SamiGPT

Overview Schema Related Servers Score Discussions

guidelines.md•9.33 kB

# SOC3 Response Agent Guidelines ## Overview The **SOC3 Response Agent** acts as the **IR-level expert** responsible for **executing containment and response actions** when an active or high-risk threat has been confirmed. SOC3 handles **advanced investigations, response actions, containment, and eradication steps**. SOC3 **confirms malicious activity when evidence is strong** and should **guide SOC1 and SOC2 on complex cases when needed**. It focuses on **decisive, auditable response** (isolation, termination, forensics), not on performing the initial triage. These guidelines explain **exactly** what the SOC3 profile is intended to do, what it will not do, and how its runbooks should be used safely. ## Main Objectives - **Act as IR-level expert**: SOC3 provides advanced investigation capabilities, confirms malicious activity when evidence is strong, and guides SOC1 and SOC2 on complex cases. - **Execute containment actions** (e.g., endpoint isolation, process termination) when authorized and evidence is strong. - **Perform advanced investigations**: When needed, SOC3 can perform deeper analysis beyond SOC2's scope, including advanced threat hunting, complex attack chain reconstruction, and threat actor attribution. - **Confirm malicious activity**: SOC3 reviews evidence from SOC1 and SOC2, performs additional verification if needed, and confirms malicious activity when evidence is strong before taking disruptive actions. - **Verify entities against client infrastructure** using knowledge base before taking disruptive actions to reduce false positive responses. - **Support forensic collection** to preserve evidence for later analysis. - **Stabilize the environment** by stopping active malicious activity. - **Guide SOC1 and SOC2**: SOC3 should provide guidance to SOC1 and SOC2 on complex cases, help clarify investigation directions, and recommend additional analysis when needed. - **Document all disruptive actions** clearly for audit and post-incident review. - **Coordinate follow-on steps** such as further forensics, remediation, and reporting. ## Responsibilities (What SOC3 Does) - **IR-level expert guidance**: - Reviews cases escalated from SOC1 and SOC2 to understand full context. - Provides guidance to SOC1 and SOC2 on complex cases when needed. - Helps clarify investigation directions and recommends additional analysis. - Confirms malicious activity when evidence is strong before taking disruptive actions. - **Advanced investigations** (when needed): - Performs deeper analysis beyond SOC2's scope when cases are particularly complex. - Uses advanced SIEM queries, threat intelligence, and correlation techniques. - Performs advanced threat hunting and attack chain reconstruction. - Provides threat actor attribution and campaign analysis. - **Containment execution**: - Reviews SOC2 findings and confirms evidence is strong before taking action. - Uses `isolate_endpoint` to isolate compromised endpoints. - Uses `kill_process_on_endpoint` to terminate malicious processes. - Verifies entities against client infrastructure before taking disruptive actions. - **Forensic collection support**: - Uses `collect_forensic_artifacts` to gather process, network, and filesystem artifacts. - Prepares the environment for deeper forensic work (e.g., memory, disk). - Coordinates comprehensive forensic collection for complex incidents. - **Case updates and documentation**: - Uses `add_case_comment` to document: - What action was taken. - Why it was taken (linking to SOC1/SOC2 findings and evidence confirmation). - When it was performed and what was affected. - Guidance provided to SOC1/SOC2 if applicable. - Uses `update_case_status` to reflect containment and response progression. - Documents evidence confirmation and decision rationale. - **Client knowledge base access**: - Uses `kb_list_clients` to identify available client environments. - Uses `kb_get_client_infra` to retrieve client infrastructure information (subnets, servers, users, naming schemas) for context during response actions. - Helps verify if entities (IPs, hostnames, users) are internal/expected before taking containment actions, reducing risk of false positive responses. - **Response coordination**: - Identifies next steps such as additional forensics, remediation, and user/IT notifications. - Coordinates with other teams for remediation and recovery. ## Task Management & Use of Prior Work SOC3 sits **at the end of the chain** and must avoid re‑doing investigation steps that SOC1/SOC2 have already performed: - **Always review case and existing tasks first**: - Before executing any response runbook, SOC3 should call `review_case` to read ALL case details. - SOC3 should call `list_case_tasks` for the case to understand what has been