cyber-ir-playbook_skill

This skill converts incident events into a structured response timeline and phase-based report for clear executive summaries.
  • Python

2.6k

GitHub Stars

2

Bundled Files

2 months ago

Catalog Refreshed

3 months ago

First Indexed

Readme & install

Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.

Installation

Preview and clipboard use veilstrat where the catalogue uses aiagentskills.

npx veilstrat add skill openclaw/skills --skill cyber-ir-playbook

  • _meta.json292 B
  • SKILL.md932 B

Overview

This skill converts raw incident events into a standardized incident response timeline and phase-based report pack. It produces stakeholder-ready summaries for technical teams and executives, tracking progress from detection through post-incident review. Use it to create consistent, reproducible artifacts that support reporting, handoffs, and lessons learned. The tool focuses on defensive handling and learning, not offensive techniques.

How this skill works

Ingest a stream or file of timestamped events and metadata. The skill classifies each event into phases—detection, containment, eradication, recovery, or post-incident—then orders events into a clear timeline. It summarizes phase completion, highlights gaps, and generates report artifacts tailored for internal responders and executive audiences. A deterministic report generator ensures repeatable outputs for audits and after-action reviews.

When to use it

  • After a security detection to document actions and decisions from discovery to recovery.
  • When preparing an incident report for leadership, auditors, or regulators.
  • During tabletop or post-incident review to reconstruct timelines and identify process gaps.
  • To track phase completion and responsibilities across response teams.
  • When consolidating logs from multiple sources into a single, auditable narrative.

Best practices

  • Provide complete, timestamped event data from all relevant sources (IDS, EDR, SIEM, logs).
  • Normalize timestamps to a single timezone before ingestion to avoid ordering errors.
  • Map events to the defined phase guide consistently; review phase mappings during post-incident review.
  • Annotate events with owner and justification to support auditability and follow-up tasks.
  • Use the deterministic report output as the canonical artifact for lessons learned and compliance.

Example use cases

  • Generate an executive incident summary that highlights customer impact and remediation status.
  • Produce a technical timeline for the SOC to identify missed detection opportunities.
  • Create a phase-completion dashboard to show which recovery activities remain open.
  • Consolidate multi-source logs into a single report for external investigators or regulators.
  • Run automated timeline reports after every incident to feed the knowledge base and playbook updates.

FAQ

Provide event logs as structured JSON, CSV, or common SIEM export formats; normalize fields before ingestion for best results.

Can I customize phase mappings and report templates?

Yes. Edit the phase mapping guidance and report templates to match your organization’s response taxonomy and stakeholder needs.

Built by
VeilStrat
AI signals for GTM teams
© 2026 VeilStrat. All rights reserved.All systems operational
cyber-ir-playbook skill by openclaw/skills | VeilStrat