Ejecuta cualquier Skill en Manus
con un clic

Ejecuta cualquier Skill en Manus con un clic

$pwd:

incident-triage

Name: Incident Triage
Author: briiirussell

// Guide rapid triage and initial response to security incidents following NIST SP 800-61 methodology. Use when the user mentions 'incident response,' 'security incident,' 'triage,' 'we've been hacked,' 'breach,' 'compromised,' 'malware detected,' 'suspicious activity,' 'IOC,' 'indicators of compromise,' or needs help handling a security event.

Ejecutar en Manus

$ git log --oneline --stat

stars:216

forks:13

updated:27 de mayo de 2026, 06:32

SKILL.md

readonly

name	incident-triage
description	Guide rapid triage and initial response to security incidents following NIST SP 800-61 methodology. Use when the user mentions 'incident response,' 'security incident,' 'triage,' 'we've been hacked,' 'breach,' 'compromised,' 'malware detected,' 'suspicious activity,' 'IOC,' 'indicators of compromise,' or needs help handling a security event.
allowed-tools	Bash, Read, Write, Grep, Glob, WebSearch

Incident Triage — Security Incident Response

Guide rapid triage and initial response to security incidents. Follow NIST SP 800-61 methodology.

Cross-references: siem-detection for the rules that produced the alert this triage is responding to, disk-forensics for deeper disk and memory analysis once a host is contained, breach-patterns for the post-incident pattern extraction that hardens against recurrence, soc-operations for the operational layer above this skill (runbooks, escalation, handoff), security-comms for the stakeholder / customer notifications the response generates, privacy-engineering / hipaa-audit / pci-audit for the regulatory-clock determination when personal data, PHI, or cardholder data is involved, ai-risk-management for AI-specific incident classes (model failure, fairness drift, jailbreak exploitation in production).

Priorities (in order)

Preserve human safety
Contain the incident to prevent further damage
Preserve evidence for investigation
Identify root cause and scope
Document everything

Step 1: Classification

Determine incident type:

Malware: ransomware, trojan, worm, cryptominer
Unauthorized access: compromised credentials, exploitation
Data exfiltration: data theft, insider threat
Denial of service
Web compromise: defacement, skimming, backdoor
Phishing / social engineering

Determine severity:

Critical: active data exfiltration, ransomware spreading, critical system compromise
High: confirmed compromise, malware detected, unauthorized access
Medium: suspicious activity, potential indicators, failed attacks
Low: policy violation, reconnaissance detected, likely false positive

Step 2: Initial Containment

Based on type and severity:

Network: block suspicious IPs/domains at firewall
Host: isolate affected system (network disconnect, NOT power off — volatile memory is evidence)
Account: disable compromised accounts, force password resets
Application: disable affected service if safe to do so

Critical: Do NOT power off systems. Volatile memory contains evidence.

Step 3: Evidence Preservation

Capture in order of volatility (most volatile first):

# 1. Running processes
ps auxf                         # Linux
tasklist /v                     # Windows

# 2. Network connections
ss -tupn                        # Linux
netstat -anob                   # Windows

# 3. Logged-in users
who -a                          # Linux
query user                      # Windows

# 4. Open files
lsof -nP                        # Linux

# 5. System logs
journalctl --since "1 hour ago" # Linux/systemd

If memory forensics tools are available (LiME, WinPmem), capture a memory dump before anything else.

