responding-to-security-incidents

# Responding To Security Incidents ## Overview This skill provides automated assistance for the described functionality. ## Prerequisites Before using this skill, ensure: - Access to system and application logs in {baseDir}/logs/ - Network traffic captures or SIEM data available - Incident response team contact information - Backup systems operational and accessible - Write permissions for incident documentation in {baseDir}/incidents/ - Communication channels established for stakeholder updates ## Instructions 1. Triage the incident and scope affected systems/data. 2. Preserve evidence (logs, snapshots, network captures) before making changes. 3. Contain the blast radius and eradicate root cause. 4. Recover safely and document follow-ups (AAR + backlog). See `{baseDir}/references/implementation.md` for detailed implementation guide. ## Output The skill produces: **Primary Output**: Incident response playbook saved to {baseDir}/incidents/incident-YYYYMMDD-HHMM.md **Playbook Structure**: ``` # Security Incident Response - [Incident Type] ## Error Handling See `{baseDir}/references/errors.md` for comprehensive error handling. ## Examples See `{baseDir}/references/examples.md` for detailed examples. ## Resources - NIST Computer Security Incident Handling Guide: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf - SANS Incident Handler's Handbook: https://www.sans.org/white-papers/33901/ - CISA Incident Response Guide: https://www.cisa.gov/incident-response - Memory analysis: Volatility Framework - Disk forensics: Autopsy, FTK Imager