AgentSkillsCN

response-recommender

针对安全检测结果,生成优先级分明的响应建议,包括遏制、调查与修复等行动方案——绝不自动执行。

SKILL.md
--- frontmatter
name: response-recommender
description: Generate prioritized response recommendations for security findings, including containment, investigation, and remediation actions - never auto-executes
version: 1.0.0
author: DeepTempo
tags:
  - soc
  - response
  - remediation
  - playbook
requires:
  - mcp/deeptempo-findings-server
  - mcp/case-store-server

Response Recommender

Generate response recommendations for security findings. Never auto-executes actions.

When to Use

Use this skill when:

  • A finding requires response actions
  • Building an incident response plan
  • Prioritizing remediation efforts
  • Documenting recommended actions for approval

Prerequisites

  • Access to the DeepTempo Findings Server MCP
  • Completed triage of the finding(s)
  • Understanding of available response capabilities

Critical Safety Note

This skill generates RECOMMENDATIONS only. All actions require human review and approval. Never auto-execute response actions.

Instructions

Step 1: Review the Finding

Gather context about what needs response:

code
get_finding(finding_id="<finding_id>")

Understand:

  • Severity and confidence levels
  • Entities involved
  • MITRE techniques detected
  • Current status

Step 2: Assess the Threat

Determine the threat characteristics:

FactorAssessment
SeverityCritical/High/Medium/Low
ConfidenceHigh/Medium/Low
ScopeSingle host/Multiple/Network-wide
StageEarly/Mid/Late attack chain
ActiveOngoing/Historical

Step 3: Identify Response Options

Based on threat assessment, consider:

Containment Options:

  • Network isolation
  • Account suspension
  • Process termination
  • Traffic blocking

Investigation Options:

  • Evidence collection
  • Scope expansion
  • Timeline analysis
  • Threat intelligence lookup

Remediation Options:

  • Malware removal
  • Credential reset
  • System rebuild
  • Configuration hardening

Step 4: Prioritize Actions

Order recommendations by:

  1. Immediate: Stop active threats
  2. Short-term: Contain and investigate
  3. Long-term: Remediate and prevent

Step 5: Generate Recommendations

Produce structured recommendations following the output format.

Output Format

markdown
# Response Recommendations

**Finding**: [Finding ID]
**Generated**: [Timestamp]
**Status**: REQUIRES HUMAN APPROVAL

## ⚠️ Important Notice

These are RECOMMENDATIONS only. All actions must be:
1. Reviewed by qualified personnel
2. Approved through proper channels
3. Executed with appropriate change control
4. Documented for audit purposes

## Threat Summary

| Attribute | Value |
|-----------|-------|
| Finding ID | [ID] |
| Severity | [level] |
| Confidence | [level] |
| Primary Technique | [technique] |
| Affected Entity | [entity] |
| Threat Status | [Active/Contained/Historical] |

## Response Priority

**Overall Priority**: [CRITICAL/HIGH/MEDIUM/LOW]

**Reasoning**: [Why this priority level]

## Recommended Actions

### 🔴 Immediate Actions (0-1 hour)

Actions to stop active threats:

#### Action 1: [Action Name]
- **Type**: [Containment/Investigation/Remediation]
- **Target**: [Specific target]
- **Description**: [Detailed description]
- **Prerequisites**: [What's needed first]
- **Risks**: [Potential negative impacts]
- **Rollback**: [How to undo if needed]

#### Action 2: [Action Name]
[Same structure]

### 🟠 Short-term Actions (1-24 hours)

Actions for containment and investigation:

#### Action 3: [Action Name]
[Same structure]

### 🟡 Long-term Actions (24+ hours)

Actions for remediation and prevention:

#### Action 4: [Action Name]
[Same structure]

## Investigation Steps

Recommended investigation to understand scope:

1. **[Step Name]**
   - Purpose: [Why this step]
   - Method: [How to do it]
   - Expected Output: [What you'll learn]

2. **[Step Name]**
   [Same structure]

## Evidence Preservation

Before taking action, preserve:

- [ ] [Evidence item 1]
- [ ] [Evidence item 2]
- [ ] [Evidence item 3]

## Escalation Criteria

Escalate to [team/role] if:
- [Condition 1]
- [Condition 2]
- [Condition 3]

## Communication Plan

| Stakeholder | When to Notify | Information to Share |
|-------------|----------------|---------------------|
| [Role] | [Timing] | [What to tell them] |

## Success Criteria

Response is successful when:
- [ ] [Criterion 1]
- [ ] [Criterion 2]
- [ ] [Criterion 3]

## Post-Incident Actions

After immediate response:
1. [Action]
2. [Action]
3. [Action]

---
*These recommendations were generated by Claude using the Response Recommender skill.*
*ALL ACTIONS REQUIRE HUMAN APPROVAL BEFORE EXECUTION.*

Response Playbooks by Technique

T1071 - Application Layer Protocol (C2)

Immediate:

  • Block destination IP/domain at firewall
  • Isolate affected host from network

Short-term:

  • Analyze beacon traffic patterns
  • Check for data exfiltration
  • Hunt for other affected hosts

Long-term:

  • Update detection rules
  • Review egress filtering
  • Conduct user awareness training

T1048 - Exfiltration Over Alternative Protocol

Immediate:

  • Block exfiltration destination
  • Isolate source host
  • Preserve network captures

Short-term:

  • Quantify data loss
  • Identify data accessed
  • Determine exfil method

Long-term:

  • Implement DLP controls
  • Review data classification
  • Enhance monitoring

T1059 - Command and Scripting Interpreter

Immediate:

  • Terminate malicious process
  • Isolate host if active
  • Capture process memory

Short-term:

  • Analyze script/command
  • Check for persistence
  • Review execution chain

Long-term:

  • Harden script execution policies
  • Implement application whitelisting
  • Enhance endpoint detection

T1021 - Remote Services (Lateral Movement)

Immediate:

  • Disable compromised credentials
  • Block lateral movement paths
  • Isolate source and target hosts

Short-term:

  • Map full movement path
  • Identify all accessed systems
  • Check for persistence on each

Long-term:

  • Implement network segmentation
  • Deploy privileged access management
  • Enable enhanced authentication logging

Risk Assessment

For each recommended action, assess:

Risk FactorQuestions
Business ImpactWill this disrupt operations?
False PositiveCould this be legitimate activity?
ReversibilityCan we undo this action?
DependenciesWhat else depends on this?
TimingIs now the right time?

Guidelines

  1. Safety first - Recommendations must never auto-execute
  2. Be specific - Vague recommendations aren't actionable
  3. Consider impact - Note business disruption risks
  4. Provide rollback - Every action should be reversible
  5. Prioritize clearly - Help responders know what's urgent
  6. Document everything - Enable audit and learning

Constraints

  • NEVER auto-execute any response action
  • ALWAYS include the human approval requirement
  • ALWAYS assess business impact of recommendations
  • ALWAYS provide rollback procedures
  • NEVER recommend actions beyond the finding's scope
  • ALWAYS preserve evidence before destructive actions