Step 4: Initial Analysis

For each suspicious indicator, document:

What: describe the artifact
When: timestamps in UTC
Where: affected system(s)
How: how it was detected

Common analysis:

Process tree: look for unusual process names, paths, or parent-child relationships
Network indicators: unusual outbound connections, DNS queries to suspicious domains, beaconing patterns (regular intervals)
File indicators: recently modified files in unusual locations, hidden files, new executables
Log analysis: authentication failures, privilege escalation, service changes, cleared logs
Persistence: crontab, systemd units, registry Run keys, scheduled tasks, startup items

Step 5: IOC Extraction

Extract and document all indicators of compromise:

Type	Examples
IP addresses	Source and destination IPs
Domains	C2 domains, phishing domains
File hashes	MD5 and SHA256 of suspicious files
File paths	Malware locations, dropped files
Email addresses	Phishing sender addresses
URLs	Malicious URLs, C2 endpoints
User agents	Unusual or known-malicious user agents

Output Format

# Incident Triage Report
## Incident ID: [ID]
## Date/Time: [UTC]
## Severity: [Critical/High/Medium/Low]
## Classification: [incident type]
## Status: [Triage/Contained/Analyzing/Resolved]

### Summary
[2-3 sentence overview]

### Affected Systems
| Hostname | IP | Role | Status |
|----------|-----|------|--------|

### Timeline
| Time (UTC) | Event | Source | Notes |
|------------|-------|--------|-------|

### Indicators of Compromise
| Type | Value | Context | Confidence |
|------|-------|---------|------------|

### Containment Actions Taken
- [ ] [Action and result]

### Evidence Preserved
| Type | Location | Hash | Notes |
|------|----------|------|-------|

### Recommended Next Steps
1. [Immediate priority]
2. [Short-term action]
3. [Follow-up investigation]

### Escalation Checklist
- [ ] Management notified
- [ ] Legal notified (if data breach)
- [ ] Law enforcement (if applicable)
- [ ] Affected parties notified (if data breach)

Boundaries

Focus on defense and containment, not counter-attack
Preserve evidence — never modify logs or timestamps
Recommend legal/management escalation for confirmed breaches
If unsure about a containment action's impact, advise caution and ask
Never recommend "hacking back" or retaliatory actions
Refuse requests to cover up incidents or tamper with evidence

References

NIST SP 800-61r2: Computer Security Incident Handling Guide
SANS Incident Handler's Handbook
MITRE ATT&CK Framework

related-skills.json

mismo repositorio

breach-patterns.md

from "briiirussell/cybersecurity-skills"

Learn from public breach disclosures — extract the audit question each one implies and check your own stack. Capital One IMDS abuse, LastPass vault exfiltration, Okta Lapsus$, Snowflake credential reuse, MOVEit, SolarWinds, Equifax, Target POS, Codecov, Uber, Twilio — what would you check now if your boss said 'could that happen to us?' Use when the user mentions 'breach analysis,' 'lessons learned,' 'security postmortem,' 'breach patterns,' 'breach lessons,' 'has this happened to us,' 'apply breach lessons,' 'preempt breaches,' 'security retrospective,' 'real-world security incidents,' or wants to harden against known attacker playbooks.

2026-05-27216

finding-triage.md

from "briiirussell/cybersecurity-skills"

Triage a single security finding — from a scanner, audit, advisory, or report — to a defensible disposition with a mitigation plan, false-positive justification, or accepted-risk writeup. Use when the user mentions 'triage this finding,' 'is this a real vulnerability,' 'mitigation plan,' 'false positive,' 'accept this risk,' 'compensating controls,' 'risk justification,' 'security ticket,' 'CVSS this,' 'should we fix this,' 'disposition,' 'sign off on,' or has a single security finding and needs to decide what to do.

2026-05-27216

prompt-injection.md

from "briiirussell/cybersecurity-skills"

Audit applications for AI prompt injection, agent security, and LLM permission boundary vulnerabilities. Use when the user mentions 'prompt injection,' 'LLM security,' 'AI security,' 'jailbreak,' 'indirect prompt injection,' 'prompt leaking,' 'AI red team,' 'LLM vulnerabilities,' 'AI input validation,' 'system prompt extraction,' 'agent security,' 'MCP security,' 'AI permissions,' 'AI privilege escalation,' or needs to secure any application with AI features, AI agents, or LLM integrations.

