Full Alert Triage Workflow
A composite skill that orchestrates the complete Tier 1 alert triage process from initial receipt to disposition (close or escalate).
Inputs
- CASE_ID or ALERT_ID - The alert/case to triage (required)
Orchestrated Workflow
```text
┌──────────────────────────────────────────────────────────────────────┐
│                          FULL ALERT TRIAGE                           │
├──────────────────────────────────────────────────────────────────────┤
│                                                                      │
│           START                                                      │
│             │                                                        │
│             ▼                                                        │
│  ┌─────────────────────┐                                             │
│  │  /check-duplicates  │                                             │
│  └──────────┬──────────┘                                             │
│             │                                                        │
│   ┌─────────┴─────────────────────┐                                  │
│   ▼                               ▼                                  │
│ DUPLICATE                   NOT DUPLICATE                            │
│   │                               │                                  │
│   ▼                               ▼                                  │
│ Close &                ┌─────────────────────┐                       │
│ Document               │    /triage-alert    │                       │
│   │                    └──────────┬──────────┘                       │
│   │                               │                                  │
│   │                    ┌──────────┴──────────┐                       │
│   │                    │  For each entity:   │                       │
│   │                    │    /enrich-ioc      │                       │
│   │                    └──────────┬──────────┘                       │
│   │                               │                                  │
│   │                    ┌──────────┴──────────┐                       │
│   │                    │      DECISION       │                       │
│   │                    └──────────┬──────────┘                       │
│   │                               │                                  │
│   │           ┌───────────────────┼───────────────────┐              │
│   │           ▼                   ▼                   ▼              │
│   │        FP/BTP           TP/Suspicious       Inconclusive         │
│   │           │                   │                   │              │
│   │           ▼                   ▼                   ▼              │
│   │   /document-in-case   /document-in-case   /document-in-case      │
│   │ /close-case-artifact      ESCALATE        Request more info      │
│   │           │                   │                   │              │
│   └───────────┴───────────────────┼───────────────────┘              │
│                                   │                                  │
│                                   ▼                                  │
│                           /generate-report                           │
│                                   │                                  │
│                                   ▼                                  │
│                                  END                                 │
│                                                                      │
└──────────────────────────────────────────────────────────────────────┘
```
Detailed Steps
Phase 1: Pre-Check
Step 1.1: Check for Duplicates
Invoke: /check-duplicates CASE_ID=$CASE_ID
- If duplicate confirmed:
  - Invoke /document-in-case with "Closing as duplicate of [Similar Case ID]"
  - Invoke /close-case-artifact with reason NOT_MALICIOUS
  - END WORKFLOW
  - Note: a duplicate inherits the disposition of the case it duplicates. If the original case is still open or was escalated, link the two cases and document that instead of closing the duplicate as NOT_MALICIOUS.
- If not duplicate: Continue to Phase 2
Phase 2: Initial Triage
Step 2.1: Perform Alert Triage
Invoke: /triage-alert CASE_ID=$CASE_ID
Extract from results:
- CLASSIFICATION - FP, BTP, TP, or Suspicious
- KEY_ENTITIES - List of IOCs (IPs, domains, hashes, URLs)
- ALERT_TYPE - Type of alert (malware, authentication, network, etc.)
- PRIORITY - Suggested priority level
Phase 3: Enrichment
Step 3.1: Enrich Each Entity
For each entity in KEY_ENTITIES:
Invoke: /enrich-ioc IOC_VALUE=$entity
Collect:
- GTI_FINDINGS - Threat intelligence results
- SIEM_CONTEXT - SIEM entity summary
- IOC_MATCH_STATUS - Whether the IOC appears in threat feeds
Update CLASSIFICATION if enrichment reveals new information (for example, a threat-feed match or a malicious GTI verdict on a key entity raises an FP or Suspicious call to TP). A clean reputation on its own is not grounds to downgrade a TP; absence of evidence is not evidence that the alert is benign.
Phase 4: Decision & Action
Step 4.1: Make Final Classification
Based on triage and enrichment, confirm classification:
| Classification | Criteria | Action |
|---|---|---|
| False Positive (FP) | No malicious indicators, known benign | Close |
| Benign True Positive (BTP) | Real activity, but authorized/expected | Close |
| True Positive (TP) | Confirmed malicious | Escalate |
| Suspicious | Indicators of concern, not confirmed malicious; warrants Tier 2 investigation | Escalate |
| Inconclusive | Not enough data to classify either way | Document, request more info |
Step 4.2: Execute Disposition
If FP or BTP:
- Invoke /document-in-case with:
  - Classification and rationale
  - Evidence summary from enrichment
  - Closure justification
- Invoke /close-case-artifact with:
  - Reason: NOT_MALICIOUS
  - Root cause: Appropriate option (e.g., "Legit action", "Normal behavior")
If TP or Suspicious:
- Invoke /document-in-case with:
  - Classification and rationale
  - Evidence summary
  - Recommended next steps
- Output escalation recommendation:
  - Escalate to Tier 2
  - Suggest appropriate follow-up skill based on alert type:
    - Malware → /triage-malware
    - Authentication → /triage-suspicious-login
    - IOC-focused → /deep-dive-ioc
If Inconclusive:
- Invoke /document-in-case with what was checked and which information is still missing
- Request the missing information and leave the case open; do not close as NOT_MALICIOUS on the basis of missing data
Phase 5: Report
Step 5.1: Generate Triage Report
Invoke: /generate-report REPORT_TYPE=triage
Include:
- Case/Alert ID
- Classification with rationale
- Key entities and enrichment results
- SIEM queries executed
- Disposition taken
- Next steps (if escalated)
Outputs
| Output | Description |
|---|---|
| FINAL_CLASSIFICATION | FP, BTP, TP, or Suspicious |
| DISPOSITION | Closed or Escalated |
| EVIDENCE_SUMMARY | Key findings from triage and enrichment |
| REPORT_PATH | Path to generated triage report |
| ESCALATION_TARGET | If escalated, recommended next skill/tier |
Error Handling
- If /check-duplicates fails → Log warning, continue with triage
- If /enrich-ioc fails for an entity → Log warning, continue with other entities; treat that entity as unenriched, not as clean, and do not close as FP/BTP on that basis
- If /close-case-artifact fails → Log error, manual closure required
- If any MCP tool unavailable → Document limitation, proceed with available data
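The decision logic of Phases 1, 3 and 4 together with the error-handling rules above, as an added illustration in Python (this is not the skill's own code). Each slash-command skill is passed in as a callable so the orchestration can be exercised offline; the skill result shapes, the "Inconclusive" and "Duplicate" labels, and the sample results in `sample_skills` are constructed assumptions, not real case data.

```python
"""Decision core of the full triage workflow (Phases 1, 3 and 4) with the
error-handling rules applied. Added illustration, not the skill's own code;
the sample skill results at the bottom are constructed, not real case data."""
from dataclasses import dataclass

CLOSED, ESCALATED, INFO_REQUESTED = "Closed", "Escalated", "Open (info requested)"
CLOSEABLE, ESCALATABLE = {"FP", "BTP"}, {"TP", "Suspicious"}

# Follow-up skill by ALERT_TYPE (Step 4.2); any other type is treated as IOC-focused.
FOLLOW_UP = {"malware": "/triage-malware", "authentication": "/triage-suspicious-login"}
DEFAULT_FOLLOW_UP = "/deep-dive-ioc"


@dataclass
class Triage:                 # result of /triage-alert (Step 2.1), shape assumed
    classification: str       # FP, BTP, TP, Suspicious; "Inconclusive" is this example's label
    key_entities: list
    alert_type: str
    priority: str = "Medium"


@dataclass
class Enrichment:             # result of /enrich-ioc for one entity (Step 3.1), shape assumed
    ioc: str
    ioc_match: bool           # IOC_MATCH_STATUS: entity seen in threat feeds
    gti_verdict: str = ""     # GTI_FINDINGS reduced to a verdict; "" when unavailable
    failed: bool = False      # set when /enrich-ioc raised and the workflow continued


def run_enrichment(entities, enrich_ioc, warnings):
    """Phase 3: a failed entity is logged and skipped; the others still run."""
    out = []
    for ioc in entities:
        try:
            out.append(enrich_ioc(ioc))
        except Exception as exc:          # Error Handling: warn and continue
            warnings.append(f"/enrich-ioc failed for {ioc}: {exc}")
            out.append(Enrichment(ioc=ioc, ioc_match=False, failed=True))
    return out


def refine_classification(initial, enrichments):
    """End of Phase 3: enrichment may raise the classification but never lowers
    it, since a clean or missing reputation does not prove an alert benign."""
    if any(e.ioc_match or e.gti_verdict == "malicious" for e in enrichments):
        return "TP"
    return initial


def decide(triage, enrichments):
    """Phase 4: final classification -> disposition, per the Step 4.1 table."""
    cls = refine_classification(triage.classification, enrichments)
    result = {"FINAL_CLASSIFICATION": cls, "ESCALATION_TARGET": None, "CLOSE_REASON": None}
    if cls in CLOSEABLE:
        result.update(DISPOSITION=CLOSED, CLOSE_REASON="NOT_MALICIOUS")
    elif cls in ESCALATABLE:
        result.update(DISPOSITION=ESCALATED,
                      ESCALATION_TARGET=FOLLOW_UP.get(triage.alert_type, DEFAULT_FOLLOW_UP))
    else:                                 # Inconclusive branch: keep the case open
        result.update(DISPOSITION=INFO_REQUESTED)
    return result


def run_workflow(case_id, skills):
    """Phases 1 to 4 for one case; `skills` maps skill names to callables."""
    warnings = []
    try:                                  # Phase 1, with its error-handling rule
        dup_of = skills["check_duplicates"](case_id)
    except Exception as exc:
        warnings.append(f"/check-duplicates failed: {exc}")
        dup_of = None
    if dup_of:                            # "Duplicate" as a classification is this example's choice
        return {"FINAL_CLASSIFICATION": "Duplicate", "DISPOSITION": CLOSED,
                "CLOSE_REASON": "NOT_MALICIOUS", "ESCALATION_TARGET": None,
                "EVIDENCE_SUMMARY": [f"Closing as duplicate of {dup_of}"], "WARNINGS": warnings}
    triage = skills["triage_alert"](case_id)                                   # Phase 2
    enrichments = run_enrichment(triage.key_entities, skills["enrich_ioc"], warnings)
    result = decide(triage, enrichments)                                       # Phase 4
    result["EVIDENCE_SUMMARY"] = [
        f"{e.ioc}: " + ("enrichment unavailable" if e.failed
                        else f"feed_match={e.ioc_match} gti={e.gti_verdict or 'n/a'}")
        for e in enrichments]
    result["WARNINGS"] = warnings
    return result


# Constructed stand-ins for the MCP-backed skills, used only to exercise the logic.
def sample_skills(duplicate_of=None):
    def check_duplicates(case_id):
        return duplicate_of
    def triage_alert(case_id):
        return Triage("Suspicious", ["198.51.100.7", "bad.example"], "authentication")
    def enrich_ioc(ioc):
        if ioc == "bad.example":          # simulate a failed lookup
            raise TimeoutError("GTI lookup timed out")
        return Enrichment(ioc, ioc_match=True, gti_verdict="malicious")
    return {"check_duplicates": check_duplicates, "triage_alert": triage_alert,
            "enrich_ioc": enrich_ioc}


if __name__ == "__main__":
    print(run_workflow("CASE-123", sample_skills()))
```

With the constructed sample skills, the initial Suspicious call is raised to TP by the feed match on 198.51.100.7, the failed lookup for bad.example is recorded as a warning rather than aborting the run, and the authentication alert type selects /triage-suspicious-login as the escalation target. The only-raise rule in `refine_classification` is a deliberate design choice: partial or clean enrichment never turns an escalation into a closure.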
Performance Targets
- Total workflow time: < 15 minutes
- Duplicate detection: < 1 minute
- Per-entity enrichment: < 2 minutes
- Target accuracy: > 90% correct classification
