一键导入
mitigation-decision
Use when choosing a minimal DDoS mitigation strategy between near-destination and near-source scrubbing from destination-node load only.
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
菜单
Use when choosing a minimal DDoS mitigation strategy between near-destination and near-source scrubbing from destination-node load only.
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
基于 SOC 职业分类
| name | mitigation-decision |
| description | Use when choosing a minimal DDoS mitigation strategy between near-destination and near-source scrubbing from destination-node load only. |
| allowed-tools | Read, Grep, Glob, Edit, Write |
near-destination-scrubbing and near-source-scrubbing.load_ratio.Provide one JSON object with at least:
thresholddestination_nodenodesJudgment input can be provided in either of these forms:
alert_idtarget_ipjudged_attack_typescale_bandjudgment_eventeventalert-judgment output object:
judgmenteventsOptional judgment-side fields that the decision stage will consume when present:
judgmentconfidenceautomation.auto_handle_scoreimportance.importance_scoreevidence.matched_flow_summaryevidence.artifact_refsevidence.mixed_attack_hintsdestination_node is the near-destination node identifier.
nodes should be a 4-node list in this prototype:
role=destinationrole=sourceEach node should include at least:
node_idroleload_ratioOptional per-node field:
capacity_statusWhen reading input JSON, resolve the path relative to the current working directory first. Do not assume one fixed repository-absolute layout; prefer project-local relative paths and let the helper script fall back to project search when needed.
Prefer the local helper script instead of making the decision manually.
scripts/decide_mitigation.pyUse it to:
alert-judgment output JSONauto_handle_score as the automation gateload_ratio with thresholdExample:
python .claude/skills/mitigation-decision/scripts/decide_mitigation.py \
--input-json mitigation-input.json \
--pretty
python .claude/skills/mitigation-decision/scripts/decide_mitigation.py \
--input-json mitigation-infra.json \
--judgment-json judgment-output.json \
--event-id some-event-id \
--pretty
alert-judgment output.judgment and auto_handle_score to determine whether automatic execution is allowed, blocked, or should be sent to manual review.destination_node.load_ratio.load_ratio < threshold, choose near-destination-scrubbing and select only the destination node.near-source-scrubbing and select all nodes with role=source.Return:
{
"stage": "mitigation-decision",
"status": "completed",
"decision": {
"alert_id": "",
"event_id": "",
"target_ip": "",
"judgment": "credible | suspicious | unsupported",
"confidence": 0.0,
"judged_attack_type": "",
"scale_band": "",
"strategy": "near-destination-scrubbing | near-source-scrubbing",
"reason": "",
"selected_devices": [],
"threshold": 0.7,
"destination_load_ratio": 0.42,
"execution_mode": "auto_execute | manual_review_required | manual_review_recommended",
"judgment_gate": {
"status": "allowed | blocked | unknown",
"reason": "",
"source": "",
"auto_handle_score": 0.0,
"minimum_required_score": 0.6,
"importance_score": 0.0
},
"judgment_evidence": {
"matched_flow_summary": {},
"artifact_refs": {},
"mixed_attack_hints": []
}
}
}
Keep this stage minimal: