edge31" class="edge"> <title>STEP11_TP_UNCERTAIN->STEP11_TP_UPDATE_ALERTS</title> <path fill="none" stroke="orange" stroke-width="2" stroke-dasharray="5,2" d="M3057.89,-287.69C3089.23,-293.44 3123.17,-299.67 3152.47,-305.04"/> <polygon fill="orange" stroke="orange" stroke-width="2" points="3151.7,-308.46 3162.17,-306.82 3152.96,-301.57 3151.7,-308.46"/> <text xml:space="preserve" text-anchor="middle" x="3124.41" y="-314.73" font-family="Arial" font-size="8.00">Uncertain</text> <text xml:space="preserve" text-anchor="middle" x="3124.41" y="-304.98" font-family="Arial" font-size="8.00">Alerts Found</text> </g>  <g id="node23" class="node"> <title>STEP11_TP_TASKS</title> <path fill="none" stroke="black" d="M3460.04,-299C3460.04,-299 3342.79,-299 3342.79,-299 3336.79,-299 3330.79,-293 3330.79,-287 3330.79,-287 3330.79,-219 3330.79,-219 3330.79,-213 3336.79,-207 3342.79,-207 3342.79,-207 3460.04,-207 3460.04,-207 3466.04,-207 3472.04,-213 3472.04,-219 3472.04,-219 3472.04,-287 3472.04,-287 3472.04,-293 3466.04,-299 3460.04,-299"/> <text xml:space="preserve" text-anchor="middle" x="3401.41" y="-286.45" font-family="Arial" font-size="9.00">Step 11.3.1</text> <text xml:space="preserve" text-anchor="middle" x="3401.41" y="-275.95" font-family="Arial" font-size="9.00">Task Management</text> <text xml:space="preserve" text-anchor="middle" x="3401.41" y="-265.45" font-family="Arial" font-size="9.00">[CM] list_case_tasks</text> <text xml:space="preserve" text-anchor="middle" x="3401.41" y="-254.95" font-family="Arial" font-size="9.00">[CM] update_case_task_status</text> <text xml:space="preserve" text-anchor="middle" x="3401.41" y="-244.45" font-family="Arial" font-size="9.00">(Mark completed tasks)</text> <text xml:space="preserve" text-anchor="middle" x="3401.41" y="-233.95" font-family="Arial" font-size="9.00">[CM] add_case_task</text> <text xml:space="preserve" text-anchor="middle" x="3401.41" y="-223.45" font-family="Arial" font-size="9.00">(Add SOC2 tasks based on</text> <text xml:space="preserve" text-anchor="middle" x="3401.41" y="-212.95" font-family="Arial" font-size="9.00">SOC1 analysis findings)</text> </g>  <g id="edge32" class="edge"> <title>STEP11_TP_UNCERTAIN->STEP11_TP_TASKS</title> <path fill="none" stroke="green" stroke-width="2" stroke-dasharray="5,2" d="M3067.21,-256.7C3098.86,-253.73 3133.4,-250.98 3165.29,-249.5 3222.34,-246.85 3236.68,-248.56 3293.79,-249.5 3301.47,-249.63 3309.47,-249.8 3317.47,-250.01"/> <polygon fill="green" stroke="green" stroke-width="2" points="3317.33,-253.51 3327.42,-250.29 3317.52,-246.51 3317.33,-253.51"/> <text xml:space="preserve" text-anchor="middle" x="3229.54" y="-261.4" font-family="Arial" font-size="8.00">No Uncertain</text> <text xml:space="preserve" text-anchor="middle" x="3229.54" y="-251.65" font-family="Arial" font-size="8.00">Alerts</text> </g>  <g id="edge33" class="edge"> <title>STEP11_TP_UPDATE_ALERTS->STEP11_TP_TASKS</title> <path fill="none" stroke="black" d="M3294.28,-294.24C3302.55,-291.02 3311.11,-287.7 3319.62,-284.39"/> <polygon fill="black" stroke="black" points="3320.87,-287.66 3328.93,-280.77 3318.34,-281.13 3320.87,-287.66"/> </g>  <g id="node29" class="node"> <title>END_ESCALATE</title> <ellipse fill="lightcoral" stroke="black" cx="3617.4" cy="-253" rx="108.36" ry="102.18"/> <text xml:space="preserve" text-anchor="middle" x="3617.4" y="-312.7" font-family="Arial" font-size="9.00">END</text> <text xml:space="preserve" text-anchor="middle" x="3617.4" y="-302.2" font-family="Arial" font-size="9.00">Case Used (Existing or New)</text> <text