initial-incident-intake_skill

This skill converts messy intake notes into a clear incident scope and evidence plan, speeding first-hour decision making.
  • Python

250

GitHub Stars

1

Bundled Files

2 months ago

Catalog Refreshed

4 months ago

First Indexed

Readme & install

Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.

Installation

Preview and clipboard use veilstrat where the catalogue uses aiagentskills.

npx veilstrat add skill tsale/awesome-dfir-skills --skill initial-incident-intake

  • skill.md3.2 KB

Overview

This skill turns raw first-contact notes into a concise first-hour incident scope and an actionable evidence plan. It produces an incident statement, a working hypothesis with confidence, a critical time window, knowns/unknowns, containment suggestions, prioritized evidence requests, and a 60-minute checklist. Use it to move from uncertainty to focused IR actions quickly.

How this skill works

Provide the intake notes and any environment summary; the skill normalizes the input and extracts triggers, affected assets/identities, recent changes, and actions already taken. It generates a short incident summary, a prioritized evidence list with reasons, and a practical next-60-minutes plan that balances containment and evidence preservation. If data is missing, it asks targeted follow-up questions and flags logging gaps and timezone assumptions.

When to use it

  • During new case creation or first response
  • When handing off from SOC to IR
  • To decide contain vs observe vs collect more evidence
  • When you need a prioritized evidence request list fast
  • When critical time window is unclear and must be identified

Best practices

  • Keep intake notes focused: trigger, impact, suspected assets, and recent changes
  • Redact PII and secrets; provide headers or redacted snippets for email-related incidents
  • Confirm which logging sources exist before requesting logs
  • State the reporter’s timezone or call it out if unknown
  • Prioritize actions that are low-regret and preserve evidence (avoid reimaging unless necessary)

Example use cases

  • An alert of suspicious sign-in on a privileged account—produce hypothesis, request sign-in and MFA logs, and list containment steps
  • A user-reported phishing email—create incident statement, request message trace and mailbox audit, and plan URL and attachment analysis
  • EDR detection of unusual process spawning—scope hosts, request process trees/timelines and network connections, and advise on isolation approach
  • Unusual data transfer from cloud storage—define timeframe, request CloudTrail/object access logs, and identify affected resources

FAQ

I will ask targeted questions (trigger, assets, recent changes, actions taken) and flag any logging sources to confirm before requesting evidence.

Should I contain or observe first?

The skill recommends low-regret containment by default (isolate suspicious hosts, disable compromised sessions) and provides criteria and evidence requirements to escalate to full containment.

Built by
VeilStrat
AI signals for GTM teams
© 2026 VeilStrat. All rights reserved.All systems operational