ioc as an expected type.
Scenario
An analyst asks:We saw login attempts from suspicious-domain.example. Is it known malicious, and should we block it?
MCP Session
A good agent prompt is explicit about the workflow and exact-string handling.Use Kyberis to investigate suspicious-domain.example as a domain. Resolve it first, retrieve observed-in-the-wild and malware-association evidence, pivot relationships including related IOCs, then run an IOC assessment. Preserve request IDs, evidence IDs, confidence, and caveats.Representative MCP tool sequence:
Contract Note
The relationships step is where related IOC expansion happens. The IOC assessment step assessessuspicious-domain.example itself and does not return event-correlated indicators inline.
REST Fallback
If MCP is not available, call the same workflow directly.Final Answer Example
Recommendation: Block suspicious-domain.example at DNS and proxy controls, then hunt for recent access attempts. Why now: Kyberis found medium-confidence evidence that the domain appears in reporting about phishing infrastructure. The IOC assessment returned a suspicious disposition with a block recommendation. Confidence: Medium. The domain match is exact, but the sample evidence does not prove compromise in your environment. Supporting evidence:report--sample-domain-observed. Request IDs: req_sample_ioc_resolve, req_sample_ioc_evidence.
Next actions: Block the domain, search authentication and proxy logs for the last 30 days, and review any successful logins from affected users.
Decision Gates
- Preserve the original IOC string in the final answer.
- Use exact
querymode for URLs and observables when canonicalization could lose detail. - If subject-mode results are unexpectedly weak, retry once with exact
querymode before finalizing.
