Correlate IOC Skill

Name: correlate-ioc
Rating: 92
Author: dandye

Check for existing SIEM alerts and SOAR cases related to specific Indicators of Compromise.

Inputs

•IOC_LIST - Single IOC or list of IOCs (e.g., ["198.51.100.10", "evil-domain.com"])
•(Optional) TIME_FRAME_HOURS - Lookback period for SIEM alerts (default: 168 = 7 days)
•(Optional) SOAR_CASE_FILTER - Additional filter for SOAR cases (e.g., status="OPEN")

Workflow

Step 1: Correlate SIEM Alerts

Search for alerts containing any IOC in the list:

code

secops-mcp.get_security_alerts(
    query=IOC_based_query,
    hours_back=TIME_FRAME_HOURS
)

Store summary in RELATED_SIEM_ALERTS:

•Alert count
•Alert types/names
•Severity distribution
•Affected assets

Step 2: Correlate SOAR Cases

Search for cases containing any IOC:

code

secops-soar.list_cases(
    filter=IOC_based_filter + SOAR_CASE_FILTER
)

Store summary in RELATED_SOAR_CASES:

•Case IDs and names
•Case status
•Case priority

Required Outputs

After completing this skill, you MUST report these outputs:

Output	Description
`RELATED_SIEM_ALERTS`	Summary of SIEM alerts related to the IOC(s)
`RELATED_SOAR_CASES`	Summary of SOAR cases related to the IOC(s)
`CORRELATION_STATUS`	Success/failure status of the correlation
`MALICIOUS_CONFIDENCE`	Derived confidence based on alert history: `high`, `medium`, `low`, or `none`

Use Cases

•Before Investigation - Check if IOC is already under investigation
•During Enrichment - Understand internal activity for an IOC
•Threat Hunt - Find all alerts/cases related to campaign indicators
•Incident Response - Identify scope of compromise across cases

Correlation Summary Template

code

IOC Correlation Summary for [IOC_LIST]:

SIEM Alerts (last [TIME_FRAME_HOURS] hours):
- Total alerts: [count]
- Alert types: [list]
- Affected hosts: [list]

SOAR Cases:
- Open cases: [count] - [IDs]
- Closed cases: [count]
- Related investigations: [summary]