// 当用户提供域名、IP、URL、文件哈希、邮箱等 IOC,并希望反查关联的攻击者组织、相关恶意软件、基础设施、报告和候选组织时触发此技能。
[HINT] Download the complete skill directory including SKILL.md and all related files
| name | ioc-linked-actor-lookup |
| description | 当用户提供域名、IP、URL、文件哈希、邮箱等 IOC,并希望反查关联的攻击者组织、相关恶意软件、基础设施、报告和候选组织时触发此技能。 |
当用户有以下任一意图时触发本技能:
intrusion-set、threat-actor 或其他组织类对象。本技能仅使用 opencti 数据源做只读分析,不扩展到车辆侧对象或 TARA 风险图谱。
优先提取以下槽位:
ioc_type: 允许值为 domain-name、ipv4-addr、url、file-hash、email-addr、other。ioc_value: IOC 实际值。time_range: 可选增强条件。若用户提供,则用于限制报告时间窗;否则不是硬性必需。lookup_goal: 默认值为 actor_lookup_from_ioc。提取与追问规则:
other 并在 Gaps 中说明。执行任何查询前,先声明:
ai4x_query 完成。catalog,再读取目标源 schema;若 sourceId="opencti",只将 schema 作为最小目录,并在需要具体字段时追加 detail,之后再 query。Facts 与 Inferences。先调用:
ai4x_query(command="catalog")
检查 sourceId="opencti" 是否存在。
如果不存在:
Gaps 中输出缺失数据源。在构造任何 Cypher 前,必须调用:
ai4x_query(command="schema", sourceId="opencti")
ai4x_query(command="detail", sourceId="opencti", detailKind="object|relationship-type|relationship-schema", typeName="...")
重点确认以下对象是否可消费:
indicatordomain-nameipv4-addrurlfileemail-addrmalwaretoolinfrastructurereportintrusion-setthreat-actorcampaignrelationship如果 Schema 未覆盖计划使用的对象或关系,必须在 Gaps 中说明并缩减后续查询链。
IOC 查询优先策略:
indicator。domain-name、ipv4-addr、url、file、email-addr 等 observable。ai4x_query(
command="query",
sourceId="opencti",
cypher="MATCH (i {type: 'indicator'}) WHERE toLower(coalesce(i.name, '')) CONTAINS toLower($ioc_value) OR toLower(coalesce(i.pattern, '')) CONTAINS toLower($ioc_value) OPTIONAL MATCH (i)-[rel]-(m) RETURN i, rel, m"
)
根据 ioc_type 选择对应对象类型,例如:
ai4x_query(
command="query",
sourceId="opencti",
cypher="MATCH (o) WHERE o.type IN ['domain-name','ipv4-addr','url','file','email-addr'] AND toLower(coalesce(o.name, coalesce(o.value, ''))) CONTAINS toLower($ioc_value) OPTIONAL MATCH (o)-[rel]-(m) RETURN o, rel, m"
)
入口判定规则:
indicator,优先以该对象为主事实锚点。本技能主查询链为:
indicator / observable -> malware / tool -> intrusion-set / threat-actor补充链可包括:
indicator / observable -> report -> intrusion-set / threat-actorindicator / observable -> infrastructure -> intrusion-set / threat-actor推荐查询模板:
ai4x_query(
command="query",
sourceId="opencti",
cypher="MATCH (seed) WHERE (seed.type = 'indicator' AND (toLower(coalesce(seed.name, '')) CONTAINS toLower($ioc_value) OR toLower(coalesce(seed.pattern, '')) CONTAINS toLower($ioc_value))) OR (seed.type IN ['domain-name','ipv4-addr','url','file','email-addr'] AND toLower(coalesce(seed.name, coalesce(seed.value, ''))) CONTAINS toLower($ioc_value)) OPTIONAL MATCH path1=(seed)-[*1..2]-(mt) WHERE mt.type IN ['malware','tool'] OPTIONAL MATCH path2=(seed)-[*1..2]-(rep {type: 'report'}) OPTIONAL MATCH path3=(seed)-[*1..2]-(infra {type: 'infrastructure'}) OPTIONAL MATCH path4=(mt)-[*1..2]-(actor) WHERE actor.type IN ['intrusion-set','threat-actor'] OPTIONAL MATCH path5=(rep)-[*1..2]-(actor2) WHERE actor2.type IN ['intrusion-set','threat-actor'] OPTIONAL MATCH path6=(infra)-[*1..2]-(actor3) WHERE actor3.type IN ['intrusion-set','threat-actor'] RETURN seed, path1, mt, path2, rep, path3, infra, path4, actor, path5, actor2, path6, actor3"
