Tool Usage Tips

CTI Report Tools (use these FIRST)

  • list_cti_report_tags(): Returns all available tags with report counts. Start here to find tags matching your detection objective.
  • get_cti_reports_by_tag(tag): Returns full reports with id, title, link, tags, and content. Read the content for IoCs, technique descriptions, and detection approaches. Pick 1-3 tags that match your objective.

MITRE Tool

  • search_mitre_techniques(tactic): Tactic names MUST use hyphens: “privilege-escalation”, “defense-evasion”, “credential-access”, “lateral-movement”, “command-and-control”. Always identify technique IDs — they are important for your Sigma rule.

Sigma Tool

  • search_sigma_rules(keyword, technique_id, platform): Case-insensitive keyword search on title+description. Use short, specific keywords (e.g. “crontab”, “scheduled task”, “curl”). Can filter by technique_id and platform simultaneously.

Kusto/KQL Tools

  • list_kusto_tables(): Discover available tables. Use this to find the right table — do not guess table names.
  • get_table_schema(table): Get exact column names and types. Always check this BEFORE writing any KQL query.
  • sample_table_data(table, rows): See real values. Max 20 rows. Use this to understand what data looks like before filtering.
  • execute_kql_query(query): Results are capped at a small number of rows. If 0 rows returned:
    1. Check column names match the schema exactly
    2. Use contains instead of == for string filters
    3. Remove time filters to broaden results
    4. Try | take 5 first to verify the table has data

Validation

  • validate_output_json(json_string): Always call before submitting. Checks that sigma_rule, kql_query, and query_results are all present and non-empty.