Skill

triaging-security-incident

Triages security incidents using NIST SP 800-61r3 and SANS PICERL frameworks to classify type, assess severity based on business impact, and route to response teams. For SIEM/EDR alerts and suspicious activity.

security

npx claudepluginhub mukul975/anthropic-cybersecurity-skills --plugin cybersecurity-skills

Tool Access

This skill uses the workspace's default tool permissions.

Preview

- A SIEM or EDR alert fires and requires human classification before escalation

Supporting Assets

LICENSEreferences/api-reference.mdscripts/agent.py

SKILL.md

Similar Skills

applying-brand-guidelines

41.6k

Applies Acme Corporation brand guidelines including colors, fonts, layouts, and messaging to generated PowerPoint, Excel, and PDF documents.

3 files

anthropics-claude-cookbooks

creating-financial-models

41.6k

Builds DCF models with sensitivity analysis, Monte Carlo simulations, and scenario planning for investment valuation and risk assessment.

2 files

anthropics-claude-cookbooks

analyzing-financial-statements

41.6k

Calculates profitability (ROE, margins), liquidity (current ratio), leverage, efficiency, and valuation (P/E, EV/EBITDA) ratios from financial statements in CSV, JSON, text, or Excel for investment analysis.

2 files

anthropics-claude-cookbooks

Stats

Stars5748

Forks783

Last CommitApr 6, 2026

Actions

View Source View Plugin View on GitHub View README

Triaging Security Incidents

When to Use

A SIEM or EDR alert fires and requires human classification before escalation
Multiple concurrent alerts arrive and the SOC must prioritize response order
An end user reports suspicious activity and the incident needs initial categorization
A threat intelligence feed matches an IOC observed in the environment

Do not use for routine vulnerability scanning results or compliance audit findings that do not represent active security incidents.

Prerequisites

Access to SIEM platform (Splunk, Elastic, Microsoft Sentinel) with current alert data
Incident classification taxonomy aligned to NIST SP 800-61r3 categories
Predefined severity matrix mapping asset criticality to threat type
Contact roster for escalation paths (Tier 1 through Tier 3 and CIRT)
Asset inventory with business criticality ratings

Workflow

Step 1: Collect Initial Alert Data

Gather all available context from the triggering alert before making classification decisions:

Alert source: Which detection system generated the alert (EDR, SIEM, IDS/IPS, firewall, user report)
Timestamp: When the event occurred and when it was detected (dwell time gap)
Affected assets: Hostnames, IP addresses, user accounts involved
Alert fidelity: Historical true-positive rate for this detection rule
Raw evidence: Log entries, packet captures, process execution chains

Example SIEM alert context:
Source:       CrowdStrike Falcon
Detection:    Suspicious PowerShell Execution (T1059.001)
Host:         WORKSTATION-FIN-042
User:         jsmith@corp.example.com
Timestamp:    2025-11-15T14:23:17Z
Severity:     High (detection rule confidence: 92%)
Process:      powershell.exe -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA...
Parent:       outlook.exe (PID 4812)

Step 2: Classify the Incident Type

Map the alert to a standard incident category per NIST SP 800-61r3:

Category	Examples
Unauthorized Access	Compromised credentials, privilege escalation, IDOR
Denial of Service	Volumetric DDoS, application-layer flood, resource exhaustion
Malicious Code	Malware execution, ransomware detonation, cryptominer
Improper Usage	Policy violation, insider data exfiltration, shadow IT
Reconnaissance	Port scanning, directory enumeration, credential spraying
Web Application Attack	SQL injection, XSS, SSRF exploitation

Step 3: Assign Severity Using Impact Matrix

Calculate severity by combining asset criticality with threat severity:

Severity = f(Asset Criticality, Threat Type, Data Sensitivity, Lateral Movement Potential)

Critical (P1): Crown jewel systems compromised, active data exfiltration, ransomware spreading
High (P2):     Production system compromise, confirmed malware execution, privileged account takeover
Medium (P3):   Non-production compromise, unsuccessful exploitation attempt, single endpoint malware
Low (P4):      Reconnaissance activity, policy violation, benign true positive

Response SLA targets:

P1: Acknowledge within 15 minutes, containment within 1 hour
P2: Acknowledge within 30 minutes, containment within 4 hours
P3: Acknowledge within 2 hours, investigation within 24 hours
P4: Acknowledge within 8 hours, investigation within 72 hours

Step 4: Perform Initial Enrichment

Before escalation, enrich the alert with contextual data:

Threat intelligence: Check IOCs (IP, hash, domain) against TI platforms (VirusTotal, OTX, MISP)
Asset context: Query CMDB for asset owner, business function, data classification
User context: Check identity provider for recent authentication anomalies, MFA status
Historical correlation: Search for related alerts on the same host/user in the past 30 days
Network context: Verify if source/destination IPs are internal, known partners, or external threat actors

Step 5: Document and Escalate

Create a structured triage record and route to the appropriate response tier:

Incident Triage Record
━━━━━━━━━━━━━━━━━━━━━
Ticket ID:       INC-2025-1547
Triage Analyst:  [analyst name]
Triage Time:     2025-11-15T14:35:00Z (12 min from alert)
Classification:  Malicious Code - Macro-based initial access
Severity:        P2 - High
Affected Assets: WORKSTATION-FIN-042 (Finance dept, handles PII)
Affected Users:  jsmith@corp.example.com
IOCs Identified: powershell.exe spawned by outlook.exe, encoded command
TI Matches:      Base64 payload matches known Qakbot loader pattern
Escalation:      Tier 2 - Malware IR team
Recommended:     Isolate endpoint, preserve memory dump, block sender domain

Step 6: Initiate Containment Hold

If severity is P1 or P2, initiate immediate containment actions while awaiting full investigation:

Network-isolate the affected endpoint via EDR (CrowdStrike contain, Defender isolate)
Disable compromised user accounts in Active Directory or identity provider
Block identified malicious IPs/domains at firewall and DNS sinkhole
Preserve volatile evidence (memory dump) before any remediation

Key Concepts

Term	Definition
Triage	Rapid assessment process to classify and prioritize security incidents based on severity and business impact
PICERL	SANS incident response framework: Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned
Dwell Time	Duration between initial compromise and detection; average is 10 days per Mandiant M-Trends 2025
True Positive Rate	Percentage of alerts from a detection rule that represent genuine security incidents
Crown Jewel Assets	Systems and data critical to business operations whose compromise would cause severe organizational impact
Alert Fatigue	Degraded analyst performance caused by high volumes of low-fidelity or false-positive alerts
Mean Time to Acknowledge (MTTA)	Average time from alert generation to analyst acknowledgment; key SOC performance metric

Tools & Systems

Splunk Enterprise Security: SIEM platform for alert aggregation, correlation, and triage workflow management
CrowdStrike Falcon: EDR platform providing endpoint telemetry, detection, and one-click host containment
TheHive: Open-source incident response platform for case management, task tracking, and team collaboration
MISP: Threat intelligence sharing platform for IOC enrichment during triage
Cortex XSOAR: SOAR platform for automating enrichment playbooks and triage decision trees

Common Scenarios

Scenario: Encoded PowerShell from Email Client

Context: SOC analyst receives a P2 alert showing powershell.exe with a Base64-encoded command spawned as a child process of outlook.exe on a finance department workstation.

Approach:

Decode the Base64 payload to determine the command intent
Check the parent process chain for anomalies (Outlook spawning PowerShell is abnormal)
Query VirusTotal for the decoded payload hash
Correlate with email gateway logs to identify the triggering email and sender
Check if other recipients in the organization received the same email
Isolate the endpoint and escalate to Tier 2 with full triage context

Pitfalls:

Dismissing encoded PowerShell as a false positive without decoding the payload
Failing to check for lateral spread to other recipients of the same phishing email
Remediating the endpoint before capturing volatile memory evidence

Output Format

INCIDENT TRIAGE REPORT
======================
Ticket:          INC-[YYYY]-[NNNN]
Date/Time:       [ISO 8601 timestamp]
Triage Analyst:  [Name]
Time to Triage:  [minutes from alert to classification]

CLASSIFICATION
Type:            [NIST category]
Severity:        [P1-P4] - [Critical/High/Medium/Low]
Confidence:      [High/Medium/Low]
MITRE ATT&CK:   [Technique ID and name]

AFFECTED SCOPE
Assets:          [hostname(s), IP(s)]
Users:           [account(s)]
Data at Risk:    [classification level]
Business Unit:   [department]

EVIDENCE SUMMARY
[Bullet list of key observations]

ENRICHMENT RESULTS
TI Matches:      [Yes/No - details]
Historical:      [Related prior incidents]
Asset Criticality: [rating]

RECOMMENDED ACTIONS
1. [Immediate action]
2. [Investigation step]
3. [Escalation target]

ESCALATION
Routed To:       [Team/Individual]
SLA Target:      [Containment deadline]