# SOC2: Malware Deep Analysis Runbook
Perform comprehensive deep-dive analysis of a malicious file hash case that has been escalated from SOC1. **SOC2 MUST ALWAYS BEGIN FROM CASES (`${CASE_ID}`), NEVER FROM RAW ALERT QUEUE.** This runbook provides thorough investigation including complete behavior analysis, full IOC enrichment, attack chain reconstruction, and containment recommendations. SOC2 should read all case details, complete pending tasks, and fetch additional events from SIEM as needed.
## Scope
This runbook covers:
* Complete file behavior analysis and MITRE ATT&CK mapping.
* Full network IOC enrichment and correlation.
* Process tree analysis and execution chain reconstruction.
* Multi-entity correlation and attack pattern identification.
* Containment recommendations for SOC3.
This runbook explicitly **excludes**:
* Containment execution (SOC3 responsibility).
* Forensic artifact collection (SOC3 responsibility).
* Endpoint isolation (SOC3 responsibility).
## SOC Tier
**Tier:** SOC2 (Tier 2)
**Escalation Target:** SOC3 for containment actions if active threat confirmed
## Inputs
* `${CASE_ID}`: **REQUIRED** - The case ID from the case management system. SOC2 MUST ALWAYS START FROM `${CASE_ID}`, never from raw `${ALERT_ID}`.
* `${FILE_HASH}`: The MD5, SHA1, or SHA256 hash of the malicious file (extracted from case details). If the case records more than one digest for the same file, use the SHA256 value for lookups and note the MD5/SHA1 values as aliases; confirm the value is a plain hex digest of the expected length (32, 40, or 64 characters) before querying any tool with it.
* *(Optional) `${TIME_FRAME_HOURS}`: Lookback period in hours for SIEM searches (default: 72 hours for comprehensive analysis).*
## Outputs
* `${DEEP_ANALYSIS_RESULTS}`: Comprehensive analysis including:
- Complete behavior analysis
- Full IOC enrichment
- Attack chain reconstruction
- MITRE ATT&CK mapping
- Containment recommendations
* `${CONTAINMENT_RECOMMENDATION}`: Recommendation for SOC3 containment actions.
## Tools
* **CTI Tools:** `lookup_hash_ti`
* **SIEM Tools:** `get_file_report`, `get_file_behavior_summary`, `get_entities_related_to_file`, `get_ip_address_report`, `search_security_events`, `search_kql_query`, `lookup_entity`, `pivot_on_indicator`, `get_ioc_matches`, `get_threat_intel`
* **Case Management Tools:** `review_case`, `search_cases`, `add_case_comment`, `attach_observable_to_case`, `update_case_status`, `list_case_timeline_events`, `list_case_tasks`, `add_case_task`, `update_case_task_status`
* **Knowledge Base Tools:** `kb_list_clients`, `kb_get_client_infra`
## Workflow Steps
1. **Receive Case (MANDATORY):**
* **SOC2 MUST ALWAYS START FROM `${CASE_ID}`** - this is the entry point for all SOC2 workflows.
* Obtain the `${CASE_ID}` from the case management system.
* **MUST use `review_case` with `case_id=${CASE_ID}` as the FIRST action.**
* **Read ALL case details:**
* Case title, description, status, priority, tags
* ALL case comments and notes (review from oldest to newest)
* ALL observables (IPs, domains, hashes, URLs, etc.)
* ALL assets (endpoints, servers, users)
* ALL evidence files
* Extract alert details from case description/comments (SOC1 should have documented all alert details including alert ID, event data, detection rule name, timestamps, host/user info)
* Extract `${FILE_HASH}` from case observables or description.
* Optionally obtain `${TIME_FRAME_HOURS}` (default: 72 hours).
* **Review case timeline**: Use `list_case_timeline_events` to understand case history and previous actions.
* **Task Management (Review & Complete Pending Tasks):**
* Use `list_case_tasks` with `case_id=${CASE_ID}` to find ALL existing tasks created by SOC1/SOC2/SOC3.
* **Identify pending tasks**: Review tasks with `status="pending"` and complete them before starting new analysis.
* **Review completed tasks**: Avoid repeating work already covered by completed tasks; instead, consume their findings and reference them.
* If no structured SOC2 malware analysis tasks exist yet for `${FILE_HASH}`, create a set of tasks via `add_case_task`, for example:
* `SOC2 – CTI Analysis for ${FILE_HASH}`
* `SOC2 – File Behavior Analysis for ${FILE_HASH}`
* `SOC2 – Execution Timeline & Process Tree Analysis for ${FILE_HASH}`
* `SOC2 – Network IOC Collection for ${FILE_HASH}`
* `SOC2 – Network IOC Enrichment for ${FILE_HASH}`
* `SOC2 – Attack Chain Reconstruction for ${FILE_HASH}`
* `SOC2 – Multi-Entity Correlation for ${FILE_HASH}`
* `SOC2 – Containment Recommendations for ${FILE_HASH}`
* Each task description should document why the step is needed and what questions it answers, so future runs (and SOC3) can reuse the logic.
* Before starting any of these steps, mark the corresponding task `status="in_progress"` using `update_case_task_status`.
* **Knowledge Base Context:**
* Use `kb_list_clients` to list available client environments.
* If client name is known from case context, use `kb_get_client_infra` with `client_name=<CLIENT_NAME>` to get infrastructure knowledge.
* If client name is unknown, check case observables/comments for client identifiers, or query knowledge base for "all" clients if needed.
* Use knowledge base to understand:
* Expected file locations and patterns
* Network topology and expected network activity
* Infrastructure-specific analysis considerations
2. **Comprehensive CTI Analysis:**
* **Task linkage:** Execute this step under the `SOC2 – CTI Analysis for ${FILE_HASH}` task, managing its status accordingly.
* Use `lookup_hash_ti` with `hash_value=${FILE_HASH}`.
* Use `get_threat_intel` with a query about the file hash to get additional context.
* Record comprehensive CTI data (`${CTI_ANALYSIS}`): threat classification, malware family, threat actor attribution, related campaigns, TTPs.
3. **Complete SIEM File Analysis:**
* **Task linkage:** Execute this step under the `SOC2 – File Behavior Analysis for ${FILE_HASH}` task.
* Use `get_file_report` with `file_hash=${FILE_HASH}`.
* Use `get_file_behavior_summary` with `file_hash=${FILE_HASH}`.
* Record complete analysis (`${FILE_ANALYSIS}`): first/last seen, detection count, affected hosts, process trees, network activity, persistence mechanisms, MITRE ATT&CK techniques.
4. **Comprehensive Execution Analysis (Fetch Additional Events from SIEM):**
* **Task linkage:** Execute this step under the `SOC2 – Execution Timeline & Process Tree Analysis for ${FILE_HASH}` task.
* **SOC2 must fetch additional events beyond what SOC1 gathered:**
* Use `search_security_events` with `hours_back=${TIME_FRAME_HOURS}` and advanced queries:
* Query for all events related to the file hash (execution, file operations, registry, network).
* Use broader time windows and more comprehensive queries than SOC1.
* Use `search_kql_query` for complex queries if needed.
* **Pivot on entities**: For each affected host/user/IP identified, use `pivot_on_indicator` to find related activity.
* Build complete execution timeline across extended time period.
* Identify all affected hosts (`AFFECTED_HOSTS`), users (`AFFECTED_USERS`), and processes (`AFFECTED_PROCESSES`).
* Reconstruct process execution trees (`PROCESS_TREES`).
* Store comprehensive execution data (`${EXECUTION_ANALYSIS}`).
* **Document what additional events were fetched and what new insights were discovered.**
5. **Complete Network IOC Collection:**
* **Task linkage:** Execute this step under the `SOC2 – Network IOC Collection for ${FILE_HASH}` task.
* Use `get_entities_related_to_file` with `file_hash=${FILE_HASH}` to get all related network IOCs.
* Use `pivot_on_indicator` with `indicator=${FILE_HASH}` to find all network-related events.
* Extract all contacted IPs/domains/URLs (`ALL_NETWORK_IOCs`).
* Store comprehensive network activity (`${NETWORK_ANALYSIS}`).
6. **Full Network IOC Enrichment:**
* **Task linkage:** Execute this step under the `SOC2 – Network IOC Enrichment for ${FILE_HASH}` task.
* Initialize `COMPLETE_IOC_ENRICHMENT`. Before enriching, deduplicate `ALL_NETWORK_IOCs`, refang any defanged values (`hxxp://`, `[.]`), and classify each value as an IP, a domain, or a URL; a URL whose host is an IP address is enriched as a URL, not as a bare IP. Note private, loopback, and link-local IPs as internal, since external reputation sources will not have meaningful data for them. For each IOC `Ni` in `ALL_NETWORK_IOCs`:
* If `Ni` is an IP:
* Use `get_ip_address_report` with `ip=Ni`.
* Use `lookup_entity` with `entity_value=Ni` and `entity_type="ip"`.
* Use `pivot_on_indicator` with `indicator=Ni` to find all related events.
* Use `get_ioc_matches` with `ioc_type="ip"` for `Ni`.
* If `Ni` is a domain:
* Use `lookup_entity` with `entity_value=Ni` and `entity_type="domain"`.
* Use `pivot_on_indicator` with `indicator=Ni`.
* Use `get_ioc_matches` with `ioc_type="domain"` for `Ni`.
* If `Ni` is a URL:
* Use `lookup_entity` with `entity_value=Ni` and `entity_type="url"`.
* Use `get_ioc_matches` with `ioc_type="url"` for `Ni`.
* Store comprehensive results in `COMPLETE_IOC_ENRICHMENT[Ni]`, including the IOC type. Any value that could not be classified is recorded in the case comment rather than silently dropped.
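The classification and normalization that step 6 takes for granted, shown as an added example in Python that is not part of the runbook or its tooling: it validates the hash type from the step 1 inputs, refangs defanged indicators, sorts each value into IP, domain, or URL in an order that keeps a URL with an IP host from being enriched as a bare IP, flags non-global IPs as internal, deduplicates, and emits the list of step 6 enrichment calls per IOC. The tool names are the runbook's own; the refanging rules, the domain grammar, and the idea that `get_ioc_matches` takes the IOC value alongside `ioc_type` are assumptions, and no real tool is called.

```python
import ipaddress
import re
from typing import Dict, List, Tuple
from urllib.parse import urlparse

# Hex-digest length -> algorithm, used to sanity-check ${FILE_HASH} before any lookup.
HASH_ALGOS = {32: "md5", 40: "sha1", 64: "sha256"}
# Hostname grammar (assumed): labels of 1-63 chars, no leading/trailing hyphen, alphabetic TLD.
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:(?!-)[a-z0-9-]{1,63}(?<!-)\.)+[a-z]{2,63}$", re.I)
# Enrichment calls per IOC type, as listed in step 6 of the runbook.
ENRICHMENT_CALLS = {
    "ip": ["get_ip_address_report", "lookup_entity", "pivot_on_indicator", "get_ioc_matches"],
    "domain": ["lookup_entity", "pivot_on_indicator", "get_ioc_matches"],
    "url": ["lookup_entity", "get_ioc_matches"],
}


def classify_hash(value: str) -> str:
    """Return md5/sha1/sha256 for a hex digest, or raise so a malformed value is never looked up."""
    v = value.strip().lower()
    if not re.fullmatch(r"[0-9a-f]+", v) or len(v) not in HASH_ALGOS:
        raise ValueError(f"not an MD5/SHA1/SHA256 hex digest: {value!r}")
    return HASH_ALGOS[len(v)]


def refang(ioc: str) -> str:
    """Undo common analyst defanging (hxxp://, [.], (.), [:], [@]) so lookups use the live value."""
    v = re.sub(r"^hxxp(s?)://", r"http\1://", ioc.strip(), flags=re.I)
    for fanged, real in (("[.]", "."), ("(.)", "."), ("[:]", ":"), ("[@]", "@")):
        v = v.replace(fanged, real)
    return v


def classify_ioc(ioc: str) -> str:
    """Return 'url', 'ip' or 'domain', checked in that order: a URL whose host is an IP is still a URL."""
    v = refang(ioc)
    if "://" in v:
        if urlparse(v).netloc:
            return "url"
        raise ValueError(f"URL without a host: {ioc!r}")
    try:
        ipaddress.ip_address(v)  # accepts IPv4 and IPv6
        return "ip"
    except ValueError:
        pass
    if DOMAIN_RE.match(v):
        return "domain"
    raise ValueError(f"unrecognised IOC: {ioc!r}")


def plan_enrichment(iocs: List[str]) -> Tuple[Dict[str, dict], List[str]]:
    """Deduplicate, normalise and type each IOC; return the per-IOC call plan and the rejected values.

    Rejects are returned rather than dropped so the analyst can fix them by hand
    instead of silently losing an indicator.
    """
    plan: Dict[str, dict] = {}
    rejected: List[str] = []
    for raw in iocs:
        try:
            kind = classify_ioc(raw)
        except ValueError:
            rejected.append(raw)
            continue
        key = refang(raw)
        if kind == "domain":
            key = key.lower().rstrip(".")  # DNS names are case-insensitive; drop a trailing root dot
        entry = {"type": kind, "calls": list(ENRICHMENT_CALLS[kind])}
        if kind == "ip":
            # RFC 1918, loopback, link-local etc. get no useful external reputation data.
            entry["internal"] = not ipaddress.ip_address(key).is_global
        plan.setdefault(key, entry)
    return plan, rejected
```

The plan is keyed by the normalised value, so the same address pasted twice with different whitespace or defanging yields one enrichment pass, and `rejected` carries anything that should go into the case comment as unclassified.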
7. **Attack Chain Reconstruction:**
* **Task linkage:** Execute this step under the `SOC2 – Attack Chain Reconstruction for ${FILE_HASH}` task.
* Analyze process trees, network activity, and file operations to reconstruct the attack chain.
* Map to MITRE ATT&CK framework:
* Initial Access
* Execution
* Persistence
* Privilege Escalation
* Defense Evasion
* Credential Access
* Discovery
* Lateral Movement
* Collection
* Exfiltration
* Command and Control
* Store attack chain (`${ATTACK_CHAIN}`) and MITRE mapping (`${MITRE_TTPs}`).
8. **Multi-Entity Correlation:**
* **Task linkage:** Execute this step under the `SOC2 – Multi-Entity Correlation for ${FILE_HASH}` task.
* Use `search_cases` with comprehensive search terms including all IOCs, hosts, and users.
* Correlate with other security events using `pivot_on_indicator` for key entities.
* Identify related attacks, campaigns, or threat actors (`${CORRELATION_RESULTS}`).
9. **Attach All Observables to Case:**
* Compare against the observables already on the case (read in step 1) and skip values that are already attached, so the case does not accumulate duplicates.
* Attach the file hash if it is not already present: Use `attach_observable_to_case` with `case_id=${CASE_ID}`, `observable_type="hash"`, `observable_value=${FILE_HASH}`.
* For each IOC in `ALL_NETWORK_IOCs` not already on the case:
* Use `attach_observable_to_case` with `case_id=${CASE_ID}`, appropriate `observable_type`, `observable_value=Ni`, and a description including enrichment data (verdict, first/last seen, related events).
10. **Containment Recommendations:**
* Classify the threat before recommending actions. Treat it as **active** if the file executed within the lookback window (`${TIME_FRAME_HOURS}`), a process from its execution tree is still running, or traffic to an enriched C2 IOC is still observed; treat it as **historical** if the only execution evidence is older than the lookback window and no related process or network activity persists. Record which criterion applied.
* Based on the analysis, prepare containment recommendations:
* **If active threat confirmed:**
* Endpoint isolation for affected hosts (`AFFECTED_HOSTS`)
* Process termination for malicious processes (`AFFECTED_PROCESSES`)
* Network blocking for malicious IOCs (entries in `ALL_NETWORK_IOCs` with a malicious verdict)
* File quarantine
* **If historical threat:**
* Endpoint investigation
* IOC blocking for prevention
* Monitoring recommendations
* Store recommendations in `${CONTAINMENT_RECOMMENDATION}`, listing the specific hosts, processes, and IOCs each action applies to so SOC3 can execute without re-deriving them.
11. **Synthesize & Document (Update Case with Findings):**
* Combine all findings: `${CTI_ANALYSIS}`, `${FILE_ANALYSIS}`, `${EXECUTION_ANALYSIS}`, `${NETWORK_ANALYSIS}`, `COMPLETE_IOC_ENRICHMENT`, `${ATTACK_CHAIN}`, `${MITRE_TTPs}`, `${CORRELATION_RESULTS}`, `${CONTAINMENT_RECOMMENDATION}`.
* Include knowledge base findings (infrastructure context, expected patterns, network topology insights) in the analysis.
* **Document what was reviewed from case**: Reference original alert details from SOC1, previous comments, completed tasks.
* **Document what additional analysis was performed**: What additional events were fetched from SIEM, what pivots were performed, what new insights were discovered.
* Prepare comprehensive comment: `COMMENT_TEXT = "SOC2 Deep Malware Analysis for Case ${CASE_ID} (Hash ${FILE_HASH}): **Case Context Reviewed:** [summary of case details, alert info from SOC1, previous comments]. **Additional SIEM Analysis:** [what additional events were fetched, pivots performed, time windows expanded]. CTI Analysis: [...]. File Analysis: [...]. Execution Analysis: [...]. Network Analysis: [...]. Complete IOC Enrichment: [...]. Attack Chain: [...]. MITRE ATT&CK Techniques: [...]. Correlation Results: [...]. Infrastructure Context (KB): [...]. Containment Recommendations: ${CONTAINMENT_RECOMMENDATION}. **Next Steps:** [Escalate to SOC3 for containment if active threat | Monitor if historical]"`
* Use `add_case_comment` with `case_id=${CASE_ID}` and `content=${COMMENT_TEXT}`.
* **Update case observables**: Attach any new IOCs discovered during investigation.
* **Update case status/priority** if findings warrant it.
* **Task Management:**
* For each SOC2 task created for this hash (CTI, behavior, execution, network collection, enrichment, attack chain, correlation, containment), use `update_case_task_status` with `status="completed"` once the corresponding work is done and reflected in comments.
* Ensure all pending tasks from SOC1 have been addressed.
12. **Action Based on Analysis:**
* **If active threat confirmed:**
* Use `update_case_status` with `case_id=${CASE_ID}` and `status="in_progress"`.
* Set `${ACTION_TAKEN}` = "Escalated to SOC3 for containment actions."
* **Note:** SOC3 will execute containment using appropriate runbooks.
* **If historical threat:**
* Document findings and recommendations.
* Set `${ACTION_TAKEN}` = "Analysis complete. Monitoring recommended."
## Completion Criteria
The malware deep analysis has been successfully completed by SOC2:
* **MANDATORY: Workflow started from `${CASE_ID}` (never from raw alert).**
* **MANDATORY: `review_case` called as FIRST step to read ALL case details (comments, tasks, observables, evidence).**
* **MANDATORY: All pending tasks reviewed and completed.**
* Comprehensive CTI analysis performed.
* Complete file behavior analysis obtained.
* **Additional events fetched from SIEM beyond what SOC1 gathered.**
* **Pivots performed on hosts, users, IPs, and timelines to find related activity.**
* Full execution analysis and process tree reconstruction completed.
* All network IOCs collected and fully enriched.
* Attack chain reconstructed and mapped to MITRE ATT&CK.
* Multi-entity correlation performed.
* All observables attached to case.
* Containment recommendations prepared.
* **Case updated with findings**: New comments, observables, status/priority updates.
* Comprehensive documentation completed including what additional analysis was performed.
* Appropriate escalation to SOC3 (if needed) performed.
## Escalation Criteria to SOC3
Escalate to SOC3 if:
* Active threat confirmed (file currently executing or recently executed).
* Multiple endpoints affected.
* Containment actions required (isolation, process termination, network blocking).
* Active data exfiltration detected.
* Lateral movement confirmed.
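Steps 4, 10 and 12 and the escalation criteria above all rest on the same derived facts: which processes descend from the malicious file, which hosts and users they touch, when the hash last executed, and whether more than one endpoint is involved. The following is an added example in Python, not part of the runbook, that computes those from a constructed set of SIEM events whose field names (`ts`, `host`, `user`, `pid`, `ppid`, `process`, `hash`, `dest`) are assumptions about what `search_security_events` returns. The process tree is keyed by pid, which real telemetry reuses, so a production version would key on the EDR's process GUID and bound the search to the lookback window; the "same user, same file, second host" rule is offered as a suspected-lateral-movement signal, not confirmation.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Stand-in for ${FILE_HASH}: the SHA256 of empty input, used only so the sample data is self-contained.
FILE_HASH = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"

# Constructed sample of what the step 4 SIEM search might return (field names are assumptions).
# outlook.exe spawns the malicious invoice.exe on WS-01, which spawns powershell.exe that
# beacons out; the same user then runs the same file on SRV-02.
EVENTS = [
    {"ts": "2024-05-01T10:00:00Z", "host": "WS-01", "user": "alice", "type": "process_start",
     "pid": 400, "ppid": 120, "process": "outlook.exe"},
    {"ts": "2024-05-01T10:01:10Z", "host": "WS-01", "user": "alice", "type": "process_start",
     "pid": 412, "ppid": 400, "process": "invoice.exe", "hash": FILE_HASH},
    {"ts": "2024-05-01T10:01:15Z", "host": "WS-01", "user": "alice", "type": "process_start",
     "pid": 430, "ppid": 412, "process": "powershell.exe"},
    {"ts": "2024-05-01T10:02:00Z", "host": "WS-01", "user": "alice", "type": "network",
     "pid": 430, "process": "powershell.exe", "dest": "203.0.113.5"},
    {"ts": "2024-05-01T10:05:00Z", "host": "SRV-02", "user": "alice", "type": "process_start",
     "pid": 900, "ppid": 1, "process": "invoice.exe", "hash": FILE_HASH},
]


def parse_ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def malicious_pids(events, file_hash):
    """Per host: pids spawned, transitively, by any process whose image hash matches.

    Keyed by (host, pid) only. Real telemetry reuses pids, so key on the EDR's
    process GUID in production.
    """
    children = defaultdict(lambda: defaultdict(set))  # host -> ppid -> {pid}
    roots = defaultdict(set)                          # host -> pids running the hash
    for e in events:
        if e["type"] != "process_start":
            continue
        children[e["host"]][e["ppid"]].add(e["pid"])
        if e.get("hash") == file_hash:
            roots[e["host"]].add(e["pid"])
    tree = {}
    for host, pids in roots.items():
        seen, stack = set(), list(pids)
        while stack:  # depth-first walk down the child links
            pid = stack.pop()
            if pid not in seen:
                seen.add(pid)
                stack.extend(children[host][pid])
        tree[host] = {"roots": pids, "pids": seen}
    return tree


def ancestry(events, host, pid):
    """Walk parent links upward to render a chain such as 'outlook.exe > invoice.exe > powershell.exe'."""
    by_pid = {e["pid"]: e for e in events if e["type"] == "process_start" and e["host"] == host}
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid]["process"])
        pid = by_pid[pid]["ppid"]
    return " > ".join(reversed(chain))


def assess(events, file_hash, now_iso, active_window_hours=24):
    """Derive AFFECTED_HOSTS/USERS, C2 contacts, the active/historical verdict and escalation reasons."""
    now = parse_ts(now_iso)
    tree = malicious_pids(events, file_hash)

    def in_tree(e):
        return e["host"] in tree and e["pid"] in tree[e["host"]]["pids"]

    execs = [e for e in events if e["type"] == "process_start" and e.get("hash") == file_hash]
    last_exec = max(parse_ts(e["ts"]) for e in execs) if execs else None
    # "Active" here means the hash executed inside the window; a live check for still-running
    # processes would be added alongside this in a real run.
    active = last_exec is not None and now - last_exec <= timedelta(hours=active_window_hours)
    user_hosts = defaultdict(set)
    for e in execs:
        user_hosts[e["user"]].add(e["host"])
    # Same account launching the same file on a second host: suspected lateral movement only.
    lateral = any(len(hosts) > 1 for hosts in user_hosts.values())
    reasons = []
    if active:
        reasons.append(f"executed within the last {active_window_hours}h")
    if len(tree) > 1:
        reasons.append("multiple endpoints affected")
    if lateral:
        reasons.append("suspected lateral movement")
    return {
        "hosts": sorted(tree),
        "users": sorted({e["user"] for e in events if in_tree(e)}),
        "c2": sorted({e["dest"] for e in events if e["type"] == "network" and in_tree(e)}),
        "trees": {h: [ancestry(events, h, p) for p in sorted(t["pids"])] for h, t in tree.items()},
        "last_exec": last_exec.isoformat() if last_exec else None,
        "active": active,
        "escalate": bool(reasons),
        "reasons": reasons,
    }
```

With the sample data and a `now_iso` two hours after the last execution, the result is active with two hosts and a suspected lateral move, so `escalate` is true. Moving `now_iso` nine days later makes it historical, yet `escalate` stays true because two endpoints are affected; only a single-host, out-of-window case yields no escalation reason.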
## Notes
* **MANDATORY: SOC2 MUST ALWAYS START FROM `${CASE_ID}`** - never begin from raw `${ALERT_ID}` in the alert queue.
* **MANDATORY: Read ALL case details first** - review case comments, tasks, observables, evidence, and previous actions before starting new analysis.
* **MANDATORY: Complete pending tasks** - identify and complete any pending tasks from SOC1 or previous SOC2 work before starting new analysis.
* This is a comprehensive deep analysis runbook for SOC2.
* Take time to perform thorough analysis - this is not a quick triage.
* **Fetch additional events from SIEM** - use broader time windows and more comprehensive queries than SOC1.
* **Perform pivots** - pivot on hosts, users, IPs, domains, and timelines to find related activity.
* **Update case with findings** - document what additional analysis was performed and what new insights were discovered.
* Document all findings comprehensively for SOC3 and future reference.
* Containment actions require SOC3 authorization and execution.