一键在 Manus 中运行任何 Skill

document-in-case

Add a comment to a case to document findings, actions, or recommendations. Use to maintain audit trail during investigations. Requires CASE_ID and comment text.

在 Manus 中运行

概览

Add a comment to a case to document findings, actions, or recommendations. Use to maintain audit trail during investigations. Requires CASE_ID and comment text.

安装命令

npx skills add https://github.com/dandye/ai-runbooks --skill document-in-case

复制此命令并粘贴到 Claude Code 中以安装该技能

来源

dandye/ai-runbooks

星标110

分支31

更新时间2026年2月4日 11:10

SKILL.md

readonly

name	document-in-case
description	Add a comment to a case to document findings, actions, or recommendations. Use to maintain audit trail during investigations. Requires CASE_ID and comment text.
required_roles	{"soar":"roles/chronicle.editor"}
personas	["tier1-analyst","tier2-analyst","tier3-analyst","threat-hunter","incident-responder"]

Document in Case Skill

Add a standardized comment to a case to document findings, actions taken, or recommendations.

Inputs

CASE_ID - The SOAR case ID to add the comment to
COMMENT_TEXT - The full text of the comment to be added
(Optional) ALERT_GROUP_IDENTIFIERS - Alert group identifiers if required

Workflow

Step 1: Post Comment

secops-soar.post_case_comment(
    case_id=CASE_ID,
    comment=COMMENT_TEXT,
    alert_group_identifiers=ALERT_GROUP_IDENTIFIERS  // if provided
)

Step 2: Verify Status

Check the API response to confirm the comment was posted successfully.

Outputs

Output	Description
`COMMENT_POST_STATUS`	Success/failure status of the comment posting

Comment Templates

Enrichment Summary:

IOC Enrichment for [IOC_VALUE] ([IOC_TYPE]):
- GTI Reputation: [score/classification]
- SIEM Activity: [first/last seen, alert count]
- IOC Match: [Yes/No]
- Assessment: [Low/Medium/High risk]
- Recommendation: [next steps]

Triage Decision:

Alert Triage Complete:
- Classification: [FP/BTP/TP/Suspicious]
- Key Findings: [summary]
- Rationale: [why this classification]
- Action Taken: [closed/escalated]

Investigation Update:

Investigation Update [timestamp]:
- Actions Completed: [list]
- Findings: [summary]
- Next Steps: [planned actions]

同仓库更多 Skills

同仓库

deep-dive-ioc

dandye/ai-runbooks

Perform exhaustive analysis of a critical IOC. Use when an IOC needs Tier 2+ investigation beyond basic enrichment - includes GTI pivoting, deep SIEM searches, correlation with related entities, and threat attribution. For escalated IOCs requiring comprehensive investigation.

2026-02-04110

full-triage-alert

dandye/ai-runbooks

Complete Tier 1 triage workflow. Orchestrates the full alert triage process: check-duplicates, triage-alert, enrich-ioc for each entity, and either close (FP/BTP) or escalate (TP/Suspicious). Use for end-to-end alert processing.

2026-02-04110

full-investigation

dandye/ai-runbooks

Complete Tier 2 investigation workflow. Orchestrates deep investigation of escalated cases: deep-dive-ioc, correlate-ioc, specialized triage (malware/login), pivot-on-ioc, and generate comprehensive report. Use for escalated cases requiring thorough analysis.

2026-02-04110

check-duplicates

dandye/ai-runbooks

Check for duplicate or similar cases. Use before deep analysis to avoid investigating the same incident twice. Takes a CASE_ID and returns list of similar cases.

2026-02-04110

close-case-artifact

dandye/ai-runbooks

Close a case or alert with proper reason and documentation. Use when triage determines an alert is FP/BTP or investigation is complete. Requires artifact ID, type, closure reason, and root cause.

2026-02-04110

correlate-ioc

dandye/ai-runbooks

Check for existing SIEM alerts and case management entries related to IOCs. Use to understand if an indicator has triggered previous alerts or is part of ongoing investigations. Takes IOC list and returns related alerts and cases.

2026-02-04110

来源

dandye

dandye/ai-runbooks

打开 GitHub 仓库查看创作者相关仓库

安装命令

下载

在 Manus 中运行

适用职业SOC

软件开发工程师计算机与数学类职业15-1252L4

name	document-in-case
description	Add a comment to a case to document findings, actions, or recommendations. Use to maintain audit trail during investigations. Requires CASE_ID and comment text.
required_roles	{"soar":"roles/chronicle.editor"}
personas	["tier1-analyst","tier2-analyst","tier3-analyst","threat-hunter","incident-responder"]

Document in Case Skill

Add a standardized comment to a case to document findings, actions taken, or recommendations.

Inputs

CASE_ID - The SOAR case ID to add the comment to
COMMENT_TEXT - The full text of the comment to be added
(Optional) ALERT_GROUP_IDENTIFIERS - Alert group identifiers if required

Workflow

Step 1: Post Comment

secops-soar.post_case_comment(
    case_id=CASE_ID,
    comment=COMMENT_TEXT,
    alert_group_identifiers=ALERT_GROUP_IDENTIFIERS  // if provided
)

Step 2: Verify Status

Check the API response to confirm the comment was posted successfully.

Outputs

Output	Description
`COMMENT_POST_STATUS`	Success/failure status of the comment posting

Comment Templates

Enrichment Summary:

IOC Enrichment for [IOC_VALUE] ([IOC_TYPE]):
- GTI Reputation: [score/classification]
- SIEM Activity: [first/last seen, alert count]
- IOC Match: [Yes/No]
- Assessment: [Low/Medium/High risk]
- Recommendation: [next steps]

Triage Decision:

Alert Triage Complete:
- Classification: [FP/BTP/TP/Suspicious]
- Key Findings: [summary]
- Rationale: [why this classification]
- Action Taken: [closed/escalated]

Investigation Update:

Investigation Update [timestamp]:
- Actions Completed: [list]
- Findings: [summary]
- Next Steps: [planned actions]