close-case-artifact
$
npx mdskill add dandye/ai-runbooks/close-case-artifactClose cases or alerts with documented reasons and root causes.
- Automates finalizing investigations by enforcing required closure documentation.
- Integrates with SOAR via siemplify_close_case API for execution.
- Validates inputs against predefined reasons and root cause lists.
- Returns confirmation of case or alert closure status to the agent.
SKILL.md
.github/skills/close-case-artifactView on GitHub ↗
---
name: close-case-artifact
description: "Close a case or alert with proper reason and documentation. Use when triage determines an alert is FP/BTP or investigation is complete. Requires artifact ID, type, closure reason, and root cause."
required_roles:
soar: roles/chronicle.editor
personas: [tier1-analyst, tier2-analyst, tier3-analyst, incident-responder]
---
# Close Case Artifact Skill
Close a case or alert with the required reason, root cause, and justification comment.
## Inputs
- `ARTIFACT_ID` - The ID of the case or alert to close
- `ARTIFACT_TYPE` - Either "Case" or "Alert"
- `CLOSURE_REASON` - Must be one of:
- `MALICIOUS` - Confirmed threat
- `NOT_MALICIOUS` - False positive or benign
- `MAINTENANCE` - System/maintenance activity
- `INCONCLUSIVE` - Unable to determine
- `UNKNOWN` - Unknown/other
- `ROOT_CAUSE` - Must match a predefined root cause (use `get_case_settings_root_causes` to list options)
- `CLOSURE_COMMENT` - Detailed justification for closure
- *(Optional)* `ALERT_GROUP_IDENTIFIERS` - Alert group identifiers
- *(Optional, for alerts)* `ASSIGN_TO_USER` - User to assign closed alert to
- *(Optional, for alerts)* `TAGS` - Comma-separated tags
## Workflow
### Step 1: Execute Closure
**For Cases:**
```
secops-soar.siemplify_close_case(
case_id=ARTIFACT_ID,
reason=CLOSURE_REASON,
root_cause=ROOT_CAUSE,
comment=CLOSURE_COMMENT,
alert_group_identifiers=ALERT_GROUP_IDENTIFIERS
)
```
**For Alerts:**
```
secops-soar.siemplify_close_alert(
alert_id=ARTIFACT_ID,
reason=CLOSURE_REASON,
root_cause=ROOT_CAUSE,
comment=CLOSURE_COMMENT,
assign_to_user=ASSIGN_TO_USER,
tags=TAGS
)
```
## Outputs
| Output | Description |
|--------|-------------|
| `CLOSURE_STATUS` | Success/failure status of the closure |
## Common Closure Patterns
| Scenario | Reason | Typical Root Cause |
|----------|--------|-------------------|
| False Positive | `NOT_MALICIOUS` | "Legit action", "Normal behavior" |
| Duplicate | `NOT_MALICIOUS` | "Similar case is already under investigation" |
| Benign True Positive | `NOT_MALICIOUS` | "Legit action" |
| Confirmed Threat (remediated) | `MALICIOUS` | Varies by threat type |
| Unable to determine | `INCONCLUSIVE` | "Insufficient data" |
## Get Valid Root Causes
If unsure of valid root cause values:
```
secops-soar.get_case_settings_root_causes()
```
More from dandye/ai-runbooks
- analyze-content-gapsIdentify content gaps and organizational opportunities. Analyzes missing content areas, redundancies, and consolidation opportunities.
- audit-contentComprehensive content quality and maintenance assessment. Evaluates documentation quality, relevance, maintenance needs, and provides actionable recommendations.
- check-duplicates"Check for duplicate or similar cases. Use before deep analysis to avoid investigating the same incident twice. Takes a CASE_ID and returns list of similar cases."
- cluster-documentsAutomated content similarity and grouping analysis. Groups related documents by topic, purpose, or content similarity.
- confirm-action"Ask the user to confirm before taking a significant action. Use before containment, remediation, or other impactful operations to ensure analyst approval. Presents options and waits for response."
- correlate-ioc"Check for existing SIEM alerts and case management entries related to IOCs. Use to understand if an indicator has triggered previous alerts or is part of ongoing investigations. Takes IOC list and returns related alerts and cases."
- deep-dive-ioc"Perform exhaustive analysis of a critical IOC. Use when an IOC needs Tier 2+ investigation beyond basic enrichment - includes GTI pivoting, deep SIEM searches, correlation with related entities, and threat attribution. For escalated IOCs requiring comprehensive investigation."
- design-metadata-schemaDesign comprehensive metadata frameworks. Develops structured metadata templates and tagging systems.
- document-in-case"Add a comment to a case to document findings, actions, or recommendations. Use to maintain audit trail during investigations. Requires CASE_ID and comment text."
- enrich-ioc"Enrich an IOC (IP, domain, hash, URL) with threat intelligence. Use when you need to look up reputation and context for an indicator using GTI and SIEM. Returns threat intel findings, SIEM entity summary, and IOC match status."