Implements an integrated incident ticketing system connecting SIEM alerts to ServiceNow, Jira, or TheHive for structured incident tracking, SLA management, escalation workflows, and compliance documentation. Use when SOC teams need formalized incident lifecycle management with automated ticket creation, assignment routing, and resolution tracking.
Works with
AI-first code editor with Composer
Before installing skills in Cursor, ensure your development environment meets these requirements:
node --versionimplementing-ticketing-system-for-incidentsExecute the skills CLI command in your project's root directory to begin installation:
Fetches implementing-ticketing-system-for-incidents from mukul975/Anthropic-Cybersecurity-Skills and configures it for Cursor.
The CLI shows a list of agents. Use arrow keys and space to select Cursor:
Confirm successful installation by checking the skill directory location:
Restart Cursor to activate implementing-ticketing-system-for-incidents. Access via /implementing-ticketing-system-for-incidents in your agent's command palette.
We perform automated surface-level scans (Gen AI Scanner, Socket, Snyk) during installation. These checks detect common vulnerabilities but do not guarantee complete security. Always review skill source code and verify the publisher's reputation before production use.
Skills execute code in your environment. Always review source, verify the publisher, and test in isolation before production.
Submit your Claude Code skill and start earning
Automate repetitive workflows and reduce manual effort
Example
Generate reports, summarize documents, draft communications
Save 3-5 hours per week on routine tasks
Learn new skills, understand complex topics, get expert guidance
Example
Explain concepts, provide examples, suggest learning resources
Accelerate learning and skill development by 2x
Enhance output quality through reviews, suggestions, and refinements
Example
Review drafts, suggest improvements, catch errors
Improve work quality by 30-40% with less effort
0
total installs
0
this week
8.6K
GitHub stars
0
upvotes
Run in your terminal
0
installs
0
this week
8.6K
stars
| name | implementing-ticketing-system-for-incidents |
| description | 'Implements an integrated incident ticketing system connecting SIEM alerts to ServiceNow, Jira, or TheHive for structured incident tracking, SLA management, escalation workflows, and compliance documentation. Use when SOC teams need formalized incident lifecycle management with automated ticket creation, assignment routing, and resolution tracking. ' |
| domain | cybersecurity |
| subdomain | soc-operations |
| tags | - soc - ticketing - servicenow - jira - thehive - incident-management - sla - workflow |
| version | '1.0' |
| author | mahipal |
| license | Apache-2.0 |
| nist_csf | - DE.CM-01 - DE.AE-02 - RS.MA-01 - DE.AE-06 |
Use this skill when:
Do not use for individual alert triage — ticketing is for confirmed incidents requiring multi-step investigation and remediation, not every SIEM alert.
Establish standardized incident categories and severity:
incident_taxonomy:
categories:
- malware_infection
- phishing_campaign
- unauthorized_access
- data_exfiltration
- denial_of_service
- ransomware
- insider_threat
- vulnerability_exploitation
- account_compromise
- policy_violation
severity_levels:
critical:
definition: "Active data breach, ransomware, or business-critical system compromise"
response_sla: 15 minutes
resolution_sla: 4 hours
escalation: immediate to Tier 3 + CISO notification
examples: ["Active ransomware", "Domain admin compromise", "Customer data breach"]
high:
definition: "Confirmed compromise of business systems or multiple user accounts"
response_sla: 30 minutes
resolution_sla: 8 hours
escalation: Tier 2 immediate, Tier 3 if unresolved in 2 hours
examples: ["Malware with C2", "Lateral movement detected", "Phishing with credential theft"]
medium:
definition: "Confirmed security event requiring investigation and remediation"
response_sla: 2 hours
resolution_sla: 24 hours
escalation: Tier 2 within 4 hours
examples: ["Single phishing click", "Unauthorized software", "Policy violation"]
low:
definition: "Minor security event with limited impact"
response_sla: 8 hours
