containment

majiayu000

Updated Yesterday

Otherai

About

This skill provides security incident containment playbooks for isolating threats across network, endpoint, identity, cloud, and application layers. Use it during active incident response to execute procedures like host isolation, firewall blocks, account disablement, and IAM revocation. It's a standalone Python tool requiring only the standard library.

Quick Install

Claude Code

Recommended

Plugin CommandRecommended

/plugin add https://github.com/majiayu000/claude-skill-registry

Git CloneAlternative

git clone https://github.com/majiayu000/claude-skill-registry.git ~/.claude/skills/containment

Copy and paste this command in Claude Code to install this skill

Documentation

Containment Playbooks Skill

Comprehensive containment procedures for isolating security threats during active incidents. Provides structured playbooks for network, endpoint, identity, cloud, and application containment.

Capabilities

Network Containment: Host isolation, firewall blocks, DNS sinkholing, network segmentation
Endpoint Containment: EDR isolation, process termination, service disabling, memory preservation
Identity Containment: Account disable, session termination, credential reset, MFA reset
Cloud Containment: IAM revocation, resource isolation, API key rotation, security group lockdown
Application Containment: WAF rules, rate limiting, service shutdown, database lockdown
Email Containment: Message quarantine, sender blocking, rule removal
Playbook Execution: Track and document containment actions

Quick Start

from containment_utils import (
    NetworkContainment, EndpointContainment, IdentityContainment,
    CloudContainment, ApplicationContainment, EmailContainment,
    ContainmentPlaybook, ContainmentAction
)

# Create playbook for incident
playbook = ContainmentPlaybook('INC-2024-001', 'Ransomware Containment')

# Network containment
network = NetworkContainment()
action = network.isolate_host('192.168.1.50', 'WORKSTATION-15', 'Ransomware infection')
playbook.add_action(action)

# Endpoint containment
endpoint = EndpointContainment()
action = endpoint.quarantine_endpoint('WORKSTATION-15', 'edr_api_key')
playbook.add_action(action)

# Identity containment
identity = IdentityContainment()
action = identity.disable_account('jdoe', 'Compromised credentials')
playbook.add_action(action)

# Generate containment report
print(playbook.generate_report())

Usage

Network Containment: Host Isolation

Isolate a compromised host from the network.

Example:

from containment_utils import NetworkContainment, ContainmentPlaybook

playbook = ContainmentPlaybook('INC-2024-001', 'Host Isolation')
network = NetworkContainment()

# Full network isolation
action = network.isolate_host(
    ip_address='192.168.1.50',
    hostname='WORKSTATION-15',
    reason='Active malware infection',
    isolation_type='full',  # full, partial, or monitor
    allow_list=['192.168.1.10']  # Allow IR team access
)

playbook.add_action(action)
print(f"Status: {action.status}")
print(f"Commands: {action.commands}")

Network Containment: Firewall Block

Block malicious IPs, domains, or ports.

Example:

from containment_utils import NetworkContainment

network = NetworkContainment()

# Block malicious IP
action = network.firewall_block(
    target='198.51.100.1',
    target_type='ip',
    direction='both',  # inbound, outbound, both
    reason='C2 server',
    duration_hours=24
)

# Block malicious domain
action = network.firewall_block(
    target='evil-domain.com',
    target_type='domain',
    direction='outbound',
    reason='Malware distribution site'
)

# Block port range
action = network.firewall_block(
    target='4444-4450',
    target_type='port',
    direction='both',
    reason='Common backdoor ports'
)

print(action.generate_firewall_rules())

Network Containment: DNS Sinkholing

Redirect malicious domains to a sinkhole.

Example:

from containment_utils import NetworkContainment

network = NetworkContainment()

malicious_domains = [
    'malware-c2.com',
    'data-exfil.net',
    'phishing-site.org'
]

action = network.dns_sinkhole(
    domains=malicious_domains,
    sinkhole_ip='10.0.0.100',  # Internal sinkhole server
    reason='Active C2 domains',
    log_queries=True
)

print(f"Domains sinkholed: {len(action.targets)}")
print(f"DNS config: {action.dns_config}")

Network Containment: Network Segmentation

Implement emergency network segmentation.

