Refresh alert triage source metadata

Floofy6 · Floofy6 · commit 71971e2e95a1 · 2026-06-04T06:52:01.000-04:00
diff --git a/index.yaml b/index.yaml
@@ -462,7 +462,7 @@ skills:
     role: [soc-analyst]
     phase: [operate, respond]
     activity: [triage, investigate]
-    frameworks: [MITRE-ATT&CK-v16, NIST-SP-800-61r2]
+    frameworks: [MITRE-ATT&CK-v19.1, NIST-SP-800-61r3, NIST-CSF-2.0]
     difficulty: beginner
     time_estimate: "10-20min per alert"
     file: skills/secops/alert-triage/SKILL.md
diff --git a/skills/secops/alert-triage/SKILL.md b/skills/secops/alert-triage/SKILL.md
@@ -2,18 +2,19 @@
 name: alert-triage
 description: >
   Guides structured triage of security alerts using a four-phase methodology
-  (collect, correlate, classify, escalate) mapped to MITRE ATT&CK v16 and
-  aligned with NIST SP 800-61 Rev 2 incident handling guidelines. Auto-invoked
-  when the user discusses alert investigation, asks "is this a true positive?",
-  or shares alert data requiring disposition. Produces a triage decision with
-  priority assignment, disposition category, and escalation recommendation.
+  (collect, correlate, classify, escalate) mapped to current MITRE ATT&CK v19.1
+  and aligned with NIST SP 800-61 Rev. 3 / CSF 2.0 incident-response guidance.
+  Auto-invoked when the user discusses alert investigation, asks "is this a
+  true positive?", or shares alert data requiring disposition. Produces a triage
+  decision with priority assignment, disposition category, source-version
+  evidence, and escalation recommendation.
 tags: [secops, triage, soc]
 role: [soc-analyst]
 phase: [operate, respond]
-frameworks: [MITRE-ATT&CK-v16, NIST-SP-800-61-Rev2]
+frameworks: [MITRE-ATT&CK-v19.1, NIST-SP-800-61r3, NIST-CSF-2.0]
 difficulty: beginner
 time_estimate: "10-20min per alert"
-version: "1.0.0"
+version: "1.0.1"
 author: unitoneai
 license: MIT
 allowed-tools: Read, Grep, Glob
@@ -23,7 +24,7 @@ argument-hint: "[CVE-ID-or-alert-ID]"
 
 # Alert Triage Playbook
 
-> **Frameworks:** MITRE ATT&CK v16, NIST SP 800-61 Rev 2
+> **Frameworks:** MITRE ATT&CK v19.1, NIST SP 800-61 Rev. 3 / CSF 2.0
 > **Role:** SOC Analyst
 > **Time:** 10-20 min per alert
 > **Output:** Alert disposition (TP/BTP/FP), priority assignment (P1-P4), escalation decision
@@ -52,7 +53,8 @@ Before beginning triage, gather or confirm:
 
 - [ ] **Alert details:** Rule name, severity, timestamp, source system (SIEM, EDR, IDS, cloud security).
 - [ ] **Alert data:** The raw event(s) that triggered the alert -- including all available fields (source IP, destination IP, username, hostname, process name, command line, file hash, URL).
-- [ ] **ATT&CK mapping:** If the alert rule maps to a MITRE ATT&CK technique, note the technique ID.
+- [ ] **ATT&CK mapping:** If the alert rule maps to a MITRE ATT&CK technique, note the technique ID, tactic, reviewed ATT&CK version, and technique URL.
+- [ ] **Source-version evidence:** Record whether ATT&CK v19.1 and NIST SP 800-61 Rev. 3 / CSF 2.0 were reviewed for this triage. If an organization still uses legacy ATT&CK v16 or NIST Rev. 2 labels internally, mark them as legacy mappings and verify any currentness claim against the current sources.
 - [ ] **Asset context:** What is the affected asset? (Server, workstation, cloud instance, network device.) What is its business criticality? (Revenue-generating, customer-facing, development, test.)
 - [ ] **User context:** Who is the associated user? (Role, department, normal working hours, recent activity patterns.)
 - [ ] **Historical context:** Has this alert fired before? What was the previous disposition? Has this user or host generated related alerts recently?
@@ -80,7 +82,7 @@ Gather all data associated with the alert. Do not make a disposition decision un
 | **Threat intelligence** | IOC lookups for IPs, domains, hashes, URLs | VirusTotal, OTX, MISP, TI platform |
 | **Previous alerts** | Historical alerts for same user, host, or IOC | SIEM, case management |
 
