containment

Containment Playbooks Skill

Safety Notice

This listing is imported from skills.sh public index metadata. Review upstream SKILL.md and repository scripts before running.

Copy this and send it to your AI assistant to learn

Install skill "containment" with this command: npx skills add sherifeldeeb/agentskills/sherifeldeeb-agentskills-containment

Containment Playbooks Skill

Comprehensive containment procedures for isolating security threats during active incidents. Provides structured playbooks for network, endpoint, identity, cloud, and application containment.

Capabilities

  • Network Containment: Host isolation, firewall blocks, DNS sinkholing, network segmentation

  • Endpoint Containment: EDR isolation, process termination, service disabling, memory preservation

  • Identity Containment: Account disable, session termination, credential reset, MFA reset

  • Cloud Containment: IAM revocation, resource isolation, API key rotation, security group lockdown

  • Application Containment: WAF rules, rate limiting, service shutdown, database lockdown

  • Email Containment: Message quarantine, sender blocking, rule removal

  • Playbook Execution: Track and document containment actions

Quick Start

from containment_utils import ( NetworkContainment, EndpointContainment, IdentityContainment, CloudContainment, ApplicationContainment, EmailContainment, ContainmentPlaybook, ContainmentAction )

Create playbook for incident

playbook = ContainmentPlaybook('INC-2024-001', 'Ransomware Containment')

Network containment

network = NetworkContainment() action = network.isolate_host('192.168.1.50', 'WORKSTATION-15', 'Ransomware infection') playbook.add_action(action)

Endpoint containment

endpoint = EndpointContainment() action = endpoint.quarantine_endpoint('WORKSTATION-15', 'edr_api_key') playbook.add_action(action)

Identity containment

identity = IdentityContainment() action = identity.disable_account('jdoe', 'Compromised credentials') playbook.add_action(action)

Generate containment report

print(playbook.generate_report())

Usage

Network Containment: Host Isolation

Isolate a compromised host from the network.

Example:

from containment_utils import NetworkContainment, ContainmentPlaybook

playbook = ContainmentPlaybook('INC-2024-001', 'Host Isolation') network = NetworkContainment()

Full network isolation

action = network.isolate_host( ip_address='192.168.1.50', hostname='WORKSTATION-15', reason='Active malware infection', isolation_type='full', # full, partial, or monitor allow_list=['192.168.1.10'] # Allow IR team access )

playbook.add_action(action) print(f"Status: {action.status}") print(f"Commands: {action.commands}")

Network Containment: Firewall Block

Block malicious IPs, domains, or ports.

Example:

from containment_utils import NetworkContainment

network = NetworkContainment()

Block malicious IP

action = network.firewall_block( target='198.51.100.1', target_type='ip', direction='both', # inbound, outbound, both reason='C2 server', duration_hours=24 )

Block malicious domain

action = network.firewall_block( target='evil-domain.com', target_type='domain', direction='outbound', reason='Malware distribution site' )

Block port range

action = network.firewall_block( target='4444-4450', target_type='port', direction='both', reason='Common backdoor ports' )

print(action.generate_firewall_rules())

Network Containment: DNS Sinkholing

Redirect malicious domains to a sinkhole.

Example:

from containment_utils import NetworkContainment

network = NetworkContainment()

malicious_domains = [ 'malware-c2.com', 'data-exfil.net', 'phishing-site.org' ]

action = network.dns_sinkhole( domains=malicious_domains, sinkhole_ip='10.0.0.100', # Internal sinkhole server reason='Active C2 domains', log_queries=True )

print(f"Domains sinkholed: {len(action.targets)}") print(f"DNS config: {action.dns_config}")

Network Containment: Network Segmentation

Implement emergency network segmentation.

Example:

from containment_utils import NetworkContainment

network = NetworkContainment()

action = network.segment_network( source_vlan=100, # Compromised VLAN target_vlan=999, # Quarantine VLAN affected_hosts=['192.168.1.50', '192.168.1.51', '192.168.1.52'], allow_ir_access=True, ir_subnet='10.0.100.0/24' )

print(f"VLAN changes: {action.vlan_config}") print(f"ACL rules: {action.acl_rules}")

Endpoint Containment: EDR Quarantine

Quarantine endpoint using EDR platform.

Example:

from containment_utils import EndpointContainment

endpoint = EndpointContainment()

action = endpoint.quarantine_endpoint( hostname='WORKSTATION-15', edr_platform='crowdstrike', # crowdstrike, sentinelone, defender, carbon_black isolation_level='full', # full, selective allow_list=['10.0.100.0/24'], # IR team subnet preserve_evidence=True )

print(f"EDR API call: {action.api_payload}") print(f"Isolation status: {action.status}")

Endpoint Containment: Process Termination

Terminate malicious processes.

Example:

from containment_utils import EndpointContainment

endpoint = EndpointContainment()

action = endpoint.terminate_process( hostname='WORKSTATION-15', process_name='malware.exe', process_id=1234, kill_children=True, # Also kill child processes create_memory_dump=True # Preserve for forensics )

print(f"Commands: {action.commands}") print(f"Evidence preserved: {action.evidence_path}")

Endpoint Containment: Service Disable

Disable malicious or compromised services.

Example:

from containment_utils import EndpointContainment

endpoint = EndpointContainment()

action = endpoint.disable_service( hostname='SERVER-01', service_name='MaliciousService', stop_immediately=True, disable_autostart=True, backup_config=True )

print(f"Service status: {action.status}") print(f"Rollback info: {action.rollback_commands}")

Endpoint Containment: Memory Preservation

Capture memory for forensic analysis before containment.

Example:

from containment_utils import EndpointContainment

endpoint = EndpointContainment()

action = endpoint.preserve_memory( hostname='WORKSTATION-15', output_path='/evidence/INC-2024-001/', tool='winpmem', # winpmem, dumpit, magnet_ram compress=True, hash_output=True )

print(f"Memory dump: {action.output_file}") print(f"Hash: {action.file_hash}") print(f"Chain of custody: {action.custody_record}")

Identity Containment: Account Disable

Disable compromised user accounts.

Example:

from containment_utils import IdentityContainment

identity = IdentityContainment()

action = identity.disable_account( username='jdoe', reason='Account compromised in phishing attack', directory='active_directory', # active_directory, azure_ad, okta, google preserve_data=True, notify_manager=True )

print(f"Account status: {action.status}") print(f"LDAP command: {action.commands}")

Identity Containment: Session Termination

Terminate all active sessions for a user.

Example:

from containment_utils import IdentityContainment

identity = IdentityContainment()

action = identity.terminate_sessions( username='jdoe', session_types=['all'], # all, vpn, rdp, web, cloud force=True, invalidate_tokens=True )

print(f"Sessions terminated: {action.session_count}") print(f"Tokens invalidated: {action.tokens_invalidated}")

Identity Containment: Password Reset

Force password reset for compromised accounts.

Example:

from containment_utils import IdentityContainment

identity = IdentityContainment()

action = identity.force_password_reset( username='jdoe', require_mfa_reenroll=True, expire_immediately=True, notify_user=True, generate_temp_password=True )

print(f"Temp password: {action.temp_password}") # Securely transmitted print(f"MFA status: {action.mfa_status}")

Identity Containment: Service Account Rotation

Rotate compromised service account credentials.

Example:

from containment_utils import IdentityContainment

identity = IdentityContainment()

action = identity.rotate_service_account( account_name='svc_backup', credential_type='password', # password, api_key, certificate update_dependent_services=True, services=['BackupService', 'ScheduledTask1'] )

print(f"New credential generated: {action.credential_rotated}") print(f"Services updated: {action.services_updated}")

Cloud Containment: IAM Revocation

Revoke cloud IAM permissions.