Example:

from containment_utils import NetworkContainment

network = NetworkContainment()

action = network.segment_network(
    source_vlan=100,  # Compromised VLAN
    target_vlan=999,  # Quarantine VLAN
    affected_hosts=['192.168.1.50', '192.168.1.51', '192.168.1.52'],
    allow_ir_access=True,
    ir_subnet='10.0.100.0/24'
)

print(f"VLAN changes: {action.vlan_config}")
print(f"ACL rules: {action.acl_rules}")

Endpoint Containment: EDR Quarantine

Quarantine endpoint using EDR platform.

Example:

from containment_utils import EndpointContainment

endpoint = EndpointContainment()

action = endpoint.quarantine_endpoint(
    hostname='WORKSTATION-15',
    edr_platform='crowdstrike',  # crowdstrike, sentinelone, defender, carbon_black
    isolation_level='full',  # full, selective
    allow_list=['10.0.100.0/24'],  # IR team subnet
    preserve_evidence=True
)

print(f"EDR API call: {action.api_payload}")
print(f"Isolation status: {action.status}")

Endpoint Containment: Process Termination

Terminate malicious processes.

Example:

from containment_utils import EndpointContainment

endpoint = EndpointContainment()

action = endpoint.terminate_process(
    hostname='WORKSTATION-15',
    process_name='malware.exe',
    process_id=1234,
    kill_children=True,  # Also kill child processes
    create_memory_dump=True  # Preserve for forensics
)

print(f"Commands: {action.commands}")
print(f"Evidence preserved: {action.evidence_path}")

Endpoint Containment: Service Disable

Disable malicious or compromised services.

Example:

from containment_utils import EndpointContainment

endpoint = EndpointContainment()

action = endpoint.disable_service(
    hostname='SERVER-01',
    service_name='MaliciousService',
    stop_immediately=True,
    disable_autostart=True,
    backup_config=True
)

print(f"Service status: {action.status}")
print(f"Rollback info: {action.rollback_commands}")

Endpoint Containment: Memory Preservation

Capture memory for forensic analysis before containment.

Example:

from containment_utils import EndpointContainment

endpoint = EndpointContainment()

action = endpoint.preserve_memory(
    hostname='WORKSTATION-15',
    output_path='/evidence/INC-2024-001/',
    tool='winpmem',  # winpmem, dumpit, magnet_ram
    compress=True,
    hash_output=True
)

print(f"Memory dump: {action.output_file}")
print(f"Hash: {action.file_hash}")
print(f"Chain of custody: {action.custody_record}")

Identity Containment: Account Disable

Disable compromised user accounts.

Example:

from containment_utils import IdentityContainment

identity = IdentityContainment()

action = identity.disable_account(
    username='jdoe',
    reason='Account compromised in phishing attack',
    directory='active_directory',  # active_directory, azure_ad, okta, google
    preserve_data=True,
    notify_manager=True
)

print(f"Account status: {action.status}")
print(f"LDAP command: {action.commands}")

Identity Containment: Session Termination

Terminate all active sessions for a user.

Example:

from containment_utils import IdentityContainment

identity = IdentityContainment()

action = identity.terminate_sessions(
    username='jdoe',
    session_types=['all'],  # all, vpn, rdp, web, cloud
    force=True,
    invalidate_tokens=True
)

print(f"Sessions terminated: {action.session_count}")
print(f"Tokens invalidated: {action.tokens_invalidated}")

Identity Containment: Password Reset

Force password reset for compromised accounts.

Example:

from containment_utils import IdentityContainment

identity = IdentityContainment()

action = identity.force_password_reset(
    username='jdoe',
    require_mfa_reenroll=True,
    expire_immediately=True,
    notify_user=True,
    generate_temp_password=True
)

print(f"Temp password: {action.temp_password}")  # Securely transmitted
print(f"MFA status: {action.mfa_status}")

Identity Containment: Service Account Rotation

Rotate compromised service account credentials.

Example:

from containment_utils import IdentityContainment

identity = IdentityContainment()

action = identity.rotate_service_account(
    account_name='svc_backup',
    credential_type='password',  # password, api_key, certificate
    update_dependent_services=True,
    services=['BackupService', 'ScheduledTask1']
)

print(f"New credential generated: {action.credential_rotated}")
print(f"Services updated: {action.services_updated}")

Cloud Containment: IAM Revocation

Revoke cloud IAM permissions.

