Initial SOC memory POC implementation
39
skills/retrieve_context_skill/SKILL.md
Normal file
@ -0,0 +1,39 @@
# retrieve_context_skill

## Purpose

During SOC case triage, retrieve the most relevant historical cases and knowledge context for the agent.

## Inputs

- `scenario`: the scenario, e.g. `phishing`, `o365_suspicious_login`
- `alert_type`: the alert type
- `summary`: summary of the current case
- `entities`: users, hosts, mailboxes, etc.
- `observables`: domains, IPs, URLs, hashes, etc.
- `top_k`: number of results requested

## Outputs

- List of related historical cases
- List of related KB / playbook entries
- Key evidence / decision points
- Recommended next investigation actions

## Default retrieval order

1. `session/<session_id>`
2. `soc/case`
3. `soc/knowledge`
4. `agent/<agent_id>`
5. `user/<user_id>`

## How it works in the mock phase

Until real data and the full OpenViking retrieval pipeline are available, validate retrieval locally against `evaluation/datasets/mock_cases/` and `evaluation/datasets/mock_kb/`.

## Success criteria

- A phishing case recalls the phishing playbook and similar phishing cases
- An O365 anomalous-login case recalls the login-anomaly KB entries and similar cases
- To a human reviewer the results read as "helpful context", not as a generic pile of material
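Review bot: the default retrieval order in this hunk reads from the `session/<session_id>`, `agent/<agent_id>` and `user/<user_id>` namespaces, but none of `session_id`, `agent_id` or `user_id` appears in the inputs list, so the document does not say where those identifiers come from or whether they are bound to the authenticated caller rather than taken from the request; add them to the inputs and state that binding, otherwise one analyst's session or user memory can be read back by another. Two smaller points: `top_k` has no default or upper bound, and the returned case and KB lists should be documented as untrusted data, since historical phishing cases carry attacker-authored text (subjects, URLs) that the agent will see as context while it produces the recommended next investigation actions.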