document-in-case

Name: document-in-case
Author: dandye/ai-runbooks

$npx mdskill add dandye/ai-runbooks/document-in-case

Document case findings and recommendations via a single comment.

Creates an audit trail for investigators reviewing SOAR cases.
Depends on the SOAR API to post comments to specific cases.
Uses input templates to structure findings and triage decisions.
Returns a status code confirming whether the comment succeeded.

SKILL.md

.github/skills/document-in-caseView on GitHub ↗

---
name: document-in-case
description: "Add a comment to a case to document findings, actions, or recommendations. Use to maintain audit trail during investigations. Requires CASE_ID and comment text."
required_roles:
  soar: roles/chronicle.editor
personas: [tier1-analyst, tier2-analyst, tier3-analyst, threat-hunter, incident-responder]
---

# Document in Case Skill

Add a standardized comment to a case to document findings, actions taken, or recommendations.

## Inputs

- `CASE_ID` - The SOAR case ID to add the comment to
- `COMMENT_TEXT` - The full text of the comment to be added
- *(Optional)* `ALERT_GROUP_IDENTIFIERS` - Alert group identifiers if required

## Workflow

### Step 1: Post Comment

```
secops-soar.post_case_comment(
    case_id=CASE_ID,
    comment=COMMENT_TEXT,
    alert_group_identifiers=ALERT_GROUP_IDENTIFIERS  // if provided
)
```

### Step 2: Verify Status

Check the API response to confirm the comment was posted successfully.

## Outputs

| Output | Description |
|--------|-------------|
| `COMMENT_POST_STATUS` | Success/failure status of the comment posting |

## Comment Templates

**Enrichment Summary:**
```
IOC Enrichment for [IOC_VALUE] ([IOC_TYPE]):
- GTI Reputation: [score/classification]
- SIEM Activity: [first/last seen, alert count]
- IOC Match: [Yes/No]
- Assessment: [Low/Medium/High risk]
- Recommendation: [next steps]
```

**Triage Decision:**
```
Alert Triage Complete:
- Classification: [FP/BTP/TP/Suspicious]
- Key Findings: [summary]
- Rationale: [why this classification]
- Action Taken: [closed/escalated]
```

**Investigation Update:**
```
Investigation Update [timestamp]:
- Actions Completed: [list]
- Findings: [summary]
- Next Steps: [planned actions]
```

More from dandye/ai-runbooks

Skill	Description
analyze-content-gaps	Identify content gaps and organizational opportunities. Analyzes missing content areas, redundancies, and consolidation opportunities.
audit-content	Comprehensive content quality and maintenance assessment. Evaluates documentation quality, relevance, maintenance needs, and provides actionable recommendations.
check-duplicates	"Check for duplicate or similar cases. Use before deep analysis to avoid investigating the same incident twice. Takes a CASE_ID and returns list of similar cases."
close-case-artifact	"Close a case or alert with proper reason and documentation. Use when triage determines an alert is FP/BTP or investigation is complete. Requires artifact ID, type, closure reason, and root cause."
cluster-documents	Automated content similarity and grouping analysis. Groups related documents by topic, purpose, or content similarity.
confirm-action	"Ask the user to confirm before taking a significant action. Use before containment, remediation, or other impactful operations to ensure analyst approval. Presents options and waits for response."
correlate-ioc	"Check for existing SIEM alerts and case management entries related to IOCs. Use to understand if an indicator has triggered previous alerts or is part of ongoing investigations. Takes IOC list and returns related alerts and cases."
deep-dive-ioc	"Perform exhaustive analysis of a critical IOC. Use when an IOC needs Tier 2+ investigation beyond basic enrichment - includes GTI pivoting, deep SIEM searches, correlation with related entities, and threat attribution. For escalated IOCs requiring comprehensive investigation."
design-metadata-schema	Design comprehensive metadata frameworks. Develops structured metadata templates and tagging systems.
enrich-ioc	"Enrich an IOC (IP, domain, hash, URL) with threat intelligence. Use when you need to look up reputation and context for an indicator using GTI and SIEM. Returns threat intel findings, SIEM entity summary, and IOC match status."