-**NIST SP 800-61 alignment:** This phase corresponds to Section 3.2 "Detection and Analysis" -- specifically the initial analysis and validation of the alert before classification.
+**NIST SP 800-61 Rev. 3 / CSF 2.0 alignment:** This phase supports Detect and Respond activities by collecting event, asset, user, and response-context evidence before classification. If using legacy NIST Rev. 2 lifecycle wording, label it as a legacy crosswalk rather than current NIST guidance.
 
 ### Phase 2: Correlate
 
@@ -91,8 +93,9 @@ Connect the alert data with surrounding context to build a picture of what happe
 1. **Temporal correlation:** What other events occurred on the same host or by the same user within +/- 30 minutes of the alert?
 2. **Lateral correlation:** Are there related alerts on other hosts or from other security tools for the same time period?
 3. **Behavioral correlation:** Does this activity match known ATT&CK technique patterns? Does it match the user's or system's normal behavior baseline?
-4. **Threat intel correlation:** Do any indicators match known threat actor infrastructure, malware campaigns, or published IOCs?
-5. **Kill chain correlation:** Where does this activity fall in the attack lifecycle? Is there evidence of preceding (reconnaissance, initial access) or subsequent (persistence, lateral movement, exfiltration) stages?
+4. **Source-version check:** Is the rule's ATT&CK mapping current for ATT&CK v19.1? If the rule metadata is pinned to v16, verify that the technique, tactic, and URL still match the current Enterprise matrix before using the mapping for priority.
+5. **Threat intel correlation:** Do any indicators match known threat actor infrastructure, malware campaigns, or published IOCs?
+6. **Kill chain correlation:** Where does this activity fall in the attack lifecycle? Is there evidence of preceding (reconnaissance, initial access) or subsequent (persistence, lateral movement, exfiltration) stages?
 
 **ATT&CK-based correlation framework:**
 
@@ -154,7 +157,7 @@ Determine whether the alert requires escalation and to whom.
 | Alert matches a known active threat campaign | Threat intelligence team + IR team |
 | Multiple correlated alerts suggest a coordinated attack | IR team lead for incident declaration |
 
-**NIST SP 800-61 alignment:** This phase corresponds to Section 3.2.6 "Incident Notification" and Section 3.2.7 "Escalation." NIST recommends predefined escalation procedures with clear criteria and contact information.
+**NIST SP 800-61 Rev. 3 / CSF 2.0 alignment:** This phase supports Respond outcomes by documenting the decision, affected context, escalation target, and recommended next response actions. Use current Rev. 3 / CSF 2.0 terminology for new reports, and only use Rev. 2 section references as legacy crosswalk evidence.
 
