# triage-suspicious-login

```
npx mdskill add dandye/ai-runbooks/triage-suspicious-login
```

Analyze login anomalies to decide if escalation is required.
- Investigates impossible travel and untrusted location alerts.
- Integrates with SOAR, SIEM, and GTI for data enrichment.
- Evaluates user history and IP reputation to determine severity.
- Outputs a clear recommendation on whether to escalate the case.
`SKILL.md` (located at `.github/skills/triage-suspicious-login`):
---
name: triage-suspicious-login
description: "Triage suspicious login alerts like impossible travel, untrusted location, or multiple failures. Use when investigating authentication anomalies. Analyzes user history, source IP reputation, login patterns, and determines if escalation is needed."
required_roles:
  chronicle: roles/chronicle.viewer
  soar: roles/chronicle.editor
  gti: GTI Standard
personas: [tier1-analyst, tier2-analyst, tier3-analyst]
---
# Suspicious Login Triage Skill
Guide initial triage of suspicious login alerts (impossible travel, untrusted location, multiple failed logins) for Tier 1 SOC Analysts.
## Inputs
- `CASE_ID` - SOAR case ID containing the alert(s)
- `ALERT_GROUP_IDENTIFIERS` - Alert group identifiers from the case
- *(Optional)* `USER_ID` - The user ID if known upfront
- *(Optional)* `SOURCE_IP` - The source IP if known upfront
## Workflow
### Step 1: Get Case Context
```
secops-soar.get_case_full_details(case_id=CASE_ID)
```
### Step 2: Extract Key Entities
```
secops-soar.list_events_by_alert(case_id=CASE_ID, alert_id=ALERT_ID)
```
Parse events to extract:
- `USER_ID` - The user account
- `SOURCE_IP` - The login source IP
- `HOSTNAME` - The target/source hostname (if available)
### Step 3: User Context (SIEM)
```
secops-mcp.lookup_entity(entity_value=USER_ID)
```
Record: Recent activity, first/last seen, related alerts.
### Step 4: Source IP Enrichment
Use `/enrich-ioc` with IOC_TYPE="IP Address":
- GTI reputation and geolocation
- SIEM entity summary
- IOC match status
### Step 5: Hostname Context (if available)
```
secops-mcp.lookup_entity(entity_value=HOSTNAME)
```
### Step 6: Recent Login Activity
Search for login patterns over the last 96 hours:
```
secops-mcp.search_security_events(
text='metadata.event_type IN ("USER_LOGIN", "AUTH_ATTEMPT") AND principal.user.userid = "USER_ID"',
hours_back=96
)
```
Analyze for:
- Logins from unusual IPs
- Successful logins after failures
- Geographic anomalies (impossible travel)
- Concurrent sessions from different locations
### Step 7: Check Related Cases
Use `/find-relevant-case` with search terms: `[USER_ID, SOURCE_IP, HOSTNAME]`
### Step 8: (Optional) Identity Provider Check
If IdP tools are available (e.g., Okta), check:
- Account status
- MFA enrollment
- Recent legitimate logins
- Password change history
### Step 9: Synthesize & Document
Use `/document-in-case` with findings summary:
```
Suspicious Login Triage for USER_ID from SOURCE_IP:
- User SIEM Summary: [...]
- Source IP GTI: [reputation, geo]
- Login Pattern: [normal/anomalous]
- Related Cases: [...]
- Recommendation: [Close as FP | Escalate to Tier 2]
```
## Required Outputs
**After completing this skill, you MUST report these outputs:**
| Output | Description |
|--------|-------------|
| `LOGIN_VERDICT` | Assessment: `legitimate`, `suspicious`, or `malicious` |
| `ANOMALY_INDICATORS` | What made the login suspicious (impossible travel, new device, etc.) |
| `RELATED_ACTIVITY` | Other suspicious activity from user or source IP |
| `RISK_SCORE` | Numerical risk assessment (0-100) based on findings |
## Decision Matrix
| Finding | Recommendation |
|---------|----------------|
| Known VPN/corporate IP + normal pattern | Close as FP |
| User confirmed travel + MFA used | Close as Benign TP |
| Malicious IP reputation | Escalate |
| Impossible travel + no MFA | Escalate urgently |
| Multiple failures then success from new IP | Escalate |
| Pattern matches user's normal behavior | Close as FP |
## Key Patterns to Detect
**Impossible Travel:**
- Login from NYC, then London 30 mins later
- Check if VPN or cloud service could explain
**Credential Stuffing:**
- Many failures across multiple accounts from same IP
- Success after many failures
**Account Takeover:**
- Login from new device/location
- Followed by password change or MFA modification
**Lateral Movement:**
- Same user logging into many systems rapidly
- Unusual service account activity
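The checks in Steps 4-6, the Decision Matrix and the patterns above can be exercised locally before an analyst ever touches SOAR or SIEM. The following is an added example, not code from the dandye/ai-runbooks skill: it replaces the `/enrich-ioc` and `search_security_events` calls with constructed login events, a constructed corporate-VPN list and a constructed GTI-style reputation table, then applies the impossible-travel and failures-then-success patterns and maps the result onto the skill's Required Outputs (`LOGIN_VERDICT`, `ANOMALY_INDICATORS`, `RISK_SCORE`). The 900 km/h plausibility threshold, the risk weights and all IPs, coordinates and timestamps are assumptions made for the example.

```python
"""Worked suspicious-login triage over constructed events (added example,
not part of the dandye/ai-runbooks skill). No SOAR/SIEM/GTI calls are made;
the enrichment tables below stand in for /enrich-ioc and IdP results."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

@dataclass
class Login:
    ts: datetime
    src_ip: str
    city: str
    lat: float
    lon: float
    success: bool
    mfa: bool

# Constructed enrichment data (documentation-range IPs, made-up verdicts).
KNOWN_VPN_IPS = {"203.0.113.10"}               # corporate VPN egress
IP_REPUTATION = {"198.51.100.7": "malicious"}   # GTI-style reputation
MAX_PLAUSIBLE_KMH = 900.0                       # assumed airliner-speed ceiling

def haversine_km(a: Login, b: Login) -> float:
    """Great-circle distance in km between two login locations."""
    lat1, lon1, lat2, lon2 = map(radians, (a.lat, a.lon, b.lat, b.lon))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def impossible_travel(events: list[Login]) -> list[tuple[Login, Login, float]]:
    """Consecutive successful logins whose implied speed exceeds the ceiling.
    Pairs touching a known VPN/corporate IP are skipped (the runbook's VPN caveat)."""
    hits = []
    succ = sorted((e for e in events if e.success), key=lambda e: e.ts)
    for prev, cur in zip(succ, succ[1:]):
        if prev.src_ip in KNOWN_VPN_IPS or cur.src_ip in KNOWN_VPN_IPS:
            continue
        hours = (cur.ts - prev.ts).total_seconds() / 3600
        if hours <= 0:
            continue
        speed = haversine_km(prev, cur) / hours
        if speed > MAX_PLAUSIBLE_KMH:
            hits.append((prev, cur, speed))
    return hits

def failures_then_success_from_new_ip(events: list[Login], min_failures: int = 3) -> Login | None:
    """'Multiple failures then success from new IP': a success that follows a run of
    at least min_failures failures, from an IP with no earlier success in the window."""
    fails, seen_ok = 0, set()
    for e in sorted(events, key=lambda e: e.ts):
        if e.success:
            if fails >= min_failures and e.src_ip not in seen_ok:
                return e
            fails = 0
            seen_ok.add(e.src_ip)
        else:
            fails += 1
    return None

def triage(events: list[Login]) -> dict:
    """Apply the Decision Matrix and produce the skill's Required Outputs."""
    indicators, score = [], 0
    travel = impossible_travel(events)
    if travel:
        _, cur, _ = travel[-1]
        indicators.append("impossible travel" + ("" if cur.mfa else " without MFA"))
        score += 40 if cur.mfa else 70            # no MFA => 'Escalate urgently'
    stuffed = failures_then_success_from_new_ip(events)
    if stuffed:
        indicators.append(f"success after repeated failures from new IP {stuffed.src_ip}")
        score += 30
    bad_ips = sorted({e.src_ip for e in events if IP_REPUTATION.get(e.src_ip) == "malicious"})
    if bad_ips:
        indicators.append("malicious IP reputation: " + ", ".join(bad_ips))
        score += 50
    score = min(score, 100)
    if score >= 70:
        verdict, rec = "malicious", "Escalate urgently"
    elif score >= 30:
        verdict, rec = "suspicious", "Escalate to Tier 2"
    else:
        verdict, rec = "legitimate", "Close as FP"
    return {"LOGIN_VERDICT": verdict, "ANOMALY_INDICATORS": indicators,
            "RISK_SCORE": score, "RECOMMENDATION": rec}

# Constructed scenarios. NYC/London coordinates are approximate.
T0 = datetime(2024, 1, 15, 9, 0)
NYC = ("New York", 40.71, -74.01)
LON = ("London", 51.51, -0.13)
# A: office login, then the corporate VPN egress an hour later -> normal pattern.
BENIGN = [Login(T0, "192.0.2.5", *NYC, True, True),
          Login(T0 + timedelta(hours=1), "203.0.113.10", *LON, True, True)]
# B: NYC success, three failures from a malicious IP, then a London success
#    30 minutes after NYC without MFA -> the runbook's impossible-travel case.
ATO = [Login(T0, "192.0.2.5", *NYC, True, True),
       Login(T0 + timedelta(minutes=10), "198.51.100.7", *LON, False, False),
       Login(T0 + timedelta(minutes=12), "198.51.100.7", *LON, False, False),
       Login(T0 + timedelta(minutes=14), "198.51.100.7", *LON, False, False),
       Login(T0 + timedelta(minutes=30), "198.51.100.7", *LON, True, False)]

if __name__ == "__main__":
    for name, evs in (("benign", BENIGN), ("ato", ATO)):
        print(name, triage(evs))
```

The VPN skip in `impossible_travel` is the part most worth keeping when adapting this to real SIEM output: without it, every user who hops between an office and a VPN egress in another country trips the rule, which is exactly the false-positive class the "Known VPN/corporate IP + normal pattern" row of the matrix is meant to close. The "User confirmed travel + MFA used" row is deliberately absent because it needs a conversation with the user (or an IdP record), not event data.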