# SOC1: Malware Initial Triage Runbook
## Objective
Perform initial analysis and context gathering for a suspected malicious file hash from a security alert. **SOC1 MUST ALWAYS BEGIN FROM SECURITY ALERTS (`${ALERT_ID}`), NEVER FROM EXISTING CASES.** The triage determines whether the file requires escalation to SOC2 for deep analysis, can be closed as benign, or, if uncertain, should be left as an open case carrying comprehensive alert details.
## Scope
This runbook covers:
* Initial triage steps for a file hash using CTI and basic SIEM tools.
* Basic file reputation and behavior checks.
* Simple execution and network activity checks.
* Decision-making for escalation to SOC2 or closure.
This runbook explicitly **excludes**:
* Deep forensic analysis of the affected host (SOC2/SOC3 responsibility).
* Full reverse engineering (SOC2/SOC3 responsibility).
* Complete network IOC enrichment (SOC2 responsibility).
* Endpoint isolation or containment (SOC3 responsibility).
## SOC Tier
**Tier:** SOC1 (Tier 1)
**Escalation Target:** SOC2 for deep malware analysis, SOC3 for containment actions
## Inputs
* `${ALERT_ID}`: **REQUIRED** - The identifier for the security alert from the SIEM alert queue. SOC1 MUST ALWAYS START FROM `${ALERT_ID}`.
* `${FILE_HASH}`: The MD5, SHA1, or SHA256 hash of the suspected malicious file, extracted from the alert details. Normalize it to lowercase hex before any lookup; if the alert carries more than one hash type, prefer SHA256 (MD5 and SHA1 are collision-prone, and SHA256 is the most reliable key across CTI sources).
* *(Optional) `${TIME_FRAME_HOURS}`: Lookback period in hours for SIEM searches (default: 24 hours for SOC1 efficiency).*
## Outputs
* `${ASSESSMENT}`: The outcome of the triage (e.g., "Benign", "Suspicious", "Malicious").
* `${ACTION_TAKEN}`: The action performed (e.g., "Closed", "Escalated to SOC2").
* `${ESCALATION_RECOMMENDATION}`: Recommendation for escalation if suspicious.
## Tools
* **CTI Tools:** `lookup_hash_ti`
* **SIEM Tools:** `get_security_alert_by_id`, `close_alert`, `get_file_report`, `get_file_behavior_summary`, `get_entities_related_to_file`, `get_ip_address_report`, `lookup_entity`, `search_security_events`, `get_ioc_matches`, `get_network_events`, `get_dns_events`, `get_alerts_by_entity`
* **Case Management Tools:** `create_case`, `update_case_status`, `review_case`, `search_cases`, `add_case_comment`, `attach_observable_to_case`, `add_case_task`, `add_case_asset`
* **Engineering Tools:** `list_fine_tuning_recommendations`, `create_fine_tuning_recommendation`, `add_comment_to_fine_tuning_recommendation`, `create_visibility_recommendation`
## Workflow Steps
1. **Receive Alert (MANDATORY):**
* **SOC1 MUST ALWAYS START FROM `${ALERT_ID}`** - this is the entry point for all SOC1 workflows.
* Obtain the `${ALERT_ID}` from the SIEM alert queue.
* **MUST use `get_security_alert_by_id` with `alert_id=${ALERT_ID}` as the FIRST action.**
* Extract `${FILE_HASH}` from alert details.
* Extract and store ALL alert details in `${ALERT_COMPLETE_DETAILS}`:
* Alert ID, alert name/type, severity, detection rule name
* All timestamps
* Complete event data
* Host information, user information
* File hashes, process names, command lines
* Any other alert metadata
* Optionally obtain `${TIME_FRAME_HOURS}` (default: 24 hours).
2. **CTI Hash Lookup:**
* Use `lookup_hash_ti` with `hash_value=${FILE_HASH}`.
* Record key details (`${CTI_REPORT_DETAILS}`): threat classification, reputation, related indicators, threat intelligence context.
* **Decision Point:** If CTI shows the hash as clearly benign (e.g., known good software), consider closing as BTP (benign true positive: the rule fired correctly on a legitimate file). Still complete steps 3 through 8 before closing, so the closure comment is backed by SIEM context rather than by the CTI verdict alone.
3. **SIEM File Report:**
* Use `get_file_report` with `file_hash=${FILE_HASH}`.
* Record key details (`${SIEM_FILE_REPORT}`): first/last seen, detection count, affected hosts count.
* **Decision Point:** Widespread presence alone is not suspicious (legitimate software is also on many hosts); a file that is widespread **and** has detections or a non-benign CTI verdict is likely suspicious.
4. **SIEM File Behavior Summary (Basic):**
* Use `get_file_behavior_summary` with `file_hash=${FILE_HASH}`.
* Record key behavioral indicators (`${BEHAVIOR_SUMMARY}`):
* Basic network activity (contacted IPs/domains; limit to the top 5, stored in `NETWORK_IOCs_SIEM`, which step 6 extends).
* Basic persistence mechanisms (if any).
* Basic MITRE TTPs (if identified).
* **Note:** Full behavior analysis is SOC2 responsibility.
5. **SIEM Execution Check (Basic):**
* Use `search_security_events` with `hours_back=${TIME_FRAME_HOURS}` (default: 24) and query targeting the file hash:
* Query should search for events where the file hash appears (e.g., `file_hash="${FILE_HASH}"` or similar query syntax for your SIEM).
* Look for process execution, file creation events (`${SIEM_EXECUTION_EVENTS}`).
* Limit results to 20-30 most recent events for efficiency.
* Identify hosts (`AFFECTED_HOSTS`) and users (`AFFECTED_USERS`) associated with these events.
* **Decision Point:** If the file executed on multiple hosts and CTI did not classify it as known good, it is likely suspicious.
6. **SIEM Network Activity Check (Basic):**
* Use `get_entities_related_to_file` with `file_hash=${FILE_HASH}` to get related network IOCs.
* Extract contacted IPs/domains and add them to `NETWORK_IOCs_SIEM` (deduplicated against the entries from step 4); keep the top 5 most critical.
* For each critical IP in `NETWORK_IOCs_SIEM`, use `get_network_events` with `destination_ip=<IP>` to get network traffic events in the last `${TIME_FRAME_HOURS}` hours (default: 24).
* For each critical domain in `NETWORK_IOCs_SIEM`, use `get_dns_events` with `domain=<DOMAIN>` to get DNS query events in the last `${TIME_FRAME_HOURS}` hours (default: 24).
* Store basic network events as `${SIEM_NETWORK_EVENTS}`.
* **Alert Correlation:** Use `get_alerts_by_entity` with `entity_value=${FILE_HASH}` and `entity_type="hash"` to find related alerts for this file hash. For each critical network IOC, use `get_alerts_by_entity` to find related alerts.
7. **Basic IOC Enrichment (Critical IOCs Only):**
* **Limit to top 3-5 most critical network IOCs** for efficiency.
* Combine unique IOCs from `NETWORK_IOCs_SIEM` into `CRITICAL_NETWORK_IOCs` (top 5). Exclude internal addresses (RFC 1918, loopback, link-local) first: reputation lookups cannot enrich them, and they would waste an enrichment slot.
* Initialize `NETWORK_IOC_ENRICHMENT`. For each critical IOC `Ni` in `CRITICAL_NETWORK_IOCs`:
* If `Ni` is an IP: Use `get_ip_address_report` with `ip=Ni` to get reputation.
* If `Ni` is a domain: Use `lookup_entity` with `entity_value=Ni` and `entity_type="domain"` (basic lookup only).
* Use `get_ioc_matches` with appropriate `ioc_type` to check if it's a known IOC.
* Store results in `NETWORK_IOC_ENRICHMENT[Ni]`.
* **Note:** Full IOC enrichment is SOC2 responsibility.
8. **Check Related Cases:**
* Prepare list of key entities to search: `SEARCH_TERMS = AFFECTED_HOSTS[0:3] + AFFECTED_USERS[0:3] + CRITICAL_NETWORK_IOCs[0:3]` (limit to top 3 of each).
* Use `search_cases` with `text` parameter containing relevant search terms.
* Filter by `status="open"` to find open cases.
* Obtain `${RELATED_CASES}`.
9. **Create Case (If Needed) & Attach Observables:**
* **Only create a case if:** the preliminary view from steps 2 through 8 indicates the alert needs tracking (uncertain, suspicious, or malicious). A clearly benign file gets no case; it is closed at the alert level in step 12.
* If creating case, use `create_case` with comprehensive description including ALL alert details from `${ALERT_COMPLETE_DETAILS}`.
* Store `${CASE_ID}` for subsequent steps.
* Attach the file hash as an observable: Use `attach_observable_to_case` with `case_id=${CASE_ID}`, `observable_type="hash"`, `observable_value=${FILE_HASH}`.
* For each critical IOC in `CRITICAL_NETWORK_IOCs` (top 3-5):
* Use `attach_observable_to_case` with `case_id=${CASE_ID}`, appropriate `observable_type` (ip, domain, url), `observable_value=Ni`, and description.
10. **Synthesize & Document:**
* Combine findings: `${CTI_REPORT_DETAILS}`, `${SIEM_FILE_REPORT}`, `${BEHAVIOR_SUMMARY}`, `${SIEM_EXECUTION_EVENTS}`, `${SIEM_NETWORK_EVENTS}`, `NETWORK_IOC_ENRICHMENT`, `AFFECTED_HOSTS`, `${RELATED_CASES}`.
* Assess the severity based on:
* CTI classification (malicious/benign).
* Behavior indicators (network activity, persistence).
* Execution scope (number of affected hosts).
* IOC matches.
* Relation to other cases.
* Store the assessment in `${ASSESSMENT}`.
* **If creating/open case: MANDATORY to include ALL alert details from `${ALERT_COMPLETE_DETAILS}`.**
* Prepare `COMMENT_TEXT`: "SOC1 Malware Initial Triage for Alert `${ALERT_ID}` (Hash `${FILE_HASH}`): **Complete Alert Details:** [include ALL from `${ALERT_COMPLETE_DETAILS}` - alert ID, detection rule name, timestamps, host/user info, event data, etc.]. CTI Classification: [...], SIEM File Report: [...], Basic Behavior Summary: [...]. Observed on Hosts: [`${AFFECTED_HOSTS}`]. Critical Network IOCs: [...]. Network IOC Enrichment: [...]. Related Open Cases: [`${RELATED_CASES}`]. Assessment: [...]. Recommendation: [Close as Benign | Escalate to SOC2 for deep analysis | Leave as open case if uncertain]".
* If case exists, use `add_case_comment` with `case_id=${CASE_ID}` and `content=${COMMENT_TEXT}`.
* If no case yet and creating one, include this comment in the case description.
11. **Analyze Results and Create Recommendations (MANDATORY):**
* **CRITICAL: After making the assessment, the AI MUST analyze the results and determine if recommendations should be created.**
* **This step ensures continuous improvement of detection rules and visibility.**
* **For Benign (High Confidence) assessments:**
* **Analyze if a fine-tuning recommendation should be created:**
* Extract detection rule name from `${ALERT_COMPLETE_DETAILS}` (if available).
* Extract alert type/pattern from alert details.
* Use `list_fine_tuning_recommendations` with `include_closed=false` to search for existing recommendations matching the alert type or rule name.
* **If matching recommendation found:**
* Extract `task_id` from the matching task.
* Prepare comment: `FINE_TUNING_COMMENT = "Additional benign/malware false positive observed. Alert ID: ${ALERT_ID}. Case ID: ${CASE_ID} (if created). Assessment: ${ASSESSMENT}. Details: [CTI classification, behavior summary, IOC enrichment results]. Consider this additional data point for rule improvement."`
* Use `add_comment_to_fine_tuning_recommendation` with `task_id=${task_id}` and `comment_text=${FINE_TUNING_COMMENT}`.
* **If no matching recommendation found:**
* Prepare task title: `TASK_TITLE = "Reduce false positives for Malware Detection - [Detection Rule Name if available]"`
* Prepare task description: `TASK_DESCRIPTION = "Alert ${ALERT_ID} was assessed as ${ASSESSMENT} during SOC1 malware triage. Detection Rule: [rule name if available]. File Hash: ${FILE_HASH}. CTI Classification: [from ${CTI_REPORT_DETAILS}]. Behavior Summary: [from ${BEHAVIOR_SUMMARY}]. Affected Hosts: ${AFFECTED_HOSTS}. Recommendations for improvement: Consider adjusting rule threshold, adding whitelist entries for known benign files, refining detection logic based on CTI classification, or adding KB-based checks to reduce false positive rate."`
* Use `create_fine_tuning_recommendation` with `title=${TASK_TITLE}`, `description=${TASK_DESCRIPTION}`, and `tags=["false-positive", "fine-tuning", "soc1-triage", "malware"]`.
* **For Suspicious/Malicious or Uncertain assessments:**
* **Analyze if a visibility recommendation should be created:**
* **Check for visibility gaps:**
* If CTI data was incomplete or unavailable
* If SIEM file behavior summary lacked critical details
* If network IOC enrichment was limited due to missing data
* If KB data was incomplete for affected hosts/users
* If detection rule lacks context needed for proper assessment
* **If visibility gaps identified:**
* Prepare task title: `VISIBILITY_TITLE = "Improve visibility for malware detection - [specific gap identified]"`
* Prepare task description: `VISIBILITY_DESCRIPTION = "During SOC1 malware triage of Alert ${ALERT_ID} (Case ${CASE_ID} if created), visibility gaps were identified: [list specific gaps]. Impact: [how this gap affected triage]. Recommendations: [specific recommendations - e.g., 'Enhance CTI integration', 'Improve SIEM file behavior logging', 'Add KB data for host patterns']."`
* Use `create_visibility_recommendation` with `title=${VISIBILITY_TITLE}`, `description=${VISIBILITY_DESCRIPTION}`, and `tags=["visibility", "soc1-triage", "malware"]`.
* **Document recommendation creation in case comments or alert notes:**
* If a fine-tuning recommendation was created/updated, mention it in the alert note or case comment.
* If a visibility recommendation was created, mention it in the alert note or case comment.
12. **Action Based on Assessment:**
* **If Benign (High Confidence):**
* Use `close_alert` with `alert_id=${ALERT_ID}`, `reason="benign_true_positive"` (the rule fired correctly on a legitimate file) or `reason="false_positive"` (the detection logic itself misfired), and a detailed comment. Record which of the two applies; the fine-tuning recommendation in step 11 depends on that distinction.
* If case was created, use `update_case_status` with `case_id=${CASE_ID}` and `status="closed"`.
* Set `${ACTION_TAKEN}` = "Closed as benign during SOC1 triage."
* End runbook execution.
* **If Suspicious/Malicious OR If Uncertain:**
* **MUST create case if not already created, with ALL alert details from `${ALERT_COMPLETE_DETAILS}`.**
* Use `update_case_status` with `case_id=${CASE_ID}` and `status="in_progress"` (if suspicious) or `status="open"` (if uncertain).
* **Add Affected Assets:**
* For each host in `AFFECTED_HOSTS` (limit to top 5):
* Use `add_case_asset` with:
* `case_id=${CASE_ID}`
* `asset_name=[hostname]`
* `asset_type="endpoint"`
* `description="Affected endpoint with malware execution. File hash: ${FILE_HASH}. Alert ID: ${ALERT_ID}"`
* `hostname=[hostname]`
* `tags=["malware", "affected", "suspicious"]`
* **Create Task for SOC2:**
* Use `add_case_task` with:
* `case_id=${CASE_ID}`
* `title="Deep Malware Analysis - File Hash: ${FILE_HASH}"`
* `description="Perform comprehensive deep malware analysis for alert ${ALERT_ID} (file hash ${FILE_HASH}). **All alert details documented in case comments.** CTI Classification: [from ${CTI_REPORT_DETAILS}]. Behavior Summary: [from ${BEHAVIOR_SUMMARY}]. Affected Hosts: ${AFFECTED_HOSTS}. Critical Network IOCs: ${CRITICAL_NETWORK_IOCs}. Network IOC Enrichment: ${NETWORK_IOC_ENRICHMENT}. Related Cases: ${RELATED_CASES}. SOC1 Assessment: [Suspicious/Malicious/Uncertain] - requires SOC2 deep analysis including full IOC correlation, threat intelligence analysis, and behavior analysis."`
* `assignee="SOC2"` (or leave empty for SOC2 team assignment)
* `priority="high"` (or "critical" if multiple hosts affected or active threat)
* `status="pending"`
* **If Active Threat (Multiple Hosts or High Severity):**
* Create additional task for SOC3:
* Use `add_case_task` with:
* `case_id=${CASE_ID}`
* `title="Containment Assessment - Active Malware Threat"`
* `description="Assess need for endpoint isolation and containment actions. Alert ID: ${ALERT_ID}. File Hash: ${FILE_HASH}. Affected Hosts: ${AFFECTED_HOSTS}. Threat Level: [High/Critical]. This task should be picked up by SOC3 after SOC2 confirms active threat. If immediate containment is needed, SOC3 should isolate affected endpoints and terminate malicious processes."`
* `assignee="SOC3"` (or leave empty for SOC3 team assignment)
* `priority="high"` (or "critical" if immediate containment needed)
* `status="pending"`
* Set `${ACTION_TAKEN}` = "Escalated to SOC2 for deep malware analysis. Tasks created for SOC2 and SOC3 (if active threat). All alert details documented."
* Set `${ESCALATION_RECOMMENDATION}` = "Escalate to SOC2 for deep malware analysis. Alert ID: ${ALERT_ID}. File Hash: ${FILE_HASH}. Affected Hosts: ${AFFECTED_HOSTS}. Key Indicators: [list key suspicious indicators]. **Note:** If active threat requiring immediate containment, SOC3 task created for containment assessment."
* **Note:** SOC2 will perform deep analysis using `malware_deep_analysis.md` runbook. If containment is needed, SOC2 will escalate to SOC3.
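The decision logic spread across steps 1, 4 through 7, 10 and 12 is easier to audit when written down as code. The following is an added example, not part of this runbook's tooling or of any SOC platform: the tool outputs (`lookup_hash_ti`, `get_file_behavior_summary`, `get_ioc_matches`, `search_cases`) are modelled as plain dicts whose field names are assumptions made here, and the sample hashes, hosts and IOCs are constructed. It shows hash normalization, selection of the top-5 enrichable network IOCs (internal addresses dropped), the Benign/Suspicious/Malicious/Uncertain decision, and the resulting alert/case actions and SOC2/SOC3 tasks.

```python
"""Added example for steps 1, 4-7, 10 and 12; not part of the runbook's tooling.
Tool outputs are modelled as plain dicts whose field names are assumptions made
here; map them onto your platform's real schema."""
import ipaddress
import re
from collections import Counter

HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}

# Ranges that reputation lookups cannot enrich and that must not consume one of
# the top-5 slots: RFC 1918, loopback, link-local, multicast, unspecified, IPv6 equivalents.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "224.0.0.0/4", "0.0.0.0/8",
    "::1/128", "fc00::/7", "fe80::/10", "ff00::/8")]
DOMAIN_RE = re.compile(r"(?=.{1,253}$)(?:[a-z0-9-]{1,63}\.)+[a-z]{2,63}")


def normalise_hash(value):
    """Step 1: (hash_type, lowercase hex) for the MD5/SHA1/SHA256 taken from the alert."""
    h = value.strip().strip("{}").lower()
    if len(h) not in HASH_TYPES or not re.fullmatch(r"[0-9a-f]+", h):
        raise ValueError(f"not an MD5/SHA1/SHA256 hash: {value!r}")
    return HASH_TYPES[len(h)], h


def ioc_kind(value):
    """'ip' or 'domain' for an enrichable network IOC; None if internal or malformed."""
    value = value.strip().lower()
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        return "domain" if DOMAIN_RE.fullmatch(value) else None
    return None if any(ip in net for net in NON_ROUTABLE) else "ip"


def select_critical_iocs(observed, limit=5):
    """Steps 4/6/7: dedupe IOCs from the behaviour summary and related entities,
    drop internal or malformed ones, keep the `limit` most frequently observed."""
    counts = Counter(v.strip().lower() for v in observed if v and v.strip())
    selected = []
    for value, seen in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0])):
        kind = ioc_kind(value)
        if kind:
            selected.append({"value": value, "type": kind, "seen": seen})
        if len(selected) == limit:
            break
    return selected


def assess(cti, behaviour, hosts, ioc_matches, related_cases):
    """Step 10: verdict plus the reasons to cite in COMMENT_TEXT. Only CTI yields
    'Malicious' here; SIEM-side indicators alone yield 'Suspicious', which still escalates."""
    verdict = (cti.get("classification") or "unknown").lower()
    indicators = []
    if any(m.get("matched") for m in ioc_matches):
        indicators.append("contacted a known-bad network IOC")
    if behaviour.get("persistence"):
        indicators.append("persistence mechanism observed")
    if related_cases:
        indicators.append(f"{len(related_cases)} related open case(s)")
    if len(hosts) > 1 and verdict != "benign":  # known-good software is expected to be widespread
        indicators.append(f"executed on {len(hosts)} hosts")
    if verdict == "malicious":
        return "Malicious", [f"CTI: {verdict}"] + indicators
    if verdict == "benign" and not indicators:
        return "Benign", ["CTI: known-good software, no corroborating SIEM indicators"]
    if verdict == "suspicious" or indicators:
        return "Suspicious", [f"CTI: {verdict}"] + indicators
    return "Uncertain", ["CTI: no verdict, no corroborating SIEM indicators"]


def plan_action(assessment, hosts, alert_severity):
    """Step 12: alert/case actions and SOC2/SOC3 tasks. Benign closes as
    benign_true_positive; false_positive is reserved for a misfiring rule."""
    if assessment == "Benign":
        return {"close_alert": True, "close_reason": "benign_true_positive",
                "case_status": "closed", "tasks": []}
    active = len(hosts) > 1 or alert_severity.lower() in ("high", "critical")
    plan = {"close_alert": False, "close_reason": None,
            "case_status": "open" if assessment == "Uncertain" else "in_progress",
            "tasks": [{"assignee": "SOC2", "priority": "critical" if active else "high"}]}
    if active:
        plan["tasks"].append({"assignee": "SOC3", "priority": "high"})
    return plan


def run_example():
    """Constructed sample data (not real alert or tool output) run through the decision."""
    hash_type, file_hash = normalise_hash(" {" + "0123456789ABCDEF" * 4 + "} ")
    observed = ["198.51.100.7", "198.51.100.7", "10.0.0.12", "update.example.net",
                "UPDATE.example.net", "not a domain", "203.0.113.9", "::1"]
    iocs = select_critical_iocs(observed)
    ioc_matches = [{"value": i["value"], "matched": i["value"] == "198.51.100.7"} for i in iocs]
    hosts = ["WS-0142", "WS-0377"]
    assessment, reasons = assess({"classification": "unknown"},
                                 {"persistence": ["HKCU Run key: svcupd"]},
                                 hosts, ioc_matches, related_cases=[])
    return {"hash_type": hash_type, "file_hash": file_hash, "iocs": iocs,
            "assessment": assessment, "reasons": reasons,
            "plan": plan_action(assessment, hosts, alert_severity="medium")}
```

In the constructed run, the file has no CTI verdict but a persistence entry, a contacted IOC with a known-bad match, and execution on two hosts, so it lands on Suspicious with the case set to `in_progress`, a critical SOC2 task and a SOC3 containment-assessment task. The internal address, the loopback address and the malformed entry never reach enrichment.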
## Completion Criteria
The malware alert triage has been successfully completed by SOC1:
* **MANDATORY: Workflow started from `${ALERT_ID}` (never from existing case).**
* **MANDATORY: `get_security_alert_by_id` called as FIRST step to gather ALL alert details.**
* CTI hash lookup has been performed.
* Basic SIEM file report has been obtained.
* Basic behavior summary has been reviewed.
* Basic execution check has been performed.
* Critical network IOCs (top 3-5) have been enriched.
* Related cases have been identified.
* **If case created: ALL alert details included (alert ID, event data, context, detection rule name, timestamps, host/user info).**
* Observables have been attached to the case (if case created).
* **Affected endpoints/assets have been added to the case (if applicable).**
* An assessment has been made (Benign, Suspicious, Malicious, Uncertain).
* **MANDATORY: Results analyzed and recommendations created/updated when appropriate:**
* **For Benign assessments:** Fine-tuning recommendation created or updated (if applicable) to track false positive patterns and improve detection rules.
* **For Suspicious/Malicious/Uncertain assessments:** Visibility recommendation created (if gaps identified) to improve detection capabilities and triage efficiency.
* Appropriate action (closure, escalation to SOC2, or leave as open case with comprehensive details) has been taken.
* **If escalated or left open: Task created for SOC2 with comprehensive investigation requirements and reference to alert details. If active threat: Additional task created for SOC3 containment assessment.**
* All findings and alert details have been documented in the case or alert closure.
## Escalation Criteria
**Escalate to SOC2 if:**
* File is classified as malicious or suspicious by CTI.
* File shows suspicious behavior (network activity, persistence).
* File has been executed on multiple hosts.
* Network IOCs are known malicious.
* Related suspicious cases exist.
**Escalate to SOC3 if:**
* Active threat requiring immediate containment.
* Multiple endpoints affected.
* SOC2 analysis confirms active compromise.
* Containment actions are needed (isolation, process termination).
## Notes
* **MANDATORY: SOC1 MUST ALWAYS START FROM `${ALERT_ID}`** - never begin from existing cases.
* Focus on quick initial triage - deep analysis is SOC2 responsibility.
* Limit enrichment to critical IOCs only (top 3-5) for efficiency.
* **If uncertain about legitimacy: Leave as open case with ALL alert details documented** rather than closing as false positive.
* When in doubt, create case with comprehensive alert details and escalate to SOC2.
* Containment actions require SOC3 authorization and execution.
* Every open case MUST include comprehensive alert details (alert ID, event data, context, detection rule name, timestamps, host/user info) for SOC2 investigation.
* **MANDATORY: Recommendation Analysis and Creation:** After making the assessment, the AI MUST analyze results and create recommendations when appropriate:
* **For Benign assessments:** Check if a fine-tuning recommendation should be created or updated. If a similar recommendation exists, add a comment to it. If not, create a new fine-tuning recommendation with specific improvement suggestions.
* **For Suspicious/Malicious/Uncertain assessments:** Check for visibility gaps (missing CTI data, incomplete SIEM context, detection rule lacks context). If gaps are identified, create a visibility recommendation with specific improvement suggestions.
* This ensures continuous improvement of detection rules and visibility capabilities.
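Step 11 and the recommendation notes above describe a branch that is easy to get wrong in practice: matching an existing fine-tuning recommendation before creating a duplicate, and deciding which visibility gaps are real. The following is an added example, not part of this runbook's tooling or of any SOC platform. It assumes `list_fine_tuning_recommendations` returns dicts with `task_id`, `title` and `tags`, and that the triage evidence has been collected into a dict whose keys (`rule_name`, `cti_classification`, `behavior_summary`, `ioc_enrichment`, `kb_context`, ...) are named here for illustration; the recommendations and alert contexts are constructed sample data.

```python
"""Added example for step 11 of this runbook; not part of the runbook's tooling.
The recommendation and evidence dict shapes are assumptions made here."""
import re


def _norm(text):
    """Lower-case and collapse punctuation so 'Rule: Foo-Bar' matches 'rule foo bar'."""
    return re.sub(r"[^a-z0-9]+", " ", str(text or "").lower()).strip()


def find_matching_recommendation(open_recs, rule_name, alert_type):
    """Match an open recommendation on the detection rule name first (most
    specific), falling back to the alert type; None if nothing matches."""
    for key in (k for k in (_norm(rule_name), _norm(alert_type)) if k):
        for rec in open_recs:
            haystack = " ".join([_norm(rec.get("title"))] + [_norm(t) for t in rec.get("tags", [])])
            if key in haystack:
                return rec
    return None


def build_fine_tuning_recommendation(ctx):
    """Compose the title/description/tags the runbook specifies for a new recommendation."""
    rule = ctx.get("rule_name") or "rule name unavailable"
    return {
        "title": f"Reduce false positives for Malware Detection - {rule}",
        "description": (
            f"Alert {ctx['alert_id']} was assessed as {ctx['assessment']} during SOC1 malware "
            f"triage. Detection Rule: {rule}. File Hash: {ctx['file_hash']}. "
            f"CTI Classification: {ctx.get('cti_classification') or 'unavailable'}. "
            f"Behavior Summary: {ctx.get('behavior_summary') or 'unavailable'}. "
            f"Affected Hosts: {', '.join(ctx.get('hosts', [])) or 'none'}. "
            "Recommendations for improvement: Consider adjusting rule threshold, adding "
            "whitelist entries for known benign files, refining detection logic based on "
            "CTI classification, or adding KB-based checks to reduce false positive rate."),
        "tags": ["false-positive", "fine-tuning", "soc1-triage", "malware"],
    }


# Evidence key -> gap wording from step 11. Missing, empty, "unknown" or
# "unavailable" evidence counts as a gap.
VISIBILITY_CHECKS = [
    ("cti_classification", "CTI data was incomplete or unavailable"),
    ("behavior_summary", "SIEM file behavior summary lacked critical details"),
    ("ioc_enrichment", "network IOC enrichment was limited due to missing data"),
    ("kb_context", "KB data was incomplete for affected hosts/users"),
    ("rule_name", "detection rule lacks context needed for proper assessment"),
]


def detect_visibility_gaps(ctx):
    return [gap for key, gap in VISIBILITY_CHECKS
            if not ctx.get(key) or _norm(ctx[key]) in ("unknown", "unavailable")]


def build_visibility_recommendation(ctx, gaps):
    case = f" (Case {ctx['case_id']})" if ctx.get("case_id") else ""
    return {
        "title": f"Improve visibility for malware detection - {gaps[0]}",
        "description": (
            f"During SOC1 malware triage of Alert {ctx['alert_id']}{case}, visibility gaps "
            f"were identified: {'; '.join(gaps)}. Impact: assessment was '{ctx['assessment']}' "
            "with incomplete evidence, so the alert could not be closed with confidence. "
            "Recommendations: close each gap listed above (e.g. enhance CTI integration, "
            "improve SIEM file behavior logging, add KB data for host patterns)."),
        "tags": ["visibility", "soc1-triage", "malware"],
    }


def step_11(ctx, open_recs):
    """Return (tool_to_call, arguments) for this triage, or (None, None) if no action."""
    if ctx["assessment"] == "Benign":
        match = find_matching_recommendation(open_recs, ctx.get("rule_name"), ctx.get("alert_type"))
        if match:
            comment = (f"Additional benign/malware false positive observed. Alert ID: {ctx['alert_id']}. "
                       f"Case ID: {ctx.get('case_id') or 'none'}. Assessment: {ctx['assessment']}. "
                       f"Details: CTI {ctx.get('cti_classification')}; {ctx.get('behavior_summary')}. "
                       "Consider this additional data point for rule improvement.")
            return "add_comment_to_fine_tuning_recommendation", {"task_id": match["task_id"], "comment_text": comment}
        return "create_fine_tuning_recommendation", build_fine_tuning_recommendation(ctx)
    gaps = detect_visibility_gaps(ctx)
    if gaps:
        return "create_visibility_recommendation", build_visibility_recommendation(ctx, gaps)
    return None, None


# Constructed sample data (not real recommendations or alert evidence).
OPEN_RECS = [
    {"task_id": "FT-0017", "title": "Reduce false positives for Malware Detection - Suspicious Installer Hash",
     "tags": ["fine-tuning", "malware"]},
    {"task_id": "FT-0021", "title": "Tune brute-force threshold", "tags": ["fine-tuning", "auth"]},
]
BENIGN_CTX = {"alert_id": "ALR-1001", "assessment": "Benign", "rule_name": "Suspicious Installer Hash",
              "alert_type": "Malware Detection", "file_hash": "0123456789abcdef" * 4,
              "cti_classification": "benign", "behavior_summary": "signed vendor installer", "hosts": ["WS-0142"]}
UNCERTAIN_CTX = {"alert_id": "ALR-1002", "assessment": "Uncertain", "rule_name": "Suspicious Installer Hash",
                 "file_hash": "fedcba9876543210" * 4, "cti_classification": "unknown",
                 "behavior_summary": "", "ioc_enrichment": {"198.51.100.7": "no reputation data"},
                 "kb_context": "", "hosts": ["WS-0377"], "case_id": "CASE-55"}
```

Matching on the normalised rule name before the alert type matters: the alert type ("Malware Detection") appears in the title of every recommendation this runbook creates, so matching on it first would attach every benign alert to whichever recommendation was created first.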