Skip to main content
Use this sample when a single observable is not enough. Relationship pivots help an agent find related malware, campaigns, actors, sectors, and indicators, but the final answer should still depend on evidence.

Scenario

An incident responder asks:
This domain appeared in proxy logs. Can Kyberis show whether it links to malware or campaign activity?

Workflow

  1. Resolve the domain with expected_types: ["domain"].
  2. Pull relationships for malware, campaign, actor, and indicator.
  3. Retrieve evidence for malware_association and campaign_association.
  4. Run an IOC assessment.
  5. Return a recommendation that separates relationship pivots from confirmed evidence.

Representative MCP Session

User: Use Kyberis to investigate suspicious-domain.example and pivot to malware or campaigns. Agent: I will resolve the domain first, then pivot relationships and validate high-impact links with evidence before recommending action.

Resolve the Domain

{
  "tool": "entity_resolution",
  "arguments": {
    "query": "suspicious-domain.example",
    "expected_types": ["domain"],
    "agent_context": {
      "workflow_stage": "resolve",
      "run_id": "run-domain-pivot-sample",
      "step_id": "resolve-domain"
    }
  }
}
Representative result excerpt:
{
  "resolution": { "status": "resolved", "confidence": "medium" },
  "entity_type": "domain",
  "canonical_name": "suspicious-domain.example",
  "request_id": "req_sample_domain_resolve"
}

Pivot Relationships

{
  "tool": "relationships",
  "arguments": {
    "subject": {
      "entity_type": "domain",
      "canonical_name": "suspicious-domain.example"
    },
    "relationship_types": ["campaign", "malware", "sector", "ioc", "technique"],
    "max_results": 10,
    "agent_context": {
      "workflow_stage": "relationships",
      "run_id": "run-domain-pivot-sample",
      "step_id": "relationships-domain"
    }
  }
}
Representative result excerpt:
{
  "relationships": [
    {
      "relationship_type": "malware",
      "target_name": "sample-loader",
      "confidence": "medium",
      "supporting_evidence": ["report--sample-loader-infra"]
    }
  ],
  "request_id": "req_sample_domain_relationships"
}

Validate the Malware Association

{
  "tool": "evidence",
  "arguments": {
    "query": "suspicious-domain.example",
    "claim_type": "malware_association",
    "max_results": 5,
    "agent_context": {
      "workflow_stage": "evidence",
      "run_id": "run-domain-pivot-sample",
      "step_id": "evidence-malware-association"
    }
  }
}
Representative result excerpt:
{
  "items": [
    {
      "evidence_id": "report--sample-loader-infra",
      "confidence": "medium",
      "summary": "Reporting links infrastructure using this domain pattern to loader activity."
    }
  ],
  "request_id": "req_sample_domain_evidence"
}

REST Evidence Call

curl -sS -X POST "$KYBERIS_BASE_URL/v2/evidence" \
  -H "Authorization: ApiKey $KYBERIS_API_KEY_ID:$KYBERIS_API_KEY_SECRET" \
  -H "Content-Type: application/json" \
  -d '{
    "agent_context": {
      "objective": "Validate malware association for suspicious-domain.example.",
      "requested_outcome": "Evidence that supports or weakens the malware pivot.",
      "workflow_stage": "evidence",
      "run_id": "run-domain-pivot-sample",
      "step_id": "evidence-malware-association"
    },
    "query": "suspicious-domain.example",
    "claim_type": "malware_association",
    "max_results": 5
  }' | jq .

Final Answer Example

Recommendation: Treat suspicious-domain.example as suspicious and block it while hunting for related loader activity. Facts: Kyberis resolved the domain with medium confidence and found a malware relationship pivot to sample-loader. Evidence report--sample-loader-infra supports the infrastructure association. Inference: The observed proxy hit may indicate exposure to loader infrastructure, but Kyberis evidence alone does not prove endpoint compromise. Confidence: Medium. Next actions: Block the domain, search for related domains from the relationship pivot, and review endpoint telemetry around the first observed proxy event.

Decision Gates

  • Do not treat relationship results as proof by themselves.
  • Validate malware and campaign links with evidence before recommending containment.
  • If evidence is weak, recommend monitoring or targeted hunting rather than broad response.