enrich-ioc
$ npx mdskill add dandye/ai-runbooks/enrich-ioc

Enrich indicators with reputation and context via GTI and SIEM.
- Reveals malicious reputation and campaign links for any IOC.
- Depends on GTI and Chronicle SIEM for data retrieval.
- Classifies threats based on automated reputation scoring.
- Outputs structured findings, entity summaries, and match status.
SKILL.md (`.github/skills/enrich-ioc`)
---
name: enrich-ioc
description: "Enrich an IOC (IP, domain, hash, URL) with threat intelligence. Use when you need to look up reputation and context for an indicator using GTI and SIEM. Returns threat intel findings, SIEM entity summary, and IOC match status."
required_roles:
  chronicle: roles/chronicle.viewer
  gti: GTI Standard
personas: [tier1-analyst, tier2-analyst, tier3-analyst, threat-hunter, incident-responder]
---

# Enrich IOC Skill

Perform standardized enrichment for a single Indicator of Compromise (IOC) using Google Threat Intelligence (GTI) and Chronicle SIEM.

## Inputs

- `IOC_VALUE` - The indicator value (e.g., "198.51.100.10", "evil-domain.com", "abcdef123456...", "http://bad.url/path")
- `IOC_TYPE` - The type: "IP Address", "Domain", "File Hash", or "URL"

## Workflow

### Step 1: GTI Enrichment

Based on IOC_TYPE, call the appropriate GTI tool:

| IOC Type | Tool | Example |
|----------|------|---------|
| IP Address | `gti-mcp.get_ip_address_report` | `get_ip_address_report(ip_address="198.51.100.10")` |
| Domain | `gti-mcp.get_domain_report` | `get_domain_report(domain="evil-domain.com")` |
| File Hash | `gti-mcp.get_file_report` | `get_file_report(hash="abcdef123...")` |
| URL | `gti-mcp.get_url_report` | `get_url_report(url="http://bad.url/path")` |

Store key findings in `GTI_FINDINGS`:

- Reputation score
- Classification (malicious, suspicious, clean)
- Key relationships (contacted domains, IPs, etc.)
- Associated malware families or campaigns

**Error Handling:** If GTI fails (quota exceeded, IOC not found), note the limitation and proceed with SIEM enrichment.

### Step 2: SIEM Entity Lookup

```
secops-mcp.lookup_entity(entity_value=IOC_VALUE)
```

Store in `SIEM_ENTITY_SUMMARY`:

- First/last seen timestamps
- Related alerts
- Associated assets/users

### Step 3: SIEM IOC Match Check

```
secops-mcp.get_ioc_matches()
```

Check if IOC_VALUE appears in results. Store Yes/No in `SIEM_IOC_MATCH_STATUS`.

## Required Outputs

**After completing this skill, you MUST report these outputs:**

| Output | Description |
|--------|-------------|
| `GTI_FINDINGS` | Summary of GTI report (reputation, classification, relationships) |
| `SIEM_SUMMARY` | SIEM entity context (first/last seen, related alerts) |
| `IOC_MATCH_STATUS` | Yes/No - whether IOC appears in recent threat feed matches |
| `THREAT_SCORE` | Numerical threat score (0-100) based on GTI reputation |
| `MALICIOUS_CONFIDENCE` | Confidence level: `high`, `medium`, `low`, or `none` |

## Quick Reference

**GTI Tools:**

- `get_ip_address_report(ip_address)`
- `get_domain_report(domain)`
- `get_file_report(hash)`
- `get_url_report(url)`

**SIEM Tools:**

- `lookup_entity(entity_value)`
- `get_ioc_matches()`
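The three-step workflow above, written out as an added Python example that is not part of the enrich-ioc skill or the ai-runbooks project. The real skill drives the `gti-mcp.*` and `secops-mcp.*` MCP tools from an agent; here those tools are injected callables so the orchestration can run offline. The stand-in report schema (`reputation`, `classification`, `relationships`, `malware_families`), the demo tool builder, `classify_ioc`, and the classification-to-score mapping in `assess` are all assumptions, since the skill names the outputs but does not define how `THREAT_SCORE` or `MALICIOUS_CONFIDENCE` are derived. The example also shows the Step 1 error path (GTI quota/not-found) falling through to the SIEM steps with the limitation recorded.

```python
"""Orchestration of the enrich-ioc workflow with injected tool callables (added example)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Any, Callable, Dict, Optional, Tuple
from urllib.parse import urlparse

# Step 1 dispatch table: IOC_TYPE -> (GTI tool name, keyword parameter), as in the skill.
GTI_TOOL_BY_TYPE = {
    "IP Address": ("get_ip_address_report", "ip_address"),
    "Domain": ("get_domain_report", "domain"),
    "File Hash": ("get_file_report", "hash"),
    "URL": ("get_url_report", "url"),
}
_HASH_RE = re.compile(r"[0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64}")   # MD5 / SHA-1 / SHA-256
_DOMAIN_RE = re.compile(r"(?:[a-zA-Z0-9-]{1,63}\.)+[a-zA-Z]{2,63}")


def classify_ioc(value: str) -> str:
    """Derive IOC_TYPE from IOC_VALUE when the caller has not supplied it (assumed helper)."""
    value = value.strip()
    try:
        ipaddress.ip_address(value)
        return "IP Address"
    except ValueError:
        pass
    if _HASH_RE.fullmatch(value):
        return "File Hash"
    parsed = urlparse(value)
    if parsed.scheme and parsed.netloc:
        return "URL"
    if _DOMAIN_RE.fullmatch(value):
        return "Domain"
    raise ValueError(f"unrecognised IOC value: {value!r}")


@dataclass
class EnrichmentResult:
    gti_findings: Optional[Dict[str, Any]]   # GTI_FINDINGS; None when GTI failed
    gti_error: Optional[str]                 # the noted limitation, if any
    siem_summary: Dict[str, Any]             # SIEM_SUMMARY
    ioc_match_status: str                    # IOC_MATCH_STATUS: "Yes" / "No"
    threat_score: Optional[int]              # THREAT_SCORE, 0-100
    malicious_confidence: str                # high / medium / low / none


def value_appears(obj: Any, needle: str) -> bool:
    """Step 3: schema-agnostic search for IOC_VALUE anywhere inside get_ioc_matches() output."""
    if isinstance(obj, str):
        return obj.lower() == needle.lower()
    if isinstance(obj, dict):
        return any(value_appears(v, needle) for v in obj.values())
    if isinstance(obj, (list, tuple)):
        return any(value_appears(v, needle) for v in obj)
    return False


def assess(findings: Optional[Dict[str, Any]]) -> Tuple[Optional[int], str]:
    """Assumed mapping from GTI classification to THREAT_SCORE and MALICIOUS_CONFIDENCE."""
    if findings is None:
        return None, "none"
    table = {"malicious": (90, "high"), "suspicious": (60, "medium"), "clean": (10, "low")}
    return table.get(findings.get("classification"), (None, "none"))


def enrich_ioc(ioc_value: str, ioc_type: Optional[str],
               gti_tools: Dict[str, Callable[..., Any]],
               siem_tools: Dict[str, Callable[..., Any]]) -> EnrichmentResult:
    ioc_type = ioc_type or classify_ioc(ioc_value)
    tool_name, param = GTI_TOOL_BY_TYPE[ioc_type]            # KeyError for an unsupported type
    findings, gti_error = None, None
    try:                                                     # Step 1: GTI enrichment
        report = gti_tools[tool_name](**{param: ioc_value})
        findings = {k: report.get(k) for k in ("reputation", "classification", "relationships", "malware_families")}
    except Exception as exc:                                 # quota exceeded / not found: note it, keep going
        gti_error = f"{type(exc).__name__}: {exc}"
    siem_summary = siem_tools["lookup_entity"](entity_value=ioc_value)      # Step 2
    matched = value_appears(siem_tools["get_ioc_matches"](), ioc_value)     # Step 3
    score, confidence = assess(findings)
    return EnrichmentResult(findings, gti_error, siem_summary, "Yes" if matched else "No", score, confidence)


def build_demo_tools(fail_on=()):
    """Constructed stand-ins for the MCP tools; the report schema is hypothetical, not GTI's."""
    reports = {
        "198.51.100.10": {"reputation": -52, "classification": "malicious",
                          "relationships": {"contacted_domains": ["evil-domain.com"]},
                          "malware_families": ["ConstructedRAT"]},
        "evil-domain.com": {"reputation": -8, "classification": "suspicious",
                            "relationships": {}, "malware_families": []},
    }

    def make_gti(param):
        def tool(**kwargs):
            value = kwargs[param]
            if value in fail_on:
                raise RuntimeError("quota exceeded")         # simulated GTI outage
            if value not in reports:
                raise LookupError("IOC not found")
            return reports[value]
        return tool

    gti = {name: make_gti(param) for name, param in GTI_TOOL_BY_TYPE.values()}
    siem = {
        "lookup_entity": lambda entity_value: {"entity": entity_value, "first_seen": "2024-01-01T00:00:00Z",
                                               "last_seen": "2024-01-03T12:00:00Z", "related_alerts": 2},
        "get_ioc_matches": lambda: [{"ioc": {"value": "198.51.100.10", "type": "ip"}, "feed": "constructed-feed"}],
    }
    return gti, siem


if __name__ == "__main__":
    gti, siem = build_demo_tools()
    print(enrich_ioc("198.51.100.10", None, gti, siem))
    gti, siem = build_demo_tools(fail_on=("evil-domain.com",))
    print(enrich_ioc("evil-domain.com", "Domain", gti, siem))
```

Replacing the two demo dictionaries with wrappers around the real MCP calls is the only change needed to run this against live GTI and SIEM; `value_appears` deliberately walks the whole `get_ioc_matches()` result rather than assuming a field name, so it keeps working if the match record layout differs from the constructed one.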
More from dandye/ai-runbooks
- analyze-content-gaps - Identify content gaps and organizational opportunities. Analyzes missing content areas, redundancies, and consolidation opportunities.
- audit-content - Comprehensive content quality and maintenance assessment. Evaluates documentation quality, relevance, maintenance needs, and provides actionable recommendations.
- check-duplicates - Check for duplicate or similar cases. Use before deep analysis to avoid investigating the same incident twice. Takes a CASE_ID and returns list of similar cases.
- close-case-artifact - Close a case or alert with proper reason and documentation. Use when triage determines an alert is FP/BTP or investigation is complete. Requires artifact ID, type, closure reason, and root cause.
- cluster-documents - Automated content similarity and grouping analysis. Groups related documents by topic, purpose, or content similarity.
- confirm-action - Ask the user to confirm before taking a significant action. Use before containment, remediation, or other impactful operations to ensure analyst approval. Presents options and waits for response.
- correlate-ioc - Check for existing SIEM alerts and case management entries related to IOCs. Use to understand if an indicator has triggered previous alerts or is part of ongoing investigations. Takes IOC list and returns related alerts and cases.
- deep-dive-ioc - Perform exhaustive analysis of a critical IOC. Use when an IOC needs Tier 2+ investigation beyond basic enrichment - includes GTI pivoting, deep SIEM searches, correlation with related entities, and threat attribution. For escalated IOCs requiring comprehensive investigation.
- design-metadata-schema - Design comprehensive metadata frameworks. Develops structured metadata templates and tagging systems.
- document-in-case - Add a comment to a case to document findings, actions, or recommendations. Use to maintain audit trail during investigations. Requires CASE_ID and comment text.