AI Skill Report Card
Analyzing Security Incidents
---
name: analyzing-security-incidents
description: Analyzes potential security incidents including phishing emails, SIEM alerts, and threat indicators using SOC analyst methodologies. Use when investigating suspicious activities, triaging alerts, or conducting incident response.
---
Security Incident Analysis
Quick Start (15 / 15)
Phishing Email Analysis:
1. Check sender reputation (domain age, SPF/DKIM/DMARC)
2. Analyze URLs (expand shortened links, check against threat intel)
3. Extract file hashes and scan attachments
4. Correlate with recent campaign patterns
5. Document IOCs and update threat feeds
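The five Quick Start steps above, worked as an added Python triage helper that is not part of the skill card: it reads the receiving MTA's Authentication-Results header for SPF/DKIM/DMARC (step 1), extracts URLs and flags shorteners that still need expanding (step 2), hashes attachments (step 3) and returns the IOC record to document (step 5). The sample message, the shortener list and the risky-extension list are constructed assumptions; domain age and campaign correlation (step 4) need online lookups and are left out.

```python
import email
import hashlib
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample (not a real email); Authentication-Results mimics what a receiving MTA stamps.
SAMPLE_EML = b"""From: "Account Team" <security@examp1e-login.test>
Subject: Urgent: Verify Your Account
Authentication-Results: mx.example.test; spf=fail smtp.mailfrom=examp1e-login.test; dkim=none; dmarc=fail
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Verify now: http://examp1e-login.test/verify?u=123 or https://bit.ly/3xyzabc
--b1
Content-Type: application/octet-stream
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="invoice.pdf.exe"

TVqQAAMAAAAEAAAA//8AAA==
--b1--
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}        # assumption: small sample list
RISKY_EXT = (".exe", ".scr", ".js", ".vbs", ".iso")  # assumption: small sample list

def triage_phishing(raw: bytes) -> dict:
    msg = email.message_from_bytes(raw, policy=policy.default)
    auth = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", str(msg.get("Authentication-Results", ""))))
    sender_domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    urls, attachments = [], []
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            data = part.get_payload(decode=True) or b""
            attachments.append({"filename": part.get_filename() or "", "sha256": hashlib.sha256(data).hexdigest()})
        elif part.get_content_type() == "text/plain":
            urls.extend(URL_RE.findall(part.get_content()))
    # Step 1: anything short of "pass" is a finding (domain age needs WHOIS/threat intel, not done offline).
    findings = [f"{m} result is {auth.get(m, 'missing')}" for m in ("spf", "dkim", "dmarc") if auth.get(m) != "pass"]
    # Step 2: shortened links must be expanded before they are checked against threat intel.
    findings += [f"shortened URL needs expansion: {u}" for u in urls if (urlparse(u).hostname or "") in SHORTENERS]
    # Step 3: executable attachments are flagged; the SHA-256 hashes are what the scanner and feeds take.
    findings += [f"executable attachment: {a['filename']}" for a in attachments if a["filename"].lower().endswith(RISKY_EXT)]
    # Step 5: the returned dict is the IOC record to document and push to the threat feed.
    return {"sender_domain": sender_domain, "auth_results": auth, "urls": urls, "attachments": attachments,
            "findings": findings, "verdict": "escalate" if findings else "no indicators found"}
```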
Recommendation: Add specific incident response templates or frameworks (e.g., NIST framework steps, MITRE ATT&CK mapping)
Workflow (15 / 15)
SIEM Alert Triage
Progress:
- Initial Assessment - Review alert severity, affected systems, timeline
- Context Gathering - Check user behavior, network activity, system logs
- Threat Classification - Determine if true positive, false positive, or needs escalation
- Containment - Isolate affected systems if confirmed threat
- Investigation - Deep dive into attack vectors and lateral movement
- Documentation - Record findings, IOCs, and remediation steps
- Lessons Learned - Update detection rules and playbooks
Incident Escalation Criteria
- Confirmed data exfiltration
- Privilege escalation detected
- Critical system compromise
- Advanced persistent threat indicators
- Multi-vector attack patterns
Recommendation: Include technical investigation commands or tools (network analysis, log parsing, forensic tools)
Examples (20 / 20)
Example 1: Phishing Email
Input: Suspicious email with "Urgent: Verify Your Account" subject
Output:
- Sender domain registered 2 days ago (red flag)
- URL redirects to credential harvesting site
- Similar emails sent to 50+ users
- Classification: High priority phishing campaign
- Action: Block domain, quarantine emails, user awareness alert
Example 2: SIEM Alert
Input: "Multiple failed login attempts" alert
Output:
- Source IP: Known botnet infrastructure
- Target: 15 privileged accounts
- Pattern: Credential stuffing attack
- Classification: True positive - attempted breach
- Action: Block IP ranges, force password resets, enable MFA
Recommendation: Provide more comprehensive coverage of incident types beyond phishing and SIEM alerts (malware analysis, insider threats, data breaches)
Best Practices
- Assume Breach Mentality - Investigate thoroughly even for "low" priority alerts
- Timeline Everything - Maintain precise chronology of events and actions
- Preserve Evidence - Create forensic images before analysis
- Threat Intel Integration - Cross-reference IOCs with current threat feeds
- Communication Protocol - Keep stakeholders informed with clear, factual updates
- Continuous Learning - Study attack techniques and update detection capabilities
Common Pitfalls
- Alert Fatigue - Don't dismiss repeated alerts without investigation
- Tunnel Vision - Look beyond initial indicators for related activity
- Premature Closure - Ensure complete eradication before closing incidents
- Documentation Gaps - Missing details hamper future investigations
- Solo Investigation - Collaborate with team members for complex incidents
- Tool Over-reliance - Combine automated analysis with manual investigation