Example:

from containment_utils import CloudContainment

cloud = CloudContainment()

action = cloud.revoke_iam_permissions(
    principal='arn:aws:iam::123456789:user/compromised-user',
    cloud_provider='aws',  # aws, azure, gcp
    revocation_type='all',  # all, specific
    preserve_audit_logs=True
)

print(f"Policies detached: {action.policies_removed}")
print(f"Access keys disabled: {action.keys_disabled}")

Cloud Containment: Resource Isolation

Isolate compromised cloud resources.

Example:

from containment_utils import CloudContainment

cloud = CloudContainment()

action = cloud.isolate_resource(
    resource_id='i-0123456789abcdef0',
    resource_type='ec2_instance',
    cloud_provider='aws',
    isolation_method='security_group',  # security_group, nacl, vpc
    allow_forensic_access=True,
    forensic_ip='10.0.100.50'
)

print(f"Security group: {action.security_group_id}")
print(f"Isolation rules: {action.isolation_rules}")

Cloud Containment: API Key Revocation

Revoke compromised API keys and tokens.

Example:

from containment_utils import CloudContainment

cloud = CloudContainment()

action = cloud.revoke_api_keys(
    key_ids=['AKIA1234567890ABCDEF'],
    cloud_provider='aws',
    create_new_keys=False,  # Don't auto-create replacements
    notify_owner=True
)

print(f"Keys revoked: {action.keys_revoked}")
print(f"Affected services: {action.affected_services}")

Cloud Containment: Security Group Lockdown

Emergency security group modifications.

Example:

from containment_utils import CloudContainment

cloud = CloudContainment()

action = cloud.lockdown_security_group(
    security_group_id='sg-0123456789abcdef0',
    cloud_provider='aws',
    lockdown_type='deny_all',  # deny_all, allow_ir_only, block_egress
    ir_cidrs=['10.0.100.0/24'],
    preserve_logging=True
)

print(f"Rules removed: {action.rules_removed}")
print(f"New rules: {action.new_rules}")

Application Containment: WAF Rules

Deploy emergency WAF rules.

Example:

from containment_utils import ApplicationContainment

app = ApplicationContainment()

action = app.deploy_waf_rule(
    rule_name='Block_SQLi_Attack',
    rule_type='block',  # block, rate_limit, challenge
    conditions=[
        {'field': 'uri', 'operator': 'contains', 'value': '/api/search'},
        {'field': 'body', 'operator': 'regex', 'value': r'(union|select|insert)'}
    ],
    waf_provider='cloudflare',  # cloudflare, aws_waf, akamai
    priority=1
)

print(f"Rule ID: {action.rule_id}")
print(f"WAF config: {action.waf_config}")

Application Containment: Rate Limiting

Implement emergency rate limiting.

Example:

from containment_utils import ApplicationContainment

app = ApplicationContainment()

action = app.rate_limit(
    endpoint='/api/login',
    limit=10,  # Requests per window
    window_seconds=60,
    action='block',  # block, throttle, challenge
    scope='ip',  # ip, user, global
    whitelist=['10.0.0.0/8']
)

print(f"Rate limit config: {action.config}")

Application Containment: Service Shutdown

Emergency application service shutdown.

Example:

from containment_utils import ApplicationContainment

app = ApplicationContainment()

action = app.shutdown_service(
    service_name='payment-api',
    shutdown_type='graceful',  # graceful, immediate
    drain_connections=True,
    display_maintenance_page=True,
    notify_stakeholders=['security@company.com', 'oncall@company.com']
)

print(f"Service status: {action.status}")
print(f"Connections drained: {action.connections_drained}")

Application Containment: Database Lockdown

Lock down database access.

Example:

from containment_utils import ApplicationContainment

app = ApplicationContainment()

action = app.lockdown_database(
    database='production_db',
    db_type='postgresql',  # postgresql, mysql, mssql, mongodb
    lockdown_level='read_only',  # read_only, admin_only, full_lockdown
    revoke_users=['app_user', 'report_user'],
    preserve_admin=['dba_admin']
)

print(f"Users revoked: {action.users_revoked}")
print(f"Rollback script: {action.rollback_script}")

Email Containment: Message Quarantine

Quarantine malicious emails.