xml:space="preserve" text-anchor="middle" x="3617.4" y="-291.7" font-family="Arial" font-size="9.00">Escalated to SOC2</text> <text xml:space="preserve" text-anchor="middle" x="3617.4" y="-281.2" font-family="Arial" font-size="9.00">[CM] create_case (if needed)</text> <text xml:space="preserve" text-anchor="middle" x="3617.4" y="-270.7" font-family="Arial" font-size="9.00">[CM] add_case_comment</text> <text xml:space="preserve" text-anchor="middle" x="3617.4" y="-260.2" font-family="Arial" font-size="9.00">[CM] attach_observable_to_case</text> <text xml:space="preserve" text-anchor="middle" x="3617.4" y="-249.7" font-family="Arial" font-size="9.00">[CM] update_case_status</text> <text xml:space="preserve" text-anchor="middle" x="3617.4" y="-239.2" font-family="Arial" font-size="9.00">[CM] add_case_task</text> <text xml:space="preserve" text-anchor="middle" x="3617.4" y="-228.7" font-family="Arial" font-size="9.00">[CM] list_case_tasks</text> <text xml:space="preserve" text-anchor="middle" x="3617.4" y="-218.2" font-family="Arial" font-size="9.00">[CM] update_case_task_status</text> <text xml:space="preserve" text-anchor="middle" x="3617.4" y="-207.7" font-family="Arial" font-size="9.00">[SIEM] add_alert_note</text> <text xml:space="preserve" text-anchor="middle" x="3617.4" y="-197.2" font-family="Arial" font-size="9.00">[SIEM] update_alert_verdict</text> <text xml:space="preserve" text-anchor="middle" x="3617.4" y="-186.7" font-family="Arial" font-size="9.00">(Updated related uncertain alerts)</text> </g>  <g id="edge34" class="edge"> <title>STEP11_TP_TASKS->END_ESCALATE</title> <path fill="none" stroke="black" d="M3472.48,-253C3480.44,-253 3488.71,-253 3497.09,-253"/> <polygon fill="black" stroke="black" points="3497.04,-256.5 3507.04,-253 3497.04,-249.5 3497.04,-256.5"/> </g>  <g id="node30" class="node"> <title>END_UNCERTAIN</title> <ellipse fill="lightyellow" stroke="black" cx="2955.04" cy="-109" rx="90.86" ry="50.2"/> <text xml:space="preserve" text-anchor="middle" x="2955.04" y="-131.95" font-family="Arial" font-size="9.00">END</text> <text xml:space="preserve" text-anchor="middle" x="2955.04" y="-121.45" font-family="Arial" font-size="9.00">Uncertain</text> <text xml:space="preserve" text-anchor="middle" x="2955.04" y="-110.95" font-family="Arial" font-size="9.00">No Case Created</text> <text xml:space="preserve" text-anchor="middle" x="2955.04" y="-100.45" font-family="Arial" font-size="9.00">[SIEM] add_alert_note</text> <text xml:space="preserve" text-anchor="middle" x="2955.04" y="-89.95" font-family="Arial" font-size="9.00">[SIEM] update_alert_verdict</text> <text xml:space="preserve" text-anchor="middle" x="2955.04" y="-79.45" font-family="Arial" font-size="9.00">(verdict="uncertain")</text> </g>  <g id="edge35" class="edge"> <title>STEP11_UNCERTAIN->END_UNCERTAIN</title> <path fill="none" stroke="black" d="M2734.65,-130.72C2769.78,-127.24 2814.26,-122.84 2853.96,-118.91"/> <polygon fill="black" stroke="black" points="2854.18,-122.4 2863.79,-117.93 2853.49,-115.44 2854.18,-122.4"/> </g>  <g id="node31" class="node"> <title>LEGEND_SIEM</title> <path fill="none" stroke="black" d="M157.25,-568C157.25,-568 28,-568 28,-568 22,-568 16,-562 16,-556 16,-556 16,-544 16,-544 16,-538 22,-532 28,-532 28,-532 157.25,-532 157.25,-532 163.25,-532 169.25,-538 169.25,-544 169.25,-544 169.25,-556 169.25,-556 169.25,-562 163.25,-568 157.25,-568"/> <text xml:space="preserve" text-anchor="middle" x="92.62" y="-551.95" font-family="Arial" font-size="9.00">[SIEM] SIEM Tools</text> <text xml:space="preserve" text-anchor="middle" x="92.62" y="-541.45" font-family="Arial" font-size="9.00">Investigation & Alert Management</text> </g>  <g id="node32" class="node"> <title>LEGEND_CASE</title> <path fill="none" stroke="black" d="M333.25,-568C333.25,-568 218.25,-568 218.25,-568 212.25,-568 206.25,-562 206.25,-556 206.25,-556 206.25,-544 206.25,-544 206.25,-538 212.25,-532 218.25,-532 218.25,-532 333.25,-532 333.25,-532 339.25,-532 345.25,-538 345.25,-544 345.25,-544 345.25,-556 345.25,-556 345.25,-562 339.25,-568 333.25,-568"/> <text xml:space="preserve" text-anchor="middle" x="275.75" y="-551.95" font-family="Arial" font-size="9.00">[CM] Case Management Tools</text> <text xml:space="preserve" text-anchor="middle" x="275.75" y="-541.45" font-family="Arial" font-size="9.00">Case Operations & Tracking</text> </g>   <g id="node33" class="node"> <title>LEGEND_KB</title> <path fill="none" stroke="black" d="M486.38,-568C486.38,-568 424.62,-568 424.62,-568 418.62,-568 412.62,-562 412.62,-556 412.62,-556 412.62,-544 412.62,-544 412.62,-538 418.62,-532 424.62,-532 424.62,-532 486.38,-532 486.38,-532 492.38,-532 498.38,-538 498.38,-544 498.38,-544 498.38,-556 498.38,-556 498.38,-562 492.38,-568 486.38,-568"/> <text xml:space="preserve" text-anchor="middle" x="455.5" y="-551.95" font-family="Arial" font-size="9.00">[KB] KB Tools</text> <text xml:space="preserve" text-anchor="middle" x="455.5" y="-541.45" font-family="Arial" font-size="9.00">Knowledge Base</text> </g>   <g id="node34" class="node"> <title>LEGEND_CTI</title> <path fill="none" stroke="black" d="M738.66,-568C738.66,-568 670.91,-568 670.91,-568 664.91,-568 658.91,-562 658.91,-556 658.91,-556 658.91,-544 658.91,-544 658.91,-538 664.91,-532 670.91,-532 670.91,-532 738.66,-532 738.66,-532 744.66,-532 750.66,-538 750.66,-544 750.66,-544 750.66,-556 750.66,-556 750.66,-562 744.66,-568 738.66,-568"/> <text xml:space="preserve" text-anchor="middle" x="704.78" y="-551.95" font-family="Arial" font-size="9.00">[CTI] CTI Tools</text> <text xml:space="preserve" text-anchor="middle" x="704.78" y="-541.45" font-family="Arial" font-size="9.00">Threat Intelligence</text> </g>   <g id="node35" class="node"> <title>LEGEND_ENG</title> <path fill="none" stroke="black" d="M1004.81,-568C1004.81,-568 912.31,-568 912.31,-568 906.31,-568 900.31,-562 900.31,-556 900.31,-556 900.31,-544 900.31,-544 900.31,-538 906.31,-532 912.31,-532 912.31,-532 1004.81,-532 1004.81,-532 1010.81,-532 1016.81,-538 1016.81,-544 1016.81,-544 1016.81,-556 1016.81,-556 1016.81,-562 1010.81,-568 1004.81,-568"/> <text xml:space="preserve" text-anchor="middle" x="958.56" y="-551.95" font-family="Arial" font-size="9.00">[ENG] Engineering Tools</text> <text xml:space="preserve" text-anchor="middle" x="958.56" y="-541.45" font-family="Arial" font-size="9.00">Recommendations</text> </g>   <g id="node36" class="node"> <title>LEGEND_DECISION</title> <polygon fill="lightyellow" stroke="black" points="1295.81,-568 1233.78,-550 1295.81,-532 1357.84,-550 1295.81,-568"/> <text xml:space="preserve" text-anchor="middle" x="1295.81" y="-546.7" font-family="Arial" font-size="9.00">Decision Point</text> </g>  </g> </svg>

Loading blob content...

Latest Blog Posts

Don't Use Large Strings as Cache Keys
By punkpeye on January 11, 2026.
markdown
node-js
cache
What are Claude Skills?
By punkpeye on January 10, 2026.
mcp
skills
How to Test MCP Streamable HTTP Endpoints Using cURL
By punkpeye on January 2, 2026.
tutorial
bash

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/M507/AI-SOC-Agent'

If you have feedback or need assistance with the MCP directory API, please join our Discord server

initial_alert_triage.svg•55.8 kB