2026-05-27216

hipaa-audit.md

from "briiirussell/cybersecurity-skills"

Audit applications and infrastructure handling Protected Health Information against HIPAA — Security Rule (administrative, physical, technical safeguards), Privacy Rule, Breach Notification Rule, plus HITECH. Covers ePHI scoping, the 18 HIPAA identifiers, Business Associate Agreement (BAA) chain-of-liability, minimum-necessary standard, and breach notification timing. Use when the user mentions 'HIPAA,' 'HIPAA Security Rule,' 'HIPAA Privacy Rule,' 'PHI,' 'ePHI,' 'protected health information,' 'BAA,' 'business associate agreement,' 'covered entity,' 'business associate,' 'minimum necessary,' 'HIPAA breach,' 'HITECH,' 'healthcare compliance,' 'medical data,' 'patient data,' or audits any system that creates, receives, maintains, or transmits PHI.

2026-05-27216

pci-audit.md

from "briiirussell/cybersecurity-skills"

Audit applications and infrastructure handling payment card data against PCI DSS v4.0. Heavy emphasis on scope determination (the single most-leveraged variable) plus the engineering-relevant requirements — Req 3 (storage of CHD), Req 4 (transmission), Req 6 (secure SDLC), Req 7-8 (access), Req 10 (logging), Req 11 (testing), Req 12 (program). Use when the user mentions 'PCI,' 'PCI DSS,' 'PCI DSS 4.0,' 'payment card,' 'cardholder data,' 'CHD,' 'PAN,' 'PCI scope,' 'PCI compliance,' 'SAQ,' 'AoC,' 'attestation of compliance,' 'tokenization,' 'P2PE,' 'network segmentation for PCI,' or audits any system that stores, processes, or transmits payment card data.

2026-05-27216

red-team-engagement.md

from "briiirussell/cybersecurity-skills"

Plan, scope, and execute an authorized red-team engagement — distinct from a penetration test. Covers engagement methodology, assumed-breach scenarios, ATT&CK emulation plans, rules of engagement, deconfliction with the blue team, post-engagement debriefs, and the program-level work that makes red teams actually improve defenses. Use when the user mentions 'red team,' 'red team engagement,' 'red teaming,' 'adversary emulation,' 'ATT&CK emulation,' 'assumed breach,' 'purple team exercise,' 'tabletop with technical execution,' 'red team scope,' 'rules of engagement,' 'red team RoE,' 'deconfliction,' 'red team debrief,' or wants to design or run a red-team engagement against systems with authorization.

2026-05-27216

package.json

"author": "briiirussell"

"repository": "briiirussell/cybersecurity-skills"

Abrir repositorio de GitHub Ver repositorios del creador

$ install --global

$ download --local

Ejecutar en Manus

$ useful --forSOC

Analistas de seguridad de la informaciónOcupaciones informáticas y matemáticas15-1212L4

name	incident-triage
description	Guide rapid triage and initial response to security incidents following NIST SP 800-61 methodology. Use when the user mentions 'incident response,' 'security incident,' 'triage,' 'we've been hacked,' 'breach,' 'compromised,' 'malware detected,' 'suspicious activity,' 'IOC,' 'indicators of compromise,' or needs help handling a security event.
allowed-tools	Bash, Read, Write, Grep, Glob, WebSearch

Incident Triage — Security Incident Response

Guide rapid triage and initial response to security incidents. Follow NIST SP 800-61 methodology.

Priorities (in order)

Preserve human safety
Contain the incident to prevent further damage
Preserve evidence for investigation
Identify root cause and scope
Document everything

Step 1: Classification

Determine incident type:

Malware: ransomware, trojan, worm, cryptominer
Unauthorized access: compromised credentials, exploitation
Data exfiltration: data theft, insider threat
Denial of service
Web compromise: defacement, skimming, backdoor
Phishing / social engineering

Determine severity:

Critical: active data exfiltration, ransomware spreading, critical system compromise
High: confirmed compromise, malware detected, unauthorized access
Medium: suspicious activity, potential indicators, failed attacks
Low: policy violation, reconnaissance detected, likely false positive

Step 2: Initial Containment

Based on type and severity:

Network: block suspicious IPs/domains at firewall
Host: isolate affected system (network disconnect, NOT power off — volatile memory is evidence)
Account: disable compromised accounts, force password resets
Application: disable affected service if safe to do so

Critical: Do NOT power off systems. Volatile memory contains evidence.

