Identify content gaps and organizational opportunities. Analyzes missing content areas, redundancies, and consolidation opportunities.

Close a case or alert with proper reason and documentation. Use when triage determines an alert is FP/BTP or investigation is complete. Requires artifact ID, type, closure reason, and root cause.

Automated content similarity and grouping analysis. Groups related documents by topic, purpose, or content similarity.

Ask the user to confirm before taking a significant action. Use before containment, remediation, or other impactful operations to ensure analyst approval. Presents options and waits for response.

Check for existing SIEM alerts and case management entries related to IOCs. Use to understand if an indicator has triggered previous alerts or is part of ongoing investigations. Takes IOC list and returns related alerts and cases.

Perform exhaustive analysis of a critical IOC. Use when an IOC needs Tier 2+ investigation beyond basic enrichment - includes GTI pivoting, deep SIEM searches, correlation with related entities, and threat attribution. For escalated IOCs requiring comprehensive investigation.

Design comprehensive metadata frameworks. Develops structured metadata templates and tagging systems.

Add a comment to a case to document findings, actions, or recommendations. Use to maintain audit trail during investigations. Requires CASE_ID and comment text.

Enrich an IOC (IP, domain, hash, URL) with threat intelligence. Use when you need to look up reputation and context for an indicator using GTI and SIEM. Returns threat intel findings, SIEM entity summary, and IOC match status.

Search for existing cases related to specific indicators or entities. Use to find correlation with other investigations before starting new analysis. Takes search terms and returns matching case IDs.

Complete Tier 2 investigation workflow. Orchestrates deep investigation of escalated cases: deep-dive-ioc, correlate-ioc, specialized triage (malware/login), pivot-on-ioc, and generate comprehensive report. Use for escalated cases requiring thorough analysis.

Complete Tier 1 triage workflow. Orchestrates the full alert triage process: check-duplicates, triage-alert, enrich-ioc for each entity, and either close (FP/BTP) or escalate (TP/Suspicious). Use for end-to-end alert processing.

Save investigation findings to a markdown report file. Use after completing triage, enrichment, or investigation to create a permanent record. Generates timestamped files in ./reports/ directory.

Generate hierarchical site structure and navigation maps. Creates visual representations of information architecture and content relationships.

Develop hierarchical classification systems. Creates parent-child categorical structures for content organization.

Generate controlled vocabulary thesaurus for content domains. Creates comprehensive thesauri with preferred terms, broader/narrower/related terms.

Hunt for credential access techniques like LSASS dumping or browser credential theft. Use when searching for evidence of credential harvesting. Takes MITRE technique IDs and searches for behavioral indicators in SIEM.

Hunt for lateral movement using PsExec, WMI, or similar techniques. Use when proactively searching for attackers moving through your network using admin tools. Searches for service installations, remote process execution, and suspicious network correlations.

Conduct proactive, hypothesis-driven threat hunting. Use when performing advanced hunting based on threat intelligence, TTPs, or anomalies. For Tier 3 analysts or dedicated threat hunters. Supports iterative search, pivoting, and comprehensive documentation.

Systematic cataloging of information assets. Creates comprehensive inventories of all content with metadata and characteristics.