resolution_sla: 72 hours
escalation: Tier 1 standard queue
examples: ["Scan attempt", "Failed brute force (no compromise)", "Info disclosure"]
ServiceNow Integration via REST API:
import requests
import json
from datetime import datetime
class IncidentTicketManager:
def __init__(self, snow_url, snow_user, snow_password):
self.snow_url = snow_url
self.auth = (snow_user, snow_password)
self.headers = {
"Content-Type": "application/json",
"Accept": "application/json"
}
def create_incident(self, alert_data):
"""Create ServiceNow incident from SIEM alert"""
severity_map = {
"critical": "1",
"high": "2",
"medium": "3",
"low": "4"
}
payload = {
"short_description": f"[SEC] {alert_data['rule_name']} — {alert_data['src']}",
"description": self._build_description(alert_data),
"category": "Security",
"subcategory": alert_data.get("category", "Investigation"),
"urgency": severity_map.get(alert_data["severity"], "3"),
"impact": severity_map.get(alert_data["severity"], "3"),
"assignment_group": self._get_assignment_group(alert_data["severity"]),
"caller_id": "soc_automation",
"u_siem_event_id": alert_data.get("notable_id", ""),
"u_mitre_technique": alert_data.get("mitre_technique", ""),
"u_affected_hosts": ", ".join(alert_data.get("affected_hosts", [])),
"u_iocs": json.dumps(alert_data.get("iocs", {}))
}
response = requests.post(
f"{self.snow_url}/api/now/table/incident",
auth=self.auth,
headers=self.headers,
json=payload
)
result = response.json()["result"]
return {
"ticket_number": result["number"],
"sys_id": result["sys_id"],
"state": result["state"]
}
def _build_description(self, alert_data):
return f"""
SECURITY INCIDENT — Auto-generated from SIEM
================================================
Alert Rule: {alert_data['rule_name']}
SIEM Event ID: {alert_data.get('notable_id', 'N/A')}
Detection Time: {alert_data['detection_time']}
Severity: {alert_data['severity'].upper()}
MITRE ATT&CK: {alert_data.get('mitre_technique', 'N/A')}
Source: {alert_data.get('src', 'N/A')}
Destination: {alert_data.get('dest', 'N/A')}
User: {alert_data.get('user', 'N/A')}
Initial Context:
{alert_data.get('description', 'See SIEM for details.')}
IOCs:
{json.dumps(alert_data.get('iocs', {}), indent=2)}
"""
def _get_assignment_group(self, severity):
if severity in ("critical", "high"):
return "SOC Tier 2"
return "SOC Tier 1"
def update_incident(self, ticket_number, updates):
"""Update an existing incident"""
# First get sys_id from ticket number
response = requests.get(
f"{self.snow_url}/api/now/table/incident",
auth=self.auth,
headers=self.headers,
params={"sysparm_query": f"number={ticket_number}", "sysparm_limit": 1}
)
sys_id = response.json()["result"][0]["sys_id"]
# Update
response = requests.patch(
f"{self.snow_url}/api/now/table/incident/{sys_id}",
auth=self.auth,
headers=self.headers,
json=updates
)
return response.json()["result"]
def add_work_note(self, ticket_number, note):
"""Add investigation note to incident"""
self.update_incident(ticket_number, {"work_notes": note})
def escalate_incident(self, ticket_number, reason):
"""Escalate to next tier"""
self.update_incident(ticket_number, {
"assignment_group": "SOC Tier 3",
"urgency": "1",
"work_notes": f"ESCALATED: {reason}"
})
def resolve_incident(self, ticket_number, resolution):
"""Resolve and close incident"""
self.update_incident(ticket_number, {
"state": "6", # Resolved
"close_code": "Resolved",
"close_notes": resolution,
"u_incident_disposition": resolution.split(":")[0] if ":" in resolution else "Resolved"
})
TheHive Case Creation (alternative to ServiceNow):
import requests
class TheHiveCaseManager:
def __init__(self, thehive_url, api_key):
self.url = thehive_url
self.headers = {
"Authorization": f"Bearer {api_key}",
"Content-Type": "application/json"
}
def create_case(self, alert_data):
"""Create case in TheHive from SIEM alert"""
case = {
"title": f"[{alert_data['severity'].upper()}] {alert_data['rule_name']}",
"description": self._build_markdown_description(alert_data),
"severity": {"critical": 4, "high": 3, "medium": 2, "low": 1}.get(
alert_data["severity"], 2
),
"tlp": 2, # TLP:AMBER
"pap": 2, # PAP:AMBER
"tags": [
alert_data.get("mitre_technique", ""),
alert_data.get("category", ""),
f"source:{alert_data.get('src', 'unknown')}"
