# Cloud Vulnerability Triage & Contextualization

Objective: Triage the top critical/high SCC vulnerability findings for a given project (`${PROJECT_ID}`). Enrich the CVEs with GTI, check for related exploitation activity in the SIEM, and summarize the findings for remediation prioritization, optionally adding the context to a SOAR case.
Uses Tools:

- `scc-mcp.top_vulnerability_findings`
- `scc-mcp.get_finding_remediation`
- `gti-mcp.search_vulnerabilities` (or `get_threat_intel` for a CVE summary)
- `secops-mcp.search_security_events`
- `secops-mcp.lookup_entity` (for the affected resource)
- `secops-soar.post_case_comment` (optional)
- You may ask a follow-up question (optional)
```mermaid
sequenceDiagram
    participant User
    participant AutomatedAgent as Automated Agent (MCP Client)
    participant SCC as scc-mcp
    participant GTI as gti-mcp
    participant SIEM as secops-mcp
    participant SOAR as secops-soar
    %% Underlying tool for documentation
    participant ConfirmAction as common_steps/confirm_action.md
    participant DocumentInSOAR as common_steps/document_in_soar.md

    User->>AutomatedAgent: Triage top vulnerabilities for project `${PROJECT_ID}`
    AutomatedAgent->>SCC: top_vulnerability_findings(project_id=`${PROJECT_ID}`, max_findings=5)
    SCC-->>AutomatedAgent: List of Top Findings (F1, F2... with CVE, Resource, Score)
    Note over AutomatedAgent: Initialize triage_report
    loop For each Finding Fi
        Note over AutomatedAgent: Extract CVE Ci and Resource Ri from Finding Fi
        AutomatedAgent->>SCC: get_finding_remediation(finding_id=Fi_ID)
        SCC-->>AutomatedAgent: Remediation Steps for Fi
        Note over AutomatedAgent: Add remediation to triage_report
        AutomatedAgent->>GTI: search_vulnerabilities(query=Ci)
        GTI-->>AutomatedAgent: GTI details for CVE Ci (Exploitation status, related threats)
        Note over AutomatedAgent: Add GTI context to triage_report
        %% Check resource activity (e.g., IP/hostname) for 7 days
        AutomatedAgent->>SIEM: lookup_entity(entity_value=Ri, hours_back=168)
        SIEM-->>AutomatedAgent: SIEM Summary for Resource Ri
        Note over AutomatedAgent: Add resource activity summary to triage_report
        AutomatedAgent->>SIEM: search_security_events(text="Events related to CVE Ci or exploitation attempts on Ri", hours_back=168)
        SIEM-->>AutomatedAgent: Potential exploitation events
        Note over AutomatedAgent: Add relevant event findings to triage_report
    end
    Note over AutomatedAgent: Synthesize triage_report with findings, context, and prioritization based on Score/GTI/SIEM data
    %% Optional: Confirm SOAR Update
    AutomatedAgent->>ConfirmAction: Execute(Input: QUESTION_TEXT="Triage complete...", RESPONSE_OPTIONS=...)
    ConfirmAction-->>AutomatedAgent: Results: USER_RESPONSE
    %% Optional: Document in SOAR
    alt USER_RESPONSE contains "Yes"
        %% Assumes format "Yes, Case [ID]"
        Note over AutomatedAgent: Extract CASE_ID from USER_RESPONSE
        Note over AutomatedAgent: Prepare COMMENT_TEXT for SOAR
        AutomatedAgent->>DocumentInSOAR: Execute(Input: CASE_ID, COMMENT_TEXT="SCC Vuln Triage Summary...")
        DocumentInSOAR-->>AutomatedAgent: Results: COMMENT_POST_STATUS
    end
    AutomatedAgent->>AutomatedAgent: attempt_completion(result="Cloud vulnerability triage for project `${PROJECT_ID}` complete. Findings synthesized. SOAR case potentially updated.")
```
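The per-finding loop and the "synthesize triage_report with prioritization" step, as an added Python example that is not part of this runbook or of the MCP servers it names. The calls to scc-mcp, gti-mcp and secops-mcp are replaced by local stub functions with hypothetical signatures that return constructed sample findings, GTI records and SIEM events (all placeholder values, including the CVE identifiers), and the weighting in `compute_priority` is an illustrative choice, not the agent's actual logic. It shows how a finding with a lower score but known exploitation and related SIEM activity ends up ranked above a higher-scored finding that has neither.

```python
"""Offline model of the runbook's triage loop (added example, not runbook code).

The MCP tools named in the runbook (scc-mcp, gti-mcp, secops-mcp) are replaced by
stub functions returning constructed sample data so the loop runs without a backend.
"""
from dataclasses import dataclass, field

HOURS_BACK = 168  # 7-day lookback, as used in the runbook

# --- constructed sample data: placeholders, not real findings, CVEs or hosts ----
SAMPLE_FINDINGS = [
    {"finding_id": "F1", "cve": "CVE-EXAMPLE-0001", "resource": "vm-web-01", "score": 9.8},
    {"finding_id": "F2", "cve": "CVE-EXAMPLE-0002", "resource": "vm-db-01", "score": 8.1},
    {"finding_id": "F3", "cve": "CVE-EXAMPLE-0003", "resource": "vm-batch-07", "score": 7.5},
]
SAMPLE_REMEDIATION = {
    "F1": "Upgrade the affected package to the fixed version and restart the service.",
    "F2": "Apply the vendor patch during the next maintenance window.",
    "F3": "Restrict network exposure of the service and apply the patch.",
}
SAMPLE_GTI = {  # stands in for GTI exploitation status / related threats
    "CVE-EXAMPLE-0001": {"exploited_in_the_wild": True, "related_threats": ["ThreatGroup-Placeholder"]},
    "CVE-EXAMPLE-0002": {"exploited_in_the_wild": False, "related_threats": []},
    "CVE-EXAMPLE-0003": {"exploited_in_the_wild": True, "related_threats": []},
}
SAMPLE_SIEM_EVENTS = [  # constructed SIEM hits within the lookback window
    {"resource": "vm-web-01", "summary": "request matched detection rule for CVE-EXAMPLE-0001"},
    {"resource": "vm-web-01", "summary": "request matched detection rule for CVE-EXAMPLE-0001"},
    {"resource": "vm-batch-07", "summary": "scanner traffic against the vulnerable service port"},
]

# --- stubs standing in for the MCP tool calls (hypothetical signatures) ---------
def top_vulnerability_findings(project_id, max_findings=5):
    return SAMPLE_FINDINGS[:max_findings]

def get_finding_remediation(finding_id):
    return SAMPLE_REMEDIATION.get(finding_id, "No remediation guidance available.")

def search_vulnerabilities(query):
    return SAMPLE_GTI.get(query, {"exploited_in_the_wild": False, "related_threats": []})

def lookup_entity(entity_value, hours_back):
    count = sum(1 for e in SAMPLE_SIEM_EVENTS if e["resource"] == entity_value)
    return {"entity": entity_value, "hours_back": hours_back, "event_count": count}

def search_security_events(text, hours_back):
    # Crude stand-in for a free-text SIEM search: match on the resource name in the query.
    return [e for e in SAMPLE_SIEM_EVENTS if e["resource"] in text]

# --- triage logic ---------------------------------------------------------------
@dataclass
class TriageEntry:
    finding_id: str
    cve: str
    resource: str
    score: float
    remediation: str
    gti: dict
    siem_events: list = field(default_factory=list)
    resource_summary: dict = field(default_factory=dict)
    priority: float = 0.0

def compute_priority(score, gti, siem_events):
    """Illustrative weighting: the finding score, plus a bump for known exploitation
    (GTI) and a bump that grows with observed related activity (SIEM)."""
    p = score
    if gti.get("exploited_in_the_wild"):
        p += 2.0
    if siem_events:
        p += 1.0 + 0.5 * min(len(siem_events), 3)
    return round(p, 1)

def triage_project(project_id, max_findings=5):
    """Run the runbook loop over the top findings and return entries sorted by priority."""
    report = []
    for f in top_vulnerability_findings(project_id, max_findings):
        cve, resource = f["cve"], f["resource"]
        gti = search_vulnerabilities(cve)
        summary = lookup_entity(resource, HOURS_BACK)
        events = search_security_events(
            f"Events related to CVE {cve} or exploitation attempts on {resource}", HOURS_BACK)
        entry = TriageEntry(f["finding_id"], cve, resource, f["score"],
                            get_finding_remediation(f["finding_id"]), gti, events,
                            resource_summary=summary)
        entry.priority = compute_priority(entry.score, gti, events)
        report.append(entry)
    return sorted(report, key=lambda e: e.priority, reverse=True)

def render_comment(project_id, report):
    """Build the text that would become COMMENT_TEXT for the optional SOAR case update."""
    lines = [f"SCC Vuln Triage Summary for project {project_id}"]
    for rank, e in enumerate(report, 1):
        flags = []
        if e.gti.get("exploited_in_the_wild"):
            flags.append("exploited in the wild")
        if e.siem_events:
            flags.append(f"{len(e.siem_events)} related SIEM events")
        lines.append(f"{rank}. {e.finding_id} {e.cve} on {e.resource}: priority {e.priority}"
                     f" ({', '.join(flags) or 'no extra context'})")
        lines.append(f"   Remediation: {e.remediation}")
    return "\n".join(lines)

if __name__ == "__main__":
    triaged = triage_project("example-project")
    print(render_comment("example-project", triaged))
```

With the constructed data, F3 (score 7.5, exploited in the wild, one related SIEM event) is ranked above F2 (score 8.1, no exploitation, no events); `render_comment` returns the summary in the shape the runbook's optional SOAR comment step expects.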