Tools Overview
7 workflow tools covering investigation, risk assessment, compliance, remediation, security overview, reporting, and cache management. Consolidated from 53 individual tools into intent-based workflows backed by 42 aggregator functions.
The 7 Workflow Tools
investigate — Investigation
Deep-dive investigation on any security topic: CVEs, threat actors, assets, endpoint events, vulnerability intelligence.
Use when: "tell me about CVE-2024-3400", "are we exposed to Lazarus Group?", "investigate this IP", "what ransomware vulns exist?", "what's happening on 10.0.0.1?"
| Parameter | Type | Default | Description |
|---|---|---|---|
| target | str | (required) | CVE ID, threat actor/nation, hostname, IP address, or free-text topic |
| depth | str | "standard" | "quick" (~10s) \| "standard" (~20s) \| "deep" (~45s, all sources + summary) |
| scope | str | "all" | "all" \| "vulns" \| "threats" \| "assets" \| "edr" \| "fim" |
| tag | str | "" | Filter affected assets by tag |
| asset_group | str | "" | Filter by asset group |
| threat_type | str | "" | RTI filter: Ransomware, Active_Attacks, Cisa_Known_Exploited_Vulns, etc. (full list under Threat Intel Categories) |
| software | str | "" | Software name filter for KB search (e.g. "Apache", "OpenSSL") |
| days | int | 7 | Lookback window for events/vulns |
| limit | int | 20 | Max results per data source |
| detail | str | "standard" | "summary" \| "standard" \| "detailed" |
| prior_context | str | "" | Summary from a previous investigation, for chaining calls |
| audience | str | "technical" | "technical" \| "management" \| "executive" |
assess_risk — Risk Assessment
Cross-domain risk assessment covering VMs, cloud (AWS/Azure/GCP/OCI), containers, web apps, certificates, and assets.
Use when: "what's our risk?", "show me cloud risk in AWS", "top risky assets", "container vulnerabilities", "expiring certificates", "EOL systems", "risk by business unit"
| Parameter | Type | Default | Description |
|---|---|---|---|
| scope | str | "all" | "all" \| "cloud" \| "containers" \| "web" \| "certs" \| "assets" |
| tag | str | "" | Filter by tag/business group |
| asset_group | str | "" | Filter by asset group |
| asset_id | str | "" | Single asset deep-dive |
| os | str | "" | OS filter |
| query | str | "" | Hostname/asset name search |
| days_since_seen | int | 0 | Stale asset filter (days) |
| days_since_scan | int | 0 | Scan gap filter (days) |
| eol_only | bool | False | Only end-of-life assets |
| provider | str | "" | "aws" \| "azure" \| "gcp" (cloud scope) |
| service | str | "" | Cloud service filter (S3, IAM, EC2, etc.) |
| account_id | str | "" | Specific cloud account |
| per_account | bool | False | Include per-account breakdown |
| image_id | str | "" | Specific container image |
| app_name | str | "" | Web application name filter |
| owasp_category | str | "" | OWASP Top 10 category |
| protocol_filter | str | "" | TLS version filter |
| weak_ciphers | bool | False | Filter for weak cipher suites |
| weak_only | bool | False | Only certificates with issues |
| insecure_renegotiation | bool | False | Filter for insecure TLS renegotiation |
| include_expired | bool | True | Include expired certificates |
| days | int | 30 | Time window (days) |
| limit | int | 20 | Max results per data source |
| detail | str | "standard" | "summary" \| "standard" \| "detailed" |
| sort_by | str | "trurisk" | "trurisk" \| "severity" |
| breakdown_by | str | "tag" | "tag" \| "none" |
check_compliance — Compliance
Compliance posture assessment: framework pass/fail rates, failing controls, risk acceptances.
Use when: "are we PCI compliant?", "compliance gaps", "show failing controls", "risk acceptances expiring", "HIPAA posture", "CIS benchmark results"
| Parameter | Type | Default | Description |
|---|---|---|---|
| framework | str | "" | "PCI" \| "HIPAA" \| "SOC2" \| "CIS" \| "NIST" \| "" (all) |
| platform | str | "" | "windows" \| "linux" |
| tag | str | "" | Filter by tag |
| asset_group | str | "" | Filter by asset group |
| include_exceptions | bool | False | Include vulnerability exceptions/risk acceptances |
| exception_status | str | "Active" | "Active" \| "Expired" \| "Pending" |
| vuln_type | str | "" | Exception type: "False Positive" \| "Compensating Control" |
| days_to_expiry | int | 30 | Show exceptions expiring within N days |
| limit | int | 20 | Max results |
| detail | str | "standard" | "summary" \| "standard" \| "detailed" |
plan_remediation — Remediation
Remediation planning: patch priorities, deployment status, mitigation coverage, program gaps.
Use when: "what should we patch?", "outstanding patches", "patch deployment status", "mitigation coverage", "is there a mitigation for CVE-X?"
| Parameter | Type | Default | Description |
|---|---|---|---|
| scope | str | "all" | "all" \| "patches" \| "mitigations" \| "program" |
| tag | str | "" | Filter by tag |
| asset_group | str | "" | Filter by asset group |
| platform | str | "" | "windows" \| "linux" |
| severity | str | "" | "critical" \| "high" \| "moderate" |
| status | str | "" | Patch job status filter |
| qids | list | None | Check mitigation coverage for specific QIDs |
| cves | list | None | Check mitigation coverage for specific CVEs |
| limit | int | 20 | Max results |
| detail | str | "standard" | "summary" \| "standard" \| "detailed" |
security_overview — Overview
Security briefing: daily/weekly/monthly summary with scanner health, scan status, findings, and risk trends.
Use when: "morning briefing", "what happened this week?", "security overview", "any new critical vulns?", "scanner status", "what needs attention today?"
| Parameter | Type | Default | Description |
|---|---|---|---|
| period | str | "today" | "today" \| "week" \| "month" |
| scope | str | "all" | "all" \| "infrastructure" \| "findings" \| "risk" |
| quick | bool | False | True for a fast snapshot (~3s), False for the full briefing (~10s) |
| tag | str | "" | Filter by tag |
| asset_group | str | "" | Filter by asset group |
| qql | str | "" | QQL query for ETM findings |
| severity | str | "" | Finding severity filter |
| scan_state | str | "Running,Paused,Queued,Error" | Comma-separated scan states |
| limit | int | 50 | Max results |
| detail | str | "standard" | "summary" \| "standard" \| "detailed" |
reports — Reporting
Unified report operations: list, templates, generate, status, download, delete.
| Parameter | Type | Default | Description |
|---|---|---|---|
| action | str | (required) | "list" \| "templates" \| "generate" \| "status" \| "download" \| "delete" |
| report_id | str | "" | Report ID (for status/download/delete) |
| template_id | str | "" | Template ID (for generate) |
| asset_group_ids | str | "" | Comma-separated asset group IDs (for generate) |
| template_name | str | "" | Filter templates by name substring |
| report_title | str | "" | Custom title for the generated report |
| output_format | str | "pdf" | "pdf" \| "html" \| "mht" \| "xml" \| "csv" \| "docx" |
cache_status — Admin
Show cache stats or clear all caches.
| Parameter | Type | Default | Description |
|---|---|---|---|
| clear | bool | False | True to clear all caches, False to show stats only |
Response Format
All workflow tools return a unified envelope with four sections:
- summary — headline, risk_level, key_findings
- data — per-source results from aggregator functions
- correlations — cross-source insights discovered during the workflow
- actions — prioritized next steps with tool_hints for follow-up queries
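As an added example of how a client consumes this envelope and uses the `tool_hints` in `actions` to chain a follow-up call (including the `investigate` tool's `prior_context` parameter), here is a small Python helper. It is not part of the server's own code. The four section names follow the list above; the field names inside each action (`priority`, `step`, `tool_hints` carrying `tool` and `params`), the `risk_level` values, the 500-character bound and the sample payload are assumptions and constructed data, not anything the server is documented to emit.

```python
"""Consume a workflow-tool envelope and derive the next, chained call.

Added example, not part of the MCP server. The four top-level sections
(summary, data, correlations, actions) follow the Response Format section;
the field names inside each action ("priority", "step", "tool_hints" with
"tool" and "params") and all sample values are assumptions / constructed.
"""
from typing import Any

REQUIRED_SECTIONS = ("summary", "data", "correlations", "actions")

# Constructed sample response, shaped like an `investigate` result for a CVE.
SAMPLE_ENVELOPE: dict[str, Any] = {
    "summary": {
        "headline": "CVE-2024-3400 present on 3 internet-facing assets",
        "risk_level": "critical",
        "key_findings": [
            "RTI: Cisa_Known_Exploited_Vulns, Remote_Code_Execution",
            "3 assets tagged 'dmz' unpatched for 12 days",
        ],
    },
    "data": {
        "vulns": [{"cve": "CVE-2024-3400", "affected_assets": 3}],
        "assets": [{"host": "fw-edge-01", "ip": "10.0.0.1"}],
    },
    "correlations": [
        "All affected assets share tag 'dmz' and asset group 'Perimeter'",
    ],
    "actions": [
        {
            "priority": 2,
            "step": "Check patch/mitigation coverage",
            "tool_hints": {
                "tool": "plan_remediation",
                "params": {"scope": "mitigations", "cves": ["CVE-2024-3400"]},
            },
        },
        {
            "priority": 1,
            "step": "Pivot to the exposed host",
            "tool_hints": {
                "tool": "investigate",
                "params": {"target": "10.0.0.1", "scope": "edr", "days": 7},
            },
        },
    ],
}


def missing_sections(envelope: dict[str, Any]) -> list[str]:
    """Return the required envelope sections that are absent, in canonical order."""
    return [s for s in REQUIRED_SECTIONS if s not in envelope]


def ranked_actions(envelope: dict[str, Any]) -> list[dict[str, Any]]:
    """Actions sorted by priority (1 = most urgent); actions without a priority sort last."""
    return sorted(envelope["actions"], key=lambda a: a.get("priority", float("inf")))


def build_prior_context(envelope: dict[str, Any], max_chars: int = 500) -> str:
    """Collapse the summary into one string for `investigate(prior_context=...)`.

    Only the summary section is carried forward; raw `data` stays behind so the
    follow-up call is not flooded with the previous result set. `max_chars` is
    an assumed bound, not a documented limit.
    """
    summary = envelope["summary"]
    parts = [f"{summary['headline']} (risk_level={summary['risk_level']})"]
    parts.extend(summary.get("key_findings", []))
    text = "; ".join(parts)
    return text if len(text) <= max_chars else text[: max_chars - 3] + "..."


def next_call(envelope: dict[str, Any]) -> tuple[str, dict[str, Any]]:
    """Pick the highest-priority action and turn its tool_hints into (tool, params).

    If the follow-up is another `investigate`, the previous summary is threaded
    in via `prior_context` so the chained investigation can build on it.
    """
    missing = missing_sections(envelope)
    if missing:
        raise ValueError(f"envelope missing sections: {missing}")
    actions = ranked_actions(envelope)
    if not actions:
        raise ValueError("envelope has no actions to follow")
    hints = actions[0]["tool_hints"]
    params = dict(hints.get("params", {}))
    if hints["tool"] == "investigate":
        params.setdefault("prior_context", build_prior_context(envelope))
    return hints["tool"], params


if __name__ == "__main__":
    tool, params = next_call(SAMPLE_ENVELOPE)
    print(tool, params)
```

In the sample the highest-priority action points at `investigate`, so the previous summary is threaded in through `prior_context`; for any other tool the hinted params pass through unchanged. Only `summary` is carried forward: replaying `data` into the next call would re-send a result set the server already has indexed.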
Threat Intel Categories
The following Real-Time Threat Indicator (RTI) categories are available for filtering with the investigate tool's threat_type parameter:
- Ransomware
- Malware
- Active_Attacks
- Exploit_Public
- Easy_Exploit
- Wormable
- Cisa_Known_Exploited_Vulns
- Denial_of_Service
- Privilege_Escalation
- Remote_Code_Execution
- Predicted_High_Risk
- Unauthenticated_Exploitation