---
id: skill:ir-playbook
type: skill
title: 'Sample skill: Building Incident Response Playbooks'
status: active
confidence: 0.9
sources:
  - 2026-05-09-cybersec-skill-ir-playbook.md
created: 2026-05-09
updated: 2026-05-09
updated_log:
  - 2026-05-09: created
tiers: semantic
half_life_days: 180
tags: [skill-sample, incident-response, playbook, soar]
---

# Sample skill — Building Incident Response Playbooks

## Summary

A worked example skill from the incident-response domain. Use it when establishing or maturing an IR program, documenting procedures for a new attack type, automating workflows in a SOAR platform (Cortex XSOAR / Splunk SOAR), preparing for compliance audits (SOC 2, PCI-DSS, HIPAA), or running a gap analysis against specific threat scenarios. The skill produces structured playbooks aligned to NIST SP 800-61r3 and SANS PICERL — with RACI matrices, decision trees, escalation criteria, tool-specific procedures (e.g. CrowdStrike Falcon containment, BIND DNS sinkhole), SOAR integration boundaries, and tabletop-driven validation.

## Claims

- Skill name: `building-incident-response-playbook`. Domain: cybersecurity, subdomain: incident-response. Version 1.0.0, Apache-2.0. `[src: raw/2026-05-09-cybersec-skill-ir-playbook.md] {conf: 0.95}`
- Frontmatter declares **both** `mitre_attack: [T1190, T1566, T1078]` (Initial-Access techniques the playbooks address) and `nist_csf: [RS.MA-01, RS.MA-02, RS.AN-03, RC.RP-01]` (4 NIST CSF subcategories spanning Respond and Recover). No atlas/d3fend/ai_rmf fields. `[src: raw/2026-05-09-cybersec-skill-ir-playbook.md] {conf: 0.95}`
- The skill aligns playbooks to two industry standards: **NIST SP 800-61r3** (the 2025 revision of the U.S. federal IR guideline, itself written as a NIST CSF 2.0 Community Profile, which is why the `nist_csf` field maps cleanly) and **SANS PICERL** (Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned). `[src: raw/2026-05-09-cybersec-skill-ir-playbook.md] {conf: 0.9}`
- Top-10 priority playbooks (build first): ransomware, phishing/credential compromise, BEC, malware infection, data breach/exfiltration, DDoS, insider threat, account takeover, web app compromise, cloud infra compromise. `[src: raw/2026-05-09-cybersec-skill-ir-playbook.md] {conf: 0.9}`
- Tools called out: Cortex XSOAR (700+ integrations, War Room), Splunk SOAR (2,800+ automated actions), TheHive (open-source IR platform), Confluence/GitLab Wiki, Tines (no-code automation), CrowdStrike Falcon (Contain Host), BIND DNS sinkhole. `[src: raw/2026-05-09-cybersec-skill-ir-playbook.md] {conf: 0.85}`
- Output format includes RACI matrix columns (SOC L1/L2, IR Lead, Legal, Comms), procedure steps, decision tree, escalation matrix, and target metrics: MTTA 15 min, MTTC 1 hour, MTTR 4 hours. `[src: raw/2026-05-09-cybersec-skill-ir-playbook.md] {conf: 0.9}`
- Anti-patterns explicitly flagged: writing overly generic procedures without tool-specific commands, missing user-communication plans, no criteria for promoting a phishing report to full incident, no version control or review cadence. `[src: raw/2026-05-09-cybersec-skill-ir-playbook.md] {conf: 0.85}`
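The output-format and anti-pattern claims above are easier to act on as playbook-as-code. The block below is an added example, not code from the skill or from any SOAR vendor: it models a PICERL-phased playbook with RACI owners, a promotion rule for turning a phishing *report* into an *incident* (the missing-criteria anti-pattern), per-incident MTTA/MTTC/MTTR against the 15 min / 1 h / 4 h targets, and a lint for the other flagged anti-patterns. The promotion thresholds, the sample playbook, the command strings and the reading of MTTA/MTTC/MTTR as acknowledge/contain/recover measured from detection are all assumptions.

```python
"""Playbook-as-code helpers (added example, not the skill's own code).
Thresholds, sample steps and command strings are illustrative assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Target metrics named by the skill, read as acknowledge / contain / recover.
TARGETS = {
    "MTTA": timedelta(minutes=15),
    "MTTC": timedelta(hours=1),
    "MTTR": timedelta(hours=4),
}


@dataclass
class Step:
    phase: str                      # a PICERL phase name
    action: str
    responsible: str                # the RACI "R" role, e.g. "SOC L2"
    command: Optional[str] = None   # tool-specific command; None is a lint finding


@dataclass
class Playbook:
    name: str
    version: str                    # version-controlled artefact, not a wiki page
    next_review: datetime           # review cadence is part of the playbook
    steps: list = field(default_factory=list)


def should_promote(report: dict) -> tuple:
    """Decide whether a phishing report becomes a full incident.
    Returns (promote, reasons). Rules are hypothetical; set your own."""
    reasons = []
    if report.get("credentials_entered"):
        reasons.append("user submitted credentials (T1566 leading to T1078 risk)")
    if report.get("attachment_opened"):
        reasons.append("attachment executed on an endpoint")
    if report.get("recipients", 0) >= 10:
        reasons.append("campaign scope of 10 or more recipients")
    if report.get("sender_spoofs_exec"):
        reasons.append("executive impersonation (BEC indicator)")
    return bool(reasons), reasons


def sla_status(detected: datetime, acknowledged: datetime,
               contained: datetime, recovered: datetime) -> dict:
    """Per-incident MTTA/MTTC/MTTR, each measured from detection, with breach flags."""
    elapsed = {
        "MTTA": acknowledged - detected,
        "MTTC": contained - detected,
        "MTTR": recovered - detected,
    }
    return {k: {"elapsed": v, "target": TARGETS[k], "breached": v > TARGETS[k]}
            for k, v in elapsed.items()}


def lint_playbook(pb: Playbook, now: datetime) -> list:
    """Flag the anti-patterns the skill calls out: generic steps without a
    tool command, no user-communication step, and an overdue review."""
    findings = []
    for s in pb.steps:
        if s.command is None:
            findings.append(f"generic step without tool-specific command: {s.phase}/{s.action}")
    if not any("communicat" in s.action.lower() for s in pb.steps):
        findings.append("no user-communication step")
    if pb.next_review < now:
        findings.append(f"review overdue since {pb.next_review:%Y-%m-%d}")
    return findings


# Constructed sample playbook; command strings are placeholders, not real CLI syntax.
SAMPLE_PLAYBOOK = Playbook(
    name="phishing-credential-compromise",
    version="1.0.0",
    next_review=datetime(2026, 11, 9),
    steps=[
        Step("Identification", "Triage user-reported phishing email", "SOC L1",
             command="mail-gateway: pull headers and URL verdicts for the message id"),
        Step("Containment", "Network-contain the affected endpoint", "SOC L2",
             command="CrowdStrike Falcon: Contain Host on the device id"),
        Step("Containment", "Sinkhole the phishing domain", "SOC L2",
             command="BIND: add the domain to the RPZ sinkhole zone"),
        Step("Eradication", "Reset the user's credentials and revoke sessions", "SOC L2"),
        Step("Recovery", "Communicate status to affected users", "Comms",
             command="send approved user-notice template"),
    ],
)

if __name__ == "__main__":
    print(should_promote({"credentials_entered": True, "recipients": 3}))
    print(lint_playbook(SAMPLE_PLAYBOOK, datetime(2026, 5, 9)))
```

`lint_playbook` is the check to run in CI on every playbook change; the one finding it raises on the sample (the credential-reset step has no command) is exactly the "overly generic procedure" anti-pattern the skill flags.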

## Relationships

- categorized-as → [[domain:incident-response]] `{conf: 0.9}`
- uses → [[tool:cortex-xsoar]] `{conf: 0.85}`
- uses → [[tool:splunk-soar]] `{conf: 0.85}`
- uses → [[tool:thehive]] `{conf: 0.85}`
- maps-to → [[framework:mitre-attack]] `{conf: 0.9}` <!-- T1190, T1566, T1078 -->
- maps-to → [[framework:nist-csf-20]] `{conf: 0.95}`
- composes → [[concept:cybersec-skill-library]] `{conf: 0.8}`

## Open questions

- [ ] T1190 (Exploit Public-Facing Application), T1566 (Phishing) and T1078 (Valid Accounts) all sit in the Initial Access tactic. Does the playbook implicitly address Impact-tactic techniques such as T1486 (Data Encrypted for Impact, the ransomware case) without mapping them, given that ransomware heads its priority list?

## Changelog

- 2026-05-09 — created
