# Cloud Vulnerability Triage & Contextualization
Objective: Triage top critical/high SCC vulnerability findings for a given project (${PROJECT_ID}). Enrich the CVEs with GTI, check for related exploitation activity in SIEM, and summarize findings for remediation prioritization, potentially adding context to a SOAR case.
Uses Tools:
- `scc-mcp.top_vulnerability_findings`
- `scc-mcp.get_finding_remediation`
- `gti-mcp.search_vulnerabilities` (or `get_threat_intel` for CVE summary)
- `secops-mcp.search_security_events`
- `secops-mcp.lookup_entity` (for affected resource)
- `soar-mcp.post_case_comment` (optional)
- You may ask a follow-up question (optional)
```mermaid
sequenceDiagram
    participant User
    participant AutomatedAgent as Automated Agent (MCP Client)
    participant SCC as scc-mcp
    participant GTI as gti-mcp
    participant SIEM as secops-mcp
    %% Underlying tool for documentation
    participant SOAR as secops-soar
    participant ConfirmAction as common_steps/confirm_action.md
    participant DocumentInSOAR as common_steps/document_in_soar.md
    User->>AutomatedAgent: Triage top vulnerabilities for project `${PROJECT_ID}`
    AutomatedAgent->>SCC: top_vulnerability_findings(project_id=`${PROJECT_ID}`, max_findings=5)
    SCC-->>AutomatedAgent: List of Top Findings (F1, F2... with CVE, Resource, Score)
    Note over AutomatedAgent: Initialize triage_report
    loop For each Finding Fi
        Note over AutomatedAgent: Extract CVE Ci and Resource Ri from Finding Fi
        AutomatedAgent->>SCC: get_finding_remediation(finding_id=Fi_ID)
        SCC-->>AutomatedAgent: Remediation Steps for Fi
        Note over AutomatedAgent: Add remediation to triage_report
        AutomatedAgent->>GTI: search_vulnerabilities(query=Ci)
        GTI-->>AutomatedAgent: GTI details for CVE Ci (Exploitation status, related threats)
        Note over AutomatedAgent: Add GTI context to triage_report
        %% Check resource activity (e.g., IP/hostname) for 7 days
        AutomatedAgent->>SIEM: lookup_entity(entity_value=Ri, hours_back=168)
        SIEM-->>AutomatedAgent: SIEM Summary for Resource Ri
        Note over AutomatedAgent: Add resource activity summary to triage_report
        AutomatedAgent->>SIEM: search_security_events(text="Events related to CVE Ci or exploitation attempts on Ri", hours_back=168)
        SIEM-->>AutomatedAgent: Potential exploitation events
        Note over AutomatedAgent: Add relevant event findings to triage_report
    end
    Note over AutomatedAgent: Synthesize triage_report with findings, context, and prioritization based on Score/GTI/SIEM data
    %% Optional: Confirm SOAR Update
    AutomatedAgent->>ConfirmAction: Execute(Input: QUESTION_TEXT="Triage complete...", RESPONSE_OPTIONS=...)
    ConfirmAction-->>AutomatedAgent: Results: USER_RESPONSE
    %% Optional: Document in SOAR
    %% Assumes format "Yes, Case [ID]"
    alt USER_RESPONSE contains "Yes"
        Note over AutomatedAgent: Extract CASE_ID from USER_RESPONSE
        Note over AutomatedAgent: Prepare COMMENT_TEXT for SOAR
        AutomatedAgent->>DocumentInSOAR: Execute(Input: CASE_ID, COMMENT_TEXT="SCC Vuln Triage Summary...")
        DocumentInSOAR-->>AutomatedAgent: Results: COMMENT_POST_STATUS
    end
    AutomatedAgent->>AutomatedAgent: attempt_completion(result="Cloud vulnerability triage for project `${PROJECT_ID}` complete. Findings synthesized. SOAR case potentially updated.")
```
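The diagram leaves two steps implicit: how the per-finding enrichment is turned into a prioritization, and how `CASE_ID` is pulled out of a `USER_RESPONSE` that follows the "Yes, Case [ID]" convention. The following is an added example, not part of this runbook or of the MCP servers it references. It assumes the five tools are handed in as plain Python callables with the keyword arguments shown in the diagram (`project_id`, `max_findings`, `finding_id`, `query`, `entity_value`, `hours_back`, `text`), uses an assumed weighting (SCC score, plus a GTI exploitation-status bonus, plus capped SIEM event activity) for the "prioritization based on Score/GTI/SIEM data" step, and drives the loop with constructed sample responses in place of real SCC, GTI and SIEM data.

```python
import re
from dataclasses import dataclass, field


@dataclass
class Finding:
    finding_id: str
    cve: str
    resource: str
    score: float                     # SCC score; assumed to be on a 0-10 scale
    remediation: str = ""
    gti: dict = field(default_factory=dict)
    resource_summary: str = ""
    events: list = field(default_factory=list)
    priority: float = 0.0


def prioritize(f: Finding) -> float:
    """Assumed weighting: SCC score + GTI exploitation status + capped SIEM activity."""
    p = f.score
    status = f.gti.get("exploitation_status")
    if status == "exploited_in_the_wild":
        p += 3.0
    elif status == "poc_available":
        p += 1.0
    p += float(min(len(f.events), 3))   # each related SIEM event adds 1, capped at 3
    return round(p, 1)


def triage(project_id: str, tools: dict, max_findings: int = 5, hours_back: int = 168) -> list:
    """Run the per-finding enrichment loop from the diagram; return findings sorted by priority."""
    findings = []
    for raw in tools["top_vulnerability_findings"](project_id=project_id, max_findings=max_findings):
        f = Finding(raw["finding_id"], raw["cve"], raw["resource"], raw["score"])
        f.remediation = tools["get_finding_remediation"](finding_id=f.finding_id)
        f.gti = tools["search_vulnerabilities"](query=f.cve)
        f.resource_summary = tools["lookup_entity"](entity_value=f.resource, hours_back=hours_back)
        f.events = tools["search_security_events"](
            text=f"Events related to CVE {f.cve} or exploitation attempts on {f.resource}",
            hours_back=hours_back)
        f.priority = prioritize(f)
        findings.append(f)
    return sorted(findings, key=lambda x: x.priority, reverse=True)


def render_report(project_id: str, findings: list) -> str:
    """Build COMMENT_TEXT for the optional SOAR update from the ranked findings."""
    lines = [f"SCC Vuln Triage Summary for project {project_id}"]
    for rank, f in enumerate(findings, 1):
        lines.append(f"{rank}. {f.finding_id} {f.cve} on {f.resource}: priority {f.priority} "
                     f"(SCC {f.score}, GTI {f.gti.get('exploitation_status', 'unknown')}, "
                     f"{len(f.events)} related SIEM events)")
        lines.append(f"   Remediation: {f.remediation}")
    return "\n".join(lines)


# "Yes, Case [ID]" convention; a bare "Yes" or any other answer yields None (no SOAR update).
_CASE_RE = re.compile(r"^\s*yes\b[,\s]*case\s+([A-Za-z0-9_-]+)", re.IGNORECASE)


def extract_case_id(user_response):
    m = _CASE_RE.match(user_response or "")
    return m.group(1) if m else None


# Constructed sample responses standing in for the MCP servers; the CVE ids are placeholders.
_SAMPLE_FINDINGS = [
    {"finding_id": "F1", "cve": "CVE-0000-0001", "resource": "vm-web-01", "score": 9.8},
    {"finding_id": "F2", "cve": "CVE-0000-0002", "resource": "vm-db-01", "score": 8.1},
    {"finding_id": "F3", "cve": "CVE-0000-0003", "resource": "gke-node-03", "score": 7.5},
]
_SAMPLE_GTI = {
    "CVE-0000-0001": {"exploitation_status": "exploited_in_the_wild"},
    "CVE-0000-0002": {"exploitation_status": "poc_available"},
    "CVE-0000-0003": {},
}
_SAMPLE_EVENTS = {
    "vm-web-01": ["scanner hit", "exploit attempt"],
    "vm-db-01": [],
    "gke-node-03": ["ev1", "ev2", "ev3", "ev4"],
}
SAMPLE_TOOLS = {
    "top_vulnerability_findings": lambda project_id, max_findings: _SAMPLE_FINDINGS[:max_findings],
    "get_finding_remediation": lambda finding_id: f"Patch and redeploy ({finding_id})",
    "search_vulnerabilities": lambda query: _SAMPLE_GTI.get(query, {}),
    "lookup_entity": lambda entity_value, hours_back: f"{entity_value}: activity in last {hours_back}h",
    "search_security_events": lambda text, hours_back: next(
        (ev for res, ev in _SAMPLE_EVENTS.items() if res in text), []),
}


def run_sample(project_id: str = "example-project"):
    ranked = triage(project_id, SAMPLE_TOOLS)
    return ranked, render_report(project_id, ranked)


if __name__ == "__main__":
    print(run_sample()[1])
```

With the sample data, F3 (lower SCC score but several related SIEM events) ranks above F2 (higher score, proof-of-concept only), which is the point of blending the three sources rather than sorting on SCC score alone. To use this against real servers, replace the entries in `SAMPLE_TOOLS` with wrappers around the actual MCP calls; the weighting in `prioritize` is an assumption to be tuned to the organization's own risk model.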
## Rubrics
The following rubric is used to evaluate the execution of this **Triage/Response** runbook by an LLM agent.
### Grading Scale (0-100 Points)
| Criteria | Points | Description |
| :--- | :--- | :--- |
| **Context & Enrichment** | 25 | Correctly extracted entities and enriched them with relevant context (GTI, SIEM). |
| **Analysis & Decision** | 25 | Analyzed the enriched data to make a sound decision (FP/TP, Escalate/Close). |
| **Action Execution** | 20 | Performed the required response actions (e.g., isolation, containment) correctly. |
| **Documentation** | 15 | Clearly documented findings and actions in the case/ticket. |
| **Operational Artifacts** | 15 | Produced required artifacts: Sequence diagram, execution metadata (date/cost), and summary. |
### Evaluation Criteria Details
#### 1. Context & Enrichment (25 Points)
- **10 pts**: Accurately extracted key entities (IPs, users, hashes) from the input.
- **15 pts**: Performed necessary enrichment (e.g., `enrich_ioc`) to gather reputation and history.
#### 2. Analysis & Decision (25 Points)
- **15 pts**: Interpreted the context correctly to determine the nature of the alert.
- **10 pts**: Reached a logical conclusion or next step (e.g., "Escalate to Tier 2" or "Isolate Host").
#### 3. Action Execution (20 Points)
- **10 pts**: Called the correct tools to perform response actions (if applicable) or investigative steps.
- **10 pts**: Verified the success of actions or handled errors appropriately.
#### 4. Documentation (15 Points)
- **15 pts**: Posted a comprehensive comment or update to the SOAR case summarizing the triage.
#### 5. Operational Artifacts (15 Points)
- **5 pts**: **Sequence Diagram**: Produced a Mermaid sequence diagram visualizing the steps taken.
- **5 pts**: **Execution Metadata**: Recorded the date, duration, and estimated token cost.
- **5 pts**: **Summary Report**: Generated a concise summary of the actions and outcomes.