[{"name":"case_context","description":"Environment + scope: host roles, time window, timezone, suspected technique, what telemetry/artifacts exist (event logs, EDR, SIEM, triage notes).","required":true},{"name":"artifacts","description":"Relevant investigation artifacts (bounded): event entries (text/JSON/CSV), EDR process tree, alerts, command lines, file hashes/paths, network indicators, or short summaries with examples.","required":true}]
outputs
[{"name":"timeline","description":"Chronological list of notable events with interpretations and confidence."},{"name":"followup_queries","description":"Concrete event filters/queries to run next (by EventID and fields)."}]
Windows intrusion timeline (targeted)
What this skill does
Reconstructs an intrusion timeline from whatever Windows-relevant artifacts are available.
Pivoting guide: trace a suspicious execution chain
Use this procedure whenever the incident involves a suspicious process/script/service/task.
Select a seed “suspicious event”
Pick one event in the provided data that looks most suspicious (e.g., unusual parent process, encoded PowerShell, LOLBIN usage, new service, scheduled task).
If the provided snippets do not include a clearly suspicious event, request it:
ask for one representative process execution or persistence event (including timestamp, host, user, image, command line, parent, and any IDs/guids/pids).
Extract pivot keys from the seed (use whatever is available)
time window: $T_{seed} \pm$ 5–30 minutes (expand as needed)
host, user, log/channel
process identifiers: PID, ProcessGuid, LogonId, TargetUser, service name, task name
image path + command line substrings
Trace backwards (how did it start?)
Look for the parent process and the events immediately preceding execution.
Identify the initial launcher (Office → script, browser → dropper, service → binary, WMI → process, etc.).
Look for authentication context changes (new logon, special privileges, remote logon types).
Trace forwards (what did it do next?)
Enumerate child processes spawned by the suspicious process and their command lines.