incident-response
Installation
SKILL.md
Purpose
This skill enables OpenClaw to manage the full incident response lifecycle in DevOps environments, including detection, analysis, containment, and recovery of security incidents, using automated tools and integrations.
When to Use
Use this skill when monitoring detects anomalies in DevOps pipelines (e.g., unusual traffic in Kubernetes clusters), during active breaches (e.g., unauthorized access), or for scheduled drills. Apply it in SRE workflows to minimize downtime, such as integrating with CI/CD tools for real-time alerts.
Key Capabilities
- Detection: Scans logs and metrics via API endpoint
/api/incident/detectwith JSON payload like{"source": "k8s-logs", "threshold": 0.8}to identify threats based on predefined rules. - Analysis: Parses incident data using CLI flag
--analyze-depth 2to correlate events, e.g., linking IP addresses to user sessions. - Containment: Isolates affected resources, such as pausing pods in Kubernetes with command
openclaw incident contain --resource pod-123 --action pause. - Recovery: Automates rollbacks or restores from backups, e.g., via API call to
/api/incident/recoverwith payload{"backup_id": "snapshot-456"}. - Supports integration with tools like Prometheus for monitoring and integrates SRE best practices for incident tracking.
Usage Patterns
To use this skill, first set the environment variable for authentication: export OPENCLAW_API_KEY=your_api_key. Then, follow this pattern: