원클릭으로
alert-judgment
Use when judging whether a NetFlow alert is credible, suspicious, or unsupported from alert metadata and matched flow evidence.
Codex 또는 Claude로 설치 이 Prompt를 복사해 Codex, Claude 또는 다른 어시스턴트에 붙여 넣으면 Skill 페이지를 검토하고 설치를 진행할 수 있습니다.
메뉴
Use when judging whether a NetFlow alert is credible, suspicious, or unsupported from alert metadata and matched flow evidence.
Codex 또는 Claude로 설치 이 Prompt를 복사해 Codex, Claude 또는 다른 어시스턴트에 붙여 넣으면 Skill 페이지를 검토하고 설치를 진행할 수 있습니다.
SOC 직업 분류 기준
| name | alert-judgment |
| description | Use when judging whether a NetFlow alert is credible, suspicious, or unsupported from alert metadata and matched flow evidence. |
| allowed-tools | Read, Grep, Glob, Edit, Write |
credible, suspicious, or unsupported.real-data/*.json, and paired CSV flow evidence.Each alert should include:
target_ipstart_time or startTimeend_time or endTimeIf the input is already pre-denoised into events, each event should include:
event_idtarget_ipevent_start_timeevent_end_timeattack_typeIf judge_alerts.py is used, the event input should already carry structured evidence for scoring, for example:
pre_denoiseevidence.matched_flow_summaryevidence.bad_flow_summaryevidence.good_flow_summaryevidence.label_distributionevidence.artifact_refsIf a paired NetFlow CSV exists, the final judgment must go through relabel_netflows.py first.
In that case, do not treat light_evidence alone as sufficient final evidence.
light_evidence is only a fallback for preliminary triage when relabeled evidence is not yet available or when no paired CSV is available.
Judgment-object requirements:
Never use Read to open a full CSV.
If you need CSV inspection, only do one of the following:
scripts/summarize_netflows.py first to get structured statisticsDo not read the raw CSV line by line when the helper scripts can be used directly; prefer the scripts’ structured output as the primary evidence source.
When resolving files, always treat user-provided paths as project-relative first.
Do not hardcode repository-absolute paths; if a real-data path does not exist from the current working directory, rely on the helper scripts' project-local fallback search by filename.
Prefer the local helper scripts instead of re-reading raw evidence manually.
scripts/summarize_netflows.pyUse it to inspect one NetFlow CSV safely without returning the whole file content. The script streams the CSV locally and returns:
Example:
python .claude/skills/alert-judgment/scripts/summarize_netflows.py \
--json-path real-data/1.2.3.4.json \
--pretty
python .claude/skills/alert-judgment/scripts/summarize_netflows.py \
--csv-path real-data/1.2.3.4_ddos.csv \
--target-ip 1.2.3.4 \
--label udp_flood \
--sample-limit 5 \
--pretty
Use the script when:
Read would exceed token limitsjudge_alerts.pyscripts/normalize_alerts.pyUse it to turn raw real-data/<target>.json anomaly windows into canonical alerts.
Example:
python .claude/skills/alert-judgment/scripts/normalize_alerts.py \
--json-path real-data/1.2.3.4.json \
--pretty
python .claude/skills/alert-judgment/scripts/normalize_alerts.py \
--json-path real-data/1.2.3.4.json \
--record-index 0 \
--csv-path real-data/1.2.3.4_ddos.csv \
--pretty
Use the script when:
real-data/<target>.json bundlesource_json and source_csv preserved automaticallyscripts/pre_denoise_alerts.pyUse it to merge adjacent or overlapping anomaly windows into candidate events before final judgment. The current implementation is intentionally conservative:
target_ip + attack_typekeep or filteredExample:
python .claude/skills/alert-judgment/scripts/pre_denoise_alerts.py \
--json-path real-data/1.2.3.4.json \
--output-json /tmp/events.json \
--pretty
python .claude/skills/alert-judgment/scripts/pre_denoise_alerts.py \
--alerts-json alerts.json \
--output-json events.json \
--merge-gap-seconds 120 \
--raw-match-threshold 1 \
--pretty
Use the script when:
events.json and avoid rerunning pre-denoise just to feed downstream scriptsscripts/judge_alerts.pyUse it to score and judge events that have already been prepared by earlier helper scripts. This script no longer normalizes raw alerts, merges windows, or scans raw CSV on its own. Its responsibility is to:
events.jsonpre_denoise_alerts.py light evidence as a fallback for preliminary triage when relabeled evidence is not yet availableauto_handle_score and importance_scoreExample:
python .claude/skills/alert-judgment/scripts/judge_alerts.py \
--events-json events.json \
--pretty
Use the script when:
pre_denoise_alerts.py output and need one fallback triage judgment before richer evidence is attachedscripts/relabel_netflows.pyUse it to rewrite the row-level label column in NetFlow CSV data with fine-grained attack labels.
The script now focuses only on the attack types currently used by alert-judgment:
udp_flood, syn_flood, and icmp_flood.
It applies attack-window matching plus lightweight attack-specific row scoring.
Example:
python .claude/skills/alert-judgment/scripts/relabel_netflows.py \
--json-path real-data/1.2.3.4.json \
--csv-out real-data/1.2.3.4_fine_grained.csv \
--pretty
python .claude/skills/alert-judgment/scripts/relabel_netflows.py \
--alerts-json alerts.json \
--csv-in real-data/1.2.3.4_ddos.csv \
--csv-out real-data/1.2.3.4_fine_grained.csv \
--pretty
python .claude/skills/alert-judgment/scripts/relabel_netflows.py \
--events-json events.json \
--csv-in flows.csv \
--csv-out flows_fine_grained.csv
Use the script when:
udp_flood, syn_flood, or icmp_floodreal-data/<target>.json, canonical alerts.json, or reference-style events.jsonlabelnormalize_alerts.py.pre_denoise_alerts.py.relabel_netflows.py before the final judgment. This is mandatory for the final judgment path.summarize_netflows.py for compact context or reporting, but do not treat it as a substitute for relabel_netflows.py when a paired CSV exists.matched_flow_summary, bad_flow_summary, good_flow_summary, label_distribution, and artifact_refs.judge_alerts.py only after the event and its evidence are ready. If a paired CSV exists, the final judgment input must include relabeled evidence rather than only light_evidence.judge_alerts.py, calculate two separate scores:
auto_handle_score for whether the event can be handled automaticallyimportance_score for event priority and sortingcredible if matched evidence is strong and auto_handle_score is high enoughsuspicious if evidence is partial or mixed, or evidence is strong but auto_handle_score is not high enoughunsupported if evidence is missing, inconsistent, or pre-denoise has already filtered the eventReturn:
{
"stage": "alert-judgment",
"status": "completed",
"event_count": 1,
"events": [
{
"event_id": "",
"target_ip": "",
"member_alert_count": 0,
"member_alert_ids": [],
"judgment": "credible | suspicious | unsupported",
"confidence": 0.0,
"judged_attack_type": "",
"reason": "",
"scale_band": "small | medium | large | unknown",
"automation": {
"auto_handle_score": 0.0,
"auto_handle_level": "low | medium | high",
"evidence_strength": 0.0,
"attack_certainty": 0.0,
"completeness_score": 0.0,
"minimum_required_score": 0.6
},
"importance": {
"target_value_score": 0.0,
"scale_score": 0.0,
"completeness_score": 0.0,
"importance_score": 0.0,
"importance_level": "low | medium | high"
},
"analyst_action": {
"mode": "auto_handle | manual_review | drop",
"note": ""
},
"evidence": {
"source_json": "",
"source_csv": "",
"event_window": {
"start_time": "",
"end_time": ""
},
"member_alerts": [],
"bad_flow_summary": {},
"good_flow_summary": {},
"other_attack_summaries": [],
"label_distribution": {},
"artifact_refs": {},
"mixed_attack_hints": [],
"matched_flow_summary": {
"matched_flow_count": 0,
"total_packets": 0,
"total_bytes": 0,
"unique_source_count": 0
},
"data_gaps": []
}
}
]
}