By funnywolf
Integrate Claude Code with Agentic SOC Platform (ASP) to triage security alerts and cases, investigate artifacts via SIEM log pivots and knowledge searches, execute playbooks on targets, attach enrichments and tickets, and deploy autonomous agents for incident scoping and recommendations.
npx claudepluginhub funnywolf/agentic-soc-platform --plugin ASP

Use this agent when the user wants an autonomous IOC or artifact-led investigation on ASP. Trigger for requests like investigating an IP, domain, hash, URL, IOC, or artifact; pivoting from an artifact; or hunting around a concrete observable across artifact, SIEM, knowledge, enrichment, and parent alert/case follow-up paths without inventing unsupported graph relations. Examples:
<example> Context: A user wants to pivot from a known observable. user: "Investigate this IP and tell me what else I should look at." assistant: "I'll use the asp-artifact-investigator-en agent to run an artifact-led investigation and pivot only through the supported ASP layers." <commentary> This should trigger because the investigation starts from a concrete observable rather than a case or alert. </commentary> </example>
<example> Context: A user wants hunting around an IOC, likely including SIEM and knowledge pivots. user: "Hunt around this hash in ASP." assistant: "I'll use the asp-artifact-investigator-en agent to review the artifact context, look for useful pivots, and recommend the next evidence-gathering steps." <commentary> This should trigger because the user is asking for an IOC-led investigation workflow, not just a simple artifact lookup. </commentary> </example>
<example> Context: A user asks to pivot from an existing artifact record. user: "Pivot from artifact 557 and see if it relates to anything important." assistant: "I'll use the asp-artifact-investigator-en agent to investigate from that artifact and summarize the highest-value supported pivots and follow-up actions." <commentary> This should trigger proactively because the request implies multi-step artifact analysis and follow-up rather than a single CRUD action. </commentary> </example>
Use this agent when the user wants an autonomous IOC- or artifact-led investigation on ASP. Applies to investigating an IP, domain, hash, URL, IOC, or artifact; pivoting from an artifact; or hunting around a concrete observable across artifact, SIEM, knowledge, enrichment, and parent alert/case follow-up paths, without inventing unsupported graph relations. Examples:
<example> Context: The user wants to pivot from a known observable. user: "Investigate this IP and tell me what else I should look at." assistant: "I'll use the asp-artifact-investigator-zh agent to run an artifact-led investigation and pivot only through the supported ASP layers." <commentary> This should trigger because the investigation starts from a concrete observable rather than a case or alert. </commentary> </example>
<example> Context: The user wants to hunt around an IOC, possibly including SIEM and knowledge pivots. user: "Hunt around this hash in ASP." assistant: "I'll use the asp-artifact-investigator-zh agent to review the artifact context, look for useful pivots, and recommend the next evidence-gathering steps." <commentary> This should trigger because the user is asking for an IOC-led investigation workflow, not just a simple artifact lookup. </commentary> </example>
<example> Context: The user asks to pivot from an existing artifact record. user: "Pivot from artifact 557 and see whether it relates to anything important." assistant: "I'll use the asp-artifact-investigator-zh agent to investigate from that artifact and summarize the highest-value supported pivots and follow-up actions." <commentary> This should trigger proactively because the request implies multi-step artifact analysis and follow-up rather than a single CRUD action. </commentary> </example>
Use this agent when the user wants an autonomous, case-led SOC investigation on ASP. Trigger for requests like reviewing, triaging, understanding, or investigating a case and producing the next best pivots across case, alert, artifact, SIEM, knowledge, enrichment, playbook, and ticket layers without duplicating CRUD behavior. Examples:
<example> Context: A user has a case ID and wants the analyst to understand what happened. user: "Investigate case CASE-1042 and tell me what matters." assistant: "I'll use the asp-case-investigator-en agent to run a case-led investigation and summarize the most useful findings and next pivots." <commentary> This should trigger because the request is explicitly case-led and asks for investigation, not a single object lookup. </commentary> </example>
<example> Context: A user asks for triage on a case and likely needs related evidence gathered. user: "Please review this case and check whether there is enough evidence to move it forward." assistant: "I'll use the asp-case-investigator-en agent to review the case, pull the most relevant surrounding context, and recommend next steps." <commentary> This should trigger because the user wants coordinated case review plus evidence-oriented follow-up, which fits an orchestration agent. </commentary> </example>
