تشغيل أي مهارة في Manus بنقرة واحدة

close-case-artifact

Close a case or alert with proper reason and documentation. Use when triage determines an alert is FP/BTP or investigation is complete. Requires artifact ID, type, closure reason, and root cause.

تشغيل في Manus

نظرة عامة

Close a case or alert with proper reason and documentation. Use when triage determines an alert is FP/BTP or investigation is complete. Requires artifact ID, type, closure reason, and root cause.

أمر التثبيت

npx skills add https://github.com/dandye/ai-runbooks --skill close-case-artifact

انسخ والصق هذا الأمر في Claude Code لتثبيت المهارة

المصدر

dandye/ai-runbooks

النجوم١١٠

التفرعات٣١

آخر تحديث٤ فبراير ٢٠٢٦ في ١١:١٠

SKILL.md

readonly

name	close-case-artifact
description	Close a case or alert with proper reason and documentation. Use when triage determines an alert is FP/BTP or investigation is complete. Requires artifact ID, type, closure reason, and root cause.
required_roles	{"soar":"roles/chronicle.editor"}
personas	["tier1-analyst","tier2-analyst","tier3-analyst","incident-responder"]

Close Case Artifact Skill

Close a case or alert with the required reason, root cause, and justification comment.

Inputs

ARTIFACT_ID - The ID of the case or alert to close
ARTIFACT_TYPE - Either "Case" or "Alert"
CLOSURE_REASON - Must be one of:
- MALICIOUS - Confirmed threat
- NOT_MALICIOUS - False positive or benign
- MAINTENANCE - System/maintenance activity
- INCONCLUSIVE - Unable to determine
- UNKNOWN - Unknown/other
ROOT_CAUSE - Must match a predefined root cause (use get_case_settings_root_causes to list options)
CLOSURE_COMMENT - Detailed justification for closure
(Optional) ALERT_GROUP_IDENTIFIERS - Alert group identifiers
(Optional, for alerts) ASSIGN_TO_USER - User to assign closed alert to
(Optional, for alerts) TAGS - Comma-separated tags

Workflow

Step 1: Execute Closure

For Cases:

secops-soar.siemplify_close_case(
    case_id=ARTIFACT_ID,
    reason=CLOSURE_REASON,
    root_cause=ROOT_CAUSE,
    comment=CLOSURE_COMMENT,
    alert_group_identifiers=ALERT_GROUP_IDENTIFIERS
)

For Alerts:

secops-soar.siemplify_close_alert(
    alert_id=ARTIFACT_ID,
    reason=CLOSURE_REASON,
    root_cause=ROOT_CAUSE,
    comment=CLOSURE_COMMENT,
    assign_to_user=ASSIGN_TO_USER,
    tags=TAGS
)

Outputs

Output	Description
`CLOSURE_STATUS`	Success/failure status of the closure

Common Closure Patterns

Scenario	Reason	Typical Root Cause
False Positive	`NOT_MALICIOUS`	"Legit action", "Normal behavior"
Duplicate	`NOT_MALICIOUS`	"Similar case is already under investigation"
Benign True Positive	`NOT_MALICIOUS`	"Legit action"
Confirmed Threat (remediated)	`MALICIOUS`	Varies by threat type
Unable to determine	`INCONCLUSIVE`	"Insufficient data"

Get Valid Root Causes

If unsure of valid root cause values:

secops-soar.get_case_settings_root_causes()

المزيد من هذا المستودع

نفس المستودع

deep-dive-ioc

dandye/ai-runbooks

Perform exhaustive analysis of a critical IOC. Use when an IOC needs Tier 2+ investigation beyond basic enrichment - includes GTI pivoting, deep SIEM searches, correlation with related entities, and threat attribution. For escalated IOCs requiring comprehensive investigation.

2026-02-04110

full-triage-alert

dandye/ai-runbooks

Complete Tier 1 triage workflow. Orchestrates the full alert triage process: check-duplicates, triage-alert, enrich-ioc for each entity, and either close (FP/BTP) or escalate (TP/Suspicious). Use for end-to-end alert processing.

