Repository inventory

tsale/awesome-dfir-skills

Skills indexed from this repository, with install-style signals scoped to the repo.
6 skills1.5K GitHub stars0 weekly installsPythonGitHubOwner profile

Overview

This skill turns raw first-contact notes into a concise first-hour incident scope and an actionable evidence plan. It produces an incident statement, a working hypothesis with confidence, a critical time window, knowns/unknowns, containment suggestions, prioritized evidence requests, and a 60-minute checklist. Use it to move from uncertainty to focused IR actions quickly.

How this skill works

Provide the intake notes and any environment summary; the skill normalizes the input and extracts triggers, affected assets/identities, recent changes, and actions already taken. It generates a short incident summary, a prioritized evidence list with reasons, and a practical next-60-minutes plan that balances containment and evidence preservation. If data is missing, it asks targeted follow-up questions and flags logging gaps and timezone assumptions.

When to use it

  • During new case creation or first response
  • When handing off from SOC to IR
  • To decide contain vs observe vs collect more evidence
  • When you need a prioritized evidence request list fast
  • When critical time window is unclear and must be identified

Best practices

  • Keep intake notes focused: trigger, impact, suspected assets, and recent changes
  • Redact PII and secrets; provide headers or redacted snippets for email-related incidents
  • Confirm which logging sources exist before requesting logs
  • State the reporter’s timezone or call it out if unknown
  • Prioritize actions that are low-regret and preserve evidence (avoid reimaging unless necessary)

Example use cases

  • An alert of suspicious sign-in on a privileged account—produce hypothesis, request sign-in and MFA logs, and list containment steps
  • A user-reported phishing email—create incident statement, request message trace and mailbox audit, and plan URL and attachment analysis
  • EDR detection of unusual process spawning—scope hosts, request process trees/timelines and network connections, and advise on isolation approach
  • Unusual data transfer from cloud storage—define timeframe, request CloudTrail/object access logs, and identify affected resources

FAQ

I will ask targeted questions (trigger, assets, recent changes, actions taken) and flag any logging sources to confirm before requesting evidence.

Should I contain or observe first?

The skill recommends low-regret containment by default (isolate suspicious hosts, disable compromised sessions) and provides criteria and evidence requirements to escalate to full containment.

6 skills

More from this maintainer
Other repositories and skills published under the same GitHub owner.
Skills library
Jump back to the full directory or explore grouped topics.
Built by
VeilStrat
AI signals for GTM teams
© 2026 VeilStrat. All rights reserved.All systems operational