Check for existing SIEM alerts and case management entries related to IOCs. Use to understand if an indicator has triggered previous alerts or is part of ongoing investigations. Takes IOC list and returns related alerts and cases.
Check for existing SIEM alerts and cases related to specific Indicators of Compromise.
IOC_LIST - Single IOC or list of IOCs (e.g., ["198.51.100.10", "evil-domain.com"])TIME_FRAME_HOURS - Lookback period for SIEM alerts (default: 168 = 7 days)SOAR_CASE_FILTER - Additional filter for SOAR cases (e.g., status="OPEN")Search for alerts containing any IOC in the list:
secops-mcp.get_security_alerts(
query=IOC_based_query,
hours_back=TIME_FRAME_HOURS
)
Store summary in RELATED_SIEM_ALERTS:
Search for cases containing any IOC:
secops-soar.list_cases(
filter=IOC_based_filter + SOAR_CASE_FILTER
)
Store summary in RELATED_SOAR_CASES:
After completing this skill, you MUST report these outputs:
| Output | Description |
|---|---|
RELATED_SIEM_ALERTS | Summary of SIEM alerts related to the IOC(s) |
RELATED_CASES | Summary of cases related to the IOC(s) |
CORRELATION_STATUS | Success/failure status of the correlation |
MALICIOUS_CONFIDENCE | Derived confidence based on alert history: high, medium, low, or none |
IOC Correlation Summary for [IOC_LIST]:
SIEM Alerts (last [TIME_FRAME_HOURS] hours):
- Total alerts: [count]
- Alert types: [list]
- Affected hosts: [list]
Related Cases:
- Open cases: [count] - [IDs]
- Closed cases: [count]
- Related investigations: [summary]