---
name: triage-malware
description: "Triage a suspected malicious file hash. Use when investigating malware alerts or suspicious files. Analyzes GTI file report, behavioral indicators, identifies affected hosts, enriches network IOCs, and recommends containment actions."
required_roles:
  chronicle: roles/chronicle.viewer
  soar: roles/chronicle.editor
  gti: GTI Enterprise
personas: [tier2-analyst, tier3-analyst, incident-responder]
---
# Malware Triage Skill

Perform initial analysis and context gathering for a suspected malicious file hash identified during an investigation or alert.
## Inputs

- `FILE_HASH` - MD5, SHA1, or SHA256 hash of the suspected file
- `CASE_ID` - SOAR case ID for documentation
- `ALERT_GROUP_IDENTIFIERS` - Alert group identifiers from the case
- (Optional) `TIME_FRAME_HOURS` - Lookback period (default: 72)
## Workflow

### Step 1: Get Case Context

```
secops-soar.get_case_full_details(case_id=CASE_ID)
```
### Step 2: GTI File Report

```
gti-mcp.get_file_report(hash=FILE_HASH)
```

Record:
- Detection ratio (e.g., 45/70 engines)
- Malware family classification
- First/last seen dates
- Associated threat actors or campaigns
### Step 3: GTI Behavior Summary

```
gti-mcp.get_file_behavior_summary(hash=FILE_HASH)
```

Extract behavioral indicators:
- Network: Contacted IPs/domains → `NETWORK_IOCs_GTI`
- File system: Dropped files, modified files
- Registry: Modified keys
- MITRE TTPs: Observed techniques from sandbox
### Step 4: SIEM Execution Check

Search for file execution events:

```
secops-mcp.search_security_events(
    text='target.file.sha256 = "FILE_HASH" OR target.file.md5 = "FILE_HASH"',
    hours_back=TIME_FRAME_HOURS
)
```

Look for: `PROCESS_LAUNCH`, `FILE_CREATION`, `FILE_MODIFICATION`

Identify:
- `AFFECTED_HOSTS` - Machines where the file was seen
- `AFFECTED_USERS` - Users who executed/accessed the file
### Step 5: SIEM Network Activity

Search for network connections from processes with this hash:

```
secops-mcp.search_security_events(
    text='principal.process.file.sha256 = "FILE_HASH"',
    hours_back=TIME_FRAME_HOURS
)
```

Extract: `NETWORK_IOCs_SIEM` (contacted IPs/domains)
### Step 6: Enrich Network IOCs

Combine `NETWORK_IOCs_GTI` + `NETWORK_IOCs_SIEM` → `ALL_NETWORK_IOCs`

For each network IOC, use `/enrich-ioc`:
- Check GTI reputation
- Check SIEM presence
- Check IOC match status

### Step 7: Check Related Cases

Use `/find-relevant-case` with:

```
SEARCH_TERMS = AFFECTED_HOSTS + AFFECTED_USERS + ALL_NETWORK_IOCs
```

### Step 8: Synthesize & Document

Use `/document-in-case` with assessment:

```
Malware Triage for Hash FILE_HASH:
- GTI Classification: [family, detection ratio]
- Behavior: [network, files, registry]
- Affected Hosts: [list]
- Network IOCs: [with enrichment]
- Related Cases: [list]

Assessment: [severity level]

Recommendation:
- [ ] Isolate affected hosts
- [ ] Block network IOCs
- [ ] Escalate to IR
- [ ] Monitor only
```
## Required Outputs

After completing this skill, you MUST report these outputs:

| Output | Description |
|---|---|
| `MALWARE_CLASSIFICATION` | GTI verdict and malware family (e.g., "Emotet - Banking Trojan") |
| `BEHAVIORAL_IOCS` | Network IOCs from sandbox analysis (contacted IPs/domains) |
| `AFFECTED_HOSTS` | Hosts where this malware was executed or detected |
| `AFFECTED_USERS` | Users who executed or accessed the malware |
| `TRIAGE_VERDICT` | Overall verdict: malicious, suspicious, or clean |
## Severity Assessment Matrix

| Factor | Low | Medium | High | Critical |
|---|---|---|---|---|
| GTI Detection | < 5 engines | 5-20 engines | 20-50 engines | > 50 engines |
| Execution | Not executed | Downloaded only | Executed | Active C2 |
| Spread | Single host | 2-5 hosts | 5-20 hosts | > 20 hosts |
| Network IOCs | None observed | Benign | Suspicious | Known malicious |
| Data at Risk | None | Low value | PII/credentials | Critical systems |
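The following helper is an added example, not part of this skill or the SecOps MCP tooling. It shows two mechanical parts of the workflow done carefully: building the Step 4 UDM search on the field that actually matches the hash type (so an MD5 is never compared against `target.file.sha256`), merging the GTI and SIEM network IOC sets from Step 6, and scoring the five factors of the matrix above. The matrix does not say how factors combine, so taking the worst factor as the overall severity is an assumption, as is treating the overlapping band edges (5, 20, 50 engines; 5, 20 hosts) as inclusive upper bounds.

```python
import re

# UDM file-hash fields keyed by hex-digest length (MD5, SHA1, SHA256).
HASH_FIELDS = {32: "target.file.md5", 40: "target.file.sha1", 64: "target.file.sha256"}
LEVELS = ["Low", "Medium", "High", "Critical"]

# Categorical rows of the matrix, mapped to an index into LEVELS.
EXECUTION = {"Not executed": 0, "Downloaded only": 1, "Executed": 2, "Active C2": 3}
NETWORK = {"None observed": 0, "Benign": 1, "Suspicious": 2, "Known malicious": 3}
DATA = {"None": 0, "Low value": 1, "PII/credentials": 2, "Critical systems": 3}


def execution_query(file_hash: str) -> str:
    """Step 4 search text, restricted to the UDM field matching the hash type."""
    h = file_hash.strip().lower()
    if not re.fullmatch(r"[0-9a-f]+", h) or len(h) not in HASH_FIELDS:
        raise ValueError(f"not an MD5/SHA1/SHA256 hex digest: {file_hash!r}")
    return f'{HASH_FIELDS[len(h)]} = "{h}"'


def merge_iocs(gti: list[str], siem: list[str]) -> list[str]:
    """Step 6: ALL_NETWORK_IOCs, de-duplicated case-insensitively and sorted."""
    return sorted({ioc.strip().lower() for ioc in gti + siem if ioc.strip()})


def detection_level(engines: int) -> int:
    # GTI Detection row: <5 | 5-20 | 20-50 | >50 (assumption: upper bounds inclusive)
    return 0 if engines < 5 else 1 if engines <= 20 else 2 if engines <= 50 else 3


def spread_level(hosts: int) -> int:
    # Spread row: single host | 2-5 | 5-20 | >20 (assumption: upper bounds inclusive)
    return 0 if hosts <= 1 else 1 if hosts <= 5 else 2 if hosts <= 20 else 3


def assess_severity(engines: int, execution: str, hosts: int,
                    network: str, data: str) -> str:
    """Overall severity (assumption: the worst single factor decides)."""
    worst = max(detection_level(engines), EXECUTION[execution],
                spread_level(hosts), NETWORK[network], DATA[data])
    return LEVELS[worst]


if __name__ == "__main__":
    # Constructed sample values, not from a real case.
    print(execution_query("d41d8cd98f00b204e9800998ecf8427e"))
    print(merge_iocs(["evil.example", "10.0.0.5"], ["EVIL.example", "198.51.100.7"]))
    print(assess_severity(45, "Executed", 3, "Suspicious", "Low value"))
```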
## Recommended Actions by Severity

**Critical/High:**
- Immediately isolate affected hosts
- Block network IOCs at firewall
- Escalate to Incident Response
- Preserve forensic evidence

**Medium:**
- Monitor affected hosts closely
- Block known malicious IOCs
- Schedule endpoint scan
- Escalate to Tier 2

**Low:**
- Document findings
- Monitor for recurrence
- Close with detailed notes