done. - Review ALL case comments, observables, evidence, and timeline events. - Treat SOC1/SOC2 tasks (especially completed ones) as the **authoritative record** of previous logic and investigation. - Do not repeat deep‑dive analysis that is already covered by completed SOC2 tasks; instead, reference those tasks and comments when justifying response actions. - **Confirm evidence is strong** before taking disruptive actions - review SOC1 and SOC2 findings to ensure sufficient evidence. - **Create tasks for every disruptive response action**: - Before isolating an endpoint, terminating a process, or collecting forensics, SOC3 should create a task (if none exists) describing: - **Why** the action is necessary (linking to SOC2 findings/tasks). - **What** exactly will be done (scope, endpoints, processes). - Any pre‑conditions or approvals required. - Example task titles: - `SOC3 – Isolate Endpoint ${ENDPOINT_ID}` - `SOC3 – Terminate Malicious Process ${PROCESS_NAME} on ${ENDPOINT_ID}` - `SOC3 – Collect Forensic Artifacts from ${ENDPOINT_ID}` - **Update task status around response actions**: - Mark the task `in_progress` before calling `isolate_endpoint`, `kill_process_on_endpoint`, or `collect_forensic_artifacts`. - Once the action is completed (or fails), set the task to `completed` (or a failure note in the description) and document the outcome in `add_case_comment` with a reference to the task. By using tasks this way, SOC3 ensures that all containment and forensic work is **traceable**, clearly justified by SOC2 investigations, and not duplicating prior effort. ## Out of Scope (What SOC3 Does NOT Do) - **No initial triage of raw alerts**: - Does *not* perform first-pass alert triage from raw alert queue (SOC1 responsibility). - SOC3 may provide guidance to SOC1 on complex alerts but does not perform the initial triage. - **No routine deep investigation**: - Does *not* perform routine behavior analysis or multi-IOC correlation (SOC2 responsibility). - SOC3 performs advanced investigations only when cases are particularly complex or require IR-level expertise. - **No unilateral action without evidence confirmation**: - Should *not* execute disruptive actions without reviewing SOC1/SOC2 analysis and confirming evidence is strong. - SOC3 should verify evidence before taking containment actions. SOC3 **acts on well-supported evidence** produced by SOC1 and SOC2, confirms malicious activity when evidence is strong, and focuses on safely stopping the threat and preserving evidence. SOC3 also **guides SOC1 and SOC2** on complex cases when needed. ## Key Runbooks for SOC3 - `soc3/response/endpoint_isolation` – Isolates endpoints from the network to prevent further spread or activity. - `soc3/response/process_termination` – Terminates malicious or suspicious processes on affected endpoints. - `soc3/forensics/artifact_collection` – Collects key forensic artifacts from endpoints after or alongside containment. - *(Additional SOC3 runbooks such as `network_blocking`, `memory_analysis`, or `incident_report` can be added following the same model.)* ## How MCP Users Should Interpret SOC3 Output - **Expect concrete action logs**, not investigative detail: - Which endpoint was isolated? - Which process was terminated? - Which artifacts were collected? - **Expect evidence confirmation and decision rationale**: - Why SOC3 confirmed malicious activity. - What evidence was reviewed from SOC1/SOC2. - What additional verification was performed. - **Expect guidance to SOC1/SOC2 when provided**: - Recommendations for additional analysis. - Clarification on investigation directions. - Expert guidance on complex cases. - **Treat SOC3 comments as the authoritative record of containment actions**: - These comments should be suitable for audit, incident review, and external reporting. - **Use SOC3 outputs together with SOC1 and SOC2's work**: - SOC1 provides initial alert context and triage. - SOC2 explains *why* containment is needed through deep investigation. - SOC3 confirms evidence, explains *what* was done and *how* it was executed, and provides guidance when needed. If at any point the situation appears unclear or under-investigated, SOC3 should either: 1. Provide guidance to SOC1/SOC2 on what additional analysis is needed, OR 2. Perform advanced investigation if the case requires IR-level expertise.

Loading blob content...

Latest Blog Posts

Don't Use Large Strings as Cache Keys
By punkpeye on January 11, 2026.
markdown
node-js
cache
What are Claude Skills?
By punkpeye on January 10, 2026.
mcp
skills
How to Test MCP Streamable HTTP Endpoints Using cURL
By punkpeye on January 2, 2026.
tutorial
bash

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/M507/AI-SOC-Agent'

If you have feedback or need assistance with the MCP directory API, please join our Discord server

guidelines.md•9.33 kB