Example:

from containment_utils import EmailContainment

email = EmailContainment()

action = email.quarantine_messages(
    search_criteria={
        'sender': 'attacker@malicious.com',
        'subject_contains': 'Invoice',
        'date_range': ('2024-01-15', '2024-01-16')
    },
    email_platform='office365',  # office365, google, exchange
    delete_from_mailboxes=True,
    preserve_for_analysis=True
)

print(f"Messages quarantined: {action.message_count}")
print(f"Affected users: {action.affected_users}")

Email Containment: Sender Block

Block malicious senders.

Example:

from containment_utils import EmailContainment

email = EmailContainment()

action = email.block_sender(
    sender='attacker@malicious.com',
    block_type='domain',  # email, domain
    email_platform='office365',
    add_to_threat_list=True
)

print(f"Block rule: {action.block_rule}")

Email Containment: Inbox Rule Removal

Remove malicious inbox rules.

Example:

from containment_utils import EmailContainment

email = EmailContainment()

action = email.remove_inbox_rules(
    username='jdoe',
    rule_criteria={
        'forwards_externally': True,
        'deletes_messages': True
    },
    email_platform='office365'
)

print(f"Rules removed: {action.rules_removed}")
print(f"Rule details: {action.rule_details}")

Playbook Management

Track and document containment actions.

Example:

from containment_utils import ContainmentPlaybook, ContainmentAction

# Create playbook
playbook = ContainmentPlaybook(
    incident_id='INC-2024-001',
    name='Ransomware Containment',
    analyst='analyst1'
)

# Execute containment actions
# ... (use containment utilities as shown above)

# Mark action complete
playbook.complete_action(action.id, 'Successfully isolated host')

# Mark action failed with rollback
playbook.fail_action(action.id, 'Isolation failed', rollback=True)

# Generate reports
print(playbook.generate_report())
print(playbook.generate_executive_summary())

# Export to JSON for SOAR integration
print(playbook.to_json())

Configuration

Environment Variables

Variable	Description	Required	Default
`CONTAINMENT_LOG_PATH`	Log file path	No	`./containment.log`
`EDR_API_KEY`	EDR platform API key	For EDR actions	-
`CLOUD_CREDENTIALS`	Cloud provider credentials	For cloud actions	-

Rollback Configuration

All containment actions support rollback:

# Get rollback commands
rollback = action.get_rollback()
print(rollback.commands)

# Execute rollback
rollback.execute()

Limitations

No Direct Execution: Generates commands/configs, does not execute directly
API Integration: Requires API credentials for platform-specific actions
Network Dependencies: Some actions require network connectivity to targets
Permission Requirements: Actions require appropriate administrative permissions

Troubleshooting

Action Failed to Execute

Problem: Containment action reports failure

Solution: Check permissions and connectivity:

# Verify connectivity
action = network.verify_connectivity(target_ip)
print(action.reachable)

# Check required permissions
print(action.required_permissions)

Rollback Not Available

Problem: Cannot rollback a containment action

Solution: Some destructive actions cannot be rolled back:

if action.rollback_available:
    action.rollback()
else:
    print(f"Manual intervention required: {action.rollback_instructions}")

Related Skills

detection: Detect threats to contain
incident-response: Full IR workflow
remediation: Post-containment cleanup
soc-operations: Alert triage

References

GitHub Repository

majiayu000/claude-skill-registry

Path: skills/containment

Related Skills

sglang

evaluating-llms-harness

Testing

This Claude Skill runs the lm-evaluation-harness to benchmark LLMs across 60+ standardized academic tasks like MMLU and GSM8K. It's designed for developers to compare model quality, track training progress, or report academic results. The tool supports various backends including HuggingFace and vLLM models.

View skill

langchain

llamaguard

Other

LlamaGuard is Meta's 7-8B parameter model for moderating LLM inputs and outputs across six safety categories like violence and hate speech. It offers 94-95% accuracy and can be deployed using vLLM, Hugging Face, or Amazon SageMaker. Use this skill to easily integrate content filtering and safety guardrails into your AI applications.

View skill