dandye

Perform exhaustive analysis of a critical IOC. Use when an IOC needs Tier 2+ investigation beyond basic enrichment - includes GTI pivoting, deep SIEM searches, correlation with related entities, and threat attribution. For escalated IOCs requiring comprehensive investigation.

Complete Tier 1 triage workflow. Orchestrates the full alert triage process: check-duplicates, triage-alert, enrich-ioc for each entity, and either close (FP/BTP) or escalate (TP/Suspicious). Use for end-to-end alert processing.

Complete Tier 2 investigation workflow. Orchestrates deep investigation of escalated cases: deep-dive-ioc, correlate-ioc, specialized triage (malware/login), pivot-on-ioc, and generate comprehensive report. Use for escalated cases requiring thorough analysis.

Check for duplicate or similar cases. Use before deep analysis to avoid investigating the same incident twice. Takes a CASE_ID and returns list of similar cases.

Close a case or alert with proper reason and documentation. Use when triage determines an alert is FP/BTP or investigation is complete. Requires artifact ID, type, closure reason, and root cause.

Check for existing SIEM alerts and case management entries related to IOCs. Use to understand if an indicator has triggered previous alerts or is part of ongoing investigations. Takes IOC list and returns related alerts and cases.

Add a comment to a case to document findings, actions, or recommendations. Use to maintain audit trail during investigations. Requires CASE_ID and comment text.

Search for existing cases related to specific indicators or entities. Use to find correlation with other investigations before starting new analysis. Takes search terms and returns matching case IDs.

Normalize named entities and concept variants into canonical forms using controlled vocabularies or standard taxonomies.

Analyze vocabulary overlap and identify named entities unique to domain/document corpora.

Transform lengthy documents into a semantic tree structure. It extracts sections, summaries, and hierarchies optimized for use with Large Language Models (LLMs).

Design formal ontologies using OWL/RDFS. Defines classes, properties, and relationships for complex semantic modeling.

Systematic cataloging of information assets. Creates comprehensive inventories or card sorting materials from content.

Generate JSON-LD structured data for web content. Maps content to Schema.org types to improve search engine understanding and rich result eligibility.

Analyze multiple documents to extract entities and relationships, generating a knowledge graph structure (RDF/Turtle).

Map local tags, categories, or terms to standard formal ontologies (like SKOS or industry-specific standards) to ensure interoperability.

Helps the user configure the Google SecOps Remote MCP Server for Antigravity. Use this when the user asks to "set up" or "configure" the security tools for Antigravity.

List recent SOAR cases. Use this for "list cases" or "show cases".

Expert guidance for proactive threat hunting. Use this when the user asks to "hunt" for threads, IOCs, or specific TTPs.

Expert guidance for deep security investigations. Use this when the user asks to "investigate" a case, entity, or incident.

Expert guidance for security alert triage. Use this when the user asks to "triage" an alert or case.

Enables the agent to communicate with human security analysts for notifications and high-stakes confirmations (Human-in-the-loop).

A foundational skill for extracting, contextualizing, and evaluating an Indicator of Compromise (IOC) against internal and external threat intelligence.

A comprehensive skill that provides logic, instructions, and workflows for properly identifying, analyzing, and containing malware samples discovered in the environment.