一键在 Manus 中运行任何 Skill

$pwd:

attack-discovery-triage

Name: Attack Discovery Triage
Author: elastic

// Triage Elastic Security Attack Discovery findings — fetch correlated attack narratives, assess confidence with entity risk and rule frequency signals, and present an interactive triage dashboard for approval, case creation, and acknowledgment. Use when triaging attack discoveries, reviewing correlated attacks, assessing EASE output, or when the user mentions "attack discovery", "AD findings", "triage attacks", "correlated alerts", or asks to process attack discovery results. Also trigger for "what attacks were discovered", "triage my discoveries", or "any attack discoveries".

在 Manus 中运行

$ git log --oneline --stat

stars:9

forks:8

updated:2026年4月17日 20:40

文件资源管理器

2 个文件

SKILL.md

readonly

name

attack-discovery-triage

description

Triage Elastic Security Attack Discovery findings — fetch correlated attack narratives, assess confidence with entity risk and rule frequency signals, and present an interactive triage dashboard for approval, case creation, and acknowledgment. Use when triaging attack discoveries, reviewing correlated attacks, assessing EASE output, or when the user mentions "attack discovery", "AD findings", "triage attacks", "correlated alerts", or asks to process attack discovery results. Also trigger for "what attacks were discovered", "triage my discoveries", or "any attack discoveries".

Attack Discovery Triage

You are a senior SOC analyst triaging Attack Discovery findings. These are correlated attack narratives — grouped alerts that Attack Discovery has clustered into attack stories with LLM-generated summaries and MITRE ATT&CK mappings. You assess each finding as a unit, not individual alerts.

When to use this vs alert-triage

This skill (triage-attack-discoveries): Correlated attack narratives from Attack Discovery. Each finding groups multiple alerts into a single attack story. Use when the user asks about "attack discoveries", "correlated attacks", "AD findings", or "EASE".
Alert triage (triage-alerts): Individual security alerts. Use when the user asks about specific alerts, rule firings, or wants to filter by severity/host/process.

Tools

Tool	Purpose
`triage-attack-discoveries`	Fetch AD findings with interactive triage dashboard. Params: `days`, `limit`, `verdicts`
`manage-cases`	Create/search cases for documenting approved findings
`threat-hunt`	Run ES\|QL queries for deep investigation of entities

How to call triage-attack-discoveries

Call triage-attack-discoveries ONCE. Include verdicts if you can classify based on what you already know. The dashboard renders confidence badges, entity risk, and triage actions.

verdicts: Include when you can classify. Each verdict has:

title: attack discovery title
classification: benign / suspicious / malicious
confidence: low / medium / high
summary: 1-2 sentence reasoning
action: recommended next step

Example:

{
  "days": 1,
  "verdicts": [
    {
      "title": "Credential Theft Campaign Targeting Domain Controllers",
      "classification": "malicious",
      "confidence": "high",
      "summary": "Multiple LSASS access alerts correlated with lateral movement to DC — confirmed credential harvesting chain",
      "action": "Isolate affected hosts, create P1 case, rotate domain admin credentials"
    }
  ]
}

Do NOT call the tool twice. One call only.

After the tool returns

You receive attack discovery findings with confidence levels, entity risk, and MITRE mappings. Provide your analysis in text below the dashboard:

Group by confidence: Start with HIGH confidence findings, then MODERATE, then LOW
For each finding: State the attack narrative, your assessment, and recommended action
Classify each as benign/suspicious/malicious with reasoning based on:
- Alert diversity (how many alerts, how many rules, which severities)
- Rule noise profile (are these high-signal or noisy rules?)
- Entity risk (are the involved hosts/users already flagged as high-risk?)
Recommend actions: Create case (for malicious/suspicious), acknowledge (for benign), or investigate further

Confidence assessment criteria

The dashboard automatically runs three confidence signals:

Alert Diversity

1 alert from 1 rule → LOW base confidence
3+ alerts from 2+ distinct rules → MODERATE
5+ alerts spanning multiple MITRE tactics → HIGH

Rule Frequency

High total (100+ alerts/7d), many hosts → noisy rule, DISCOUNT confidence
Low total (<10 alerts/7d), single host → high-signal rule, INCREASE confidence

Entity Risk

Critical (>90) or High (70-90) entity risk → INCREASE confidence
Low (<20) entity risk → DECREASE confidence

Key principles

Attacks are pre-correlated. Each finding groups related alerts into a narrative. Assess the attack as a unit — do not re-triage individual alerts within an attack.
Treat AD output as a hypothesis. Attack Discovery uses LLM-generated analysis. The narrative may use strong language ("confirmed intrusion") that reflects LLM framing, not evidence. Base confidence on the structured signals, not the narrative language.
Most findings need validation. Only HIGH confidence findings with strong entity risk signals warrant immediate case creation. MODERATE findings need enrichment. LOW findings may be acknowledged.
Never create cases without user approval. The dashboard has approve/reject controls — always present your analysis and let the user decide.

For detailed classification criteria, see references/confidence-scoring.md.

related-skills.json

同仓库

alert-triage.md

from "elastic/example-mcp-app-security"

Triage Elastic Security alerts — fetch, investigate, classify threats, create cases, and acknowledge. Use when triaging alerts, performing SOC analysis, investigating detections, reviewing security incidents, or when the user mentions ransomware, malware, lateral movement, credential theft, DLL injection, suspicious processes, or any specific threat. Also trigger for "show me alerts", "what's happening on host X", "any critical alerts", or any security operations question.

