/v2/prioritize, then investigate the top signals instead of deep-diving every result.
Scenario
A customer asks:What should a US healthcare company running Microsoft Exchange, Okta, Kubernetes, and public APIs care about this week?
REST Flow
1. Rank signals
2. Validate a Top Signal
Use the signal’s subject, title, or evidence references to run focused evidence and relationships calls. For a CVE-like signal, use a CVE assessment. For an actor or IOC-like signal, use the matching assessment endpoint.Final Answer Example
Top action: Validate Exchange/OWA exposure first. Why now: Kyberis ranked the Exchange-related signal highest because it matched Microsoft Exchange, OWA exposure, US healthcare context, and recent supporting evidence. Confidence: High for prioritization fit, medium-high for immediate action until exposure is confirmed. Supporting evidence:report--sample-exchange-activity. Request ID: req_sample_prioritize.
Action plan:
- Confirm whether public OWA is exposed and whether affected versions are present.
- Review recent authentication, proxy, and endpoint telemetry for Exchange exploitation indicators.
- Then evaluate identity phishing activity tied to federated identity and Okta.
Decision Gates
- Do not turn the entire signal list into equal-priority work.
- Validate the top one to three signals with evidence or relationships before recommending disruptive action.
- Use
suppression_reasonsand caveats when a signal is lowered or confidence is partial.
