incident-response

Purpose

This skill enables OpenClaw to manage the full incident response lifecycle in DevOps environments, including detection, analysis, containment, and recovery of security incidents, using automated tools and integrations.

When to Use

Use this skill when monitoring detects anomalies in DevOps pipelines (e.g., unusual traffic in Kubernetes clusters), during active breaches (e.g., unauthorized access), or for scheduled drills. Apply it in SRE workflows to minimize downtime, such as integrating with CI/CD tools for real-time alerts.

Key Capabilities

• Detection: Scans logs and metrics via API endpoint /api/incident/detect with JSON payload like {"source": "k8s-logs", "threshold": 0.8} to identify threats based on predefined rules.
• Analysis: Parses incident data using CLI flag --analyze-depth 2 to correlate events, e.g., linking IP addresses to user sessions.
• Containment: Isolates affected resources, such as pausing pods in Kubernetes with command openclaw incident contain --resource pod-123 --action pause.
• Recovery: Automates rollbacks or restores from backups, e.g., via API call to /api/incident/recover with payload {"backup_id": "snapshot-456"}.
• Supports integration with tools like Prometheus for monitoring and integrates SRE best practices for incident tracking.

Usage Patterns

To use this skill, first set the environment variable for authentication: export OPENCLAW_API_KEY=your_api_key. Then, follow this pattern: