incident-response-playbook-creator
Install this agent skill to your Project

npx add-skill https://github.com/diegocconsolini/ClaudeSkillCollection/tree/main/incident-response-playbook-creator

SKILL.md

Incident Response Playbook Creator

Version: 2.2.0
Category: Security
Author: Diego Consolini


Overview

This skill generates comprehensive, customized incident response playbooks based on authoritative templates from NIST SP 800-61r3 (April 2025), CISA guidance, and specialized NIST publications (SP 800-161r1, SP 800-190, SP 800-82r3, SP 800-218). It creates professional, ready-to-use playbooks for 11 different incident scenarios with built-in GDPR and HIPAA compliance considerations.

What This Skill Does

  • ✅ Generates complete incident response playbooks in Markdown format
  • ✅ Includes detection indicators, response procedures, recovery actions, and communication templates
  • ✅ Incorporates NIST CSF 2.0 alignment and compliance requirements (GDPR, HIPAA)
  • ✅ Customizes playbooks for specific organizations and industries
  • ✅ Provides role-based responsibilities and escalation procedures
  • ✅ Based on 100% real, authoritative content (no mock data)

Available Incident Scenarios (11 Total)

Traditional Attacks:

  1. Ransomware Attack (Critical)
  2. Data Breach / Exfiltration (Critical)
  3. Phishing / Business Email Compromise (High)

Modern Attack Vectors:

  4. AI/ML Security Incident (High)
  5. Supply Chain Attack (Critical)
  6. Container/Kubernetes Security Incident (High)

Critical Infrastructure & Cloud:

  7. IoT/OT Security Incident (Critical)
  8. Cloud Security Breach (Critical)
  9. API Security Incident (High)

Insider & Availability Threats:

  10. Insider Threat (Critical)
  11. DDoS Attack (High)


When to Use This Skill

This skill should be activated when the user:

  • Asks to create an incident response playbook
  • Mentions they need IR documentation or procedures
  • Asks about incident response for specific scenarios (ransomware, data breach, phishing, DDoS, etc.)
  • Wants to prepare for security incidents
  • Needs compliance-aligned incident response procedures
  • Asks about NIST SP 800-61 or CISA incident response guidance

Example Triggers:

Traditional Attacks:

  • "Create an incident response playbook for ransomware"
  • "I need IR procedures for data breaches"
  • "Generate incident response documentation"
  • "Help me prepare for a phishing attack"

Modern Attack Vectors:

  • "Create playbook for AI/ML security incidents"
  • "I need response procedures for supply chain attacks"
  • "Generate IR playbook for software supply chain compromise"
  • "Help with container security incident response"
  • "Kubernetes security breach procedures"
  • "Docker security incident playbook"

Critical Infrastructure & Cloud:

  • "IoT security incident response"
  • "OT security breach procedures"
  • "Industrial control system incident playbook"
  • "SCADA security incident response"
  • "Cloud security breach playbook"
  • "S3 bucket breach incident response"
  • "IAM compromise procedures"
  • "API security incident playbook"
  • "API vulnerability response procedures"

Insider & Availability Threats:

  • "Insider threat response playbook"
  • "Malicious insider incident procedures"
  • "Employee data theft response"
  • "DDoS attack incident response"
  • "Denial of service attack playbook"

How to Use This Skill

Step 1: Browse Available Scenarios (Optional)

First, you can show the user what scenarios are available:

```bash
python3 scripts/browse_scenarios.py --list
```

This displays all available incident types with descriptions, severity levels, and compliance flags.

For detailed information about a specific scenario:

```bash
python3 scripts/browse_scenarios.py --detail ransomware
```

Step 2: Collect Organization Information

Use the AskUserQuestion tool to collect the required information from the user. This provides a beautiful, user-friendly interface for gathering customization details.

IMPORTANT: Always use AskUserQuestion for gathering this information. Do NOT just ask in text.

Question 1: Incident Scenario Selection

Present scenarios in groups for better organization. You can use multiple questions or present options by category.

Option A: Single Question with All Scenarios (11 options - use if user hasn't specified)

```python
AskUserQuestion(questions=[
    {
        "question": "Which incident scenario do you need a playbook for?",
        "header": "Scenario",
        "multiSelect": false,
        "options": [
            {
                "label": "Ransomware Attack",
                "description": "Malware that encrypts files and demands payment. Critical severity, GDPR/HIPAA applicable."
            },
            {
                "label": "Data Breach",
                "description": "Unauthorized access and data theft. Critical severity, comprehensive compliance guidance."
            },
            {
                "label": "Phishing / BEC",
                "description": "Email-based social engineering and fraud. High severity."
            },
            {
                "label": "AI/ML Security",
                "description": "Adversarial attacks on machine learning models. High severity."
            },
            {
                "label": "Supply Chain Attack",
                "description": "Compromise through third-party software/services. Critical severity."
            },
            {
                "label": "Container/Kubernetes",
                "description": "Container escape or cluster compromise. High severity."
            },
            {
                "label": "IoT/OT Security",
                "description": "Industrial control systems and SCADA security. Critical severity."
            },
            {
                "label": "Cloud Breach",
                "description": "S3 exposure, IAM compromise, cloud misconfigurations. Critical severity."
            },
            {
                "label": "API Security",
                "description": "API vulnerabilities and data exposure. High severity."
            },
            {
                "label": "Insider Threat",
                "description": "Malicious or negligent insider actions. Critical severity."
            },
            {
                "label": "DDoS Attack",
                "description": "Distributed denial of service attacks. High severity."
            }
        ]
    }
])
```

Option B: Category-Based Question (if user mentioned a category)

```python
# If user mentioned "cloud" or "container" etc., show relevant options
AskUserQuestion(questions=[
    {
        "question": "Which modern attack scenario are you concerned about?",
        "header": "Scenario",
        "multiSelect": false,
        "options": [
            {
                "label": "AI/ML Security Incident",
                "description": "Model poisoning, adversarial attacks, inference manipulation"
            },
            {
                "label": "Supply Chain Attack",
                "description": "SolarWinds-style attacks, dependency vulnerabilities"
            },
            {
                "label": "Container/Kubernetes Security",
                "description": "Container escape, cluster compromise, orchestration attacks"
            }
        ]
    }
])
```

Question 2: Organization Information

```python
AskUserQuestion(questions=[
    {
        "question": "What is your organization name?",
        "header": "Organization",
        "multiSelect": false,
        "options": [
            {
                "label": "Provide name",
                "description": "Enter your organization's name for the playbook"
            }
        ]
    },
    {
        "question": "What industry sector are you in?",
        "header": "Industry",
        "multiSelect": false,
        "options": [
            {
                "label": "Healthcare",
                "description": "Medical, hospitals, healthcare providers (HIPAA applicable)"
            },
            {
                "label": "Finance",
                "description": "Banks, financial services, payment processing"
            },
            {
                "label": "Technology",
                "description": "Software, SaaS, IT services"
            },
            {
                "label": "Retail/E-commerce",
                "description": "Online/offline retail, customer data"
            },
            {
                "label": "Government",
                "description": "Public sector, government agencies"
            },
            {
                "label": "Education",
                "description": "Schools, universities, educational institutions"
            }
        ]
    }
])
```

Question 3: Contact Information (Optional)

```python
AskUserQuestion(questions=[
    {
        "question": "Do you want to customize contact information in the playbook?",
        "header": "Contacts",
        "multiSelect": false,
        "options": [
            {
                "label": "Use defaults",
                "description": "Use placeholder contact information (you can edit later)"
            },
            {
                "label": "Provide custom",
                "description": "Enter your security team email and phone number"
            }
        ]
    }
])
```

Step 3: Generate the Playbook

After collecting the information, use the generate_playbook_markdown.py script to create the playbook.

Basic Command:

```bash
python3 scripts/generate_playbook_markdown.py \
  --scenario <scenario_id> \
  --org "<Organization Name>" \
  --industry "<Industry>"
```

With Custom Contact Info:

```bash
python3 scripts/generate_playbook_markdown.py \
  --scenario ransomware \
  --org "Acme Corporation" \
  --industry "Technology" \
  --contact-email "security@acmecorp.com" \
  --contact-phone "+1-555-SEC-RITY" \
  --output output/acme-ransomware-playbook.md
```

Scenario ID Mapping:

  • "Ransomware Attack" → ransomware
  • "Data Breach" / "Data Breach / Exfiltration" → data_breach
  • "Phishing / BEC" → phishing
  • "AI/ML Security" / "AI/ML Security Incident" → ai_ml_attack
  • "Supply Chain Attack" → supply_chain_attack
  • "Container/Kubernetes" / "Container/Kubernetes Security" → container_kubernetes_security
  • "IoT/OT Security" / "IoT/OT Security Incident" → iot_ot_security
  • "Cloud Breach" / "Cloud Security Breach" → cloud_security_breach
  • "API Security" / "API Security Incident" → api_security_incident
  • "Insider Threat" → insider_threat
  • "DDoS Attack" → ddos_attack
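As an added example (not one of the skill's own scripts), the Python below resolves the label a user picked in the AskUserQuestion options, or an entry from the mapping above, to its scenario ID and assembles the generate_playbook_markdown.py command line. Optional flags are emitted only when a value was collected, so the script's documented defaults apply otherwise; an unknown label fails the way the "Scenario not found" error does, listing the valid IDs. The scenario table and label variants are constructed from this document, the flag names are the ones in the Script Reference, and the command is only built, not executed.

```python
"""Resolve a scenario label to the scenario ID used by generate_playbook_markdown.py
and assemble the command line with the documented defaults.

Added example, not part of the skill's scripts. The tables below are
constructed from the 11 scenarios listed in SKILL.md. The command is built,
never executed.
"""
import re
import shlex

# Scenario IDs and their documented severities (constructed from the mapping list).
SCENARIOS = {
    "ransomware": "Critical",
    "data_breach": "Critical",
    "phishing": "High",
    "ai_ml_attack": "High",
    "supply_chain_attack": "Critical",
    "container_kubernetes_security": "High",
    "iot_ot_security": "Critical",
    "cloud_security_breach": "Critical",
    "api_security_incident": "High",
    "insider_threat": "Critical",
    "ddos_attack": "High",
}

# Labels used by the AskUserQuestion options and the mapping list, lower-cased.
LABEL_TO_ID = {
    "ransomware attack": "ransomware",
    "data breach": "data_breach",
    "data breach / exfiltration": "data_breach",
    "phishing / bec": "phishing",
    "phishing / business email compromise": "phishing",
    "ai/ml security": "ai_ml_attack",
    "ai/ml security incident": "ai_ml_attack",
    "supply chain attack": "supply_chain_attack",
    "container/kubernetes": "container_kubernetes_security",
    "container/kubernetes security": "container_kubernetes_security",
    "container/kubernetes security incident": "container_kubernetes_security",
    "iot/ot security": "iot_ot_security",
    "iot/ot security incident": "iot_ot_security",
    "cloud breach": "cloud_security_breach",
    "cloud security breach": "cloud_security_breach",
    "api security": "api_security_incident",
    "api security incident": "api_security_incident",
    "insider threat": "insider_threat",
    "ddos attack": "ddos_attack",
}


def _normalize(label: str) -> str:
    # Lower-case and collapse whitespace so "Data Breach  / Exfiltration" still matches.
    return re.sub(r"\s+", " ", label.strip().lower())


def resolve_scenario_id(label_or_id: str) -> str:
    """Return a valid scenario ID for a user-facing label or a raw ID.

    Raises ValueError listing the valid IDs (what --list would show) when
    nothing matches, mirroring the script's "Scenario not found" error.
    """
    key = _normalize(label_or_id)
    if key in SCENARIOS:
        return key
    if key in LABEL_TO_ID:
        return LABEL_TO_ID[key]
    raise ValueError(
        f"Scenario not found: {label_or_id!r}. Valid IDs: {', '.join(SCENARIOS)}"
    )


def build_generate_command(scenario, org, industry=None, contact_email=None,
                           contact_phone=None, output=None):
    """Assemble argv for generate_playbook_markdown.py.

    Optional flags are added only when a value was collected; otherwise the
    script's documented defaults apply (industry "General", placeholder
    contacts, output/<scenario>-playbook.md).
    """
    scenario_id = resolve_scenario_id(scenario)
    if not org or not org.strip():
        raise ValueError("--org is required")
    argv = ["python3", "scripts/generate_playbook_markdown.py",
            "--scenario", scenario_id, "--org", org]
    optional = (("--industry", industry), ("--contact-email", contact_email),
                ("--contact-phone", contact_phone), ("--output", output))
    for flag, value in optional:
        if value:
            argv += [flag, value]
    return argv


def expected_output_path(argv):
    """Path the script would write: --output if present, else the documented default."""
    if "--output" in argv:
        return argv[argv.index("--output") + 1]
    return f"output/{argv[argv.index('--scenario') + 1]}-playbook.md"


if __name__ == "__main__":
    cmd = build_generate_command("Data Breach / Exfiltration", "Acme Corporation",
                                 industry="Healthcare")
    print(shlex.join(cmd))
    print("expected output:", expected_output_path(cmd))
```

Passing the assembled list to subprocess.run (rather than a shell string) keeps an organization name containing quotes or spaces intact, which is why the example builds argv rather than a one-line command.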

Step 4: Present the Results

After generation, you should:

  1. Confirm successful generation: Show the user that the playbook was created successfully
  2. Show the file location: Tell them where the file was saved
  3. Offer to display content: Ask if they want to see the playbook content
  4. Suggest next steps:
    • Review and customize the playbook for their specific environment
    • Share with their security team
    • Test the playbook with a tabletop exercise
    • Generate additional scenario playbooks

Example Response:

✅ Successfully generated Ransomware Attack playbook for Acme Corporation!

📄 **Output**: output/ransomware-playbook.md (7.2 KB)

The playbook includes:
- Detection indicators and monitoring guidance
- Step-by-step response procedures (Triage → Containment → Eradication)
- Recovery actions with validation checklist
- GDPR and HIPAA compliance considerations
- Communication requirements and templates
- Role-based responsibilities
- Contact information and escalation criteria

Would you like me to:
1. Display the playbook content
2. Generate a playbook for another incident type
3. Explain any section in detail

Complete Workflow Example

Here's a complete interaction flow:

1. User Request

User: "I need an incident response playbook for ransomware attacks"

2. Scenario Browsing (Optional)

You: Let me show you the ransomware scenario details first.

```bash
python3 scripts/browse_scenarios.py --detail ransomware
```

You: This scenario includes [summarize key points from output]

3. Information Collection (Required)

You: I'll help you generate a custom playbook. Let me gather some information about your organization.

```python
# Use AskUserQuestion for organization name and industry
AskUserQuestion(questions=[...])
```

4. Playbook Generation

```bash
python3 scripts/generate_playbook_markdown.py \
  --scenario ransomware \
  --org "User's Organization" \
  --industry "User's Industry"
```

5. Results Presentation

You: ✅ Successfully generated your ransomware playbook!

[Show file location and summary of what's included]

6. Follow-up

You: Would you like me to:

  • Generate playbooks for other incident types?
  • Explain any section in detail?
  • Show you how to use the playbook in a real incident?

Important Notes

Data Quality & Sources

All content in generated playbooks comes from authoritative sources:

  • NIST SP 800-61r3 (April 2025) - Primary incident response framework
  • NIST Cybersecurity Framework 2.0 - Function and category alignment
  • GDPR (Articles 33-34) - EU data breach notification requirements
  • HIPAA Breach Notification Rule - Healthcare breach requirements

No mock or fake data - Everything is extracted from real guidance documents.

Compliance Disclaimers

Always remind users:

  • ⚠️ These playbooks are templates and should be reviewed by legal counsel
  • ⚠️ Compliance requirements vary by jurisdiction - verify with local regulations
  • ⚠️ Playbooks should be customized for specific organizational needs
  • ⚠️ Regular testing and updates are essential

Limitations

  • Generated playbooks are in Markdown format only (Word/PDF export planned)
  • Does not include automated translation or localization
  • Contact information uses placeholders by default
  • Requires manual customization for organization-specific tools and systems

Script Reference

browse_scenarios.py

Purpose: Explore available incident scenarios and view detailed information

Usage:

```bash
# List all scenarios
python3 scripts/browse_scenarios.py --list

# Show detailed view
python3 scripts/browse_scenarios.py --detail ransomware

# Display metadata
python3 scripts/browse_scenarios.py --metadata

# Search scenarios
python3 scripts/browse_scenarios.py --search "data breach"
```

generate_playbook_markdown.py

Purpose: Generate customized incident response playbooks

Usage:

```bash
# Generate playbook with required parameters
python3 scripts/generate_playbook_markdown.py \
  --scenario <scenario_id> \
  --org "<Organization Name>" \
  [--industry "<Industry>"] \
  [--contact-email "<email>"] \
  [--contact-phone "<phone>"] \
  [--output "<path>"]

# List available scenarios
python3 scripts/generate_playbook_markdown.py --list
```

Required Parameters:

  • --scenario or -s: Scenario ID (see 11 scenarios above)
  • --org or -o: Organization name

Optional Parameters:

  • --industry or -i: Industry sector (default: "General")
  • --contact-email: Security team email (default: security@organization.com)
  • --contact-phone: Security team phone (default: (555) 123-4567)
  • --output: Output file path (default: output/[scenario]-playbook.md)

Troubleshooting

Common Issues

Issue: "Scenario not found"
Solution: Use --list to see available scenario IDs.

Issue: "Required file not found"
Solution: Ensure you're running from the plugin directory, or use --scenarios-file to specify the path.

Issue: "Invalid JSON"
Solution: The script defaults to incident_scenarios_v2.json (v2.0.0+), which contains 11 validated scenarios.
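An added example, not the project's browse_scenarios.py, showing how a catalogue loader can surface the two file-level errors above together with the documented remedy (the default file name, an overridable path as --scenarios-file allows, a missing file, and malformed JSON), and how a --search style match and a --list style line over the loaded entries work. The JSON layout (a top-level "scenarios" list whose entries carry id, name, severity, description and compliance) and the three sample entries are assumptions constructed for this example; the schema of the real incident_scenarios_v2.json is not described on this page.

```python
"""Load a scenario catalogue with the documented failure modes handled, then
list and search it. Added example; not the skill's browse_scenarios.py.

The catalogue schema is an assumption made for this example.
"""
import json
import os
import tempfile

DEFAULT_SCENARIOS_FILE = "incident_scenarios_v2.json"

# Constructed sample catalogue with three of the page's scenarios (assumed schema).
SAMPLE_CATALOGUE = {
    "version": "2.0.0",
    "scenarios": [
        {"id": "ransomware", "name": "Ransomware Attack", "severity": "Critical",
         "description": "Malware that encrypts files and demands payment.",
         "compliance": ["GDPR", "HIPAA"]},
        {"id": "data_breach", "name": "Data Breach / Exfiltration", "severity": "Critical",
         "description": "Unauthorized access and data theft.",
         "compliance": ["GDPR", "HIPAA"]},
        {"id": "ddos_attack", "name": "DDoS Attack", "severity": "High",
         "description": "Distributed denial of service attacks.",
         "compliance": []},
    ],
}


class CatalogueError(Exception):
    """User-facing error carrying the documented remedy."""


def load_catalogue(path=None):
    """Read the scenarios list from path (default incident_scenarios_v2.json).

    A missing file and malformed JSON each raise CatalogueError with the
    message and remedy the Troubleshooting section gives.
    """
    path = path or DEFAULT_SCENARIOS_FILE
    try:
        with open(path, encoding="utf-8") as fh:
            data = json.load(fh)
    except FileNotFoundError:
        raise CatalogueError(
            f"Required file not found: {path}. Run from the plugin directory "
            "or pass --scenarios-file <path>.") from None
    except json.JSONDecodeError as exc:
        raise CatalogueError(
            f"Invalid JSON in {path} (line {exc.lineno}): {exc.msg}") from None
    scenarios = data.get("scenarios") if isinstance(data, dict) else None
    if not isinstance(scenarios, list):
        raise CatalogueError(f"Invalid JSON in {path}: expected a top-level 'scenarios' list")
    return scenarios


def search_scenarios(scenarios, query):
    """Case-insensitive substring match on id, name and description (--search style)."""
    q = query.lower()
    return [s for s in scenarios
            if q in s["id"].lower() or q in s["name"].lower()
            or q in s.get("description", "").lower()]


def list_line(s):
    """One --list style line: id, severity, compliance flags, name."""
    flags = ",".join(s.get("compliance", [])) or "-"
    return f"{s['id']:<16} {s['severity']:<9} {flags:<10} {s['name']}"


def write_sample_file(directory=None, name=DEFAULT_SCENARIOS_FILE, text=None):
    """Write the sample catalogue (or the given raw text) to directory/name.

    With no directory a fresh temporary directory is created, so the example
    never touches the plugin's real catalogue.
    """
    directory = directory or tempfile.mkdtemp(prefix="scenarios-")
    path = os.path.join(directory, name)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(text if text is not None else json.dumps(SAMPLE_CATALOGUE))
    return path


if __name__ == "__main__":
    path = write_sample_file()
    catalogue = load_catalogue(path)
    for entry in catalogue:
        print(list_line(entry))
    print("search 'data breach':", [s["id"] for s in search_scenarios(catalogue, "data breach")])
    broken = write_sample_file(os.path.dirname(path), "broken.json", "{not json")
    for bad in (os.path.join(os.path.dirname(path), "missing.json"), broken):
        try:
            load_catalogue(bad)
        except CatalogueError as err:
            print("error:", err)
```

Raising one exception type for both failures lets a thin CLI wrapper print the message and exit non-zero without the user seeing a Python traceback, which is what the "Scenario not found" and "Required file not found" strings in the Troubleshooting section are for.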


Future Enhancements

Planned features for future versions:

  • Multi-format export (Word .docx, PDF, HTML)
  • Excel contact roster generation
  • Playbook versioning and change tracking
  • Tabletop exercise scenario generation
  • Integration with ticketing systems (Jira, ServiceNow)
  • Automated playbook testing and validation
  • Custom scenario creation from templates
  • Translation and localization support

END OF SKILL DOCUMENTATION

For questions or issues, refer to the README.md or contact the plugin author.
