- Home
- Skills
- Tsale
- Awesome Dfir Skills
- Initial Incident Intake
initial-incident-intake_skill
- Python
250
GitHub Stars
1
Bundled Files
2 months ago
Catalog Refreshed
4 months ago
First Indexed
Readme & install
Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.
Installation
Preview and clipboard use veilstrat where the catalogue uses aiagentskills.
npx veilstrat add skill tsale/awesome-dfir-skills --skill initial-incident-intake- skill.md3.2 KB
Overview
This skill turns raw first-contact notes into a concise first-hour incident scope and an actionable evidence plan. It produces an incident statement, a working hypothesis with confidence, a critical time window, knowns/unknowns, containment suggestions, prioritized evidence requests, and a 60-minute checklist. Use it to move from uncertainty to focused IR actions quickly.
How this skill works
Provide the intake notes and any environment summary; the skill normalizes the input and extracts triggers, affected assets/identities, recent changes, and actions already taken. It generates a short incident summary, a prioritized evidence list with reasons, and a practical next-60-minutes plan that balances containment and evidence preservation. If data is missing, it asks targeted follow-up questions and flags logging gaps and timezone assumptions.
When to use it
- During new case creation or first response
- When handing off from SOC to IR
- To decide contain vs observe vs collect more evidence
- When you need a prioritized evidence request list fast
- When critical time window is unclear and must be identified
Best practices
- Keep intake notes focused: trigger, impact, suspected assets, and recent changes
- Redact PII and secrets; provide headers or redacted snippets for email-related incidents
- Confirm which logging sources exist before requesting logs
- State the reporter’s timezone or call it out if unknown
- Prioritize actions that are low-regret and preserve evidence (avoid reimaging unless necessary)
Example use cases
- An alert of suspicious sign-in on a privileged account—produce hypothesis, request sign-in and MFA logs, and list containment steps
- A user-reported phishing email—create incident statement, request message trace and mailbox audit, and plan URL and attachment analysis
- EDR detection of unusual process spawning—scope hosts, request process trees/timelines and network connections, and advise on isolation approach
- Unusual data transfer from cloud storage—define timeframe, request CloudTrail/object access logs, and identify affected resources
FAQ
I will ask targeted questions (trigger, assets, recent changes, actions taken) and flag any logging sources to confirm before requesting evidence.
Should I contain or observe first?
The skill recommends low-regret containment by default (isolate suspicious hosts, disable compromised sessions) and provides criteria and evidence requirements to escalate to full containment.