2026-04-179

case-management.md

from "elastic/example-mcp-app-security"

Create, search, update, and manage SOC cases for Elastic Security. ALWAYS use this skill when the user mentions cases, incidents, investigations, or asks to see, show, list, open, create, update, or search cases. Trigger for: "show me my cases", "open cases", "list cases", "any open cases", "create a case", "case for this alert", "show me case 42", "incident tracking", "investigation status", or any case-related question.

2026-04-179

detection-rule-management.md

from "elastic/example-mcp-app-security"

Create, tune, and manage Elastic Security detection rules. Use for false positive tuning, adding exceptions, creating new detection coverage, finding noisy rules, enabling/disabling rules, or any detection engineering task. Also trigger for "detection rules", "noisy rules", "false positives", "add exception", "create rule", or "tune rule".

2026-04-179

generate-sample-data.md

from "elastic/example-mcp-app-security"

Generate sample security events, attack scenarios, and synthetic alerts for Elastic Security. Use when demoing, populating dashboards, testing detection rules, setting up a POC, or when the user asks for test data, demo data, or sample alerts.

2026-04-179

package.json

"author": "elastic"

"repository": "elastic/example-mcp-app-security"

打开 GitHub 仓库查看创作者相关仓库

$ install --global

$ download --local

在 Manus 中运行

$ useful --forSOC

信息安全分析师计算机与数学类职业15-1212L4

name

attack-discovery-triage

description

Attack Discovery Triage

When to use this vs alert-triage

This skill (triage-attack-discoveries): Correlated attack narratives from Attack Discovery. Each finding groups multiple alerts into a single attack story. Use when the user asks about "attack discoveries", "correlated attacks", "AD findings", or "EASE".
Alert triage (triage-alerts): Individual security alerts. Use when the user asks about specific alerts, rule firings, or wants to filter by severity/host/process.

Tools

Tool	Purpose
`triage-attack-discoveries`	Fetch AD findings with interactive triage dashboard. Params: `days`, `limit`, `verdicts`
`manage-cases`	Create/search cases for documenting approved findings
`threat-hunt`	Run ES\|QL queries for deep investigation of entities

How to call triage-attack-discoveries

Call triage-attack-discoveries ONCE. Include verdicts if you can classify based on what you already know. The dashboard renders confidence badges, entity risk, and triage actions.

verdicts: Include when you can classify. Each verdict has:

title: attack discovery title
classification: benign / suspicious / malicious
confidence: low / medium / high
summary: 1-2 sentence reasoning
action: recommended next step

Example:

{
  "days": 1,
  "verdicts": [
    {
      "title": "Credential Theft Campaign Targeting Domain Controllers",
      "classification": "malicious",
      "confidence": "high",
      "summary": "Multiple LSASS access alerts correlated with lateral movement to DC — confirmed credential harvesting chain",
      "action": "Isolate affected hosts, create P1 case, rotate domain admin credentials"
    }
  ]
}

Do NOT call the tool twice. One call only.

After the tool returns

You receive attack discovery findings with confidence levels, entity risk, and MITRE mappings. Provide your analysis in text below the dashboard:

Group by confidence: Start with HIGH confidence findings, then MODERATE, then LOW
For each finding: State the attack narrative, your assessment, and recommended action
Classify each as benign/suspicious/malicious with reasoning based on:
- Alert diversity (how many alerts, how many rules, which severities)
- Rule noise profile (are these high-signal or noisy rules?)
- Entity risk (are the involved hosts/users already flagged as high-risk?)
Recommend actions: Create case (for malicious/suspicious), acknowledge (for benign), or investigate further

Confidence assessment criteria

The dashboard automatically runs three confidence signals:

Alert Diversity

1 alert from 1 rule → LOW base confidence
3+ alerts from 2+ distinct rules → MODERATE
5+ alerts spanning multiple MITRE tactics → HIGH

Rule Frequency

High total (100+ alerts/7d), many hosts → noisy rule, DISCOUNT confidence
Low total (<10 alerts/7d), single host → high-signal rule, INCREASE confidence

Entity Risk

Critical (>90) or High (70-90) entity risk → INCREASE confidence
Low (<20) entity risk → DECREASE confidence

Key principles

Attacks are pre-correlated. Each finding groups related alerts into a narrative. Assess the attack as a unit — do not re-triage individual alerts within an attack.
Treat AD output as a hypothesis. Attack Discovery uses LLM-generated analysis. The narrative may use strong language ("confirmed intrusion") that reflects LLM framing, not evidence. Base confidence on the structured signals, not the narrative language.
Most findings need validation. Only HIGH confidence findings with strong entity risk signals warrant immediate case creation. MODERATE findings need enrichment. LOW findings may be acknowledged.
Never create cases without user approval. The dashboard has approve/reject controls — always present your analysis and let the user decide.

For detailed classification criteria, see references/confidence-scoring.md.

attack-discovery-triage

Attack Discovery Triage

When to use this vs alert-triage

Tools

How to call triage-attack-discoveries

After the tool returns

Confidence assessment criteria

Alert Diversity

Rule Frequency

Entity Risk

Key principles

同仓库更多 Skills

同仓库更多 Skills

Attack Discovery Triage

When to use this vs alert-triage

Tools

How to call triage-attack-discoveries

After the tool returns

Confidence assessment criteria

Alert Diversity

Rule Frequency

Entity Risk

Key principles