Full Investigation Workflow
A composite skill that orchestrates comprehensive Tier 2/3 investigation of escalated security cases.
Inputs
CASE_ID- The escalated case to investigate (required)PRIMARY_IOCS- Key IOCs identified during Tier 1 triage (optional)ALERT_TYPE- Type of alert (malware, authentication, network, etc.)ESCALATION_REASON- Why this was escalated from Tier 1
Orchestrated Workflow
┌─────────────────────────────────────────────────────────────────┐
│ FULL INVESTIGATION │
├─────────────────────────────────────────────────────────────────┤
│ │
│ ESCALATED CASE │
│ │ │
│ ▼ │
│ ┌─────────────────────┐ │
│ │ /deep-dive-ioc │ (for each primary IOC) │
│ └──────────┬──────────┘ │
│ │ │
│ ▼ │
│ ┌─────────────────────┐ │
│ │ /correlate-ioc │ │
│ └──────────┬──────────┘ │
│ │ │
│ ┌───────┴───────────────────┐ │
│ │ ALERT TYPE ROUTING │ │
│ └───────────────────────────┘ │
│ │ │
│ ┌─────────┼───────────┬─────────┐ │
│ ▼ ▼ ▼ ▼ │
│ MALWARE AUTH NETWORK OTHER │
│ │ │ │ │ │
│ ▼ ▼ ▼ ▼ │
│ /triage /triage /pivot Continue │
│ -malware -suspicious -on-ioc with pivoting │
│ │ -login │ │ │
│ └─────────┴───────────┴─────────┘ │
│ │ │
│ ▼ │
│ ┌─────────────────────┐ │
│ │ /pivot-on-ioc │ (expand investigation) │
│ └──────────┬──────────┘ │
│ │ │
│ ┌───────┴───────┐ │
│ │ DECISION │ │
│ └───────┬───────┘ │
│ │ │
│ ┌─────────┼─────────┐ │
│ ▼ ▼ ▼ │
│ INCIDENT RESOLVED ESCALATE │
│ │ │ TO IR │
│ ▼ ▼ │ │
│ Create /close │ │
│ Incident -case │ │
│ │ -artifact │ │
│ │ │ │ │
│ └─────────┴─────────┘ │
│ │ │
│ ▼ │
│ ┌─────────────────────┐ │
│ │ /generate-report │ │
│ └──────────┬──────────┘ │
│ │ │
│ ▼ │
│ END │
│ │
└─────────────────────────────────────────────────────────────────┘
Detailed Steps
Phase 1: Deep Analysis
Step 1.0: Extract Primary IOCs (if not provided)
If PRIMARY_IOCS is not provided as input, extract key entities from the case:
secops-soar.get_case_full_details(case_id=CASE_ID)
From the case details, extract IOCs:
- IP addresses from alert entities
- Domain names from network indicators
- File hashes from endpoint alerts
- URLs from web security alerts
Populate PRIMARY_IOCS with extracted IOCs.
Step 1.1: Deep Dive on Primary IOCs
For each IOC in PRIMARY_IOCS:
Invoke: /deep-dive-ioc IOC_VALUE=$ioc CASE_ID=$CASE_ID
Collect:
GTI_DEEP_FINDINGS- Full threat intelligence analysisSIEM_DEEP_CONTEXT- Detailed SIEM contextRELATED_ENTITIES- Discovered related IOCs and entitiesTHREAT_ATTRIBUTION- Any threat actor/campaign links
Step 1.2: Aggregate Discovered IOCs
Combine all RELATED_ENTITIES collected from deep-dive steps into ALL_DISCOVERED_IOCS:
ALL_DISCOVERED_IOCS = PRIMARY_IOCS + all(RELATED_ENTITIES from each deep-dive)
This aggregated list is used for correlation in Phase 2.
Phase 2: Correlation
Step 2.1: Correlate with Existing Cases
Invoke: /correlate-ioc IOC_LIST=$ALL_DISCOVERED_IOCS
Collect:
RELATED_CASES- Other cases with same IOCsRELATED_ALERTS- Alerts involving same entitiesPATTERN_ANALYSIS- Detected patterns across cases
Step 2.2: Find Related Open Cases
Invoke: /find-relevant-case with key entities
Document any linked investigations.
