| name | task-naming |
| description | Naming conventions for Analysi Security Tasks. Use when creating or proposing new tasks to ensure consistent, descriptive names. Covers human-readable names and auto-generated cy_names. |
Task Naming Conventions
Overview
Tasks have two name fields:
name: Human-readable display name (Title Case, descriptive)
cy_name: Machine identifier (snake_case, auto-generated from name during task creation)
When proposing or creating tasks, you only specify the name field. The cy_name is automatically generated by the MCP when the task is created.
Human-Readable Name (name) Patterns
Pattern 1: Integration-Specific Tasks
Format: {Integration}: {Function/Action}
Examples:
- "VirusTotal: IP Reputation Analysis"
- "VirusTotal: Domain Reputation Analysis"
- "Splunk: Triggering Event Retrieval with SPL Generation and LLM Summarization"
- "Echo EDR: Terminal History Analysis"
- "Echo EDR: Process Behavior Analysis"
- "AD LDAP: User Lookup and Enrichment"
- "AD LDAP: Privileged User Group Membership Check"
- "AbuseIPDB: IP Reputation Analysis"
Rules:
- Integration name comes first, followed by colon
- Use proper capitalization (VirusTotal, not virustotal)
- Function/action describes what the task does
- Be specific about the type of analysis or data retrieved
Pattern 2: Domain-Specific Tasks
Format: {Domain/Attack} {Function}
Examples:
- "ProxyNotShell Hypothesis Validation"
- "ProxyNotShell Attack Success Determination"
- "Exchange Server Request Pattern Analysis"
- "URL Decoder and SQL Injection Analyzer"
Rules:
- Domain or attack name comes first
- Use proper nouns for specific attacks (ProxyNotShell, not proxy-not-shell)
- Function describes the analytical purpose
Pattern 3: Generic Analysis Tasks
Format: {Subject} {Function}
Examples:
- "Alert Summary Generation"
- "Alert Detailed Analysis"
- "Alert Disposition Determination"
- "Alert Context Generation"
Rules:
- Start with the subject being analyzed (Alert, User, etc.)
- Follow with the analytical function
- Keep it concise but descriptive
- Use Title Case
Best Practices
DO:
- Use Title Case for all name fields
- Be specific about the type of analysis
- Include integration name with colon separator for integration tasks
- Use proper nouns for technologies and attacks
- Keep names under 100 characters
- Use descriptive verbs: Analysis, Validation, Determination, Assessment, Generation
DON'T:
- Use snake_case or kebab-case in the
name field
- Include technical jargon that obscures meaning
- Make names too generic ("Process Data", "Check Things")
- Duplicate existing task names
- Use acronyms without context (bad: "VT IP Check", good: "VirusTotal: IP Reputation Analysis")
Common Mistakes to Avoid
Too Generic
- "Check IP" → "VirusTotal: IP Reputation Analysis"
- "Get User Info" → "AD LDAP: User Lookup and Enrichment"
Missing Integration Context
- "IP Reputation Check" → "VirusTotal: IP Reputation Analysis" or "AbuseIPDB: IP Reputation Analysis"
- "Search Logs" → "Splunk: Supporting Evidence Search with Observable Scoring"
Inconsistent Capitalization
- "virustotal: ip reputation" → "VirusTotal: IP Reputation Analysis"
- "ECHO EDR: PROCESS ANALYSIS" → "Echo EDR: Process Behavior Analysis"
Using Machine Identifier Format
- "virustotal_ip_reputation_analysis" → "VirusTotal: IP Reputation Analysis"
- "splunk-event-search" → "Splunk: Triggering Event Retrieval"
Quick Reference
| Task Category | Name Pattern | Example |
|---|
| Integration-based | {Integration}: {Action} | "VirusTotal: IP Reputation Analysis" |
| Domain-specific | {Domain} {Function} | "ProxyNotShell Hypothesis Validation" |
| Generic | {Subject} {Function} | "Alert Detailed Analysis" |
Examples by Task Function
Enrichment Tasks (function: "enrichment")
- "Splunk: Triggering Event Retrieval with SPL Generation and LLM Summarization"
- "Echo EDR: Comprehensive Behavioral Analysis"
- "AD LDAP: User Lookup and Enrichment"
- "Alert Context Generation"
Reasoning Tasks (function: "reasoning")
- "VirusTotal: IP Reputation Analysis"
- "ProxyNotShell Hypothesis Validation"
- "Alert Detailed Analysis"
- "Alert Disposition Determination"
Summarization Tasks (function: "summarization")
- "Alert Summary Generation"
cy_name Auto-Generation
The cy_name is auto-generated from the name field:
- Convert to lowercase
- Replace spaces and special characters with underscores
- Remove colons and other punctuation
Examples:
- "VirusTotal: IP Reputation Analysis" →
virustotal_ip_reputation_analysis
- "Alert Context Generation" →
alert_context_generation
- "ProxyNotShell Hypothesis Validation" →
proxynotshell_hypothesis_validation
You do not specify cy_name - focus on creating a clear, descriptive name and the system handles the rest.