AgentSkillsCN

Incident Response

Skill Purpose: Detect, triage, contain, and recover from security incidents with clear communication and evidence.

Core Skill Pattern

Objective: Minimize impact and restore service while preserving forensic evidence.

Universal Pattern:

  1. Detect and validate the incident
  2. Triage severity and scope
  3. Contain and mitigate impact
  4. Eradicate root cause and recover
  5. Conduct post-incident review

Key Decisions (Project-Specific):

  • Severity classification criteria
  • On-call and escalation paths
  • Evidence collection requirements
  • Communication protocols

Project-Specific Implementation Notes

Customize per project:

  • Define on-call rotations and contacts
  • Ensure log retention meets forensic needs
  • Pre-approve emergency access procedures

Example Incident Checklist

  1. Confirm indicators and affected systems
  2. Disable compromised credentials
  3. Collect logs and snapshots
  4. Patch or roll back to a known-good state
  5. Notify stakeholders and document timeline

Best Practices

  1. Practice with tabletop exercises
  2. Keep a clear incident timeline
  3. Preserve evidence before remediation
  4. Communicate status regularly
  5. Close with a blameless postmortem

Stop Conditions

STOP and escalate if:

  • Severity cannot be determined
  • Evidence collection is blocked
  • Containment risks data loss
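
The checklist and stop conditions above can be enforced by the tooling a responder uses, so that evidence is preserved before any remediation and undetermined severity or blocked evidence collection halts the run and escalates. The following is an added illustration, not code from the AgentSkillsCN skill; the `Incident` class, its method names and the sample log line are assumptions constructed for this example.

```python
import hashlib
from datetime import datetime, timezone
from typing import Optional

class EscalationRequired(Exception):
    """Raised when a stop condition is hit: the responder must escalate."""

class Incident:
    # Hypothetical severity scale; substitute the project's own classification.
    SEVERITIES = ("SEV1", "SEV2", "SEV3")

    def __init__(self, incident_id: str):
        self.incident_id = incident_id
        self.severity: Optional[str] = None
        self.timeline = []   # (UTC timestamp, event) entries, in order
        self.evidence = {}   # artifact name -> sha256 of its captured content
        self.remediated = False

    def log(self, event: str) -> None:
        # Every action is timestamped so the post-incident timeline is complete.
        self.timeline.append((datetime.now(timezone.utc).isoformat(), event))

    def triage(self, severity: Optional[str]) -> str:
        # Stop condition: severity cannot be determined -> escalate.
        if severity not in self.SEVERITIES:
            self.log("triage: severity undetermined, escalating")
            raise EscalationRequired("severity cannot be determined")
        self.severity = severity
        self.log(f"triage: classified {severity}")
        return severity

    def collect_evidence(self, name: str, content: Optional[bytes]) -> str:
        # Stop condition: evidence collection is blocked (artifact unreadable).
        if content is None:
            self.log(f"evidence: collection of {name} blocked, escalating")
            raise EscalationRequired(f"evidence collection blocked: {name}")
        # Hash the captured artifact so later tampering or loss is detectable.
        digest = hashlib.sha256(content).hexdigest()
        self.evidence[name] = digest
        self.log(f"evidence: {name} sha256={digest}")
        return digest

    def remediate(self, action: str) -> bool:
        # Best practice: refuse remediation until evidence has been preserved.
        if not self.evidence:
            self.log(f"remediation refused ({action}): no evidence preserved")
            return False
        self.remediated = True
        self.log(f"remediation: {action}")
        return True
```

A caller wraps the steps in a `try` block and treats `EscalationRequired` as the signal to page the escalation path defined for the project.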

Skill Version: 1.0.0