 **Escalation documentation (minimum required):**
 
@@ -194,8 +197,8 @@ Produce the triage decision as a structured report:
 ```markdown
 ## Alert Triage Report
 **Date:** [YYYY-MM-DD HH:MM UTC]
-**Skill:** alert-triage v1.0.0
-**Frameworks:** MITRE ATT&CK v16, NIST SP 800-61 Rev 2
+**Skill:** alert-triage v1.0.1
+**Frameworks:** MITRE ATT&CK v19.1, NIST SP 800-61 Rev. 3 / CSF 2.0
 **Analyst:** [Name or AI-assisted]
 
 ### Alert Summary
@@ -208,6 +211,13 @@ Produce the triage decision as a structured report:
 | ATT&CK Technique | [T1059.001 -- PowerShell or N/A] |
 | ATT&CK Tactic | [Execution (TA0002) or N/A] |
 
+### Source Version Evidence
+| Source | Reviewed Version / Date | Currentness Decision |
+|--------|--------------------------|----------------------|
+| MITRE ATT&CK | [v19.1 / reviewed YYYY-MM-DD] | [Current / Legacy mapping verified / Needs refresh] |
+| NIST incident response guidance | [SP 800-61 Rev. 3 and CSF 2.0 / reviewed YYYY-MM-DD] | [Current / Legacy Rev. 2 crosswalk only / Needs refresh] |
+| Alert rule metadata | [ATT&CK/NIST labels embedded in rule] | [Matches current sources / legacy labels documented / unmapped] |
+
 ### Affected Entities
 | Entity | Value | Context |
 |--------|-------|---------|
@@ -249,13 +259,14 @@ exclude known-good IP range, adjust threshold.]
 
 ## 6. Framework Reference
 
-### MITRE ATT&CK v16
+### MITRE ATT&CK v19.1
 
 For alert triage, ATT&CK provides the shared vocabulary for understanding what adversary behavior the alert represents and what to look for next. Key uses during triage:
 
 - **Technique identification:** Map the alert to a specific ATT&CK technique to understand the adversary's objective.
 - **Kill chain positioning:** Determine where the detected activity falls in the attack lifecycle to assess urgency and look for related activity.
 - **Correlation guidance:** Use ATT&CK's tactic flow to predict what an adversary would do before and after the detected technique.
+- **Version verification:** ATT&CK v19.1 is the current ATT&CK website version as of April 28, 2026. Legacy ATT&CK v16/v16.1 mappings should not be reported as current without checking the current technique page, tactic, and source URL.
 
 **ATT&CK tactic flow (simplified attack progression):**
 
@@ -267,27 +278,23 @@ Discovery -> Lateral Movement -> Collection -> Exfiltration -> Impact
 
 Alerts that map to later-stage tactics (Lateral Movement, Collection, Exfiltration, Impact) generally warrant higher priority because they indicate deeper compromise.
 
-### NIST SP 800-61 Rev 2 -- Computer Security Incident Handling Guide
+### NIST SP 800-61 Rev. 3 / CSF 2.0 -- Incident Response Guidance
 
-NIST SP 800-61 Revision 2 (published August 2012) provides the foundational framework for incident handling in organizations. The alert triage process maps to the "Detection and Analysis" phase of the NIST incident response lifecycle:
+NIST SP 800-61 Rev. 3 (published April 2025) supersedes Rev. 2 and reframes incident response recommendations as a CSF 2.0 Community Profile. For alert triage, use Rev. 3 / CSF 2.0 as the current source baseline:
 
-**NIST Incident Response Lifecycle:**
+**Current CSF 2.0 mapping for alert triage:**
 
-| Phase | Description | Triage Relevance |
-|-------|-------------|------------------|
-| 1. Preparation | Establishing IR capability, tools, procedures | Defines triage playbooks and escalation paths |
-| 2. Detection and Analysis | Identifying and validating potential incidents | **Primary triage phase** -- collect, correlate, classify |
-| 3. Containment, Eradication, and Recovery | Limiting damage, removing threat, restoring operations | Post-triage for confirmed TPs |
-| 4. Post-Incident Activity | Lessons learned, metric collection, process improvement | Feeds back into triage process improvement |
+| CSF 2.0 Function | Triage Relevance |
