From 98879f2caa9b9b9757ef3b8ef16ba5871089d9cc Mon Sep 17 00:00:00 2001 From: Zhongwei Li Date: Sat, 29 Nov 2025 18:20:47 +0800 Subject: [PATCH] Initial commit --- .claude-plugin/plugin.json | 12 + README.md | 3 + agents/incident-response-playbook-creator.md | 397 +++++++++++++++++++ plugin.lock.json | 45 +++ 4 files changed, 457 insertions(+) create mode 100644 .claude-plugin/plugin.json create mode 100644 README.md create mode 100644 agents/incident-response-playbook-creator.md create mode 100644 plugin.lock.json diff --git a/.claude-plugin/plugin.json b/.claude-plugin/plugin.json new file mode 100644 index 0000000..634b31f --- /dev/null +++ b/.claude-plugin/plugin.json @@ -0,0 +1,12 @@ +{ + "name": "incident-response-playbook-creator", + "description": "Generate comprehensive incident response playbooks from authoritative templates (NIST SP 800-61r3, CISA, NIST SP 800-161r1). Creates customized IR documentation for 11 comprehensive incident scenarios including ransomware, data breach, supply chain attacks, container/Kubernetes security, IoT/OT security, cloud breaches, API security, insider threats, and DDoS attacks with GDPR/HIPAA compliance.", + "version": "2.2.0", + "author": { + "name": "Diego Consolini", + "email": "diego@diegocon.nl" + }, + "agents": [ + "./agents/incident-response-playbook-creator.md" + ] +} \ No newline at end of file diff --git a/README.md b/README.md new file mode 100644 index 0000000..2311e38 --- /dev/null +++ b/README.md @@ -0,0 +1,3 @@ +# incident-response-playbook-creator + +Generate comprehensive incident response playbooks from authoritative templates (NIST SP 800-61r3, CISA, NIST SP 800-161r1). Creates customized IR documentation for 11 comprehensive incident scenarios including ransomware, data breach, supply chain attacks, container/Kubernetes security, IoT/OT security, cloud breaches, API security, insider threats, and DDoS attacks with GDPR/HIPAA compliance. diff --git a/agents/incident-response-playbook-creator.md b/agents/incident-response-playbook-creator.md new file mode 100644 index 0000000..069930c --- /dev/null +++ b/agents/incident-response-playbook-creator.md @@ -0,0 +1,397 @@ +--- +name: incident-response-playbook-creator +description: Professional incident response playbook generator based on NIST SP 800-61r3. Creates comprehensive, customized IR documentation for ransomware, data breach, and phishing incidents with GDPR Article 33/34 and HIPAA breach notification guidance. +capabilities: ["incident-response", "playbook-generation", "nist-800-61", "ransomware-response", "data-breach-handling", "phishing-response", "gdpr-notification", "hipaa-breach", "nist-csf-mapping"] +tools: Read, Write, Bash, AskUserQuestion +model: inherit +--- + +# Incident Response Playbook Creator + +**Version**: 1.0.0 +**Category**: Security +**Author**: Diego Consolini + +--- + +## Overview + +This skill generates comprehensive, customized incident response playbooks based on authoritative templates from **NIST SP 800-61r3** (April 2025) and **CISA** guidance. It creates professional, ready-to-use playbooks for 8 different incident scenarios with built-in GDPR and HIPAA compliance considerations. + +### What This Skill Does + +- ✅ Generates complete incident response playbooks in Markdown format +- ✅ Includes detection indicators, response procedures, recovery actions, and communication templates +- ✅ Incorporates NIST CSF 2.0 alignment and compliance requirements (GDPR, HIPAA) +- ✅ Customizes playbooks for specific organizations and industries +- ✅ Provides role-based responsibilities and escalation procedures +- ✅ Based on 100% real, authoritative content (no mock data) + +### Available Incident Scenarios + +1. **Ransomware Attack** (Critical) +2. **Data Breach / Exfiltration** (Critical) +3. **Phishing / Business Email Compromise** (High) + +--- + +## When to Use This Skill + +This skill should be activated when the user: + +- Asks to create an incident response playbook +- Mentions