Phase 3: Specialized Analysis
Step 3.1: Route by Alert Type
Based on ALERT_TYPE, invoke specialized triage:
| Alert Type | Skill | Focus |
|---|---|---|
| Malware | /triage-malware | File analysis, behavior, persistence |
| Authentication | /triage-suspicious-login | User activity, login patterns |
| Network | /pivot-on-ioc | Network IOC relationships |
| Other | Continue to pivoting | General IOC expansion |
For Malware:
Invoke: /triage-malware FILE_HASH=$hash CASE_ID=$CASE_ID
Collect:
- Malware family identification
- Behavioral analysis
- Affected systems
- Containment recommendations
For Authentication:
Invoke: /triage-suspicious-login USER=$user CASE_ID=$CASE_ID
Collect:
- Login anomaly analysis
- User activity timeline
- Compromised account indicators
- Account status recommendations
Phase 4: Expansion
Step 4.1: Pivot on High-Confidence IOCs
For each high-confidence malicious IOC:
Invoke: /pivot-on-ioc IOC_VALUE=$ioc
Collect:
RELATED_INFRASTRUCTURE- Connected domains, IPs, filesCAMPAIGN_LINKS- Associated campaigns or actorsADDITIONAL_IOCS- New IOCs to hunt for
Step 4.2: Validate Expanded IOCs
For significant new IOCs discovered:
- Quick GTI lookup
- SIEM presence check
- Add to investigation scope if relevant
Phase 5: Assessment
Step 5.1: Determine Investigation Outcome
Assess all findings and classify:
| Outcome | Criteria | Action |
|---|---|---|
| Incident Confirmed | Active compromise, ongoing threat | Escalate to IR |
| Resolved - Contained | Threat neutralized, no ongoing risk | Document & Close |
| Resolved - False Positive | Deep analysis confirms benign | Document & Close |
| Requires IR Escalation | Containment/eradication needed | Escalate to IR |
Step 5.2: Execute Disposition
If Incident Confirmed / Requires IR:
- Invoke:
/document-in-casewith full findings - Output escalation recommendation:
- Recommend specific IR skill:
- Ransomware indicators →
/respond-ransomware - Malware persistence →
/respond-malware - Phishing origin →
/respond-phishing - Account compromise →
/respond-compromised-account
- Ransomware indicators →
- Recommend specific IR skill:
- Prepare handoff package for IR team
If Resolved:
- Invoke:
/document-in-casewith:- Investigation summary
- All queries and findings
- Resolution rationale
- If closing: Invoke:
/close-case-artifactwith appropriate reason
Phase 6: Documentation
Step 6.1: Generate Investigation Report
Invoke: /generate-report REPORT_TYPE=investigation
Include:
- Executive summary
- Investigation timeline
- All IOCs analyzed (with verdicts)
- SIEM queries used
- GTI findings
- Correlation results
- Attack chain (if identified)
- Recommendations
- Lessons learned
Outputs
| Output | Description |
|---|---|
INVESTIGATION_OUTCOME | Incident, Resolved, or Escalated |
THREAT_ASSESSMENT | Severity, scope, and attribution |
ALL_IOCS | Complete list of analyzed IOCs with verdicts |
ATTACK_CHAIN | Reconstructed attack timeline (if applicable) |
REPORT_PATH | Path to investigation report |
ESCALATION_DETAILS | If escalated, target and handoff package |
Error Handling
- If
/deep-dive-iocfails → Fall back to/enrich-ioc, continue - If GTI Enterprise features unavailable → Document limitation, use Standard features
- If specialized triage fails → Document, continue with general analysis
- If correlation timeout → Proceed with available data, note gap
Performance Targets
- Total workflow time: < 2 hours
- Deep dive per IOC: < 15 minutes
- Correlation: < 10 minutes
- Specialized triage: < 30 minutes
- Report generation: < 15 minutes
- Target accuracy: > 95% correct assessment