)
事实抽取要求:
主输出中的组织类对象允许为:
intrusion-setthreat-actor进入主输出的门槛:
malware、tool、report 或 infrastructure。Direct Actor Hits。除直接命中的组织外,还允许输出候选组织,但必须与直接事实分开。
候选组织允许类型:
intrusion-setthreat-actorcampaign候选门槛:
malware / tool 或同一 report。允许作为第二条辅助证据的对象:
report 邻接关系malware / toolinfrastructure候选搜索查询示例:
ai4x_query(
command="query",
sourceId="opencti",
cypher="MATCH (seed) WHERE (seed.type = 'indicator' AND (toLower(coalesce(seed.name, '')) CONTAINS toLower($ioc_value) OR toLower(coalesce(seed.pattern, '')) CONTAINS toLower($ioc_value))) OR (seed.type IN ['domain-name','ipv4-addr','url','file','email-addr'] AND toLower(coalesce(seed.name, coalesce(seed.value, ''))) CONTAINS toLower($ioc_value)) MATCH (seed)-[*1..2]-(bridge) WHERE bridge.type IN ['malware','tool','report'] MATCH (candidate)-[*1..2]-(bridge) WHERE candidate.type IN ['intrusion-set','threat-actor','campaign'] OPTIONAL MATCH (seed)-[*1..2]-(aux {type: 'infrastructure'}) OPTIONAL MATCH (candidate)-[*1..2]-(aux) RETURN seed, bridge, candidate, collect(DISTINCT aux) AS auxiliary_evidence"
)
判定规则:
Candidate Organizations。Exclusions。必须列出搜索过但证据不足的组织或路径,例如:
后续建议应聚焦于继续验证 IOC 与组织关联,而不是宣布确定归因。例如:
当前 opencti 聚合 Schema 可以支撑 IOC 到组织的基本反查,但仍有以下改进空间:
indicator 增加更统一的 pattern_type、valid_from、valid_until、置信度字段,便于后续做时效性和优先级筛选。name 与 value 并存带来的查询歧义。report 和组织类对象补充更明确的证据来源标识和验证状态,帮助区分“直接证据链”与“弱共现”。最终输出必须采用以下 Markdown 结构:
## Facts
- IOC Anchor:
- sourceId: opencti
- object: [indicator 或 observable]
- Evidence Chain:
- [IOC(type)] --[relationship]--> [malware/tool/report/infrastructure(type)] --[relationship]--> [organization(type)]
## Direct Actor Hits
- [组织名称]
- type: intrusion-set|threat-actor
- confidence: high|medium|low
- supporting_facts:
- [可回溯事实链]
## Candidate Organizations
- [候选名称]
- type: intrusion-set|threat-actor|campaign
- confidence: high|medium|low
- supporting_facts:
- [桥接对象]
- [第二条辅助证据]
- inference: [只能写候选性结论]
- review_required: yes
## Exclusions
- [对象名称]
- reason: [证据不足原因]
## Gaps
- Missing Sources:
- [缺失 sourceId,若无则写 none]
- Unresolved Links:
- [未命中的链路或语义不稳定的路径]
## Recommendations
- Next Steps:
- [进一步验证建议]
## Empty Result Contract
- query_status: empty|partial|complete
- retained_facts:
- [若有已命中事实则列出,否则为空数组]
- empty_segments:
- [未命中的入口或扩展链路]
- next_questions:
- [建议用户补充的 IOC、时间范围或相关报告]
输出约束:
high、medium、low。Direct Actor Hits 只收录可回溯事实链支持的组织。Candidate Organizations 必须与直接事实分开。