
feat: upgrade SAFE-UC-0022 (Security operations investigation assistant) from seed to full draft#30

Merged
bishnubista merged 2 commits into
secure-agentic-framework:mainfrom
arjunastha:use-case/SAFE-UC-0022-soc-investigation-assistant
Apr 25, 2026

Conversation

@arjunastha
Contributor

Summary

Promotes SAFE-UC-0022 from seed to full draft, aligned with the latest community precedent. Covers the adversarial-input-by-design SOC investigation assistant workflow — fundamentally distinct from prior UCs (0018 read-only summarization, 0024 privileged shell execution, 0011 consumer-facing banking) in that the data being investigated is authored by the parties under investigation.

Changes

  • Seed stub (33 lines) → full draft (~620 lines).
  • Seven-stage kill chain with four novel stages vs prior UCs: adversarial-content ingestion, cross-tenant pivot (MSSP), SOAR action authorization, evidence / chain-of-custody tampering.
  • §8 SAFE-MCP maps 26 techniques across seven stages.
  • Evidence: 10 live-verified citations — standards (OWASP LLM Top 10 2025, NIST AI 600-1, NIST SP 800-61 Rev 3, NIST CSF 2.0, MITRE ATT&CK), vendor products (Microsoft Security Copilot, CrowdStrike Charlotte AI, Dropzone AI), and public research/disclosures (Simon Willison "lethal trifecta", Invariant Labs GitHub MCP exploitation, Greshake et al. indirect prompt injection).
  • Appendix B: 6-subsection references list (SAFE-MCP / AI frameworks / IR & digital-forensics fabric / public incidents / vendor patterns / sector & jurisdiction overlays).
  • Crosswalk: status seed → draft, maturity draft, workflow_family "Security operations & incident response", NAICS expanded to 54 + 5415 + 541512.
  • Root README index row updated from Seed → Draft.

Citation accuracy

All URLs live-verified via WebFetch / WebSearch (77 tool calls across research agents). Local validator (scripts/validate_contributions.sh) passes.

Safety attestation

No exploit steps, no sensitive info, defender-friendly throughout.

Requesting DSO review per CONTRIBUTING.md.

…nt) from seed to full draft

Seven-stage kill chain with four novel stages (adversarial-content ingestion,
cross-tenant pivot, SOAR action authorization, evidence / chain-of-custody
tampering). SAFE-MCP mapping covers 26 techniques. Evidence spans OWASP LLM
Top 10 2025, NIST AI 600-1, NIST SP 800-61 Rev 3, NIST CSF 2.0, MITRE ATT&CK,
vendor products (Microsoft Security Copilot, CrowdStrike Charlotte AI, Dropzone
AI), and public research (Simon Willison lethal trifecta, Invariant Labs GitHub
MCP exploitation, Greshake et al. indirect prompt injection). Crosswalk
promoted to draft with MSSP/SOC-oriented NAICS coverage.

Signed-off-by: arjunastha <arjun@astha.ai>
@arjunastha arjunastha marked this pull request as ready for review April 24, 2026 04:25
@bishnubista
Member

Hey @arjunastha — merged #27, #28, #29, #31 today. This one now has conflicts on README.md and use-cases.naics2022.crosswalk.json from the neighbouring sibling upgrades landing. Could you rebase on main? Should be mechanical (index-table row + adjacent JSON entry). Happy to merge once it's green.

…-soc-investigation-assistant

Signed-off-by: arjunastha <arjun@astha.ai>

# Conflicts:
#	README.md
@arjunastha
Contributor Author

@bishnubista addressed

@bishnubista bishnubista merged commit 5ff5bca into secure-agentic-framework:main Apr 25, 2026
2 checks passed