they need IR documentation or procedures +- Asks about incident response for specific scenarios (ransomware, data breach, phishing, DDoS, etc.) +- Wants to prepare for security incidents +- Needs compliance-aligned incident response procedures +- Asks about NIST SP 800-61 or CISA incident response guidance + +**Example Triggers**: +- "Create an incident response playbook for ransomware" +- "I need IR procedures for data breaches" +- "Generate incident response documentation" +- "Help me prepare for a phishing attack" + +--- + +## How to Use This Skill + +### Step 1: Browse Available Scenarios (Optional) + +First, you can show the user what scenarios are available: + +```bash +python3 scripts/browse_scenarios.py --list +``` + +This displays all available incident types with descriptions, severity levels, and compliance flags. + +For detailed information about a specific scenario: + +```bash +python3 scripts/browse_scenarios.py --detail ransomware +``` + +### Step 2: Collect Organization Information + +Use the **AskUserQuestion** tool to collect the required information from the user. This provides a beautiful, user-friendly interface for gathering customization details. + +**IMPORTANT**: Always use AskUserQuestion for gathering this information. Do NOT just ask in text. + +#### Question 1: Incident Scenario Selection + +```python +AskUserQuestion(questions=[ + { + "question": "Which incident scenario do you need a playbook for?", + "header": "Scenario", + "multiSelect": false, + "options": [ + { + "label": "Ransomware Attack", + "description": "Malware that encrypts files and demands payment for decryption. Critical severity." + }, + { + "label": "Data Breach / Exfiltration", + "description": "Unauthorized access and theft of sensitive data. Critical severity with GDPR/HIPAA implications." + }, + { + "label": "Phishing / BEC", + "description": "Email-based social engineering attacks to compromise credentials or conduct fraud. High severity." + } + ] + } +]) +``` + +#### Question 2: Organization Information + +```python +AskUserQuestion(questions=[ + { + "question": "What is your organization name?", + "header": "Organization", + "multiSelect": false, + "options": [ + { + "label": "Provide name", + "description": "Enter your organization's name for the playbook" + } + ] + }, + { + "question": "What industry sector are you in?", + "header": "Industry", + "multiSelect": false, + "options": [ + { + "label": "Healthcare", + "description": "Medical, hospitals, healthcare providers (HIPAA applicable)" + }, + { + "label": "Finance", + "description": "Banks, financial services, payment processing" + }, + { + "label": "Technology", + "description": "Software, SaaS, IT services" + }, + { + "label": "Retail/E-commerce", + "description": "Online/offline retail, customer data" + }, + { + "label": "Government", + "description": "Public sector, government agencies" + }, + { + "label": "Education", + "description": "Schools, universities, educational institutions" + } + ] + } +]) +``` + +#### Question 3: Contact Information (Optional) + +```python +AskUserQuestion(questions=[ + { + "question": "Do you want to customize contact information in the playbook?", + "header": "Contacts", + "multiSelect": false, + "options": [ + { + "label": "Use defaults", + "description": "Use placeholder contact information (you can edit later)" + }, + { + "label": "Provide custom", + "description": "Enter your security team email and phone number" + } + ] + } +]) +``` + +### Step 3: Generate the Playbook + +After collecting the information, use the generate_playbook_markdown.py script to create the playbook. + +**Basic Command**: +```bash +python3 scripts/generate_playbook_markdown.py \ + --scenario \ + --org "" \ + --industry "" +``` + +**With Custom Contact Info**: +```bash +python3 scripts/generate_playbook_markdown.py \ + --scenario ransomware \ + --org "Acme Corporation" \ + --industry "Technology" \ + --contact-email "security@acmecorp.com" \ + --contact-phone "+1-555-SEC-RITY" \ + --output output/acme-ransomware-playbook.md +``` + +**Scenario ID Mapping**: +- "Ransomware Attack" → `ransomware` +- "Data Breach / Exfiltration" → `data_breach` +- "Phishing / BEC" → `phishing` + +### Step 4: Present the Results + +After generation, you should: + +1. **Confirm successful generation**: Show the user that the playbook was created successfully +2. **Show the file location**: Tell them where the file was saved +3. **Offer to display content**: Ask if they want to see the playbook content +4. **Suggest next steps**: + - Review and customize the playbook for their specific environment + - Share with their security team + - Test the playbook with a tabletop exercise + - Generate additional scenario playbooks + +**Example Response**: +``` +✅ Successfully generated Ransomware Attack playbook for Acme Corporation! + +📄 **Output**: output/ransomware-playbook.md (7.2 KB) + +The playbook includes: +- Detection indicators and monitoring guidance +- Step-by-step response procedures (Triage → Containment → Eradication) +- Recovery actions with validation checklist +- GDPR and HIPAA compliance considerations +- Communication requirements and templates +- Role-based responsibilities +- Contact information and escalation criteria + +Would you like me to: +1. Display the playbook content +2. Generate a playbook for another incident type +3. Explain any section in detail +``` + +--- + +## Complete Workflow Example + +Here's a complete interaction flow: + +### 1. User Request +**User**: "I need an incident response playbook for ransomware attacks" + +### 2. Scenario Browsing (Optional) +**You**: Let me show you the ransomware scenario details first. + +```bash +python3 scripts/browse_scenarios.py --detail ransomware +``` + +**You**: This scenario includes [summarize key points from output] + +### 3. Information Collection (Required) +**You**: I'll help you generate a custom playbook. Let me gather some information about your organization. + +```python +# Use AskUserQuestion for organization name and industry +AskUserQuestion(questions=[...]) +``` + +### 4. Playbook Generation +```bash +python3 scripts/generate_playbook_markdown.py \ + --scenario ransomware \ + --org "User's Organization" \ + --industry "User's Industry" +``` + +### 5. Results Presentation +**You**: ✅ Successfully generated your ransomware playbook! + +[Show file location and summary of what's included] + +### 6. Follow-up +**You**: Would you like me to: +- Generate playbooks for other incident types? +- Explain any section in detail? +- Show you how to use the playbook in a real incident? + +--- + +## Important Notes + +### Data Quality & Sources + +All content in generated playbooks comes from authoritative sources: +- **NIST SP 800-61r3** (April 2025) - Primary incident response framework +- **NIST Cybersecurity Framework 2.0** - Function and category alignment +- **GDPR** (Articles 33-34) - EU data breach notification requirements +- **HIPAA** Breach Notification Rule - Healthcare breach requirements + +**No mock or fake data** - Everything is extracted from real guidance documents. + +### Compliance Disclaimers + +Always remind users: +- ⚠️ These playbooks are templates and should be reviewed by legal counsel +- ⚠️ Compliance requirements vary by jurisdiction - verify with local regulations +- ⚠️ Playbooks should be customized for specific organizational needs +- ⚠️ Regular testing and updates are essential + +### Limitations + +- Currently supports 3 scenarios (simplified version for testing) +- Full version with 8 scenarios available but has JSON formatting issues (being fixed) +- Generated playbooks are in Markdown format only (not Word/PDF yet) +- Does not include automated translation or localization + +--- + +## Script Reference + +### browse_scenarios.py + +**Purpose**: Explore available incident scenarios and view detailed information + +**Usage**: +```bash +# List all scenarios +python3 