find-relevant-case

```
$ npx mdskill add dandye/ai-runbooks/find-relevant-case
```

Connect new investigations to prior cases using specific search terms.

  • Prevents redundant work by revealing related past investigations.
  • Depends on the list_cases API and optional case detail retrieval.
  • Prioritizes results based on matching indicators, hostnames, or usernames.
  • Delivers matching case IDs and basic priority information to the analyst.

SKILL.md

.github/skills/find-relevant-case
---
name: find-relevant-case
description: "Search for existing cases related to specific indicators or entities. Use to find correlation with other investigations before starting new analysis. Takes search terms and returns matching case IDs."
required_roles:
  soar: roles/chronicle.editor
personas: [tier1-analyst, tier2-analyst, tier3-analyst, incident-responder]
---

# Find Relevant Case Skill

Identify existing cases that may be related to the current investigation based on IOCs, hostnames, usernames, or other entities.

## Inputs

- `SEARCH_TERMS` - List of values to search for (e.g., `["198.51.100.10", "mikeross-pc", "jsmith"]`)
- *(Optional)* `CASE_STATUS_FILTER` - Filter by status: "Opened", "Closed" (default: "Opened")
- *(Optional)* `TIME_FRAME_HOURS` - Lookback period for case creation/update
- *(Optional)* `MAX_RESULTS` - Maximum cases to return

## Workflow

### Step 1: Construct Search Filter

Build a filter for `list_cases` based on search terms and filters.

**Note:** The `list_cases` tool may have limited ability to search within case entities. If direct entity search isn't supported, use broader filters and refine results.

### Step 2: Execute Search

```
secops-soar.list_cases(
    filter=constructed_filter,
    limit=MAX_RESULTS
)
```

### Step 3: Process Results

Extract case IDs and basic details (DisplayName, Priority) from results.

### Step 4: (Optional) Refine Results

If the search returns too many results, call `get_case_full_details` on a subset of candidates to verify that the searched entities are actually present in each case:

```
secops-soar.get_case_full_details(case_id=candidate_case_id)
```

## Outputs

| Output | Description |
|--------|-------------|
| `RELEVANT_CASE_IDS` | List of case IDs that match the search |
| `RELEVANT_CASE_SUMMARIES` | Brief summaries (ID, name, priority) |
| `FIND_CASE_STATUS` | Success/failure status of the search |

## Limitations & Workarounds

The `list_cases` tool may not support direct entity searching. Alternatives:

1. **Broader filters** - Use time range, alert type, then manually review
2. **SIEM correlation** - Search SIEM for entity, check if events belong to a case
3. **Multiple searches** - Search each term separately, combine results
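The workflow above (per-term search, result extraction, entity verification via full case details) together with workarounds 1 and 3 from this section, as an added example that is not part of the dandye/ai-runbooks skill. The `SoarClient` stand-in, its `list_cases`/`get_case_full_details` signatures, the filter keys and the sample case records are all constructed assumptions; the real `secops-soar` tools may accept different arguments. `TIME_FRAME_HOURS` is not modelled.

```python
"""Added example: reference implementation of the find-relevant-case workflow
against a constructed stand-in for the secops-soar tools (assumption, not the
project's own code)."""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Case:
    id: int
    display_name: str
    priority: str
    status: str
    entities: set[str] = field(default_factory=set)


# Constructed sample case store (documentation-range IPs, invented hostnames/users)
SAMPLE_CASES = [
    Case(101, "Phishing - jsmith", "Medium", "Opened", {"jsmith", "198.51.100.10"}),
    Case(102, "Malware on mikeross-pc", "High", "Opened", {"mikeross-pc", "203.0.113.5"}),
    Case(103, "Old brute force", "Low", "Closed", {"198.51.100.10"}),
    Case(104, "Unrelated DLP alert", "Low", "Opened", {"bwyatt"}),
]


class SoarClient:
    """Assumed stand-in for secops-soar. list_cases deliberately filters only on
    status and free text in the display name, mimicking the limitation that
    direct entity search may not be supported."""

    def __init__(self, cases):
        self._cases = {c.id: c for c in cases}

    def list_cases(self, filter, limit):
        status = filter.get("status")
        text = filter.get("text", "").lower()
        hits = [c for c in self._cases.values()
                if (status is None or c.status == status)
                and text in c.display_name.lower()]
        return [{"id": c.id, "DisplayName": c.display_name, "Priority": c.priority}
                for c in hits[:limit]]

    def get_case_full_details(self, case_id):
        c = self._cases[case_id]
        return {"id": c.id, "entities": sorted(c.entities)}


def find_relevant_cases(client, search_terms, case_status_filter="Opened", max_results=50):
    """Return RELEVANT_CASE_IDS, RELEVANT_CASE_SUMMARIES and FIND_CASE_STATUS."""
    # Steps 1-2 / workaround 3: one list_cases call per term, union the candidates.
    candidates = {}
    for term in search_terms:
        rows = client.list_cases({"status": case_status_filter, "text": term}, max_results)
        for row in rows:
            candidates.setdefault(row["id"], row)

    # Workaround 1: if nothing matched by text, fall back to a broader
    # status-only filter and let the verification step below do the filtering.
    if not candidates:
        for row in client.list_cases({"status": case_status_filter}, max_results):
            candidates.setdefault(row["id"], row)

    # Steps 3-4: extract ID/name/priority and verify entity presence in full details.
    wanted = {t.lower() for t in search_terms}
    relevant = []
    for case_id, row in sorted(candidates.items()):
        details = client.get_case_full_details(case_id)
        matched = sorted(wanted & {e.lower() for e in details["entities"]})
        if matched:  # keep only cases where a searched entity is actually present
            relevant.append({"id": case_id, "name": row["DisplayName"],
                             "priority": row["Priority"], "matched": matched})

    return {
        "RELEVANT_CASE_IDS": [r["id"] for r in relevant],
        "RELEVANT_CASE_SUMMARIES": relevant,
        "FIND_CASE_STATUS": "success" if relevant else "no_match",
    }


if __name__ == "__main__":
    client = SoarClient(SAMPLE_CASES)
    print(find_relevant_cases(client, ["198.51.100.10", "mikeross-pc", "jsmith"]))
```

The verification step is what makes the broader-filter fallback safe: a status-only query over-collects, so every candidate is checked against the full entity list before it is reported, and a case that only happens to share a display-name substring with a search term is dropped rather than handed to the analyst as a correlation.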

More from dandye/ai-runbooks

| Skill | Description |
|-------|-------------|
| analyze-content-gaps | Identify content gaps and organizational opportunities. Analyzes missing content areas, redundancies, and consolidation opportunities. |
| audit-content | Comprehensive content quality and maintenance assessment. Evaluates documentation quality, relevance, maintenance needs, and provides actionable recommendations. |
| check-duplicates | Check for duplicate or similar cases. Use before deep analysis to avoid investigating the same incident twice. Takes a CASE_ID and returns list of similar cases. |
| close-case-artifact | Close a case or alert with proper reason and documentation. Use when triage determines an alert is FP/BTP or investigation is complete. Requires artifact ID, type, closure reason, and root cause. |
| cluster-documents | Automated content similarity and grouping analysis. Groups related documents by topic, purpose, or content similarity. |
| confirm-action | Ask the user to confirm before taking a significant action. Use before containment, remediation, or other impactful operations to ensure analyst approval. Presents options and waits for response. |
| correlate-ioc | Check for existing SIEM alerts and case management entries related to IOCs. Use to understand if an indicator has triggered previous alerts or is part of ongoing investigations. Takes IOC list and returns related alerts and cases. |
| deep-dive-ioc | Perform exhaustive analysis of a critical IOC. Use when an IOC needs Tier 2+ investigation beyond basic enrichment, including GTI pivoting, deep SIEM searches, correlation with related entities, and threat attribution. For escalated IOCs requiring comprehensive investigation. |
| design-metadata-schema | Design comprehensive metadata frameworks. Develops structured metadata templates and tagging systems. |
| document-in-case | Add a comment to a case to document findings, actions, or recommendations. Use to maintain audit trail during investigations. Requires CASE_ID and comment text. |