containment
SKILL.md
Containment Playbooks Skill
Comprehensive containment procedures for isolating security threats during active incidents. Provides structured playbooks for network, endpoint, identity, cloud, and application containment.
Capabilities
- Network Containment: Host isolation, firewall blocks, DNS sinkholing, network segmentation
- Endpoint Containment: EDR isolation, process termination, service disabling, memory preservation
- Identity Containment: Account disable, session termination, credential reset, MFA reset
- Cloud Containment: IAM revocation, resource isolation, API key rotation, security group lockdown
- Application Containment: WAF rules, rate limiting, service shutdown, database lockdown
- Email Containment: Message quarantine, sender blocking, rule removal
- Playbook Execution: Track and document containment actions
Quick Start
from containment_utils import (
NetworkContainment, EndpointContainment, IdentityContainment,
CloudContainment, ApplicationContainment, EmailContainment,
ContainmentPlaybook, ContainmentAction
)
# Create playbook for incident
playbook = ContainmentPlaybook('INC-2024-001', 'Ransomware Containment')
# Network containment
network = NetworkContainment()
action = network.isolate_host('192.168.1.50', 'WORKSTATION-15', 'Ransomware infection')
playbook.add_action(action)
# Endpoint containment
endpoint = EndpointContainment()
action = endpoint.quarantine_endpoint('WORKSTATION-15', 'edr_api_key')
playbook.add_action(action)
# Identity containment
identity = IdentityContainment()
action = identity.disable_account('jdoe', 'Compromised credentials')
playbook.add_action(action)
# Generate containment report
print(playbook.generate_report())
Usage
Network Containment: Host Isolation
Isolate a compromised host from the network.
Example:
from containment_utils import NetworkContainment, ContainmentPlaybook
playbook = ContainmentPlaybook('INC-2024-001', 'Host Isolation')
network = NetworkContainment()
# Full network isolation
action = network.isolate_host(
ip_address='192.168.1.50',
hostname='WORKSTATION-15',
reason='Active malware infection',
isolation_type='full', # full, partial, or monitor
allow_list=['192.168.1.10'] # Allow IR team access
)
playbook.add_action(action)
print(f"Status: {action.status}")
print(f"Commands: {action.commands}")
Network Containment: Firewall Block
Block malicious IPs, domains, or ports.
Example:
from containment_utils import NetworkContainment
network = NetworkContainment()
# Block malicious IP
action = network.firewall_block(
target='198.51.100.1',
target_type='ip',
direction='both', # inbound, outbound, both
reason='C2 server',
duration_hours=24
)
# Block malicious domain
action = network.firewall_block(
target='evil-domain.com',
target_type='domain',
direction='outbound',
reason='Malware distribution site'
)
# Block port range
action = network.firewall_block(
target='4444-4450',
target_type='port',
direction='both',
reason='Common backdoor ports'
)
print(action.generate_firewall_rules())
Network Containment: DNS Sinkholing
Redirect malicious domains to a sinkhole.
Example:
from containment_utils import NetworkContainment
network = NetworkContainment()
malicious_domains = [
'malware-c2.com',
'data-exfil.net',
'phishing-site.org'
]
action = network.dns_sinkhole(
domains=malicious_domains,
sinkhole_ip='10.0.0.100', # Internal sinkhole server
reason='Active C2 domains',
log_queries=True
)
print(f"Domains sinkholed: {len(action.targets)}")
print(f"DNS config: {action.dns_config}")
Network Containment: Network Segmentation
Implement emergency network segmentation.
Example:
from containment_utils import NetworkContainment
network = NetworkContainment()
action = network.segment_network(
source_vlan=100, # Compromised VLAN
target_vlan=999, # Quarantine VLAN
affected_hosts=['192.168.1.50', '192.168.1.51', '192.168.1.52'],
allow_ir_access=True,
ir_subnet='10.0.100.0/24'
)
print(f"VLAN changes: {action.vlan_config}")
print(f"ACL rules: {action.acl_rules}")
Endpoint Containment: EDR Quarantine
Quarantine endpoint using EDR platform.
Example:
from containment_utils import EndpointContainment
endpoint = EndpointContainment()
action = endpoint.quarantine_endpoint(
hostname='WORKSTATION-15',
edr_platform='crowdstrike', # crowdstrike, sentinelone, defender, carbon_black
isolation_level='full', # full, selective
allow_list=['10.0.100.0/24'], # IR team subnet
preserve_evidence=True
)
print(f"EDR API call: {action.api_payload}")
print(f"Isolation status: {action.status}")
Endpoint Containment: Process Termination
Terminate malicious processes.
Example:
from containment_utils import EndpointContainment
endpoint = EndpointContainment()
action = endpoint.terminate_process(
hostname='WORKSTATION-15',
process_name='malware.exe',
process_id=1234,
kill_children=True, # Also kill child processes
create_memory_dump=True # Preserve for forensics
)
print(f"Commands: {action.commands}")
print(f"Evidence preserved: {action.evidence_path}")
Endpoint Containment: Service Disable
Disable malicious or compromised services.