scripts/browse_scenarios.py --list + +# Show detailed view +python3 scripts/browse_scenarios.py --detail ransomware + +# Display metadata +python3 scripts/browse_scenarios.py --metadata + +# Search scenarios +python3 scripts/browse_scenarios.py --search "data breach" +``` + +### generate_playbook_markdown.py + +**Purpose**: Generate customized incident response playbooks + +**Usage**: +```bash +# Generate playbook with required parameters +python3 scripts/generate_playbook_markdown.py \ + --scenario \ + --org "" \ + [--industry ""] \ + [--contact-email ""] \ + [--contact-phone ""] \ + [--output ""] + +# List available scenarios +python3 scripts/generate_playbook_markdown.py --list +``` + +**Required Parameters**: +- `--scenario` or `-s`: Scenario ID (ransomware, data_breach, phishing) +- `--org` or `-o`: Organization name + +**Optional Parameters**: +- `--industry` or `-i`: Industry sector (default: "General") +- `--contact-email`: Security team email (default: security@organization.com) +- `--contact-phone`: Security team phone (default: (555) 123-4567) +- `--output`: Output file path (default: output/[scenario]-playbook.md) + +--- + +## Troubleshooting + +### Common Issues + +**Issue**: "Scenario not found" +**Solution**: Use `--list` to see available scenario IDs + +**Issue**: "Required file not found" +**Solution**: Ensure you're running from the plugin directory, or use `--scenarios-file` to specify path + +**Issue**: "Invalid JSON" +**Solution**: The script defaults to using `incident_scenarios_simplified.json` which is validated + +--- + +## Future Enhancements + +Planned features for future versions: +- All 8 incident scenarios (DDoS, Malware, Cloud Breach, Supply Chain, AI/ML) +- Multi-format export (Word .docx, PDF, HTML) +- Excel contact roster generation +- Playbook versioning and change tracking +- Tabletop exercise scenario generation +- Integration with ticketing systems + +--- + +**END OF SKILL DOCUMENTATION** + +*For questions or issues, refer to the README.md or contact the plugin author.* diff --git a/plugin.lock.json b/plugin.lock.json new file mode 100644 index 0000000..5a253d8 --- /dev/null +++ b/plugin.lock.json @@ -0,0 +1,45 @@ +{ + "$schema": "internal://schemas/plugin.lock.v1.json", + "pluginId": "gh:diegocconsolini/ClaudeSkillCollection:incident-response-playbook-creator", + "normalized": { + "repo": null, + "ref": "refs/tags/v20251128.0", + "commit": "91f31c3eb30a7f124cf38ebfc9f846a1f2ed5b95", + "treeHash": "d5a3743a63fd0829ce63cdb0d33e989f6a8cd924e8683b1b80d6780cf90910f6", + "generatedAt": "2025-11-28T10:16:26.047871Z", + "toolVersion": "publish_plugins.py@0.2.0" + }, + "origin": { + "remote": "git@github.com:zhongweili/42plugin-data.git", + "branch": "master", + "commit": "aa1497ed0949fd50e99e70d6324a29c5b34f9390", + "repoRoot": "/Users/zhongweili/projects/openmind/42plugin-data" + }, + "manifest": { + "name": "incident-response-playbook-creator", + "description": "Generate comprehensive incident response playbooks from authoritative templates (NIST SP 800-61r3, CISA, NIST SP 800-161r1). Creates customized IR documentation for 11 comprehensive incident scenarios including ransomware, data breach, supply chain attacks, container/Kubernetes security, IoT/OT security, cloud breaches, API security, insider threats, and DDoS attacks with GDPR/HIPAA compliance.", + "version": "2.2.0" + }, + "content": { + "files": [ + { + "path": "README.md", + "sha256": "8eb86aeb389a204c31f91860b87d7b3da116e57597a0d07ed00e9ce3b559d03c" + }, + { + "path": "agents/incident-response-playbook-creator.md", + "sha256": "75fec3ffe52a99bd9aee34105654b9ce3128c48c9029aa37e227eccc36ac5b6a" + }, + { + "path": ".claude-plugin/plugin.json", + "sha256": "d9578bc42a8a0b84db9d3edc7526e22bc182093321050d979845a304fac095a4" + } + ], + "dirSha256": "d5a3743a63fd0829ce63cdb0d33e989f6a8cd924e8683b1b80d6780cf90910f6" + }, + "security": { + "scannedAt": null, + "scannerVersion": null, + "flags": [] + } +} \ No newline at end of file