一键导入
alert-judgment
Use when judging whether a NetFlow alert is credible, suspicious, or unsupported from alert metadata and matched flow evidence.
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
菜单
Use when judging whether a NetFlow alert is credible, suspicious, or unsupported from alert metadata and matched flow evidence.
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
基于 SOC 职业分类
| name | alert-judgment |
| description | Use when judging whether a NetFlow alert is credible, suspicious, or unsupported from alert metadata and matched flow evidence. |
| allowed-tools | Read, Grep, Glob, Edit, Write |
credible, suspicious, or unsupported.real-data/*.json, and paired CSV flow evidence.Each alert should include:
target_ipstart_time or startTimeend_time or endTimeIf the input is already pre-denoised into events, each event should include:
event_idtarget_ipevent_start_timeevent_end_timeattack_typeIf judge_alerts.py is used, the event input should already carry structured evidence for scoring, for example:
pre_denoiseevidence.matched_flow_summaryevidence.bad_flow_summaryevidence.good_flow_summaryevidence.label_distributionevidence.artifact_refsIf a paired NetFlow CSV exists, the final judgment must go through relabel_netflows.py first.
In that case, do not treat light_evidence alone as sufficient final evidence.
light_evidence is only a fallback for preliminary triage when relabeled evidence is not yet available or when no paired CSV is available.
Judgment-object requirements:
Never use Read to open a full CSV.
If you need CSV inspection, only do one of the following:
scripts/summarize_netflows.py first to get structured statisticsDo not read the raw CSV line by line when the helper scripts can be used directly; prefer the scripts’ structured output as the primary evidence source.
When resolving files, always treat user-provided paths as project-relative first.
Do not hardcode repository-absolute paths; if a real-data path does not exist from the current working directory, rely on the helper scripts' project-local fallback search by filename.
Prefer the local helper scripts instead of re-reading raw evidence manually.
scripts/summarize_netflows.pyUse it to inspect one NetFlow CSV safely without returning the whole file content. The script streams the CSV locally and returns:
Example:
python .claude/skills/alert-judgment/scripts/summarize_netflows.py \
--json-path real-data/1.2.3.4.json \
--pretty
python .claude/skills/alert-judgment/scripts/summarize_netflows.py \
--csv-path real-data/1.2.3.4_ddos.csv \
--target-ip 1.2.3.4 \
--label udp_flood \
--sample-limit 5 \
--pretty
Use the script when:
Read would exceed token limitsjudge_alerts.pyscripts/normalize_alerts.pyUse it to turn raw real-data/<target>.json anomaly windows into canonical alerts.
Example:
python .claude/skills/alert-judgment/scripts/normalize_alerts.py \
--json-path real-data/1.2.3.4.json \
--pretty
python .claude/skills/alert-judgment/scripts/normalize_alerts.py \
--json-path real-data/1.2.3.4.json \
--record-index 0 \
--csv-path real-data/1.2.3.4_ddos.csv \
--pretty
Use the script when:
real-data/<target>.json bundlesource_json and source_csv preserved automaticallyscripts/pre_denoise_alerts.pyUse it to merge adjacent or overlapping anomaly windows into candidate events before final judgment. The current implementation is intentionally conservative:
target_ip + attack_typekeep or filteredExample:
python .claude/skills/alert-judgment/scripts/pre_denoise_alerts.py \
--json-path real-data/1.2.3.4.json \
--output-json /tmp/events.json \
--pretty
python .claude/skills/alert-judgment/scripts/pre_denoise_alerts.py \
--alerts-json alerts.json \
--output-json events.json \
--merge-gap-seconds 120 \
--raw-match-threshold 1 \
--pretty
Use the script when:
events.json and avoid rerunning pre-denoise just to feed downstream scriptsscripts/judge_alerts.pyUse it to score and judge events that have already been prepared by earlier helper scripts. This script no longer normalizes raw alerts, merges windows, or scans raw CSV on its own. Its responsibility is to:
events.jsonpre_denoise_alerts.py light evidence as a fallback for preliminary triage when relabeled evidence is not yet availableauto_handle_score and importance_scoreExample:
python .claude/skills/alert-judgment/scripts/judge_alerts.py \
--events-json events.json \
--pretty
Use the script when:
pre_denoise_alerts.py output and need one fallback triage judgment before richer evidence is attachedscripts/relabel_netflows.pyUse it to rewrite the row-level label column in NetFlow CSV data with fine-grained attack labels.
The script now focuses only on the attack types currently used by alert-judgment:
udp_flood, syn_flood, and icmp_flood.
It applies attack-window matching plus lightweight attack-specific row scoring.
Example:
python .claude/skills/alert-judgment/scripts/relabel_netflows.py \
--json-path real-data/1.2.3.4.json \
--csv-out real-data/1.2.3.4_fine_grained.csv \
--pretty
python .claude/skills/alert-judgment/scripts/relabel_netflows.py \
--alerts-json alerts.json \
--csv-in real-data/1.2.3.4_ddos.csv \
--csv-out real-data/1.2.3.4_fine_grained.csv \
--pretty
python .claude/skills/alert-judgment/scripts/relabel_netflows.py \
--events-json events.json \
--csv-in flows.csv \
--csv-out flows_fine_grained.csv
Use the script when:
udp_flood, syn_flood, or icmp_floodreal-data/<target>.json, canonical alerts.json, or reference-style events.jsonlabelnormalize_alerts.py.pre_denoise_alerts.py.relabel_netflows.py before the final judgment. This is mandatory for the final judgment path.summarize_netflows.py for compact context or reporting, but do not treat it as a substitute for relabel_netflows.py when a paired CSV exists.matched_flow_summary, bad_flow_summary, good_flow_summary, label_distribution, and artifact_refs.judge_alerts.py only after the event and its evidence are ready. If a paired CSV exists, the final judgment input must include relabeled evidence rather than only light_evidence.judge_alerts.py, calculate two separate scores:
auto_handle_score for whether the event can be handled automaticallyimportance_score for event priority and sortingcredible if matched evidence is strong and auto_handle_score is high enoughsuspicious if evidence is partial or mixed, or evidence is strong but auto_handle_score is not high enoughunsupported if evidence is missing, inconsistent, or pre-denoise has already filtered the eventReturn:
{
"stage": "alert-judgment",
"status": "completed",
"event_count": 1,
"events": [
{
"event_id": "",
"target_ip": "",
"member_alert_count": 0,
"member_alert_ids": [],
"judgment": "credible | suspicious | unsupported",
"confidence": 0.0,
"judged_attack_type": "",
"reason": "",
"scale_band": "small | medium | large | unknown",
"automation": {
"auto_handle_score": 0.0,
"auto_handle_level": "low | medium | high",
"evidence_strength": 0.0,
"attack_certainty": 0.0,
"completeness_score": 0.0,
"minimum_required_score": 0.6
},
"importance": {
"target_value_score": 0.0,
"scale_score": 0.0,
"completeness_score": 0.0,
"importance_score": 0.0,
"importance_level": "low | medium | high"
},
"analyst_action": {
"mode": "auto_handle | manual_review | drop",
"note": ""
},
"evidence": {
"source_json": "",
"source_csv": "",
"event_window": {
"start_time": "",
"end_time": ""
},
"member_alerts": [],
"bad_flow_summary": {},
"good_flow_summary": {},
"other_attack_summaries": [],
"label_distribution": {},
"artifact_refs": {},
"mixed_attack_hints": [],
"matched_flow_summary": {
"matched_flow_count": 0,
"total_packets": 0,
"total_bytes": 0,
"unique_source_count": 0
},
"data_gaps": []
}
}
]
}