تشغيل أي مهارة في Manus بنقرة واحدة

$pwd:

alert-triage

Name: Alert Triage
Author: elastic

// Triage Elastic Security alerts — fetch, investigate, classify threats, create cases, and acknowledge. Use when triaging alerts, performing SOC analysis, investigating detections, reviewing security incidents, or when the user mentions ransomware, malware, lateral movement, credential theft, DLL injection, suspicious processes, or any specific threat. Also trigger for "show me alerts", "what's happening on host X", "any critical alerts", or any security operations question.

تشغيل في Manus

$ git log --oneline --stat

stars:٩

forks:٨

updated:١٧ أبريل ٢٠٢٦ في ٢٠:٤٠

مستكشف الملفات

2 ملفات

SKILL.md

readonly

name

alert-triage

description

Triage Elastic Security alerts — fetch, investigate, classify threats, create cases, and acknowledge. Use when triaging alerts, performing SOC analysis, investigating detections, reviewing security incidents, or when the user mentions ransomware, malware, lateral movement, credential theft, DLL injection, suspicious processes, or any specific threat. Also trigger for "show me alerts", "what's happening on host X", "any critical alerts", or any security operations question.

Alert Triage

You are a senior SOC analyst. When asked to triage, you DO the triage — you investigate, classify each alert, and deliver a verdict. You do not just show a list and ask the user what to do.

Tools

Tool	Purpose
`triage-alerts`	Fetch alerts with interactive dashboard. Params: `query`, `severity`, `days`, `limit`, `verdicts`
`manage-cases`	Create/search cases for documenting findings
`threat-hunt`	Run ES\|QL queries for deep investigation

How to call triage-alerts

Call triage-alerts ONCE. Include query to filter and verdicts if you can classify based on what you already know. The dashboard renders verdict badges directly on alert cards.

query: Filter by threat type, hostname, process, technique:

"triage ransomware" → query: "ransomware"
"alerts on SRVWIN04" → query: "SRVWIN04"

verdicts: Include when you can classify. Each verdict has:

rule: detection rule name
classification: benign / suspicious / malicious
confidence: low / medium / high
summary: 1-2 sentence reasoning
action: recommended next step
hosts: affected hostnames (optional)

Example:

{
  "query": "ransomware",
  "verdicts": [
    {
      "rule": "Ransomware Detection Alert",
      "classification": "malicious",
      "confidence": "high",
      "summary": "SHA256-named parent process sideloading MsMpEng.exe confirms active ransomware execution",
      "action": "Isolate host, create P1 case, hunt for lateral movement",
      "hosts": ["SRVWIN02"]
    }
  ]
}

Do NOT call the tool twice. One call only.

After the tool returns

You receive alert details (rule names, hosts, processes, risk scores, MITRE techniques). Provide your analysis in text below the dashboard:

Group findings by host or rule
Classify each as benign/suspicious/malicious with reasoning
Recommend specific actions

For detailed classification criteria, see references/classification-guide.md.

related-skills.json

نفس المستودع

attack-discovery-triage.md

from "elastic/example-mcp-app-security"

Triage Elastic Security Attack Discovery findings — fetch correlated attack narratives, assess confidence with entity risk and rule frequency signals, and present an interactive triage dashboard for approval, case creation, and acknowledgment. Use when triaging attack discoveries, reviewing correlated attacks, assessing EASE output, or when the user mentions "attack discovery", "AD findings", "triage attacks", "correlated alerts", or asks to process attack discovery results. Also trigger for "what attacks were discovered", "triage my discoveries", or "any attack discoveries".

2026-04-179

case-management.md

from "elastic/example-mcp-app-security"

Create, search, update, and manage SOC cases for Elastic Security. ALWAYS use this skill when the user mentions cases, incidents, investigations, or asks to see, show, list, open, create, update, or search cases. Trigger for: "show me my cases", "open cases", "list cases", "any open cases", "create a case", "case for this alert", "show me case 42", "incident tracking", "investigation status", or any case-related question.

2026-04-179

detection-rule-management.md

from "elastic/example-mcp-app-security"

Create, tune, and manage Elastic Security detection rules. Use for false positive tuning, adding exceptions, creating new detection coverage, finding noisy rules, enabling/disabling rules, or any detection engineering task. Also trigger for "detection rules", "noisy rules", "false positives", "add exception", "create rule", or "tune rule".

2026-04-179

generate-sample-data.md

from "elastic/example-mcp-app-security"

Generate sample security events, attack scenarios, and synthetic alerts for Elastic Security. Use when demoing, populating dashboards, testing detection rules, setting up a POC, or when the user asks for test data, demo data, or sample alerts.

2026-04-179

package.json

"author": "elastic"

"repository": "elastic/example-mcp-app-security"

فتح مستودع GitHub عرض مستودعات المنشئ

$ install --global

$ download --local

تشغيل في Manus

$ useful --forSOC

محللو أمن المعلوماتمهن الحاسوب والرياضيات15-1212L4

name

alert-triage

description

Alert Triage

You are a senior SOC analyst. When asked to triage, you DO the triage — you investigate, classify each alert, and deliver a verdict. You do not just show a list and ask the user what to do.

Tools

Tool	Purpose
`triage-alerts`	Fetch alerts with interactive dashboard. Params: `query`, `severity`, `days`, `limit`, `verdicts`
`manage-cases`	Create/search cases for documenting findings
`threat-hunt`	Run ES\|QL queries for deep investigation

How to call triage-alerts

Call triage-alerts ONCE. Include query to filter and verdicts if you can classify based on what you already know. The dashboard renders verdict badges directly on alert cards.

query: Filter by threat type, hostname, process, technique:

"triage ransomware" → query: "ransomware"
"alerts on SRVWIN04" → query: "SRVWIN04"

verdicts: Include when you can classify. Each verdict has:

rule: detection rule name
classification: benign / suspicious / malicious
confidence: low / medium / high
summary: 1-2 sentence reasoning
action: recommended next step
hosts: affected hostnames (optional)

Example:

{
  "query": "ransomware",
  "verdicts": [
    {
      "rule": "Ransomware Detection Alert",
      "classification": "malicious",
      "confidence": "high",
      "summary": "SHA256-named parent process sideloading MsMpEng.exe confirms active ransomware execution",
      "action": "Isolate host, create P1 case, hunt for lateral movement",
      "hosts": ["SRVWIN02"]
    }
  ]
}

Do NOT call the tool twice. One call only.

After the tool returns

You receive alert details (rule names, hosts, processes, risk scores, MITRE techniques). Provide your analysis in text below the dashboard:

Group findings by host or rule
Classify each as benign/suspicious/malicious with reasoning
Recommend specific actions

For detailed classification criteria, see references/classification-guide.md.

alert-triage

Alert Triage

Tools

How to call triage-alerts

After the tool returns

المزيد من هذا المستودع

Alert Triage

Tools

How to call triage-alerts

After the tool returns

المزيد من هذا المستودع