2026-02-04110

full-investigation

dandye/ai-runbooks

Complete Tier 2 investigation workflow. Orchestrates deep investigation of escalated cases: deep-dive-ioc, correlate-ioc, specialized triage (malware/login), pivot-on-ioc, and generate comprehensive report. Use for escalated cases requiring thorough analysis.

2026-02-04110

check-duplicates

dandye/ai-runbooks

Check for duplicate or similar cases. Use before deep analysis to avoid investigating the same incident twice. Takes a CASE_ID and returns list of similar cases.

2026-02-04110

correlate-ioc

dandye/ai-runbooks

Check for existing SIEM alerts and case management entries related to IOCs. Use to understand if an indicator has triggered previous alerts or is part of ongoing investigations. Takes IOC list and returns related alerts and cases.

2026-02-04110

document-in-case

dandye/ai-runbooks

Add a comment to a case to document findings, actions, or recommendations. Use to maintain audit trail during investigations. Requires CASE_ID and comment text.

2026-02-04110

المصدر

dandye

dandye/ai-runbooks

فتح مستودع GitHub عرض مستودعات المنشئ

أمر التثبيت

تنزيل

تشغيل في Manus

مفيد لـSOC

المحققون والمحققون الجنائيونمهن الخدمات الوقائية33-3021L4

name	close-case-artifact
description	Close a case or alert with proper reason and documentation. Use when triage determines an alert is FP/BTP or investigation is complete. Requires artifact ID, type, closure reason, and root cause.
required_roles	{"soar":"roles/chronicle.editor"}
personas	["tier1-analyst","tier2-analyst","tier3-analyst","incident-responder"]

Close Case Artifact Skill

Close a case or alert with the required reason, root cause, and justification comment.

Inputs

ARTIFACT_ID - The ID of the case or alert to close
ARTIFACT_TYPE - Either "Case" or "Alert"
CLOSURE_REASON - Must be one of:
- MALICIOUS - Confirmed threat
- NOT_MALICIOUS - False positive or benign
- MAINTENANCE - System/maintenance activity
- INCONCLUSIVE - Unable to determine
- UNKNOWN - Unknown/other
ROOT_CAUSE - Must match a predefined root cause (use get_case_settings_root_causes to list options)
CLOSURE_COMMENT - Detailed justification for closure
(Optional) ALERT_GROUP_IDENTIFIERS - Alert group identifiers
(Optional, for alerts) ASSIGN_TO_USER - User to assign closed alert to
(Optional, for alerts) TAGS - Comma-separated tags

Workflow

Step 1: Execute Closure

For Cases:

secops-soar.siemplify_close_case(
    case_id=ARTIFACT_ID,
    reason=CLOSURE_REASON,
    root_cause=ROOT_CAUSE,
    comment=CLOSURE_COMMENT,
    alert_group_identifiers=ALERT_GROUP_IDENTIFIERS
)

For Alerts:

secops-soar.siemplify_close_alert(
    alert_id=ARTIFACT_ID,
    reason=CLOSURE_REASON,
    root_cause=ROOT_CAUSE,
    comment=CLOSURE_COMMENT,
    assign_to_user=ASSIGN_TO_USER,
    tags=TAGS
)

Outputs

Output	Description
`CLOSURE_STATUS`	Success/failure status of the closure

Common Closure Patterns

Scenario	Reason	Typical Root Cause
False Positive	`NOT_MALICIOUS`	"Legit action", "Normal behavior"
Duplicate	`NOT_MALICIOUS`	"Similar case is already under investigation"
Benign True Positive	`NOT_MALICIOUS`	"Legit action"
Confirmed Threat (remediated)	`MALICIOUS`	Varies by threat type
Unable to determine	`INCONCLUSIVE`	"Insufficient data"

Get Valid Root Causes

If unsure of valid root cause values:

secops-soar.get_case_settings_root_causes()