+|-------|------------------|
+| Detect | Collect and correlate alert, telemetry, asset, user, and threat-intelligence evidence before deciding disposition. |
+| Respond | Classify priority, document rationale, communicate escalation, and hand off confirmed true positives for response. |
+| Recover / Govern | Preserve triage evidence for lessons learned, metrics, policy updates, and future playbook tuning. |
 
-**Key NIST 800-61 Rev 2 recommendations for triage:**
+**Legacy Rev. 2 crosswalk:**
 
-- **Section 3.2.4 -- Incident Analysis:** Use multiple data sources for correlation. Do not rely on a single alert in isolation.
-- **Section 3.2.5 -- Incident Documentation:** Document all triage decisions, evidence, and rationale. Maintain an incident log from the first alert.
-- **Section 3.2.6 -- Incident Prioritization:** Prioritize based on the functional impact, information impact, and recoverability of the incident.
-- **Section 3.2.7 -- Incident Notification:** Notify designated personnel based on predefined criteria. Over-communication is preferred to under-communication during active incidents.
+Older programs may still refer to NIST Rev. 2 "Detection and Analysis" and "Incident Notification" sections. These labels can be useful for continuity, but they are superseded by Rev. 3 and should be recorded as legacy crosswalk evidence in new triage reports.
 
-**NIST prioritization factors (SP 800-61 Rev 2, Section 3.2.6):**
+**Legacy NIST Rev. 2 prioritization factors (crosswalk-only):**
 
 | Factor | Rating Levels |
 |--------|---------------|
@@ -317,7 +324,11 @@ Investigating an alert in isolation without checking for activity before and aft
 
 ### Pitfall 5: Delaying Escalation While Seeking Perfect Information
 
-Waiting for complete certainty before escalating a high-priority alert costs response time. NIST SP 800-61 recommends erring on the side of over-notification. If 20 minutes of investigation has not resolved the disposition and the alert involves a critical asset or privileged account, escalate to Tier 2 or the IR team with your current findings and continue investigation in parallel.
+Waiting for complete certainty before escalating a high-priority alert costs response time. If 20 minutes of investigation has not resolved the disposition and the alert involves a critical asset or privileged account, escalate to Tier 2 or the IR team with your current findings and continue investigation in parallel.
+
+### Pitfall 6: Treating Legacy Framework Labels as Current Evidence
+
+Many detection rules still embed ATT&CK v16 or NIST SP 800-61 Rev. 2 labels. Do not copy those labels into a triage report as current framework evidence without verifying them against ATT&CK v19.1 and NIST SP 800-61 Rev. 3 / CSF 2.0. If the rule metadata has not been refreshed, mark the mapping as legacy and include the reviewed current-source date.
 
 ---
 
@@ -335,12 +346,13 @@ This skill processes user-supplied content that may include alert payloads, log
 
 ## 9. References
 
-1. **NIST SP 800-61 Rev 2 -- Computer Security Incident Handling Guide** -- https://csrc.nist.gov/publications/detail/sp/800-61/rev-2/final
-2. **MITRE ATT&CK Enterprise Matrix v16** -- https://attack.mitre.org/matrices/enterprise/
-3. **MITRE ATT&CK Tactics** -- https://attack.mitre.org/tactics/enterprise/
-4. **FIRST CSIRT Services Framework** -- https://www.first.org/standards/frameworks/csirts/csirt_services_framework_v2.1
-5. **SANS Incident Handler's Handbook** -- https://www.sans.org/white-papers/33901/
-6. **SOC Analyst Triage Best Practices (SANS)** -- https://www.sans.org/reading-room/
-7. **Microsoft Sentinel Incident Triage** -- https://learn.microsoft.com/en-us/azure/sentinel/investigate-incidents
-8. **Splunk Enterprise Security Notable Event Triage** -- https://docs.splunk.com/Documentation/ES/latest/User/TriageNotableEvents
