Skill

asp-enrichment-en

From asp

Saves structured analysis as enrichment in ASP and attaches to cases, alerts, or artifacts. Persists SIEM findings, threat intel, and investigation notes in cyber security workflows.

security

npx claudepluginhub funnywolf/agentic-soc-platform --plugin ASP

Tool Access

This skill uses the workspace's default tool permissions.

Preview

Use this skill when analysis results should be saved back into ASP as structured context.

SKILL.md

Similar Skills

asp-enrichment-zh

683

Creates and attaches structured enrichments to cases, alerts, or artifacts in ASP cyber security platform. Persists analysis, threat intelligence, and investigation context.

asp

security-case-management

383

Manages SOC cases in Elastic Security via Kibana Cases API: create, search, update, link alerts, add notes. Use for incident tracking, triage, investigation.

3 files

elastic-agent-skills

case-investigation

Investigates LimaCharlie security cases holistically: initial access hunting, org-wide scope, lateral movement, host context. Enriches with telemetry, IOCs, notes, summaries for SOC triage, threat hunting, incident response.

4 tools

lc-essentials

Stats

Parent Repo Stars683

Parent Repo Forks98

Last CommitApr 2, 2026

Actions

View Source View Plugin View on GitHub View README

Help us improve

Share bugs, ideas, or general feedback.

ASP Enrichment

Use this skill when analysis results should be saved back into ASP as structured context.

When to Use

The user wants to save structured analysis, intel, or investigation notes.
The user wants to attach context to a case, alert, or artifact.
The user wants to persist SIEM findings, threat intel, asset context, or analyst conclusions.
The user wants to reuse an existing enrichment and attach it to a target object.

Operating Rules

Treat enrichment as the platform's structured result layer, not as a generic comment field.
Use this skill when the goal is to persist analysis on a case, alert, or artifact.
Separate creation from attachment.
Use create_enrichment for a new result record.
Use attach_enrichment_to_target only after you have the enrichment row ID.
Keep the payload compact and operational.
Prefer object-local skills for reviewing the object itself, and this skill for saving the result.

Decision Flow

If the user wants to save a new structured result, call create_enrichment first.
If the user wants to attach that result to a case, alert, or artifact, call attach_enrichment_to_target.
If the user already has an existing enrichment row ID, skip creation and attach it directly.
If the user is still exploring the object rather than saving a result, use the corresponding object skill first.

SOP

Create And Attach New Enrichment

Require target_type and target_id.
Convert the user's analysis into a compact structured enrichment payload.
Call create_enrichment and keep the returned enrichment row ID.
Call attach_enrichment_to_target(target_type=<target_type>, target_id=<target_id>, enrichment_rowid=<created_rowid>).
Confirm that the enrichment was created and attached.

Preferred response structure:

Target: target type and target ID
Enrichment: created enrichment row ID
Attachment: attached to target
Next useful step: optional, usually continue investigation, review the enriched object, or run follow-up automation

Attach Existing Enrichment

Require target_type, target_id, and enrichment_rowid.
Call attach_enrichment_to_target(target_type=<target_type>, target_id=<target_id>, enrichment_rowid=<enrichment_rowid>).
Confirm that the enrichment was attached.

Clarification Rules

Ask for target_type and target_id only when missing.
Ask for the enrichment row ID only when the user wants to reuse an existing enrichment and did not provide it.
If the user only says "save this result", infer the most obvious target object from the current request when it is clear.
If the user wants a note rather than a structured result, still prefer enrichment when the content is investigative context.

Output Rules

Be concise.
Do not dump raw JSON unless the user explicitly asks for it.
Prefer analyst-facing wording over storage wording.
Emphasize what was saved, where it was attached, and why it is useful.

Failure Handling

If the target object is missing, say so directly.
If the enrichment payload is incomplete, ask one focused follow-up instead of guessing.
If attachment fails because the enrichment row ID is missing, ask for it or create a new enrichment first.