Security specialty

Incident Response

Browse every cataloged workflow for incident response, with source context, tags, and security framework mappings intact.

Complete collection

Skills in this domain

26 skills

cybersecuritySkill

Analyzing Linux Audit Logs for Intrusion

Uses the Linux Audit framework (auditd) with ausearch and aureport utilities to detect intrusion attempts, unauthorized access, privilege escalation, and suspicious system activity. Covers audit rule configuration, log querying, timeline reconstruction, and integration with SIEM platforms. Activates for requests involving auditd analysis, Linux audit log investigation, ausearch queries, aureport summaries, or host-based intrusion detection on Linux.

Incident Response
auditdaureportausearchforensics+3
ATT&CK, 4 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Analyzing Network Traffic for Incidents

Analyzes network traffic captures and flow data to identify adversary activity during security incidents, including command-and-control communications, lateral movement, data exfiltration, and exploitation attempts. Uses Wireshark, Zeek, and NetFlow analysis techniques. Activates for requests involving network traffic analysis, packet capture investigation, PCAP analysis, network forensics, C2 traffic detection, or exfiltration detection.

Incident Response
network-forensicspcap-analysistraffic-analysiswireshark+1
ATT&CK, 4 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Analyzing Security Logs with Splunk

Leverages Splunk Enterprise Security and SPL (Search Processing Language) to investigate security incidents through log correlation, timeline reconstruction, and anomaly detection. Covers Windows event logs, firewall logs, proxy logs, and authentication data analysis. Activates for requests involving Splunk investigation, SPL queries, SIEM log analysis, security event correlation, or log-based incident investigation.

Incident Response
log-analysissecurity-monitoringsiemspl+1
ATT&CK, 5 mappingsNIST CSF, 4 mappingsATLAS, 3 mappingsD3FEND, 5 mappingsAI RMF, 5 mappings
cybersecuritySkill

Building Incident Response Playbooks

Designs and documents structured incident response playbooks that define step-by-step procedures for specific incident types aligned with NIST SP 800-61r3 and SANS PICERL frameworks. Covers playbook structure, decision trees, escalation criteria, RACI matrices, and integration with SOAR platforms. Activates for requests involving IR playbook creation, incident response procedure documentation, response runbook development, or SOAR playbook design.

Incident Response
ir-playbooknist-800-61response-proceduresrunbook+1
ATT&CK, 5 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Building Incident Timeline with Timesketch

Build collaborative forensic incident timelines using Timesketch to ingest, normalize, and analyze multi-source event data for attack chain reconstruction and investigation documentation.

Incident Response
collaborative-forensicsdfirforensic-timelineincident-investigation+3
ATT&CK, 5 mappingsNIST CSF, 4 mappingsD3FEND, 5 mappings
cybersecuritySkill

Building Malware Incident Communication Template

Build structured communication templates for malware incidents including stakeholder notifications, executive briefings, technical advisories, and regulatory disclosures with severity-based escalation procedures.

Incident Response
crisis-communicationexecutive-briefingincident-communicationmalware-response+2
ATT&CK, 5 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Collecting Indicators of Compromise

Systematically collects, categorizes, and distributes indicators of compromise (IOCs) during and after security incidents to enable detection, blocking, and threat intelligence sharing. Covers network, host, email, and behavioral indicators using STIX/TAXII formats and threat intelligence platforms. Activates for requests involving IOC collection, indicator extraction, threat indicator sharing, compromise indicators, STIX export, or IOC enrichment.

Incident Response
ioc-collectionmispstix-taxiithreat-indicators+1
ATT&CK, 6 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Collecting Volatile Evidence from Compromised Hosts

Collect volatile forensic evidence from a compromised system following order of volatility, preserving memory, network connections, processes, and system state before they are lost.

Incident Response
chain-of-custodydfirforensicsincident-response+2
ATT&CK, 5 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Conducting Cloud Incident Response

Responds to security incidents in cloud environments (AWS, Azure, GCP) by performing identity-based containment, cloud-native log analysis, resource isolation, and forensic evidence acquisition adapted for ephemeral cloud infrastructure. Activates for requests involving cloud incident response, AWS security incident, Azure compromise, GCP breach, cloud forensics, or cloud identity compromise.

Incident Response
aws-forensicsazure-incident-responsecloud-irgcp-security+1
ATT&CK, 4 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Conducting Malware Incident Response

Responds to malware infections across enterprise endpoints by identifying the malware family, determining infection vectors, assessing spread, and executing eradication procedures. Covers the full lifecycle from detection through containment, analysis, removal, and recovery. Activates for requests involving malware response, malware eradication, trojan removal, worm containment, malware triage, or infected endpoint remediation.

Incident Response
endpoint-remediationeradicationmalware-analysismalware-response+1
ATT&CK, 5 mappingsNIST CSF, 4 mappingsD3FEND, 5 mappings
cybersecuritySkill

Conducting Memory Forensics with Volatility

Performs memory forensics analysis using Volatility 3 to extract evidence of malware execution, process injection, network connections, and credential theft from RAM dumps captured during incident response. Covers memory acquisition, process analysis, DLL inspection, and malware detection. Activates for requests involving memory forensics, RAM analysis, Volatility framework, memory dump investigation, volatile evidence analysis, or live memory acquisition.

Incident Response
dfirmemory-forensicsprocess-injectionram-analysis+1
ATT&CK, 5 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Conducting Phishing Incident Response

Responds to phishing incidents by analyzing reported emails, extracting indicators, assessing credential compromise, quarantining malicious messages across the organization, and remediating affected accounts. Covers email header analysis, URL/attachment sandboxing, and mailbox-wide purge operations. Activates for requests involving phishing response, email incident, credential phishing, spear phishing investigation, or phishing remediation.

