# Malware Triage Runbook

## Objective

Perform initial analysis and context gathering for a suspected malicious file hash identified during an investigation or alert triage. This helps determine the nature of the file and its potential impact.

## Scope

This runbook covers the initial triage steps for a file hash using GTI and SIEM tools. It does not include full reverse engineering or deep forensic analysis of the affected host.

## Inputs

- `${FILE_HASH}`: The MD5, SHA1, or SHA256 hash of the suspected malicious file.
- `${CASE_ID}`: The relevant SOAR case ID for documentation.
- `${ALERT_GROUP_IDENTIFIERS}`: Relevant alert group identifiers from the SOAR case.
- (Optional) `${TIME_FRAME_HOURS}`: Lookback period in hours for SIEM searches (default: 72).

## Tools

- `gti-mcp`: `get_file_report`, `get_file_behavior_summary`, `get_entities_related_to_a_file` (for contacted IPs/domains), `get_ip_address_report`, `get_domain_report`.
- `secops-mcp`: `search_security_events`, `lookup_entity`.
- `secops-soar`: `post_case_comment`, `get_case_full_details`, `list_cases`.
- Agent: ask the user a follow-up question, `write_report`.
- Common Steps: `common_steps/enrich_ioc`, `common_steps/find_relevant_soar_case`, `common_steps/document_in_soar`, `common_steps/generate_report_file`.
- Basic Endpoint Triage & Isolation Runbook: `.agentrules/run_books/basic_endpoint_triage_isolation.md` (potentially triggered).
## Workflow Steps & Diagram

1. **Receive Input & Context:** Obtain `${FILE_HASH}`, `${CASE_ID}`, `${ALERT_GROUP_IDENTIFIERS}`, and optionally `${TIME_FRAME_HOURS}`. Get case details via `get_case_full_details` (secops-soar).
2. **GTI File Report:** Use `gti-mcp` `get_file_report` with `hash=${FILE_HASH}`. Record key details (`${GTI_REPORT_DETAILS}`): detection ratio, malware family classification, first/last seen, associated threats.
3. **GTI Behavior Summary:** Use `gti-mcp` `get_file_behavior_summary` with `hash=${FILE_HASH}`. Record key behavioral indicators (`${GTI_BEHAVIOR_SUMMARY}`): network connections (contacted IPs/domains, `NETWORK_IOCs_GTI`), dropped files, registry keys modified, MITRE TTPs observed in sandbox.
4. **SIEM Execution Check:**
   - Use `secops-mcp` `search_security_events` with `hours_back=${TIME_FRAME_HOURS}` and queries like `target.file.sha256 = "${FILE_HASH}" OR target.file.md5 = "${FILE_HASH}" OR target.file.sha1 = "${FILE_HASH}"`.
   - Look for `PROCESS_LAUNCH`, `FILE_CREATION`, `FILE_MODIFICATION` events (`${SIEM_EXECUTION_EVENTS}`).
   - Identify hosts (`AFFECTED_HOSTS`) and users (`AFFECTED_USERS`) associated with these events.
5. **SIEM Network Activity Check:**
   - Use `secops-mcp` `search_security_events` to check for network connections (`NETWORK_CONNECTION`, `NETWORK_DNS`) originating from processes associated with `${FILE_HASH}` (using `principal.process.file.sha256 = "${FILE_HASH}"` or similar). Let these be `${SIEM_NETWORK_EVENTS}`.
   - Extract contacted IPs/domains (`NETWORK_IOCs_SIEM`) from these events.
6. **Enrich Network IOCs:**
   - Combine unique IOCs from `NETWORK_IOCs_GTI` and `NETWORK_IOCs_SIEM` into `ALL_NETWORK_IOCs`.
   - Initialize `NETWORK_IOC_ENRICHMENT`. For each IOC `Ni` in `ALL_NETWORK_IOCs`: execute `common_steps/enrich_ioc.md` with `IOC_VALUE=Ni` and the appropriate `IOC_TYPE`, and store the results in `NETWORK_IOC_ENRICHMENT[Ni]`.
7. **Check Related SOAR Cases:**
   - Prepare the list of key entities to search: `SEARCH_TERMS = AFFECTED_HOSTS + AFFECTED_USERS + ALL_NETWORK_IOCs`.
   - Execute `common_steps/find_relevant_soar_case.md` with `SEARCH_TERMS` and `CASE_STATUS_FILTER="Opened"`. Obtain `${RELATED_SOAR_CASES}` (list of potentially relevant open case summaries/IDs).
8. **Synthesize & Document:**
   - Combine findings: `${GTI_REPORT_DETAILS}`, `${GTI_BEHAVIOR_SUMMARY}`, `${SIEM_EXECUTION_EVENTS}`, `${SIEM_NETWORK_EVENTS}`, `NETWORK_IOC_ENRICHMENT`, `AFFECTED_HOSTS`, `${RELATED_SOAR_CASES}`. Assess the severity based on GTI classification, behavior, observed activity, and relation to other cases.
   - Prepare `COMMENT_TEXT`: "Malware Triage for Hash ${FILE_HASH}: GTI Class: […], Behavior Summary: […]. Observed on Hosts: [${AFFECTED_HOSTS}]. Network Activity: […]. Network IOC Enrichment: […]. Related Open Cases: [${RELATED_SOAR_CASES}]. Assessment: […]. Recommendation: [Trigger Endpoint Triage/Isolation for affected hosts] | [Block related Network IOCs (Trigger IOC Containment)] | [Escalate to Tier 3/IR for deeper analysis] | [Monitor]".
   - Execute `common_steps/document_in_soar.md` with `${CASE_ID}` and `${COMMENT_TEXT}`. Obtain `${COMMENT_POST_STATUS}`.
9. **(Optional) Generate Report:**
   - Ask the user a follow-up question: "Generate a markdown report file for this triage?". Obtain `${REPORT_CHOICE}`.
   - If `${REPORT_CHOICE}` is "Yes": prepare `REPORT_CONTENT` summarizing the findings (similar to `${COMMENT_TEXT}` but formatted for a report, including a Mermaid diagram), then execute `common_steps/generate_report_file.md` with `REPORT_CONTENT`, `REPORT_TYPE="malware_triage"`, `REPORT_NAME_SUFFIX=${FILE_HASH}`. Obtain `${REPORT_GENERATION_STATUS}`.
   - Else: set `${REPORT_GENERATION_STATUS}="Skipped"`.
10. **Completion:** Conclude the runbook execution. Inform the analyst of the completion status and the report generation status (if applicable).
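The data-handling core of steps 4 through 6, as an added example that is not part of this runbook or of the MCP tools it calls. It assumes a simplified event shape (dicts with `type`, `hostname`, `user`, `target`) standing in for UDM search results, and uses constructed sample data; the hash check matters because `${FILE_HASH}` usually arrives from an alert field and is pasted straight into a query.

```python
import re

# Constructed sample inputs (not real data): a fake SHA256 and UDM-like SIEM hits.
SAMPLE_HASH = "deadbeef" * 8
SAMPLE_EVENTS = [
    {"type": "PROCESS_LAUNCH", "hostname": "ws-042", "user": "jdoe", "target": None},
    {"type": "FILE_CREATION", "hostname": "ws-017", "user": "svc_backup", "target": None},
    {"type": "NETWORK_CONNECTION", "hostname": "ws-042", "user": "jdoe", "target": "203.0.113.7"},
    {"type": "NETWORK_DNS", "hostname": "ws-042", "user": "jdoe", "target": "Updates.Example.Net."},
]
SAMPLE_GTI_IOCS = ["updates.example.net", "198.51.100.9"]
EXEC_TYPES = {"PROCESS_LAUNCH", "FILE_CREATION", "FILE_MODIFICATION"}
NET_TYPES = {"NETWORK_CONNECTION", "NETWORK_DNS"}
HASH_KINDS = {32: "md5", 40: "sha1", 64: "sha256"}
IPV4 = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")

def normalize_hash(file_hash):
    """Lower-case FILE_HASH and reject anything that is not a bare MD5/SHA1/SHA256 hex
    digest, so an untrusted alert field can never change the shape of the UDM query."""
    h = file_hash.strip().lower()
    if not re.fullmatch(r"[0-9a-f]+", h) or len(h) not in HASH_KINDS:
        raise ValueError("FILE_HASH must be an MD5, SHA1 or SHA256 hex digest")
    return h

def execution_query(file_hash):
    """Step 4 (SIEM Execution Check): the runbook's query over all three hash fields."""
    h = normalize_hash(file_hash)
    return " OR ".join(f'target.file.{k} = "{h}"' for k in ("sha256", "md5", "sha1"))

def triage_events(events):
    """Steps 4-5: split SIEM hits into AFFECTED_HOSTS, AFFECTED_USERS and NETWORK_IOCs_SIEM."""
    hosts, users, iocs = set(), set(), []
    for ev in events:
        if ev["type"] in EXEC_TYPES:
            hosts.add(ev["hostname"])
            users.add(ev["user"])
        elif ev["type"] in NET_TYPES and ev["target"]:
            iocs.append(ev["target"])
    return sorted(hosts), sorted(users), iocs

def merge_iocs(gti_iocs, siem_iocs):
    """Step 6: ALL_NETWORK_IOCs, normalized and de-duplicated (case, trailing dot),
    each tagged with the IOC_TYPE that enrich_ioc expects (ip or domain)."""
    merged = {}
    for ioc in list(gti_iocs) + list(siem_iocs):
        v = ioc.strip().lower().rstrip(".")
        if v and v not in merged:
            merged[v] = "ip" if IPV4.match(v) else "domain"
    return merged
```

The keys of `merge_iocs(...)` are the `Ni` values the enrichment loop iterates over, and the values are the `IOC_TYPE` passed with each.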
```mermaid
sequenceDiagram
participant Analyst
participant AutomatedAgent as Automated Agent (MCP Client)
participant GTI as gti-mcp
participant SIEM as secops-mcp
participant SOAR as secops-soar
participant EnrichIOC as common_steps/enrich_ioc.md
participant FindCase as common_steps/find_relevant_soar_case.md
participant DocumentInSOAR as common_steps/document_in_soar.md
participant GenerateReport as common_steps/generate_report_file.md
%% Still potentially triggered
participant Endpoint_Triage as Endpoint Triage Runbook
Analyst->>AutomatedAgent: Start Malware Triage<br/>Input: FILE_HASH, CASE_ID, ALERT_GROUP_IDS, TIME_FRAME_HOURS (opt)
%% Step 1: Context
AutomatedAgent->>SOAR: get_case_full_details(case_id=CASE_ID)
SOAR-->>AutomatedAgent: Case Details
%% Step 2: GTI File Report
AutomatedAgent->>GTI: get_file_report(hash=FILE_HASH)
GTI-->>AutomatedAgent: Detailed File Report (GTI_REPORT_DETAILS)
%% Step 3: GTI Behavior Summary
AutomatedAgent->>GTI: get_file_behavior_summary(hash=FILE_HASH)
GTI-->>AutomatedAgent: Behavior Summary (NETWORK_IOCs_GTI)
%% Step 4: SIEM Execution Check
AutomatedAgent->>SIEM: search_security_events(text="Events for hash FILE_HASH", hours_back=TIME_FRAME_HOURS)
SIEM-->>AutomatedAgent: Execution Events (SIEM_EXECUTION_EVENTS, AFFECTED_HOSTS, AFFECTED_USERS)
%% Step 5: SIEM Network Activity Check
AutomatedAgent->>SIEM: search_security_events(text="Network activity from process hash FILE_HASH", hours_back=TIME_FRAME_HOURS)
SIEM-->>AutomatedAgent: Network Events (SIEM_NETWORK_EVENTS, NETWORK_IOCs_SIEM)
%% Step 6: Enrich Network IOCs
Note over AutomatedAgent: Combine NETWORK_IOCs_GTI and NETWORK_IOCs_SIEM into ALL_NETWORK_IOCs
loop For each key Network IOC Ni in ALL_NETWORK_IOCs
AutomatedAgent->>EnrichIOC: Execute(Input: IOC_VALUE=Ni, IOC_TYPE=...)
EnrichIOC-->>AutomatedAgent: Results: Store in NETWORK_IOC_ENRICHMENT[Ni]
end
%% Step 7: Check Related SOAR Cases
Note over AutomatedAgent: Prepare SEARCH_TERMS list (Hosts, Users, Network IOCs)
AutomatedAgent->>FindCase: Execute(Input: SEARCH_TERMS, CASE_STATUS_FILTER="Opened")
FindCase-->>AutomatedAgent: Results: RELATED_SOAR_CASES
%% Step 8: Synthesize, Document & Recommend
Note over AutomatedAgent: Synthesize findings (incl. related cases), assess severity, prepare COMMENT_TEXT with Recommendation
AutomatedAgent->>DocumentInSOAR: Execute(Input: CASE_ID, COMMENT_TEXT)
DocumentInSOAR-->>AutomatedAgent: Results: COMMENT_POST_STATUS
%% Step 9: Optional Report Generation
AutomatedAgent->>AskReport: Confirm: "Generate markdown report? (Yes/No)"
AskReport-->>AutomatedAgent: User Response (REPORT_CHOICE)
alt REPORT_CHOICE is "Yes"
Note over AutomatedAgent: Prepare REPORT_CONTENT (incl. Mermaid diagram)
AutomatedAgent->>GenerateReport: Execute(Input: REPORT_CONTENT, REPORT_TYPE="malware_triage", REPORT_NAME_SUFFIX=FILE_HASH)
GenerateReport-->>AutomatedAgent: Results: REPORT_GENERATION_STATUS
else REPORT_CHOICE is "No"
Note over AutomatedAgent: REPORT_GENERATION_STATUS = "Skipped"
end
%% Step 10: Completion
AutomatedAgent->>Analyst: attempt_completion(result="Malware Triage complete for FILE_HASH. Findings documented in case CASE_ID. Report Status: REPORT_GENERATION_STATUS.")
```
## Rubrics
The following rubric is used to evaluate the execution of this **Triage/Response** runbook by an LLM agent.
### Grading Scale (0-100 Points)
| Criteria | Points | Description |
| :--- | :--- | :--- |
| **Context & Enrichment** | 25 | Correctly extracted entities and enriched them with relevant context (GTI, SIEM). |
| **Analysis & Decision** | 25 | Analyzed the enriched data to make a sound decision (FP/TP, Escalate/Close). |
| **Action Execution** | 20 | Performed the required response actions (e.g., isolation, containment) correctly. |
| **Documentation** | 15 | Clearly documented findings and actions in the case/ticket. |
| **Operational Artifacts** | 15 | Produced required artifacts: Sequence diagram, execution metadata (date/cost), and summary. |
### Evaluation Criteria Details
#### 1. Context & Enrichment (25 Points)
- **10 pts**: Accurately extracted key entities (IPs, users, hashes) from the input.
- **15 pts**: Performed necessary enrichment (e.g., `enrich_ioc`) to gather reputation and history.
#### 2. Analysis & Decision (25 Points)
- **15 pts**: Interpreted the context correctly to determine the nature of the alert.
- **10 pts**: Reached a logical conclusion or next step (e.g., "Escalate to Tier 2" or "Isolate Host").
#### 3. Action Execution (20 Points)
- **10 pts**: Called the correct tools to perform response actions (if applicable) or investigative steps.
- **10 pts**: Verified the success of actions or handled errors appropriately.
#### 4. Documentation (15 Points)
- **15 pts**: Posted a comprehensive comment or update to the SOAR case summarizing the triage.
#### 5. Operational Artifacts (15 Points)
- **5 pts**: **Sequence Diagram**: Produced a Mermaid sequence diagram visualizing the steps taken.
- **5 pts**: **Execution Metadata**: Recorded the date, duration, and estimated token cost.
- **5 pts**: **Summary Report**: Generated a concise summary of the actions and outcomes.