> ## Documentation Index
> Fetch the complete documentation index at: https://developer.kyberis.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Sample Domain and Malware Pivot

> Start from a domain, pivot to related malware or campaigns, then validate claims with evidence.

Use this sample when a single observable is not enough. Relationship pivots help an agent find related malware, campaigns, actors, sectors, and indicators, but the final answer should still depend on evidence.

## Scenario

An incident responder asks:

> This domain appeared in proxy logs. Can Kyberis show whether it links to malware or campaign activity?

## Workflow

1. Resolve the domain with `expected_types: ["domain"]`.
2. Pull relationships for `malware`, `campaign`, `actor`, and `indicator`.
3. Retrieve evidence for `malware_association` and `campaign_association`.
4. Run an IOC assessment.
5. Return a recommendation that separates relationship pivots from confirmed evidence.

## Representative MCP Session

**User:** Use Kyberis to investigate suspicious-domain.example and pivot to malware or campaigns.

**Agent:** I will resolve the domain first, then pivot relationships and validate high-impact links with evidence before recommending action.

### Resolve the Domain

```json theme={null}
{
  "tool": "entity_resolution",
  "arguments": {
    "query": "suspicious-domain.example",
    "expected_types": ["domain"],
    "agent_context": {
      "workflow_stage": "resolve",
      "run_id": "run-domain-pivot-sample",
      "step_id": "resolve-domain"
    }
  }
}
```

Representative result excerpt:

```json theme={null}
{
  "resolution": { "status": "resolved", "confidence": "medium" },
  "entity_type": "domain",
  "canonical_name": "suspicious-domain.example",
  "request_id": "req_sample_domain_resolve"
}
```

### Pivot Relationships

```json theme={null}
{
  "tool": "relationships",
  "arguments": {
    "subject": {
      "entity_type": "domain",
      "canonical_name": "suspicious-domain.example"
    },
    "relationship_types": ["campaign", "malware", "sector", "ioc", "technique"],
    "max_results": 10,
    "agent_context": {
      "workflow_stage": "relationships",
      "run_id": "run-domain-pivot-sample",
      "step_id": "relationships-domain"
    }
  }
}
```

Representative result excerpt:

```json theme={null}
{
  "relationships": [
    {
      "relationship_type": "malware",
      "target_name": "sample-loader",
      "confidence": "medium",
      "supporting_evidence": ["report--sample-loader-infra"]
    }
  ],
  "request_id": "req_sample_domain_relationships"
}
```

### Validate the Malware Association

```json theme={null}
{
  "tool": "evidence",
  "arguments": {
    "query": "suspicious-domain.example",
    "claim_type": "malware_association",
    "max_results": 5,
    "agent_context": {
      "workflow_stage": "evidence",
      "run_id": "run-domain-pivot-sample",
      "step_id": "evidence-malware-association"
    }
  }
}
```

Representative result excerpt:

```json theme={null}
{
  "items": [
    {
      "evidence_id": "report--sample-loader-infra",
      "confidence": "medium",
      "summary": "Reporting links infrastructure using this domain pattern to loader activity."
    }
  ],
  "request_id": "req_sample_domain_evidence"
}
```

## REST Evidence Call

```bash theme={null}
curl -sS -X POST "$KYBERIS_BASE_URL/v2/evidence" \
  -H "Authorization: ApiKey $KYBERIS_API_KEY_ID:$KYBERIS_API_KEY_SECRET" \
  -H "Content-Type: application/json" \
  -d '{
    "agent_context": {
      "objective": "Validate malware association for suspicious-domain.example.",
      "requested_outcome": "Evidence that supports or weakens the malware pivot.",
      "workflow_stage": "evidence",
      "run_id": "run-domain-pivot-sample",
      "step_id": "evidence-malware-association"
    },
    "query": "suspicious-domain.example",
    "claim_type": "malware_association",
    "max_results": 5
  }' | jq .
```

## Final Answer Example

**Recommendation:** Treat suspicious-domain.example as suspicious and block it while hunting for related loader activity.

**Facts:** Kyberis resolved the domain with medium confidence and found a malware relationship pivot to sample-loader. Evidence `report--sample-loader-infra` supports the infrastructure association.

**Inference:** The observed proxy hit may indicate exposure to loader infrastructure, but Kyberis evidence alone does not prove endpoint compromise.

**Confidence:** Medium.

**Next actions:** Block the domain, search for related domains from the relationship pivot, and review endpoint telemetry around the first observed proxy event.

## Decision Gates

* Do not treat relationship results as proof by themselves.
* Validate malware and campaign links with `evidence` before recommending containment.
* If evidence is weak, recommend monitoring or targeted hunting rather than broad response.
