tsale/awesome-dfir-skills
Overview
This skill turns raw first-contact notes into a concise first-hour incident scope and an actionable evidence plan. It produces an incident statement, a working hypothesis with confidence, a critical time window, knowns/unknowns, containment suggestions, prioritized evidence requests, and a 60-minute checklist. Use it to move from uncertainty to focused IR actions quickly.
How this skill works
Provide the intake notes and any environment summary; the skill normalizes the input and extracts triggers, affected assets/identities, recent changes, and actions already taken. It generates a short incident summary, a prioritized evidence list with reasons, and a practical next-60-minutes plan that balances containment and evidence preservation. If data is missing, it asks targeted follow-up questions and flags logging gaps and timezone assumptions.
When to use it
- During new case creation or first response
- When handing off from SOC to IR
- To decide contain vs observe vs collect more evidence
- When you need a prioritized evidence request list fast
- When critical time window is unclear and must be identified
Best practices
- Keep intake notes focused: trigger, impact, suspected assets, and recent changes
- Redact PII and secrets; provide headers or redacted snippets for email-related incidents
- Confirm which logging sources exist before requesting logs
- State the reporter’s timezone or call it out if unknown
- Prioritize actions that are low-regret and preserve evidence (avoid reimaging unless necessary)
Example use cases
- An alert of suspicious sign-in on a privileged account—produce hypothesis, request sign-in and MFA logs, and list containment steps
- A user-reported phishing email—create incident statement, request message trace and mailbox audit, and plan URL and attachment analysis
- EDR detection of unusual process spawning—scope hosts, request process trees/timelines and network connections, and advise on isolation approach
- Unusual data transfer from cloud storage—define timeframe, request CloudTrail/object access logs, and identify affected resources
FAQ
I will ask targeted questions (trigger, assets, recent changes, actions taken) and flag any logging sources to confirm before requesting evidence.
Should I contain or observe first?
The skill recommends low-regret containment by default (isolate suspicious hosts, disable compromised sessions) and provides criteria and evidence requirements to escalate to full containment.
6 skills
This skill converts messy intake notes into a clear incident scope and evidence plan, speeding first-hour decision making.
This skill helps analysts map Mitre ATT&CK tactics and techniques to detections and threat models, enabling precise risk insights.
This skill helps you write, validate, and troubleshoot osquery queries against platform schemas to improve accuracy and performance.
This skill helps you assemble a targeted Windows intrusion timeline from artifacts, highlighting gaps, and generating follow-up queries to validate hypotheses.
This skill helps threat hunters generate a cross-platform PowerShell abuse hunt plan with queries, telemetries, and pivots for rapid investigation.
This skill performs analyst-grade static analysis, TI triage, and behavioral reasoning on suspicious PE files to produce actionable malware reports.