Step 3: Evidence Preservation

Capture in order of volatility (most volatile first):

# 1. Running processes
ps auxf                         # Linux
tasklist /v                     # Windows

# 2. Network connections
ss -tupn                        # Linux
netstat -anob                   # Windows

# 3. Logged-in users
who -a                          # Linux
query user                      # Windows

# 4. Open files
lsof -nP                        # Linux

# 5. System logs
journalctl --since "1 hour ago" # Linux/systemd

If memory forensics tools are available (LiME, WinPmem), capture a memory dump before anything else.

Step 4: Initial Analysis

For each suspicious indicator, document:

What: describe the artifact
When: timestamps in UTC
Where: affected system(s)
How: how it was detected

Common analysis:

Process tree: look for unusual process names, paths, or parent-child relationships
Network indicators: unusual outbound connections, DNS queries to suspicious domains, beaconing patterns (regular intervals)
File indicators: recently modified files in unusual locations, hidden files, new executables
Log analysis: authentication failures, privilege escalation, service changes, cleared logs
Persistence: crontab, systemd units, registry Run keys, scheduled tasks, startup items

Step 5: IOC Extraction

Extract and document all indicators of compromise:

Type	Examples
IP addresses	Source and destination IPs
Domains	C2 domains, phishing domains
File hashes	MD5 and SHA256 of suspicious files
File paths	Malware locations, dropped files
Email addresses	Phishing sender addresses
URLs	Malicious URLs, C2 endpoints
User agents	Unusual or known-malicious user agents

Output Format

# Incident Triage Report
## Incident ID: [ID]
## Date/Time: [UTC]
## Severity: [Critical/High/Medium/Low]
## Classification: [incident type]
## Status: [Triage/Contained/Analyzing/Resolved]

### Summary
[2-3 sentence overview]

### Affected Systems
| Hostname | IP | Role | Status |
|----------|-----|------|--------|

### Timeline
| Time (UTC) | Event | Source | Notes |
|------------|-------|--------|-------|

### Indicators of Compromise
| Type | Value | Context | Confidence |
|------|-------|---------|------------|

### Containment Actions Taken
- [ ] [Action and result]

### Evidence Preserved
| Type | Location | Hash | Notes |
|------|----------|------|-------|

### Recommended Next Steps
1. [Immediate priority]
2. [Short-term action]
3. [Follow-up investigation]

### Escalation Checklist
- [ ] Management notified
- [ ] Legal notified (if data breach)
- [ ] Law enforcement (if applicable)
- [ ] Affected parties notified (if data breach)

Boundaries

Focus on defense and containment, not counter-attack
Preserve evidence — never modify logs or timestamps
Recommend legal/management escalation for confirmed breaches
If unsure about a containment action's impact, advise caution and ask
Never recommend "hacking back" or retaliatory actions
Refuse requests to cover up incidents or tamper with evidence

References

NIST SP 800-61r2: Computer Security Incident Handling Guide
SANS Incident Handler's Handbook
MITRE ATT&CK Framework

incident-triage

Incident Triage — Security Incident Response

Priorities (in order)

Step 1: Classification

Step 2: Initial Containment

Step 3: Evidence Preservation

Step 4: Initial Analysis

Step 5: IOC Extraction

Output Format

Boundaries

References

Más de este repositorio

Más de este repositorio

Incident Triage — Security Incident Response

Priorities (in order)

Step 1: Classification

Step 2: Initial Containment

Step 3: Evidence Preservation

Step 4: Initial Analysis

Step 5: IOC Extraction

Output Format

Boundaries

References