Example:
from containment_utils import EndpointContainment
endpoint = EndpointContainment()
action = endpoint.disable_service(
hostname='SERVER-01',
service_name='MaliciousService',
stop_immediately=True,
disable_autostart=True,
backup_config=True
)
print(f"Service status: {action.status}")
print(f"Rollback info: {action.rollback_commands}")
Endpoint Containment: Memory Preservation
Capture memory for forensic analysis before containment.
Example:
from containment_utils import EndpointContainment
endpoint = EndpointContainment()
action = endpoint.preserve_memory(
hostname='WORKSTATION-15',
output_path='/evidence/INC-2024-001/',
tool='winpmem', # winpmem, dumpit, magnet_ram
compress=True,
hash_output=True
)
print(f"Memory dump: {action.output_file}")
print(f"Hash: {action.file_hash}")
print(f"Chain of custody: {action.custody_record}")
Identity Containment: Account Disable
Disable compromised user accounts.
Example:
from containment_utils import IdentityContainment
identity = IdentityContainment()
action = identity.disable_account(
username='jdoe',
reason='Account compromised in phishing attack',
directory='active_directory', # active_directory, azure_ad, okta, google
preserve_data=True,
notify_manager=True
)
print(f"Account status: {action.status}")
print(f"LDAP command: {action.commands}")
Identity Containment: Session Termination
Terminate all active sessions for a user.
Example:
from containment_utils import IdentityContainment
identity = IdentityContainment()
action = identity.terminate_sessions(
username='jdoe',
session_types=['all'], # all, vpn, rdp, web, cloud
force=True,
invalidate_tokens=True
)
print(f"Sessions terminated: {action.session_count}")
print(f"Tokens invalidated: {action.tokens_invalidated}")
Identity Containment: Password Reset
Force password reset for compromised accounts.
Example:
from containment_utils import IdentityContainment
identity = IdentityContainment()
action = identity.force_password_reset(
username='jdoe',
require_mfa_reenroll=True,
expire_immediately=True,
notify_user=True,
generate_temp_password=True
)
print(f"Temp password: {action.temp_password}") # Securely transmitted
print(f"MFA status: {action.mfa_status}")
Identity Containment: Service Account Rotation
Rotate compromised service account credentials.
Example:
from containment_utils import IdentityContainment
identity = IdentityContainment()
action = identity.rotate_service_account(
account_name='svc_backup',
credential_type='password', # password, api_key, certificate
update_dependent_services=True,
services=['BackupService', 'ScheduledTask1']
)
print(f"New credential generated: {action.credential_rotated}")
print(f"Services updated: {action.services_updated}")
Cloud Containment: IAM Revocation
Revoke cloud IAM permissions.
Example:
from containment_utils import CloudContainment
cloud = CloudContainment()
action = cloud.revoke_iam_permissions(
principal='arn:aws:iam::123456789:user/compromised-user',
cloud_provider='aws', # aws, azure, gcp
revocation_type='all', # all, specific
preserve_audit_logs=True
)
print(f"Policies detached: {action.policies_removed}")
print(f"Access keys disabled: {action.keys_disabled}")
Cloud Containment: Resource Isolation
Isolate compromised cloud resources.
Example:
from containment_utils import CloudContainment
cloud = CloudContainment()
action = cloud.isolate_resource(
resource_id='i-0123456789abcdef0',
resource_type='ec2_instance',
cloud_provider='aws',
isolation_method='security_group', # security_group, nacl, vpc
allow_forensic_access=True,
forensic_ip='10.0.100.50'
)
print(f"Security group: {action.security_group_id}")
print(f"Isolation rules: {action.isolation_rules}")
Cloud Containment: API Key Revocation
Revoke compromised API keys and tokens.
Example:
from containment_utils import CloudContainment
cloud = CloudContainment()
action = cloud.revoke_api_keys(
key_ids=['AKIA1234567890ABCDEF'],
cloud_provider='aws',
create_new_keys=False, # Don't auto-create replacements
notify_owner=True
)
print(f"Keys revoked: {action.keys_revoked}")
print(f"Affected services: {action.affected_services}")
Cloud Containment: Security Group Lockdown
Emergency security group modifications.
Example:
from containment_utils import CloudContainment
cloud = CloudContainment()
action = cloud.lockdown_security_group(
security_group_id='sg-0123456789abcdef0',
cloud_provider='aws',
lockdown_type='deny_all', # deny_all, allow_ir_only, block_egress
ir_cidrs=['10.0.100.0/24'],
preserve_logging=True
)
print(f"Rules removed: {action.rules_removed}")
print(f"New rules: {action.new_rules}")
Application Containment: WAF Rules
Deploy emergency WAF rules.
Example:
from containment_utils import ApplicationContainment
app = ApplicationContainment()
action = app.deploy_waf_rule(
rule_name='Block_SQLi_Attack',
rule_type='block', # block, rate_limit, challenge
conditions=[
{'field': 'uri', 'operator': 'contains', 'value': '/api/search'},
{'field': 'body', 'operator': 'regex', 'value': r'(union|select|insert)'}
],
waf_provider='cloudflare', # cloudflare, aws_waf, akamai
priority=1
)
print(f"Rule ID: {action.rule_id}")
print(f"WAF config: {action.waf_config}")
Application Containment: Rate Limiting
Implement emergency rate limiting.
Example:
from containment_utils import ApplicationContainment
app = ApplicationContainment()
action = app.rate_limit(
endpoint='/api/login',
limit=10, # Requests per window
window_seconds=60,
action='block', # block, throttle, challenge
scope='ip', # ip, user, global
whitelist=['10.0.0.0/8']
)
print(f"Rate limit config: {action.config}")
Application Containment: Service Shutdown
Emergency application service shutdown.
Example:
from containment_utils import ApplicationContainment
app = ApplicationContainment()
action = app.shutdown_service(
service_name='payment-api',
shutdown_type='graceful', # graceful, immediate
drain_connections=True,
display_maintenance_page=True,
notify_stakeholders=['security@company.com', 'oncall@company.com']
)
print(f"Service status: {action.status}")
print(f"Connections drained: {action.connections_drained}")
Application Containment: Database Lockdown
Lock down database access.
Example:
from containment_utils import ApplicationContainment
app = ApplicationContainment()
action = app.lockdown_database(
database='production_db',
db_type='postgresql', # postgresql, mysql, mssql, mongodb
lockdown_level='read_only', # read_only, admin_only, full_lockdown
revoke_users=['app_user', 'report_user'],
preserve_admin=['dba_admin']
)
print(f"Users revoked: {action.users_revoked}")
print(f"Rollback script: {action.rollback_script}")
Email Containment: Message Quarantine
Quarantine malicious emails.
Example:
from containment_utils import EmailContainment
email = EmailContainment()
action = email.quarantine_messages(
search_criteria={
'sender': 'attacker@malicious.com',
'subject_contains': 'Invoice',
'date_range': ('2024-01-15', '2024-01-16')
},
email_platform='office365', # office365, google, exchange
delete_from_mailboxes=True,
preserve_for_analysis=True
)
print(f"Messages quarantined: {action.message_count}")
print(f"Affected users: {action.affected_users}")
Email Containment: Sender Block
Block malicious senders.
Example:
from containment_utils import EmailContainment
email = EmailContainment()
action = email.block_sender(
sender='attacker@malicious.com',
block_type='domain', # email, domain
email_platform='office365',
add_to_threat_list=True
)
print(f"Block rule: {action.block_rule}")
Email Containment: Inbox Rule Removal
Remove malicious inbox rules.
Example:
from containment_utils import EmailContainment
email = EmailContainment()
action = email.remove_inbox_rules(
username='jdoe',
rule_criteria={
'forwards_externally': True,
'deletes_messages': True
},
email_platform='office365'
)
print(f"Rules removed: {action.rules_removed}")
print(f"Rule details: {action.rule_details}")
Playbook Management
Track and document containment actions.
Example:
from containment_utils import ContainmentPlaybook, ContainmentAction
# Create playbook
playbook = ContainmentPlaybook(
incident_id='INC-2024-001',
name='Ransomware Containment',
analyst='analyst1'
)
# Execute containment actions
# ... (use containment utilities as shown above)
# Mark action complete
playbook.complete_action(action.id, 'Successfully isolated host')
# Mark action failed with rollback
playbook.fail_action(action.id, 'Isolation failed', rollback=True)
# Generate reports
print(playbook.generate_report())
print(playbook.generate_executive_summary())
# Export to JSON for SOAR integration
print(playbook.to_json())
Configuration
Environment Variables
| Variable | Description | Required | Default |
|---|---|---|---|
CONTAINMENT_LOG_PATH |
Log file path | No | ./containment.log |
EDR_API_KEY |
EDR platform API key | For EDR actions | - |
CLOUD_CREDENTIALS |
Cloud provider credentials | For cloud actions | - |
Rollback Configuration
All containment actions support rollback:
# Get rollback commands
rollback = action.get_rollback()
print(rollback.commands)
# Execute rollback
rollback.execute()
Limitations
- No Direct Execution: Generates commands/configs, does not execute directly
- API Integration: Requires API credentials for platform-specific actions
- Network Dependencies: Some actions require network connectivity to targets
- Permission Requirements: Actions require appropriate administrative permissions
Troubleshooting
Action Failed to Execute
Problem: Containment action reports failure
Solution: Check permissions and connectivity:
# Verify connectivity
action = network.verify_connectivity(target_ip)
print(action.reachable)
# Check required permissions
print(action.required_permissions)
Rollback Not Available
Problem: Cannot rollback a containment action
Solution: Some destructive actions cannot be rolled back:
if action.rollback_available:
action.rollback()
else:
print(f"Manual intervention required: {action.rollback_instructions}")
Related Skills
- detection: Detect threats to contain
- incident-response: Full IR workflow
- remediation: Post-containment cleanup
- soc-operations: Alert triage
References
Weekly Installs
3
Repository
sherifeldeeb/agentskillsGitHub Stars
1
First Seen
Feb 10, 2026
Security Audits
Installed on
opencode3
codex3
gemini-cli2
cursor2
codebuddy2
github-copilot2