Incident Response
credential-compromiseemail-header-analysisemail-securitymailbox-remediation+1
ATT&CK, 6 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Conducting Post-Incident Lessons Learned

Facilitate structured post-incident reviews to identify root causes, document what worked and failed, and produce actionable recommendations to improve future incident response.

Incident Response
after-action-reviewincident-responselessons-learnedpost-incident+1
ATT&CK, 4 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Containing Active Breaches

Executes containment strategies to stop active adversary operations and prevent lateral movement during a confirmed security breach. Implements short-term and long-term containment using network segmentation, endpoint isolation, credential revocation, and access control modifications. Activates for requests involving breach containment, lateral movement prevention, network isolation, active threat containment, or live incident response.

Incident Response
breach-containmentcredential-revocationlateral-movementlive-response+1
ATT&CK, 5 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Detecting Email Account Compromise

Detect compromised O365 and Google Workspace email accounts by analyzing inbox rule creation, suspicious sign-in locations, mail forwarding rules, and unusual API access patterns via Microsoft Graph and audit logs.

Incident Response
account-takeoverbecemail-compromiseinbox-rules+3
ATT&CK, 5 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Eradicating Malware from Infected Systems

Systematically remove malware, backdoors, and attacker persistence mechanisms from infected systems while ensuring complete eradication and preventing re-infection.

Incident Response
dfireradicationincident-responsemalware-removal+1
ATT&CK, 23 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Implementing Velociraptor for IR Collection

Deploy and configure Velociraptor for scalable endpoint forensic artifact collection during incident response using VQL queries, hunts, and pre-built artifact packs across Windows, Linux, and macOS environments.

Incident Response
dfirendpoint-collectionforensic-artifactsincident-response+4
ATT&CK, 5 mappingsNIST CSF, 4 mappingsD3FEND, 5 mappings
cybersecuritySkill

Performing Active Directory Compromise Investigation

Investigate Active Directory compromise by analyzing authentication logs, replication metadata, Group Policy changes, and Kerberos ticket anomalies to identify attacker persistence and lateral movement paths.

Incident Response
active-directorycompromise-investigationdfirgolden-ticket+4
ATT&CK, 12 mappingsNIST CSF, 4 mappingsD3FEND, 5 mappings
cybersecuritySkill

Performing Cloud Incident Containment Procedures

Execute cloud-native incident containment across AWS, Azure, and GCP by isolating compromised resources, revoking credentials, preserving forensic evidence, and applying security group restrictions to prevent lateral movement.

Incident Response
awsazurecloud-forensicscloud-security+4
ATT&CK, 5 mappingsNIST CSF, 4 mappingsD3FEND, 5 mappings
cybersecuritySkill

Performing Disk Forensics Investigation

Conducts disk forensics investigations using forensic imaging, file system analysis, artifact recovery, and timeline reconstruction to support incident response cases. Utilizes tools such as FTK Imager, Autopsy, and The Sleuth Kit for evidence acquisition, deleted file recovery, and artifact examination. Activates for requests involving disk forensics, hard drive analysis, forensic imaging, file recovery, evidence acquisition, or digital forensic investigation.

Incident Response
chain-of-custodydisk-forensicsevidence-acquisitionfile-recovery+1
ATT&CK, 5 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Performing Insider Threat Investigation

Investigates insider threat incidents involving employees, contractors, or trusted partners who misuse authorized access to steal data, sabotage systems, or violate security policies. Combines digital forensics, user behavior analytics, and HR/legal coordination to build an evidence-based case. Activates for requests involving insider threat investigation, employee data theft, privilege misuse, user behavior anomaly, or internal threat detection.

Incident Response
data-exfiltrationdfirinsider-threatprivilege-misuse+1
ATT&CK, 5 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Performing Ransomware Response

Executes a structured ransomware incident response from initial detection through containment, forensic analysis, decryption assessment, recovery, and post-incident hardening. Addresses ransom negotiation considerations, backup integrity verification, and regulatory notification requirements. Activates for requests involving ransomware response, ransomware recovery, crypto-ransomware, data encryption attack, ransom payment decision, or ransomware containment.

Incident Response
backup-restorationcisa-guidanceencryption-recoveryransom-negotiation+1
ATT&CK, 5 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Testing Ransomware Recovery Procedures

Test and validate ransomware recovery procedures including backup restore operations, RTO/RPO target verification, recovery sequencing, and clean restore validation to ensure organizational resilience against destructive ransomware attacks.

Incident Response
backupdisaster-recoveryincident-responseransomware+3
ATT&CK, 5 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Triaging Security Incidents

Performs initial triage of security incidents to determine severity, scope, and required response actions using the NIST SP 800-61r3 and SANS PICERL frameworks. Classifies incidents by type, assigns priority based on business impact, and routes to appropriate response teams. Activates for requests involving incident triage, security alert classification, severity assessment, incident prioritization, or initial incident analysis.

Incident Response
incident-triagenist-800-61sans-picerlseverity-classification+1
ATT&CK, 8 mappingsNIST CSF, 4 mappingsD3FEND, 5 mappings
cybersecuritySkill

Triaging Security Incidents with IR Playbooks

Classify and prioritize security incidents using structured IR playbooks to determine severity, assign response teams, and initiate appropriate response procedures.

Incident Response
incident-responseplaybookseverity-classificationsoc+1
ATT&CK, 4 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Validating Backup Integrity for Recovery

Validate backup integrity through cryptographic hash verification, automated restore testing, corruption detection, and recoverability checks to ensure backups are reliable for disaster recovery and ransomware response scenarios.

Incident Response
backupdisaster-recoveryhash-verificationincident-response+2
ATT&CK, 5 mappingsNIST CSF, 4 mappings