-9. **NIST Cybersecurity Framework (CSF) 2.0 -- Detect Function** -- https://www.nist.gov/cyberframework
+1. **NIST SP 800-61 Rev. 3 -- Incident Response Recommendations and Considerations for Cybersecurity Risk Management: A CSF 2.0 Community Profile** -- https://csrc.nist.gov/pubs/sp/800/61/r3/final
+2. **NIST SP 800-61 Rev. 3 DOI / PDF** -- https://doi.org/10.6028/NIST.SP.800-61r3
+3. **NIST Cybersecurity Framework (CSF) 2.0** -- https://www.nist.gov/cyberframework
+4. **MITRE ATT&CK Version History** -- https://attack.mitre.org/resources/versions/
+5. **MITRE ATT&CK Enterprise Matrix** -- https://attack.mitre.org/matrices/enterprise/
+6. **MITRE ATT&CK Tactics** -- https://attack.mitre.org/tactics/enterprise/
+7. **FIRST CSIRT Services Framework** -- https://www.first.org/standards/frameworks/csirts/csirt_services_framework_v2.1
+8. **SANS Incident Handler's Handbook** -- https://www.sans.org/white-papers/33901/
+9. **Microsoft Sentinel Incident Triage** -- https://learn.microsoft.com/en-us/azure/sentinel/investigate-incidents
+10. **Splunk Enterprise Security Notable Event Triage** -- https://docs.splunk.com/Documentation/ES/latest/User/TriageNotableEvents
diff --git a/skills/secops/alert-triage/tests/benign/current-attack-v19-nist-r3-source-report.md b/skills/secops/alert-triage/tests/benign/current-attack-v19-nist-r3-source-report.md
@@ -0,0 +1,30 @@
+## Alert Triage Report
+**Date:** 2026-06-04 14:30 UTC
+**Skill:** alert-triage v1.0.1
+**Frameworks:** MITRE ATT&CK v19.1, NIST SP 800-61 Rev. 3 / CSF 2.0
+**Analyst:** AI-assisted
+
+### Alert Summary
+| Field | Value |
+|-------|-------|
+| Alert ID | SIEM-44821 |
+| Rule Name | Suspicious PowerShell Encoded Command |
+| Source System | SIEM |
+| Timestamp | 2026-06-04 13:43:10 UTC |
+| ATT&CK Technique | T1059.001 -- PowerShell |
+| ATT&CK Tactic | Execution (TA0002) |
+
+### Source Version Evidence
+| Source | Reviewed Version / Date | Currentness Decision |
+|--------|--------------------------|----------------------|
+| MITRE ATT&CK | v19.1 / reviewed 2026-06-04 | Current source reviewed; rule URL verified against Enterprise matrix |
+| NIST incident response guidance | SP 800-61 Rev. 3 and CSF 2.0 / reviewed 2026-06-04 | Current source reviewed |
+| Alert rule metadata | Legacy ATT&CK v16 and NIST Rev 2 labels embedded in rule | Legacy labels documented; report uses refreshed current-source evidence |
+
+### Triage Decision
+| Field | Value |
+|-------|-------|
+| **Disposition** | **Benign True Positive** |
+| **Priority** | **P4 Low** |
+| **Confidence** | Medium |
+| **Escalation Required** | No |
diff --git a/skills/secops/alert-triage/tests/vulnerable/stale-attack-v16-rev2-current-report.md b/skills/secops/alert-triage/tests/vulnerable/stale-attack-v16-rev2-current-report.md
@@ -0,0 +1,28 @@
+## Alert Triage Report
+**Date:** 2026-06-04 14:00 UTC
+**Skill:** alert-triage v1.0.0
+**Frameworks:** MITRE ATT&CK v16, NIST SP 800-61 Rev 2
+**Analyst:** AI-assisted
+
+### Alert Summary
+| Field | Value |
+|-------|-------|
+| Alert ID | SIEM-44821 |
+| Rule Name | Suspicious PowerShell Encoded Command |
+| Source System | SIEM |
+| Timestamp | 2026-06-04 13:43:10 UTC |
+| ATT&CK Technique | T1059.001 -- PowerShell |
+| ATT&CK Tactic | Execution (TA0002) |
+
+### Triage Decision
+| Field | Value |
+|-------|-------|
+| **Disposition** | **Benign True Positive** |
+| **Priority** | **P4 Low** |
+| **Confidence** | High |
+| **Escalation Required** | No |
+
+### Evidence Summary
+1. Report claims current framework coverage while using ATT&CK v16 and NIST Rev 2 labels.
+2. No ATT&CK version history, current technique URL, NIST Rev. 3, or CSF 2.0 review date is recorded.
+3. The old framework labels are copied from the detection rule metadata without current-source verification.
