# Responding To Security Incidents

## Overview

This skill provides automated assistance for responding to security incidents: triage, evidence preservation, containment, eradication, recovery and after-action documentation.
## Prerequisites

Before using this skill, ensure:

- Access to system and application logs in {baseDir}/logs/
- Network traffic captures or SIEM data available
- Incident response team contact information
- Backup systems operational and accessible
- Write permissions for incident documentation in {baseDir}/incidents/
- Communication channels established for stakeholder updates
## Instructions

- Triage the incident and scope affected systems/data.
- Preserve evidence (logs, snapshots, network captures) before making changes.
- Contain the blast radius and eradicate the root cause.
- Recover safely and document follow-ups (AAR + backlog).
See {baseDir}/references/implementation.md for detailed implementation guide.
## Output

The skill produces:

Primary Output: Incident response playbook saved to {baseDir}/incidents/incident-YYYYMMDD-HHMM.md

Playbook Structure:

```markdown
# Security Incident Response - [Incident Type]
```
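An added example (not part of this skill's own files) of the evidence-preservation step and the output naming above: it hashes everything under {baseDir}/logs/ read-only, writes a SHA-256 manifest into a new incident-YYYYMMDD-HHMM.md that opens with the playbook heading, and can later re-check the hashes to show the logs were not altered after collection. It assumes the {baseDir} layout named in Prerequisites; the log contents and incident type in `demo()` are constructed.

```python
import hashlib
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in 1 MiB chunks so large logs need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def preserve_evidence(base_dir: str, incident_type: str, when=None) -> Path:
    """Hash every file under {baseDir}/logs/ (read-only) and start the incident
    document {baseDir}/incidents/incident-YYYYMMDD-HHMM.md with the manifest."""
    base = Path(base_dir)
    when = when or datetime.now(timezone.utc)
    out = base / "incidents" / f"incident-{when:%Y%m%d-%H%M}.md"
    out.parent.mkdir(parents=True, exist_ok=True)
    lines = [f"# Security Incident Response - {incident_type}", "",
             f"Evidence preserved at {when:%Y-%m-%dT%H:%M:%S}Z (UTC)", "",
             "| File | Size (bytes) | SHA-256 |", "|---|---|---|"]
    for log in sorted(p for p in (base / "logs").rglob("*") if p.is_file()):
        lines.append(f"| {log.relative_to(base)} | {log.stat().st_size} | {sha256_file(log)} |")
    out.write_text("\n".join(lines) + "\n")
    return out


def verify_evidence(manifest: Path, base_dir: str) -> list:
    """Re-hash the files named in a manifest; return those missing or changed."""
    changed = []
    for line in manifest.read_text().splitlines():
        if line.startswith("| ") and not line.startswith("| File"):
            rel, _size, digest = (c.strip() for c in line.strip("|").split("|"))
            path = Path(base_dir) / rel
            if not path.is_file() or sha256_file(path) != digest:
                changed.append(rel)
    return changed


def demo() -> tuple:
    """Constructed sample: one fake log, a manifest, then the log is altered."""
    base = Path(tempfile.mkdtemp())
    (base / "logs").mkdir()
    (base / "logs" / "auth.log").write_text("constructed: Failed password for admin\n")
    when = datetime(2024, 5, 6, 13, 7, tzinfo=timezone.utc)   # constructed timestamp
    out = preserve_evidence(str(base), "Suspected Credential Abuse", when)
    clean = verify_evidence(out, str(base))                    # [] : nothing changed yet
    (base / "logs" / "auth.log").write_text("altered after collection\n")
    return out.name, clean, verify_evidence(out, str(base))    # ..., ['logs/auth.log']
```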
## Error Handling
See `{baseDir}/references/errors.md` for comprehensive error handling.
## Examples
See `{baseDir}/references/examples.md` for detailed examples.
## Resources
- NIST Computer Security Incident Handling Guide: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf
- SANS Incident Handler's Handbook: https://www.sans.org/white-papers/33901/
- CISA Incident Response Guide: https://www.cisa.gov/incident-response
- Memory analysis: Volatility Framework
- Disk forensics: Autopsy, FTK Imager