Scenario
An incident responder asks:This domain appeared in proxy logs. Can Kyberis show whether it links to malware or campaign activity?
Workflow
- Resolve the domain with
expected_types: ["domain"]. - Pull relationships for
malware,campaign,actor, andindicator. - Retrieve evidence for
malware_associationandcampaign_association. - Run an IOC assessment.
- Return a recommendation that separates relationship pivots from confirmed evidence.
Representative MCP Session
User: Use Kyberis to investigate suspicious-domain.example and pivot to malware or campaigns. Agent: I will resolve the domain first, then pivot relationships and validate high-impact links with evidence before recommending action.Resolve the Domain
Pivot Relationships
Validate the Malware Association
REST Evidence Call
Final Answer Example
Recommendation: Treat suspicious-domain.example as suspicious and block it while hunting for related loader activity. Facts: Kyberis resolved the domain with medium confidence and found a malware relationship pivot to sample-loader. Evidencereport--sample-loader-infra supports the infrastructure association.
Inference: The observed proxy hit may indicate exposure to loader infrastructure, but Kyberis evidence alone does not prove endpoint compromise.
Confidence: Medium.
Next actions: Block the domain, search for related domains from the relationship pivot, and review endpoint telemetry around the first observed proxy event.
Decision Gates
- Do not treat relationship results as proof by themselves.
- Validate malware and campaign links with
evidencebefore recommending containment. - If evidence is weak, recommend monitoring or targeted hunting rather than broad response.
