
Add SOAR disposition provenance to alert triage#1564

Open
malb200710-dev wants to merge 1 commit into UnitOneAI:main from malb200710-dev:codex/alert-triage-soar-provenance-1525

Conversation

@malb200710-dev

Bounty type

Skill Improvement bounty

Modified skill

skills/secops/alert-triage/SKILL.md

Issue

Fixes #1525

What was missing

The alert triage workflow could accept a closed, downgraded, or BTP/FP alert as if it had been analyst-validated, even when the disposition came from SOAR automation, suppression, ML/vendor auto-triage, or case deduplication.

What changed

  • Bumped alert-triage to v1.0.1.
  • Added disposition provenance to required context.
  • Added SOAR / automation history to Phase 1 data collection.
  • Added an automation disposition provenance gate with source, actor, playbook run, review status, and status-history evidence.
  • Added playbook-closed sibling alert checks to Phase 2 correlation.
  • Added automation-only disposition rules before TP/BTP/FP classification.
  • Added escalation criteria for automation-only closure on high-risk scope and cross-tool status mismatches.
  • Added disposition provenance fields to the report output.
  • Added a pitfall for treating SOAR closure as analyst validation.
  • Added prompt-injection safety guidance for automation comments and suppression rationales.

Validation

  • Confirmed v1.0.1 version bump.
  • Confirmed automation provenance gate is present.
  • Confirmed playbook-closed sibling alert checks are present.
  • Confirmed report output includes disposition provenance fields.
  • Confirmed Markdown fence balance.
  • Confirmed no non-ASCII characters were introduced.

Bounty request

Requesting consideration for the SecuritySkills improver bounty if accepted/merged. Payment details can be provided privately after acceptance.
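The provenance gate, automation-only disposition rules, escalation criteria and playbook-closed sibling check listed in the PR description are prose guidance in SKILL.md; as an added illustration that is not part of this PR or of the alert-triage skill, the Python below encodes that logic as a check over an alert's status history. The field names (`source`, `actor`, `playbook_run_id`, `review_status`, `risk_scope`, `tool_statuses`), the source labels, and the sample alerts are constructed assumptions for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed vocabulary for this example; the skill describes these
# categories in prose and defines no field names or labels.
ANALYST_SOURCES = {"analyst"}
AUTOMATION_SOURCES = {"soar_playbook", "suppression_rule", "ml_auto_triage",
                      "vendor_auto_triage", "case_dedup"}
CLOSED_LIKE = {"closed", "benign_true_positive", "false_positive"}


@dataclass
class StatusEvent:
    status: str                        # status this event set on the alert
    source: str                        # system or role that set it
    actor: str                         # account or playbook name
    playbook_run_id: Optional[str] = None
    review_status: str = "unreviewed"  # "unreviewed" or "analyst_reviewed"


@dataclass
class Alert:
    alert_id: str
    status: str                        # current disposition
    risk_scope: str                    # "standard" or "high" (constructed)
    status_history: List[StatusEvent]
    tool_statuses: Dict[str, str]      # disposition as recorded by each tool


@dataclass
class ProvenanceResult:
    provenance: str          # "analyst_validated", "automation_only" or "unknown"
    trust_disposition: bool  # may triage treat the disposition as validated?
    escalate: bool
    reasons: List[str]


def assess_disposition_provenance(alert: Alert) -> ProvenanceResult:
    """Decide whether the current disposition has analyst provenance and whether
    the escalation criteria (automation-only closure on high-risk scope,
    cross-tool status mismatch) are met."""
    reasons: List[str] = []
    # Evidence must come from status history, not from the status value alone.
    matching = [e for e in alert.status_history if e.status == alert.status]
    if not matching:
        return ProvenanceResult("unknown", False, False,
                                ["no status-history evidence for current status"])
    latest = matching[-1]
    if latest.source in ANALYST_SOURCES or latest.review_status == "analyst_reviewed":
        provenance = "analyst_validated"
    elif latest.source in AUTOMATION_SOURCES:
        provenance = "automation_only"
        reasons.append(f"set by {latest.source} ({latest.actor}, run {latest.playbook_run_id})")
    else:
        provenance = "unknown"
        reasons.append(f"unrecognized disposition source {latest.source!r}")

    trust = provenance == "analyst_validated"
    escalate = False
    if alert.status in CLOSED_LIKE and not trust:
        reasons.append("closed/BTP/FP disposition lacks analyst validation; re-triage required")
        if alert.risk_scope == "high":
            escalate = True
            reasons.append("automation-only closure on high-risk scope")
    if len(set(alert.tool_statuses.values())) > 1:
        escalate = True
        reasons.append(f"cross-tool status mismatch: {alert.tool_statuses}")
    return ProvenanceResult(provenance, trust, escalate, reasons)


def playbook_closed_siblings(alerts: List[Alert], playbook_run_id: str) -> List[str]:
    """Ids of alerts whose closed-like status was produced by the given playbook run."""
    return [a.alert_id for a in alerts
            if any(e.status in CLOSED_LIKE and e.playbook_run_id == playbook_run_id
                   for e in a.status_history)]


# Constructed sample alerts, not real data.
SAMPLE_ALERTS = [
    Alert("A-1", "closed", "high",
          [StatusEvent("open", "detection", "siem"),
           StatusEvent("closed", "soar_playbook", "close-duplicates", "run-0042")],
          {"siem": "closed", "edr": "open"}),
    Alert("A-2", "false_positive", "standard",
          [StatusEvent("open", "detection", "siem"),
           StatusEvent("false_positive", "analyst", "jdoe", None, "analyst_reviewed")],
          {"siem": "false_positive", "edr": "false_positive"}),
    Alert("A-3", "closed", "standard",
          [StatusEvent("open", "detection", "siem"),
           StatusEvent("closed", "soar_playbook", "close-duplicates", "run-0042")],
          {"siem": "closed"}),
]


def triage_batch(alerts: List[Alert]) -> Dict[str, ProvenanceResult]:
    return {a.alert_id: assess_disposition_provenance(a) for a in alerts}


if __name__ == "__main__":
    for alert_id, result in triage_batch(SAMPLE_ALERTS).items():
        print(alert_id, result.provenance, "ESCALATE" if result.escalate else "", result.reasons)
    print("closed by run-0042:", playbook_closed_siblings(SAMPLE_ALERTS, "run-0042"))
```

In this sketch, a disposition counts as analyst-validated only if the status-history event that produced it was set by an analyst or carries an analyst review mark; an automation source with no review leaves the alert untrusted for TP/BTP/FP classification, and the two escalation conditions from the description are checked independently so a mismatch between tools escalates even on standard-risk scope.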


Development

Successfully merging this pull request may close these issues.

[REVIEW] alert-triage: add SOAR auto-disposition and playbook closure contamination gates

1 participant