Triage a suspected malicious file hash. Use when investigating malware alerts or suspicious files. Analyzes GTI file report, behavioral indicators, identifies affected hosts, enriches network IOCs, and recommends containment actions.
Perform initial analysis and context gathering for a suspected malicious file hash identified during an investigation or alert.
Inputs:
- FILE_HASH - MD5, SHA1, or SHA256 hash of the suspected file
- CASE_ID - SOAR case ID for documentation
- ALERT_GROUP_IDENTIFIERS - Alert group identifiers from the case
- TIME_FRAME_HOURS - Lookback period (default: 72)

Get the case context:

```
secops-soar.get_case_full_details(case_id=CASE_ID)
```

Get the GTI file report:

```
gti-mcp.get_file_report(hash=FILE_HASH)
```
Record:
Get the sandbox behavior summary:

```
gti-mcp.get_file_behavior_summary(hash=FILE_HASH)
```
Extract behavioral indicators:
- NETWORK_IOCs_GTI

Search for file execution events:
```
secops-mcp.search_security_events(
    text='target.file.sha256 = "FILE_HASH" OR target.file.md5 = "FILE_HASH"',
    hours_back=TIME_FRAME_HOURS
)
```
Look for: PROCESS_LAUNCH, FILE_CREATION, FILE_MODIFICATION
Identify:
- AFFECTED_HOSTS - Machines where the file was seen
- AFFECTED_USERS - Users who executed/accessed the file

Search for network connections from processes with this hash:
```
secops-mcp.search_security_events(
    text='principal.process.file.sha256 = "FILE_HASH"',
    hours_back=TIME_FRAME_HOURS
)
```
Extract: NETWORK_IOCs_SIEM (contacted IPs/domains)
Combine NETWORK_IOCs_GTI + NETWORK_IOCs_SIEM → ALL_NETWORK_IOCs
For each network IOC, use /enrich-ioc:
Use /find-relevant-case with:
SEARCH_TERMS = AFFECTED_HOSTS + AFFECTED_USERS + ALL_NETWORK_IOCs
Use /document-in-case with assessment:
Malware Triage for Hash FILE_HASH:
- GTI Classification: [family, detection ratio]
- Behavior: [network, files, registry]
- Affected Hosts: [list]
- Network IOCs: [with enrichment]
- Related Cases: [list]
Assessment: [severity level]
Recommendation:
- [ ] Isolate affected hosts
- [ ] Block network IOCs
- [ ] Escalate to IR
- [ ] Monitor only
After completing this skill, you MUST report these outputs:
| Output | Description |
|---|---|
| MALWARE_CLASSIFICATION | GTI verdict and malware family (e.g., "Emotet - Banking Trojan") |
| BEHAVIORAL_IOCS | Network IOCs from sandbox analysis (contacted IPs/domains) |
| AFFECTED_HOSTS | Hosts where this malware was executed or detected |
| AFFECTED_USERS | Users who executed or accessed the malware |
| TRIAGE_VERDICT | Overall verdict: malicious, suspicious, or clean |

| Factor | Low | Medium | High | Critical |
|---|---|---|---|---|
| GTI Detection | < 5 engines | 5-20 engines | 20-50 engines | > 50 engines |
| Execution | Not executed | Downloaded only | Executed | Active C2 |
| Spread | Single host | 2-5 hosts | 5-20 hosts | > 20 hosts |
| Network IOCs | None observed | Benign | Suspicious | Known malicious |
| Data at Risk | None | Low value | PII/credentials | Critical systems |
Critical/High:
Medium:
Low:
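As an added example that is not part of the skill, the following Python implements the IOC-combination step (ALL_NETWORK_IOCs) and reads the severity matrix above into a single assessment level. It assumes the tool results are already in hand as plain Python values and that the worst factor decides severity, since the skill states no combining rule.

```python
# Added example (not the skill's own code): applies the severity matrix above and
# merges NETWORK_IOCs_GTI + NETWORK_IOCs_SIEM into ALL_NETWORK_IOCs. Assumptions:
# tool results are already fetched and passed in as plain Python values, and the
# matrix is read as worst-factor-wins (the skill does not state a combining rule).
LEVELS = ("Low", "Medium", "High", "Critical")

# Categorical rows of the matrix, keyed lower-case for lookup
EXECUTION = {"not executed": 0, "downloaded only": 1, "executed": 2, "active c2": 3}
NETWORK = {"none observed": 0, "benign": 1, "suspicious": 2, "known malicious": 3}
DATA_AT_RISK = {"none": 0, "low value": 1, "pii/credentials": 2, "critical systems": 3}
# Numeric rows; a value on a shared boundary (20 engines, 5 hosts) is assumed to
# fall into the lower band
DETECTION_BOUNDS = (4, 20, 50)  # < 5 / 5-20 / 20-50 / > 50 engines
SPREAD_BOUNDS = (1, 5, 20)      # single host / 2-5 / 5-20 / > 20 hosts

def band(value: int, bounds) -> int:
    """Index of the first bound the value does not exceed, else 3 (Critical)."""
    for level, bound in enumerate(bounds):
        if value <= bound:
            return level
    return 3

def merge_iocs(gti_iocs, siem_iocs):
    """ALL_NETWORK_IOCs: union of both sources, deduplicated case-insensitively,
    so a domain seen both in the sandbox and in SIEM is enriched only once."""
    return sorted({ioc.strip().lower() for ioc in list(gti_iocs) + list(siem_iocs) if ioc.strip()})

def severity(engines, execution, host_count, network, data_at_risk):
    """Severity label for the assessment line; the worst of the five factors wins."""
    levels = (
        band(engines, DETECTION_BOUNDS),
        EXECUTION[execution.lower()],
        band(host_count, SPREAD_BOUNDS),
        NETWORK[network.lower()],
        DATA_AT_RISK[data_at_risk.lower()],
    )
    return LEVELS[max(levels)]

if __name__ == "__main__":
    # Constructed sample: 35 engines flag the hash, it ran on 3 hosts, and the
    # sandbox and SIEM overlap on one contacted domain
    iocs = merge_iocs(["evil.example", "10.0.0.5"], ["EVIL.example", "198.51.100.7"])
    print("ALL_NETWORK_IOCs:", iocs)
    print("Assessment:", severity(35, "Executed", 3, "Suspicious", "Low value"))
```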