correlate-ioc
$ npx mdskill add dandye/ai-runbooks/correlate-ioc
Correlate IOCs to reveal prior alerts and active cases.
- Detects if malicious indicators triggered historical security alerts.
- Integrates with SIEM and SOAR platforms for unified data access.
- Aggregates alert counts, severity levels, and case statuses.
- Delivers structured summaries of findings for analyst review.
SKILL.md
.github/skills/correlate-ioc
---
name: correlate-ioc
description: "Check for existing SIEM alerts and case management entries related to IOCs. Use to understand if an indicator has triggered previous alerts or is part of ongoing investigations. Takes IOC list and returns related alerts and cases."
required_roles:
  chronicle: roles/chronicle.viewer
  soar: roles/chronicle.editor
personas: [tier1-analyst, tier2-analyst, tier3-analyst]
---
# Correlate IOC Skill
Check for existing SIEM alerts and cases related to specific Indicators of Compromise.
## Inputs
- `IOC_LIST` - Single IOC or list of IOCs (e.g., `["198.51.100.10", "evil-domain.com"]`)
- *(Optional)* `TIME_FRAME_HOURS` - Lookback period for SIEM alerts (default: 168 = 7 days)
- *(Optional)* `SOAR_CASE_FILTER` - Additional filter for SOAR cases (e.g., `status="OPEN"`)
## Workflow
### Step 1: Correlate SIEM Alerts
Search for alerts containing any IOC in the list:
```
secops-mcp.get_security_alerts(
    query=IOC_based_query,
    hours_back=TIME_FRAME_HOURS
)
```
Store summary in `RELATED_SIEM_ALERTS`:
- Alert count
- Alert types/names
- Severity distribution
- Affected assets
### Step 2: Correlate Cases
Search for cases containing any IOC:
```
secops-soar.list_cases(
    filter=IOC_based_filter + SOAR_CASE_FILTER
)
```
Store summary in `RELATED_SOAR_CASES`:
- Case IDs and names
- Case status
- Case priority
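The two summaries described in Steps 1 and 2, built from already-fetched records, as an added example that is not part of the skill or the project's code. The record field names (`name`, `severity`, `asset`, `indicators`, `id`, `status`, `priority`) and the sample data are constructed assumptions, not the response schema of `secops-mcp` or `secops-soar`.

```python
from collections import Counter

# Constructed sample records; field names are assumptions, not a real schema.
SAMPLE_ALERTS = [
    {"name": "C2 Beacon", "severity": "HIGH", "asset": "ws-014",
     "indicators": ["198.51.100.10"]},
    {"name": "DNS to Known-Bad Domain", "severity": "MEDIUM", "asset": "ws-022",
     "indicators": ["EVIL-DOMAIN.COM."]},
    {"name": "Port Scan", "severity": "LOW", "asset": "srv-003",
     "indicators": ["198.51.100.100", "notevil-domain.com"]},
]
SAMPLE_CASES = [
    {"id": "1001", "name": "Beaconing from ws-014", "status": "OPEN",
     "priority": "HIGH", "indicators": ["198.51.100.10"]},
    {"id": "0987", "name": "Phishing wave", "status": "CLOSED",
     "priority": "LOW", "indicators": ["evil-domain[.]com"]},
]

def normalize(ioc):
    """Refang, lowercase and drop a trailing dot so equal IOCs compare equal."""
    return ioc.strip().lower().replace("[.]", ".").rstrip(".")

def matches(record, iocs):
    # Whole-value comparison: a substring test would match 198.51.100.100
    # against 198.51.100.10, and notevil-domain.com against evil-domain.com.
    return bool({normalize(i) for i in record["indicators"]} & iocs)

def correlate(ioc_list, alerts, cases):
    """Return the Step 1 and Step 2 summaries for a single IOC or a list."""
    raw = [ioc_list] if isinstance(ioc_list, str) else ioc_list
    iocs = {normalize(i) for i in raw}
    hits = [a for a in alerts if matches(a, iocs)]
    related = [c for c in cases if matches(c, iocs)]
    return {
        "RELATED_SIEM_ALERTS": {
            "alert_count": len(hits),
            "alert_types": sorted({a["name"] for a in hits}),
            "severity_distribution": dict(Counter(a["severity"] for a in hits)),
            "affected_assets": sorted({a["asset"] for a in hits}),
        },
        "RELATED_SOAR_CASES": [
            {k: c[k] for k in ("id", "name", "status", "priority")}
            for c in related
        ],
    }
```

The `Port Scan` alert is excluded because neither of its indicators equals an IOC in the list, even though both contain one as a substring.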
## Required Outputs
**After completing this skill, you MUST report these outputs:**
| Output | Description |
|--------|-------------|
| `RELATED_SIEM_ALERTS` | Summary of SIEM alerts related to the IOC(s) |
| `RELATED_CASES` | Summary of cases related to the IOC(s) |
| `CORRELATION_STATUS` | Success/failure status of the correlation |
| `MALICIOUS_CONFIDENCE` | Derived confidence based on alert history: `high`, `medium`, `low`, or `none` |
## Use Cases
1. **Before Investigation** - Check if IOC is already under investigation
2. **During Enrichment** - Understand internal activity for an IOC
3. **Threat Hunt** - Find all alerts/cases related to campaign indicators
4. **Incident Response** - Identify scope of compromise across cases
## Correlation Summary Template
```
IOC Correlation Summary for [IOC_LIST]:
SIEM Alerts (last [TIME_FRAME_HOURS] hours):
- Total alerts: [count]
- Alert types: [list]
- Affected hosts: [list]
Related Cases:
- Open cases: [count] - [IDs]
- Closed cases: [count]
- Related investigations: [summary]
```