Example:

from containment_utils import CloudContainment

cloud = CloudContainment()

action = cloud.revoke_iam_permissions( principal='arn:aws:iam::123456789:user/compromised-user', cloud_provider='aws', # aws, azure, gcp revocation_type='all', # all, specific preserve_audit_logs=True )

print(f"Policies detached: {action.policies_removed}") print(f"Access keys disabled: {action.keys_disabled}")

Cloud Containment: Resource Isolation

Isolate compromised cloud resources.

Example:

from containment_utils import CloudContainment

cloud = CloudContainment()

action = cloud.isolate_resource( resource_id='i-0123456789abcdef0', resource_type='ec2_instance', cloud_provider='aws', isolation_method='security_group', # security_group, nacl, vpc allow_forensic_access=True, forensic_ip='10.0.100.50' )

print(f"Security group: {action.security_group_id}") print(f"Isolation rules: {action.isolation_rules}")

Cloud Containment: API Key Revocation

Revoke compromised API keys and tokens.

Example:

from containment_utils import CloudContainment

cloud = CloudContainment()

action = cloud.revoke_api_keys( key_ids=['AKIA1234567890ABCDEF'], cloud_provider='aws', create_new_keys=False, # Don't auto-create replacements notify_owner=True )

print(f"Keys revoked: {action.keys_revoked}") print(f"Affected services: {action.affected_services}")

Cloud Containment: Security Group Lockdown

Emergency security group modifications.

Example:

from containment_utils import CloudContainment

cloud = CloudContainment()

action = cloud.lockdown_security_group( security_group_id='sg-0123456789abcdef0', cloud_provider='aws', lockdown_type='deny_all', # deny_all, allow_ir_only, block_egress ir_cidrs=['10.0.100.0/24'], preserve_logging=True )

print(f"Rules removed: {action.rules_removed}") print(f"New rules: {action.new_rules}")

Application Containment: WAF Rules

Deploy emergency WAF rules.

Example:

from containment_utils import ApplicationContainment

app = ApplicationContainment()

action = app.deploy_waf_rule( rule_name='Block_SQLi_Attack', rule_type='block', # block, rate_limit, challenge conditions=[ {'field': 'uri', 'operator': 'contains', 'value': '/api/search'}, {'field': 'body', 'operator': 'regex', 'value': r'(union|select|insert)'} ], waf_provider='cloudflare', # cloudflare, aws_waf, akamai priority=1 )

print(f"Rule ID: {action.rule_id}") print(f"WAF config: {action.waf_config}")

Application Containment: Rate Limiting

Implement emergency rate limiting.

Example:

from containment_utils import ApplicationContainment

app = ApplicationContainment()

action = app.rate_limit( endpoint='/api/login', limit=10, # Requests per window window_seconds=60, action='block', # block, throttle, challenge scope='ip', # ip, user, global whitelist=['10.0.0.0/8'] )

print(f"Rate limit config: {action.config}")

Application Containment: Service Shutdown

Emergency application service shutdown.

Example:

from containment_utils import ApplicationContainment

app = ApplicationContainment()

action = app.shutdown_service( service_name='payment-api', shutdown_type='graceful', # graceful, immediate drain_connections=True, display_maintenance_page=True, notify_stakeholders=['security@company.com', 'oncall@company.com'] )

print(f"Service status: {action.status}") print(f"Connections drained: {action.connections_drained}")

Application Containment: Database Lockdown

Lock down database access.

Example:

from containment_utils import ApplicationContainment

app = ApplicationContainment()

action = app.lockdown_database( database='production_db', db_type='postgresql', # postgresql, mysql, mssql, mongodb lockdown_level='read_only', # read_only, admin_only, full_lockdown revoke_users=['app_user', 'report_user'], preserve_admin=['dba_admin'] )

print(f"Users revoked: {action.users_revoked}") print(f"Rollback script: {action.rollback_script}")

Email Containment: Message Quarantine

Quarantine malicious emails.

Example:

from containment_utils import EmailContainment

email = EmailContainment()

action = email.quarantine_messages( search_criteria={ 'sender': 'attacker@malicious.com', 'subject_contains': 'Invoice', 'date_range': ('2024-01-15', '2024-01-16') }, email_platform='office365', # office365, google, exchange delete_from_mailboxes=True, preserve_for_analysis=True )

print(f"Messages quarantined: {action.message_count}") print(f"Affected users: {action.affected_users}")

Email Containment: Sender Block

Block malicious senders.

Example:

from containment_utils import EmailContainment

email = EmailContainment()

action = email.block_sender( sender='attacker@malicious.com', block_type='domain', # email, domain email_platform='office365', add_to_threat_list=True )

print(f"Block rule: {action.block_rule}")

Email Containment: Inbox Rule Removal

Remove malicious inbox rules.

Example:

from containment_utils import EmailContainment

email = EmailContainment()

action = email.remove_inbox_rules( username='jdoe', rule_criteria={ 'forwards_externally': True, 'deletes_messages': True }, email_platform='office365' )

print(f"Rules removed: {action.rules_removed}") print(f"Rule details: {action.rule_details}")

Playbook Management

Track and document containment actions.

Example:

from containment_utils import ContainmentPlaybook, ContainmentAction

Create playbook

playbook = ContainmentPlaybook( incident_id='INC-2024-001', name='Ransomware Containment', analyst='analyst1' )

Execute containment actions

... (use containment utilities as shown above)

Mark action complete

playbook.complete_action(action.id, 'Successfully isolated host')

Mark action failed with rollback

playbook.fail_action(action.id, 'Isolation failed', rollback=True)

Generate reports

print(playbook.generate_report()) print(playbook.generate_executive_summary())

Export to JSON for SOAR integration

print(playbook.to_json())

Configuration

Environment Variables

Variable Description Required Default

CONTAINMENT_LOG_PATH

Log file path No ./containment.log

EDR_API_KEY

EDR platform API key For EDR actions

CLOUD_CREDENTIALS

Cloud provider credentials For cloud actions

Rollback Configuration

All containment actions support rollback:

Get rollback commands

rollback = action.get_rollback() print(rollback.commands)

Execute rollback

rollback.execute()

Limitations

  • No Direct Execution: Generates commands/configs, does not execute directly

  • API Integration: Requires API credentials for platform-specific actions

  • Network Dependencies: Some actions require network connectivity to targets

  • Permission Requirements: Actions require appropriate administrative permissions

Troubleshooting

Action Failed to Execute

Problem: Containment action reports failure

Solution: Check permissions and connectivity:

Verify connectivity

action = network.verify_connectivity(target_ip) print(action.reachable)

Check required permissions

print(action.required_permissions)

Rollback Not Available

Problem: Cannot rollback a containment action

Solution: Some destructive actions cannot be rolled back:

if action.rollback_available: action.rollback() else: print(f"Manual intervention required: {action.rollback_instructions}")

Related Skills

  • detection: Detect threats to contain

  • incident-response: Full IR workflow

  • remediation: Post-containment cleanup

  • soc-operations: Alert triage

References

  • Detailed API Reference

  • NIST SP 800-61 Rev. 2

  • SANS Incident Handler's Handbook

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.

Open in GitHubOpen in ClawHub

Related Skills

Related by shared tags or category signals.

Automation

email-forensics

No summary provided by upstream source.

Repository SourceNeeds Review
11-sherifeldeeb
Automation

disk-forensics

No summary provided by upstream source.

Repository SourceNeeds Review
10-sherifeldeeb
Automation

forensic-reporting

No summary provided by upstream source.

Repository SourceNeeds Review
9-sherifeldeeb
Automation

log-forensics

No summary provided by upstream source.

Repository SourceNeeds Review
8-sherifeldeeb