incident-response
Install command
npx skills add https://github.com/sherifeldeeb/agentskills --skill incident-response
Skill documentation
Incident Response Skill
Support the complete incident response lifecycle with documentation, timeline analysis, and comprehensive reporting capabilities.
Capabilities
- Timeline Analysis: Build and analyze incident timelines with event correlation
- Incident Documentation: Create structured incident records with full audit trail
- Evidence Tracking: Maintain chain of custody documentation
- IR Reporting: Generate reports for technical, executive, and regulatory audiences
- Playbook Support: Follow and document playbook execution
- Lessons Learned: Facilitate post-incident reviews
Quick Start
```python
from ir_utils import Incident, IncidentTimeline, EvidenceTracker

# Create an incident
incident = Incident('INC-2024-001', 'Ransomware Infection', 'Critical')
incident.add_affected_system('WORKSTATION-15', 'Encrypted files detected')
incident.set_phase('containment')
incident.add_action('Isolated host from network', 'analyst1')

# Build timeline
timeline = IncidentTimeline('INC-2024-001')
timeline.add_event('2024-01-15 10:30', 'Initial alert from EDR', 'detection')
timeline.add_event('2024-01-15 10:35', 'Host isolated', 'containment')
print(timeline.generate_timeline())

# Track evidence
evidence = EvidenceTracker('INC-2024-001')
evidence.add_item('Memory dump', '/evidence/memdump.raw', 'analyst1')
```
Usage
Incident Management
Create and manage incident records throughout the lifecycle.
Example:
```python
from ir_utils import Incident

# Create incident
incident = Incident(
    incident_id='INC-2024-001',
    title='Ransomware Infection on Finance Workstation',
    severity='Critical'
)

# Add affected systems
incident.add_affected_system('WORKSTATION-15', 'Primary infected host')
incident.add_affected_system('FILESERVER-02', 'Encrypted shares detected')

# Progress through phases
incident.set_phase('identification')
incident.add_action('Confirmed ransomware variant: LockBit 3.0', 'analyst1')

incident.set_phase('containment')
incident.add_action('Isolated WORKSTATION-15 from network', 'analyst1')
incident.add_action('Blocked C2 domains at firewall', 'analyst2')

incident.set_phase('eradication')
incident.add_action('Reimaged affected workstation', 'admin1')
incident.add_action('Reset compromised credentials', 'admin1')

incident.set_phase('recovery')
incident.add_action('Restored files from backup', 'admin1')
incident.add_action('Verified system integrity', 'analyst1')

incident.set_phase('lessons_learned')
incident.add_action('Conducted post-incident review', 'manager1')

# Generate report
print(incident.generate_report())
print(incident.generate_executive_summary())
```
Timeline Analysis
Build detailed incident timelines for analysis.
Example:
```python
from ir_utils import IncidentTimeline

timeline = IncidentTimeline('INC-2024-001')

# Add events with categories
timeline.add_event(
    timestamp='2024-01-15 10:00:00',
    description='Phishing email received by user',
    category='initial_access',
    source='Email logs'
)
timeline.add_event(
    timestamp='2024-01-15 10:15:00',
    description='User clicked malicious link',
    category='execution',
    source='Proxy logs'
)
timeline.add_event(
    timestamp='2024-01-15 10:20:00',
    description='Malware downloaded and executed',
    category='execution',
    source='EDR'
)
timeline.add_event(
    timestamp='2024-01-15 10:25:00',
    description='C2 beacon established',
    category='command_and_control',
    source='Network logs'
)
timeline.add_event(
    timestamp='2024-01-15 10:30:00',
    description='EDR alert triggered',
    category='detection',
    source='CrowdStrike'
)

# Generate outputs
print(timeline.generate_timeline())  # Markdown timeline
print(timeline.to_json())            # JSON export
timeline.export_csv('incident_timeline.csv')
```
Evidence Tracking
Maintain chain of custody for digital evidence.
Example:
```python
from ir_utils import EvidenceTracker

evidence = EvidenceTracker('INC-2024-001')

# Add evidence items
evidence.add_item(
    name='Memory Dump - WORKSTATION-15',
    location='/evidence/INC-2024-001/memdump_ws15.raw',
    collected_by='analyst1',
    description='Full memory dump of infected workstation',
    hash_value='sha256:abc123...'
)
evidence.add_item(
    name='Malware Sample',
    location='/evidence/INC-2024-001/malware.exe',
    collected_by='analyst1',
    description='Ransomware executable',
    hash_value='sha256:def456...'
)
evidence.add_item(
    name='Network Capture',
    location='/evidence/INC-2024-001/traffic.pcap',
    collected_by='analyst2',
    description='Network traffic during incident',
    hash_value='sha256:ghi789...'
)

# Transfer custody
evidence.transfer_custody('Memory Dump - WORKSTATION-15', 'analyst1', 'forensics_team')

# Generate chain of custody report
print(evidence.generate_chain_of_custody())

# List all evidence
print(evidence.list_evidence())
```
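The skill records a `hash_value` per item and custody transfers, but the page does not show how a tracker uses them. The following added example (not the skill's `ir_utils` code) sketches a chain-of-custody ledger that hashes evidence at collection and re-verifies the hash on every transfer, refusing and logging a transfer when the bytes no longer match; the `SimpleEvidenceTracker` and `CustodyError` names and the in-memory byte strings are assumptions for the demonstration.

```python
import hashlib
from datetime import datetime, timezone


class CustodyError(Exception):
    """Raised on an integrity failure or an inconsistent custody transfer."""


class SimpleEvidenceTracker:
    """Illustrative chain-of-custody ledger (not the ir_utils EvidenceTracker)."""

    def __init__(self, incident_id):
        self.incident_id = incident_id
        self.items = {}

    @staticmethod
    def sha256_of(data):
        return "sha256:" + hashlib.sha256(data).hexdigest()

    def add_item(self, name, data, collected_by, description=""):
        # Hash at collection time; every later transfer re-verifies against this value.
        digest = self.sha256_of(data)
        self.items[name] = {"description": description, "hash": digest,
                            "custodian": collected_by,
                            "log": [(self._now(), "collected", collected_by, digest)]}
        return digest

    def transfer_custody(self, name, from_person, to_person, data):
        item = self.items[name]
        if item["custodian"] != from_person:
            raise CustodyError(f"{from_person} is not the current custodian of {name!r}")
        current = self.sha256_of(data)
        if current != item["hash"]:
            # Log the failed verification so the break in the chain is itself on record.
            item["log"].append((self._now(), "integrity_failure", from_person, current))
            raise CustodyError(f"hash mismatch for {name!r}: evidence was altered")
        item["custodian"] = to_person
        item["log"].append((self._now(), f"transferred to {to_person}", from_person, current))
        return True

    def chain_of_custody(self, name):
        lines = [f"Chain of custody: {name} ({self.incident_id})"]
        for ts, action, person, digest in self.items[name]["log"]:
            lines.append(f"{ts} | {action} | {person} | {digest}")
        return "\n".join(lines)

    @staticmethod
    def _now():
        return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
```

In practice `data` would be read from the evidence file at `location`, and the ledger itself should live on append-only storage rather than in memory.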
IR Playbooks
Document playbook execution during incidents.
Example:
```python
from ir_utils import PlaybookExecution

playbook = PlaybookExecution(
    playbook_name='Ransomware Response',
    incident_id='INC-2024-001',
    analyst='analyst1'
)

# Execute and document steps
playbook.start_step('Isolate affected systems')
playbook.complete_step('Isolated WORKSTATION-15 via EDR', success=True)

playbook.start_step('Preserve evidence')
playbook.complete_step('Memory dump and disk image collected', success=True)

playbook.start_step('Identify ransomware variant')
playbook.complete_step('Identified as LockBit 3.0', success=True)

playbook.start_step('Check for decryption tools')
playbook.complete_step('No free decryptor available', success=False,
                       notes='Proceeding with restoration from backup')

# Generate execution log
print(playbook.generate_log())
```
Lessons Learned
Document post-incident reviews.
Example:
```python
from ir_utils import LessonsLearned

review = LessonsLearned('INC-2024-001', 'Ransomware Infection')

# Document what happened
review.set_summary('''
A phishing email bypassed email security and led to ransomware infection
on a finance department workstation. The infection spread to shared drives
before being contained. Recovery was achieved through backup restoration.
''')

# Add findings
review.add_finding(
    category='detection',
    finding='EDR alert triggered within 10 minutes of execution',
    assessment='positive'
)
review.add_finding(
    category='prevention',
    finding='Email security did not detect malicious attachment',
    assessment='negative'
)
review.add_finding(
    category='response',
    finding='Containment took 5 minutes after alert',
    assessment='positive'
)

# Add recommendations
review.add_recommendation(
    'Implement email sandboxing for attachments',
    priority='High',
    owner='Security Engineering'
)
review.add_recommendation(
    'Conduct phishing awareness training for finance team',
    priority='Medium',
    owner='Security Awareness'
)

# Generate report
print(review.generate_report())
```
Configuration
Environment Variables
| Variable | Description | Required | Default |
|---|---|---|---|
| IR_EVIDENCE_PATH | Base path for evidence storage | No | ./evidence |
| IR_REPORT_PATH | Path for generated reports | No | ./reports |
Incident Phases
The standard incident response phases:
- identification – Detect and validate the incident
- containment – Limit the scope and impact
- eradication – Remove the threat
- recovery – Restore normal operations
- lessons_learned – Post-incident review
Limitations
- No Orchestration: Does not automate response actions
- Local Storage: Evidence metadata stored locally
- No Integrations: Manual data entry from tools
Troubleshooting
Invalid Phase Error
Use only valid incident phases:
```python
incident.set_phase('containment')  # OK
incident.set_phase('contain')      # Error!
```
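To show what the Incident Management section and the phase list above imply for an implementation, here is an added example (not the skill's `ir_utils.Incident`) of an incident record that accepts only exact phase names, keeps a timestamped audit trail, and reports which lifecycle phases were never entered; `SimpleIncident`, `InvalidPhaseError` and the report layout are assumptions for the demonstration.

```python
from datetime import datetime, timezone

# The standard lifecycle phases from the Configuration section, in order.
PHASES = ("identification", "containment", "eradication", "recovery", "lessons_learned")


class InvalidPhaseError(ValueError):
    """Raised for a phase name that is not exactly one of PHASES."""


class SimpleIncident:
    """Illustrative incident record with phase validation and an audit trail."""

    def __init__(self, incident_id, title, severity):
        self.incident_id, self.title, self.severity = incident_id, title, severity
        self.phase = None
        self.audit_trail = []  # (utc timestamp, phase, action, actor)

    def set_phase(self, phase):
        # Exact match only: 'contain' is rejected, 'containment' is accepted.
        if phase not in PHASES:
            raise InvalidPhaseError(f"{phase!r} is not one of: {', '.join(PHASES)}")
        self.phase = phase
        self._record(f"phase set to {phase}", "system")

    def add_action(self, action, actor):
        if self.phase is None:
            raise InvalidPhaseError("set a phase before recording actions")
        self._record(action, actor)

    def _record(self, action, actor):
        ts = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
        self.audit_trail.append((ts, self.phase, action, actor))

    def phases_visited(self):
        seen = []
        for _, phase, _, _ in self.audit_trail:
            if phase not in seen:
                seen.append(phase)
        return seen

    def skipped_phases(self):
        """Lifecycle phases never entered; worth flagging in the post-incident review."""
        return [p for p in PHASES if p not in self.phases_visited()]

    def generate_report(self):
        lines = [f"# {self.incident_id}: {self.title} ({self.severity})", ""]
        for phase in self.phases_visited():
            lines.append(f"## {phase}")
            lines += [f"- {ts} {actor}: {action}"
                      for ts, p, action, actor in self.audit_trail if p == phase]
        if self.skipped_phases():
            lines.append(f"Phases not entered: {', '.join(self.skipped_phases())}")
        return "\n".join(lines)
```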
Timeline Ordering
Events are automatically sorted by timestamp:
```python
# Events can be added in any order
timeline.add_event('2024-01-15 10:30', 'Event B', 'detection')
timeline.add_event('2024-01-15 10:00', 'Event A', 'initial_access')
# Timeline will display A before B
```
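For the Timeline Analysis section and the ordering note above, this added example (not the skill's `ir_utils.IncidentTimeline`) builds a timeline that accepts both timestamp styles used on this page, sorts events on output, and derives the response metrics a review needs, such as time from initial access to detection and from detection to containment; `SimpleTimeline`, `parse_ts` and `gap_minutes` are assumed names for the demonstration.

```python
from datetime import datetime

# Both timestamp styles used on this page: 'YYYY-MM-DD HH:MM:SS' and 'YYYY-MM-DD HH:MM'.
_FORMATS = ("%Y-%m-%d %H:%M:%S", "%Y-%m-%d %H:%M")


def parse_ts(text):
    for fmt in _FORMATS:
        try:
            return datetime.strptime(text, fmt)
        except ValueError:
            continue
    raise ValueError(f"unrecognised timestamp: {text!r}")


class SimpleTimeline:
    """Illustrative timeline: events are stored as added and sorted when read."""

    def __init__(self, incident_id):
        self.incident_id = incident_id
        self.events = []  # (datetime, description, category, source)

    def add_event(self, timestamp, description, category, source="unknown"):
        # Parsing here means a malformed timestamp fails at entry, not at report time.
        self.events.append((parse_ts(timestamp), description, category, source))

    def sorted_events(self):
        # sorted() is stable, so events with equal timestamps keep insertion order.
        return sorted(self.events, key=lambda e: e[0])

    def generate_timeline(self):
        lines = [f"# Timeline for {self.incident_id}", "",
                 "| Time | Category | Event | Source |", "|---|---|---|---|"]
        for ts, desc, cat, src in self.sorted_events():
            lines.append(f"| {ts:%Y-%m-%d %H:%M:%S} | {cat} | {desc} | {src} |")
        return "\n".join(lines)

    def gap_minutes(self, from_category, to_category):
        """Minutes between the first event of each category (e.g. initial_access
        to detection = time to detect); None if either category is absent."""
        first = {}
        for ts, _, cat, _ in self.sorted_events():
            first.setdefault(cat, ts)
        if from_category not in first or to_category not in first:
            return None
        return (first[to_category] - first[from_category]).total_seconds() / 60
```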
Related Skills
- soc-operations: Initial detection and triage
- threat-intelligence: Attribution and IOCs
- docx: Report generation