triage-malware
```
npx mdskill add dandye/ai-runbooks/triage-malware
```
Analyze malware hashes to detect threats and suggest containment.
- Accelerates incident response by identifying affected hosts and threat actors.
- Depends on GTI Enterprise, SOAR, and Chronicle for data access.
- Recommends actions based on detection ratios, behavioral indicators, and MITRE TTPs.
- Delivers structured reports on network IOCs, file changes, and registry modifications.
SKILL.md: `.github/skills/triage-malware`
---
name: triage-malware
description: "Triage a suspected malicious file hash. Use when investigating malware alerts or suspicious files. Analyzes GTI file report, behavioral indicators, identifies affected hosts, enriches network IOCs, and recommends containment actions."
required_roles:
  chronicle: roles/chronicle.viewer
  soar: roles/chronicle.editor
  gti: GTI Enterprise
personas: [tier2-analyst, tier3-analyst, incident-responder]
---
# Malware Triage Skill
Perform initial analysis and context gathering for a suspected malicious file hash identified during an investigation or alert.
## Inputs
- `FILE_HASH` - MD5, SHA1, or SHA256 hash of the suspected file
- `CASE_ID` - SOAR case ID for documentation
- `ALERT_GROUP_IDENTIFIERS` - Alert group identifiers from the case
- *(Optional)* `TIME_FRAME_HOURS` - Lookback period (default: 72)
## Workflow
### Step 1: Get Case Context
```
secops-soar.get_case_full_details(case_id=CASE_ID)
```
### Step 2: GTI File Report
```
gti-mcp.get_file_report(hash=FILE_HASH)
```
Record:
- Detection ratio (e.g., 45/70 engines)
- Malware family classification
- First/last seen dates
- Associated threat actors or campaigns
### Step 3: GTI Behavior Summary
```
gti-mcp.get_file_behavior_summary(hash=FILE_HASH)
```
Extract behavioral indicators:
- **Network**: Contacted IPs/domains → `NETWORK_IOCs_GTI`
- **File system**: Dropped files, modified files
- **Registry**: Modified keys
- **MITRE TTPs**: Observed techniques from sandbox
### Step 4: SIEM Execution Check
Search for file execution events:
```
secops-mcp.search_security_events(
    text='target.file.sha256 = "FILE_HASH" OR target.file.md5 = "FILE_HASH"',
    hours_back=TIME_FRAME_HOURS
)
```
Look for: `PROCESS_LAUNCH`, `FILE_CREATION`, `FILE_MODIFICATION`
Identify:
- `AFFECTED_HOSTS` - Machines where file was seen
- `AFFECTED_USERS` - Users who executed/accessed the file
### Step 5: SIEM Network Activity
Search for network connections from processes with this hash:
```
secops-mcp.search_security_events(
    text='principal.process.file.sha256 = "FILE_HASH"',
    hours_back=TIME_FRAME_HOURS
)
```
Extract: `NETWORK_IOCs_SIEM` (contacted IPs/domains)
### Step 6: Enrich Network IOCs
Combine `NETWORK_IOCs_GTI` + `NETWORK_IOCs_SIEM` → `ALL_NETWORK_IOCs`
For each network IOC, use `/enrich-ioc`:
- Check GTI reputation
- Check SIEM presence
- Check IOC match status
### Step 7: Check Related Cases
Use `/find-relevant-case` with:
```
SEARCH_TERMS = AFFECTED_HOSTS + AFFECTED_USERS + ALL_NETWORK_IOCs
```
### Step 8: Synthesize & Document
Use `/document-in-case` with assessment:
```
Malware Triage for Hash FILE_HASH:
- GTI Classification: [family, detection ratio]
- Behavior: [network, files, registry]
- Affected Hosts: [list]
- Network IOCs: [with enrichment]
- Related Cases: [list]
Assessment: [severity level]
Recommendation:
- [ ] Isolate affected hosts
- [ ] Block network IOCs
- [ ] Escalate to IR
- [ ] Monitor only
```
## Required Outputs
**After completing this skill, you MUST report these outputs:**
| Output | Description |
|--------|-------------|
| `MALWARE_CLASSIFICATION` | GTI verdict and malware family (e.g., "Emotet - Banking Trojan") |
| `BEHAVIORAL_IOCS` | Network IOCs from sandbox analysis (contacted IPs/domains) |
| `AFFECTED_HOSTS` | Hosts where this malware was executed or detected |
| `AFFECTED_USERS` | Users who executed or accessed the malware |
| `TRIAGE_VERDICT` | Overall verdict: `malicious`, `suspicious`, or `clean` |
## Severity Assessment Matrix
| Factor | Low | Medium | High | Critical |
|--------|-----|--------|------|----------|
| GTI Detection | < 5 engines | 5-20 engines | 20-50 engines | > 50 engines |
| Execution | Not executed | Downloaded only | Executed | Active C2 |
| Spread | Single host | 2-5 hosts | 5-20 hosts | > 20 hosts |
| Network IOCs | None observed | Benign | Suspicious | Known malicious |
| Data at Risk | None | Low value | PII/credentials | Critical systems |
## Recommended Actions by Severity
**Critical/High:**
1. Immediately isolate affected hosts
2. Block network IOCs at firewall
3. Escalate to Incident Response
4. Preserve forensic evidence
**Medium:**
1. Monitor affected hosts closely
2. Block known malicious IOCs
3. Schedule endpoint scan
4. Escalate to Tier 2
**Low:**
1. Document findings
2. Monitor for recurrence
3. Close with detailed notes
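The Step 4 search matches a fixed UDM field although `FILE_HASH` may be an MD5, SHA1 or SHA256, and the severity matrix does not say how its five factors combine. The Python below is an added example (not part of this runbook or the dandye/ai-runbooks project) that picks the UDM field from the digest length, merges the two IOC lists for Step 6, scores the matrix and ticks the Step 8 checklist; the worst-factor rule, the handling of counts that sit on a shared matrix boundary, and the checklist mapping are assumptions of the example.

```python
import re

# Added example for this runbook: Step 4 query construction, Step 6 IOC merging,
# and the Severity Assessment Matrix / Recommended Actions sections.
HASH_FIELDS = {32: "md5", 40: "sha1", 64: "sha256"}
LEVELS = ["Low", "Medium", "High", "Critical"]
# Categorical matrix rows; list position is the LEVELS column.
EXECUTION = ["not executed", "downloaded only", "executed", "active c2"]
NETWORK = ["none observed", "benign", "suspicious", "known malicious"]
DATA = ["none", "low value", "pii/credentials", "critical systems"]

def hash_type(file_hash: str) -> str:
    """Classify FILE_HASH as md5/sha1/sha256 by digest length; reject anything else."""
    h = file_hash.strip().lower()
    if len(h) not in HASH_FIELDS or not re.fullmatch(r"[0-9a-f]+", h):
        raise ValueError("FILE_HASH must be a hex MD5, SHA1 or SHA256 digest")
    return HASH_FIELDS[len(h)]

def execution_query(file_hash: str) -> str:
    """Step 4 search text, matching only the UDM field that fits the hash type."""
    return f'target.file.{hash_type(file_hash)} = "{file_hash.strip().lower()}"'

def merge_iocs(gti_iocs, siem_iocs):
    """Step 6: ALL_NETWORK_IOCs as a normalised, de-duplicated union."""
    return sorted({i.strip().lower() for i in (*gti_iocs, *siem_iocs) if i.strip()})

def _band(value: int, cuts) -> int:
    """Matrix column of a numeric factor; cuts are the lower bounds of Medium/High/Critical."""
    return sum(value >= c for c in cuts)

def severity(engines: int, execution: str, hosts: int, network: str, data: str) -> str:
    """Overall severity from the matrix. Two assumptions the runbook leaves open:
    the worst single factor decides, and a count on a shared boundary
    (20 engines; 5 or 20 hosts) belongs to the lower band."""
    scores = [
        _band(engines, (5, 21, 51)),   # <5 | 5-20 | 21-50 | >50 engines
        EXECUTION.index(execution.lower()),
        _band(hosts, (2, 6, 21)),      # 1 | 2-5 | 6-20 | >20 hosts
        NETWORK.index(network.lower()),
        DATA.index(data.lower()),
    ]
    return LEVELS[max(scores)]

def recommendations(level: str) -> list:
    """Step 8 checklist items to tick, following 'Recommended Actions by Severity' (assumed mapping)."""
    if level in ("Critical", "High"):
        return ["Isolate affected hosts", "Block network IOCs", "Escalate to IR"]
    return ["Block network IOCs"] if level == "Medium" else ["Monitor only"]
```

Any hash that is not a well-formed hex digest is rejected before it reaches the SIEM query, and an unknown categorical value raises rather than silently scoring Low.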