Adverse Event Analysis
Anomalies, indicators of compromise, and other potentially adverse events are analyzed to characterize the events and detect cybersecurity incidents.
Tools for adverse event analysis
Hosted MCP servers your agents can use for these controls.
Starter prompts
Paste into Claude Code, Microsoft Copilot, or Codex connected to Tracecat MCP, and build it out together.
Correlate alerts across SIEM and EDR
Build me an alert correlation automation in Tracecat. When a new Microsoft Sentinel alert arrives, search CrowdStrike for activity on the same host and user within the last hour, pull related alerts from both tools into one case, and build a timeline of what happened in what order. First help me understand how this maps to DE.AE-03 and why correlation across sources beats triaging alerts one at a time. Ask me which alert types fire most in my environment. Talk me through how wide the correlation window should be.
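The correlation step this prompt describes, shown as an added example in plain Python (not Tracecat's own code or action schema): a new SIEM alert is the anchor, candidate alerts from both tools are kept when they share the host or the user and fall inside a time window around the anchor, and the result is merged into one ordered timeline. The alert records, source labels, host and user names, and the two window sizes are all constructed for the example.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Alert:
    source: str      # tool that raised the alert; "sentinel"/"crowdstrike" are constructed labels
    alert_id: str
    host: str
    user: str
    ts: datetime
    title: str


def _t(hh: int, mm: int) -> datetime:
    # Constructed sample data: every alert is on the same day, timestamps in UTC.
    return datetime(2024, 1, 15, hh, mm, tzinfo=timezone.utc)


# The alert that just arrived from the SIEM (constructed).
NEW_ALERT = Alert("sentinel", "SEN-1001", "WS01", "alice", _t(10, 0), "Suspicious PowerShell")

# What the follow-up searches in the EDR and SIEM returned (constructed).
SAMPLE_ALERTS = [
    Alert("crowdstrike", "CS-2001", "WS01", "alice", _t(9, 30), "Credential dumping detected"),
    Alert("crowdstrike", "CS-2002", "WS01", "svc-backup", _t(8, 0), "Unsigned driver load"),
    Alert("crowdstrike", "CS-2003", "WS02", "alice", _t(10, 20), "Lateral movement via SMB"),
    Alert("crowdstrike", "CS-2004", "WS03", "bob", _t(10, 40), "Macro-enabled document"),
    Alert("sentinel", "SEN-1002", "WS01", "alice", _t(10, 55), "Outbound connection to rare domain"),
]

DEFAULT_WINDOW = timedelta(hours=1)      # the window the prompt starts from
NARROW_WINDOW = timedelta(minutes=25)    # a tighter window, to show what it drops


def correlate(anchor: Alert, candidates: list[Alert], window: timedelta = DEFAULT_WINDOW) -> list[Alert]:
    """Alerts from any source that touch the same host or user as `anchor`
    within +/- `window` of its timestamp, oldest first. The anchor itself is excluded."""
    lo, hi = anchor.ts - window, anchor.ts + window
    related = [
        a for a in candidates
        if a.alert_id != anchor.alert_id
        and (a.host == anchor.host or a.user == anchor.user)
        and lo <= a.ts <= hi
    ]
    return sorted(related, key=lambda a: a.ts)


def build_case(anchor: Alert, candidates: list[Alert], window: timedelta = DEFAULT_WINDOW) -> dict:
    """Merge the anchor and its related alerts into one case record with a timeline."""
    related = correlate(anchor, candidates, window)
    events = sorted([anchor, *related], key=lambda a: a.ts)
    return {
        "anchor": anchor.alert_id,
        "related": [a.alert_id for a in related],
        "hosts": sorted({a.host for a in events}),
        "users": sorted({a.user for a in events}),
        "sources": sorted({a.source for a in events}),
        "timeline": [(a.ts.strftime("%H:%M"), a.source, a.alert_id, a.title) for a in events],
    }


if __name__ == "__main__":
    for row in build_case(NEW_ALERT, SAMPLE_ALERTS)["timeline"]:
        print(*row)
```

With the one-hour window the case picks up the earlier credential-dumping alert on the same host, the later lateral-movement alert for the same user on a different host, and the second SIEM alert; the 25-minute window keeps only the lateral-movement alert, which is the trade-off the prompt asks to talk through.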
Enrich alerts with threat intel
Build me an enrichment pipeline in Tracecat. For every new case, extract IPs, domains, and file hashes, check them against VirusTotal and GreyNoise, and write the verdicts back to the case as structured fields. Mark the case high priority when anything comes back known malicious. First help me understand how this maps to DE.AE-07 and what good threat intel integration looks like beyond hash lookups. Ask me which intel sources I have API keys for. Talk me through rate limits and caching before we wire it up.
Estimate alert impact and scope
Build me an impact assessment step for my triage in Tracecat. When a case is opened, look up the affected host and user, pull asset criticality and data sensitivity from my inventory table, count how many other systems the user can reach, and write an impact summary to the case. First help me understand how this maps to DE.AE-04 and how impact differs from severity. Ask me where asset criticality lives in my environment. Talk me through what a useful impact summary contains for an on-call analyst.
Route events to the right responders
Build me an alert routing automation in Tracecat. Classify each new case by affected system and alert type, then notify the owning team in their Slack channel with the case summary and evidence. Page on-call through PagerDuty when the case is high severity. Keep a routing table I can edit without touching the automation. First help me understand how this maps to DE.AE-06 and why routing belongs in an editable table instead of hardcoded logic. Ask me which teams own which systems. Talk me through fallback routing when no owner matches.
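The routing-table lookup with fallback that this prompt asks for, as an added Python example that is not Tracecat's own code: the table is data, rows may use "*" as a wildcard for system or alert type, the most specific matching row wins, and a "*"/"*" row is the fallback when no owner matches. System names, team names, and Slack channel names are constructed.

```python
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Case:
    case_id: str
    system: str
    alert_type: str
    severity: str    # "low" | "medium" | "high"
    summary: str


# Constructed routing table. In practice this lives in an editable table, not in the automation;
# "*" matches anything. The last row is the fallback when no owner matches.
ROUTING_TABLE = [
    {"system": "payments-api", "alert_type": "malware",  "team": "appsec",          "slack": "#appsec-alerts"},
    {"system": "payments-api", "alert_type": "*",        "team": "payments-oncall", "slack": "#payments-ops"},
    {"system": "*",            "alert_type": "identity", "team": "iam",             "slack": "#iam-alerts"},
    {"system": "*",            "alert_type": "*",        "team": "soc",             "slack": "#soc-triage"},
]


def _specificity(row: dict) -> int:
    # Exact system counts more than exact alert type, so a system owner beats a type-wide owner.
    return (2 if row["system"] != "*" else 0) + (1 if row["alert_type"] != "*" else 0)


def match_route(case: Case, table: list[dict]) -> dict | None:
    """Most specific matching row: system+type, then system+*, then *+type, then *+*."""
    candidates = [
        r for r in table
        if r["system"] in (case.system, "*") and r["alert_type"] in (case.alert_type, "*")
    ]
    return max(candidates, key=_specificity) if candidates else None


def route(case: Case, table: list[dict] = ROUTING_TABLE) -> dict:
    """Decide who is notified and how. Returns the planned actions rather than sending them."""
    row = match_route(case, table)
    if row is None:
        raise LookupError("no matching route; add a '*'/'*' fallback row to the table")
    actions = [("slack", row["slack"], f"[{case.case_id}] {case.summary}")]
    if case.severity == "high":
        actions.append(("pagerduty", row["team"], case.case_id))
    return {
        "team": row["team"],
        "fallback_used": row["system"] == "*" and row["alert_type"] == "*",
        "actions": actions,
    }


if __name__ == "__main__":
    print(route(Case("C-7", "hr-portal", "phishing", "medium", "User reported phishing email")))
```

Keeping the decision in `match_route` and the side effects as a returned action list makes the routing testable without Slack or PagerDuty credentials, and the `fallback_used` flag gives the SOC a signal that the table is missing an owner.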
Declare incidents from defined criteria
Build me an incident declaration automation in Tracecat. Define my incident criteria as rules: confirmed malware on a critical asset, data leaving the network, or an account takeover. When a case meets one, escalate it to an incident, open an Incident.io incident with the case linked, and notify the security leadership channel. First help me understand how this maps to DE.AE-08 and why written incident criteria matter before automating the declaration. Ask me what my current criteria are, and help me sharpen them if they are vague. Talk me through which escalations should stay human-approved.
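The three written criteria in this prompt, expressed as rules in an added Python example (not Tracecat's own code): each criterion is a named predicate over the case plus a flag saying whether it may escalate automatically or must wait for a human. The case fields, the egress threshold, the decision that data-exfiltration and account-takeover escalations stay human-approved, and the Incident.io and Slack targets are all constructed for the example.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable


@dataclass
class Case:
    case_id: str
    asset_criticality: str = "low"       # "low" | "medium" | "critical" (constructed scale)
    malware_confirmed: bool = False
    egress_to_unknown_mb: float = 0.0    # bytes sent to destinations not in any allow-list
    impossible_travel: bool = False
    mfa_factor_changed: bool = False


@dataclass(frozen=True)
class Criterion:
    name: str
    matches: Callable[[Case], bool]
    auto_escalate: bool   # False: a human approves before the case becomes an incident


EGRESS_THRESHOLD_MB = 100.0   # constructed threshold; tune to the environment

# Written incident criteria as data, so they can be reviewed and sharpened independently of the code.
CRITERIA = [
    Criterion("confirmed_malware_on_critical_asset",
              lambda c: c.malware_confirmed and c.asset_criticality == "critical", auto_escalate=True),
    Criterion("data_leaving_network",
              lambda c: c.egress_to_unknown_mb >= EGRESS_THRESHOLD_MB, auto_escalate=False),
    Criterion("account_takeover",
              lambda c: c.impossible_travel and c.mfa_factor_changed, auto_escalate=False),
]

LEADERSHIP_CHANNEL = "#security-leadership"   # constructed


def evaluate(case: Case, criteria: list[Criterion] = CRITERIA) -> list[Criterion]:
    """Every criterion the case currently meets."""
    return [c for c in criteria if c.matches(case)]


def decide(case: Case, criteria: list[Criterion] = CRITERIA) -> dict:
    """Declare (or not) and list the follow-up actions instead of performing them."""
    matched = evaluate(case, criteria)
    is_incident = bool(matched)
    # One human-approved criterion is enough to hold the whole escalation for review.
    auto = is_incident and all(c.auto_escalate for c in matched)
    actions: list[tuple[str, ...]] = []
    if is_incident:
        actions.append(("incident_io", "open", case.case_id))
        actions.append(("slack", LEADERSHIP_CHANNEL, f"Incident declared for {case.case_id}"))
        if not auto:
            actions.insert(0, ("approval", "required", ",".join(c.name for c in matched if not c.auto_escalate)))
    return {
        "case_id": case.case_id,
        "is_incident": is_incident,
        "criteria": [c.name for c in matched],
        "auto_escalate": auto,
        "actions": actions,
    }


if __name__ == "__main__":
    print(decide(Case("C-42", asset_criticality="critical", malware_confirmed=True)))
```

Because the criteria are plain predicates, a vague rule such as "data leaving the network" is forced into something checkable (here a constructed egress threshold), which is the sharpening step the prompt asks for before any of this is automated.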
Controls
- DE.AE-02: Potentially adverse events are analyzed to better understand associated activities (SP 800-53 Rev 5: AU-6, CA-7, IR-4, SI-4)
- DE.AE-03: Information is correlated from multiple sources (SP 800-53 Rev 5: AU-6, CA-7, IR-4, IR-5, IR-8, PM-16, SI-4)
- DE.AE-04: The estimated impact and scope of adverse events are understood (SP 800-53 Rev 5: PM-9, PM-11, PM-18, PM-28, PM-30)
- DE.AE-06: Information on adverse events is provided to authorized staff and tools (SP 800-53 Rev 5: IR-4, PM-15, PM-16, RA-4, RA-10)
- DE.AE-07: Cyber threat intelligence and other contextual information are integrated into the analysis (SP 800-53 Rev 5: PM-16, RA-3, RA-10)
- DE.AE-08: Incidents are declared when adverse events meet the defined incident criteria (SP 800-53 Rev 5: IR-4, IR-8)
Control text and SP 800-53 Rev 5 references from the official NIST CSF 2.0 and OLIR releases.
Automate adverse event analysis with agents
Paste an example into your coding assistant and an agent builds the automation around your tools.