<example> Context: A user asks to understand a case, but does not explicitly name all supporting layers. user: "Help me understand case 883." assistant: "I'll use the asp-case-investigator-en agent to analyze the case and pull in related alert, artifact, and evidence context only where useful." <commentary> This should trigger proactively because the user's wording is broad and investigation-oriented, so the agent should orchestrate the surrounding layers. </commentary> </example>
Use this agent when the user wants an autonomous, case-led SOC investigation on ASP. Applies to reviewing, triaging, understanding, or investigating a case and producing the best next pivots across the case, alert, artifact, SIEM, knowledge, enrichment, playbook, and ticket layers, without duplicating CRUD behavior. Examples:
<example> Context: The user has a case ID and wants the analyst to understand what happened. user: "Investigate case CASE-1042 and tell me what matters." assistant: "I'll use the asp-case-investigator-zh agent to run a case-led investigation and summarize the most useful findings and next pivots." <commentary> This should trigger because the request is explicitly case-led and asks for investigation, not a single object lookup. </commentary> </example>
<example> Context: The user asks for triage on a case and may need related evidence gathered. user: "Please review this case and check whether there is enough evidence to move it forward." assistant: "I'll use the asp-case-investigator-zh agent to review the case, pull the most relevant surrounding context, and recommend next steps." <commentary> This should trigger because the user wants coordinated case review plus evidence-oriented follow-up, which fits an orchestration agent. </commentary> </example>
<example> Context: The user asks to understand a case but does not explicitly name all supporting layers. user: "Help me understand case 883." assistant: "I'll use the asp-case-investigator-zh agent to analyze the case and pull in related alert, artifact, and evidence context where useful." <commentary> This should trigger proactively because the user's wording is broad and investigation-oriented, so the agent should orchestrate the surrounding layers. </commentary> </example>
Review ASP alerts, update AI triage, create and attach new artifacts, inspect alert discussions, or attach enrichment to alerts.
Review ASP alerts, update AI analysis fields, and view alert discussions.
Find artifacts by IOC, create new artifacts, attach artifacts to alerts, or save enrichment on artifacts.
Find artifacts by IOC.
Manage ASP security cases. Use when users ask to review a case, list cases, inspect case discussions, check related alerts or playbook runs for a case, or update case workflow and AI analysis fields.
Manage ASP security cases. Use when users ask to review a case, list cases, inspect case discussions, check alerts related to a case, update case workflow and AI analysis fields, or attach an external ticket to a case.
Save structured analysis results as enrichment and attach them to a case, alert, or artifact.
Save structured data as enrichment and attach it to a case, alert, or artifact.
Find internal guidance for a case or alert, check whether knowledge already exists, or update existing ASP knowledge records.
Internal knowledge stored on the ASP platform: search the internal knowledge base using RAG, check whether a knowledge record already exists, or update existing knowledge records.
Operate ASP playbook definitions and playbook run records. Use when users ask which playbooks can run, want to execute a playbook on a case, alert, or artifact, or want to inspect existing playbook runs.
Operate ASP playbook definitions and playbook run records. Use when users ask which playbooks can run, want to execute a playbook on a case, alert, or artifact, or want to inspect existing playbook runs.
Investigate ASP SIEM data with schema exploration, keyword search, and adaptive field queries. Use when users ask to find the right index, inspect available fields, search logs by IOC, or run structured hunts with exact filters and aggregations.
Investigate ASP SIEM data through schema exploration, keyword search, and adaptive field queries. Use when users ask to find the right index, inspect available fields, search logs by IOC, or run structured hunts with exact filters and aggregations.
Sync external tickets into ASP, link tickets to cases, list synced tickets, or update existing ticket records.
Sync external tickets into ASP, link tickets to cases, list synced tickets, or update existing ticket records.

Agentic SOC Platform
A powerful, flexible, open-source, and agent-centric automated security operations platform.
ASP processes security alerts and incidents through a simplified multi-stage process:

Agentic SOC Platform has joined 404Starlink