],
"tasks": self._generate_tasks(alert_data["severity"]),
"customFields": {
"siem-event-id": {"string": alert_data.get("notable_id", "")},
"mitre-technique": {"string": alert_data.get("mitre_technique", "")},
"detection-source": {"string": "Splunk ES"}
}
}
response = requests.post(
f"{self.url}/api/case",
headers=self.headers,
json=case
)
return response.json()
def _generate_tasks(self, severity):
"""Generate investigation tasks based on severity"""
tasks = [
{"title": "Initial Triage", "group": "Phase 1", "description": "Review SIEM alert and validate findings"},
{"title": "IOC Enrichment", "group": "Phase 1", "description": "Enrich all IOCs with VT, AbuseIPDB"},
{"title": "Scope Assessment", "group": "Phase 2", "description": "Determine affected systems and users"},
]
if severity in ("critical", "high"):
tasks.extend([
{"title": "Containment Actions", "group": "Phase 2", "description": "Isolate affected systems"},
{"title": "Evidence Collection", "group": "Phase 3", "description": "Preserve forensic artifacts"},
{"title": "Eradication", "group": "Phase 3", "description": "Remove threat from environment"},
{"title": "Recovery", "group": "Phase 4", "description": "Restore systems to normal operations"},
{"title": "Post-Incident Review", "group": "Phase 4", "description": "Document lessons learned"},
])
else:
tasks.append(
{"title": "Resolution and Documentation", "group": "Phase 2", "description": "Document findings and close"}
)
return tasks
def add_observable(self, case_id, ioc_type, ioc_value, description=""):
"""Add IOC observable to case"""
observable = {
"dataType": ioc_type,
"data": ioc_value,
"message": description,
"tlp": 2,
"ioc": True,
"tags": ["auto-extracted"]
}
response = requests.post(
f"{self.url}/api/case/{case_id}/artifact",
headers=self.headers,
json=observable
)
return response.json()
Splunk SLA Monitoring Dashboard:
--- Active incidents approaching SLA breach
index=servicenow sourcetype="snow:incident" category="Security" state IN ("New", "In Progress")
| eval sla_minutes = case(
urgency="1", 15,
urgency="2", 30,
urgency="3", 120,
urgency="4", 480
)
| eval age_minutes = round((now() - strptime(opened_at, "%Y-%m-%d %H:%M:%S")) / 60, 0)
| eval sla_remaining = sla_minutes - age_minutes
| eval sla_status = case(
sla_remaining < 0, "BREACHED",
sla_remaining < sla_minutes * 0.25, "AT RISK",
1=1, "ON TRACK"
)
| where sla_status IN ("BREACHED", "AT RISK")
| sort sla_remaining
| table number, short_description, urgency, assignment_group, assigned_to,
age_minutes, sla_minutes, sla_remaining, sla_status
Auto-Escalation Logic:
def check_sla_breaches(ticket_manager):
"""Check for SLA breaches and auto-escalate"""
open_incidents = ticket_manager.get_open_incidents()
for incident in open_incidents:
age_minutes = (datetime.utcnow() - incident["opened_at"]).total_seconds() / 60
sla_minutes = {"1": 15, "2": 30, "3": 120, "4": 480}[incident["urgency"]]
if age_minutes > sla_minutes and incident["state"] == "New":
ticket_manager.escalate_incident(
incident["number"],
f"SLA BREACH: {int(age_minutes)}min elapsed, {sla_minutes}min SLA. Auto-escalating."
)
--- Monthly incident metrics
index=servicenow sourcetype="snow:incident" category="Security"
opened_at > "2024-03-01" opened_at < "2024-04-01"
| stats count AS total,
avg(eval((resolved_at - opened_at) / 3600)) AS avg_resolution_hours,
sum(eval(if(urgency="1", 1, 0))) AS critical,
sum(eval(if(urgency="2", 1, 0))) AS high,
sum(eval(if(urgency="3", 1, 0))) AS medium,
sum(eval(if(urgency="4", 1, 0))) AS low
| eval avg_resolution = round(avg_resolution_hours, 1)
--- SLA compliance rate
index=servicenow sourcetype="snow:incident" category="Security" state="Resolved"
| eval sla_target = case(urgency="1", 4, urgency="2", 8, urgency="3", 24, urgency="4", 72)
| eval resolution_hours = (resolved_at - opened_at) / 3600
| eval sla_met = if(resolution_hours <= sla_target, 1, 0)
| stats sum(sla_met) AS met, count AS total
| eval compliance_pct = round(met / total * 100, 1)
| Term | Definition |
|---|---|
| Incident Ticket | Formal tracking record for a confirmed security incident with lifecycle management |
| SLA | Service Level Agreement defining maximum response and resolution times by severity |
| Escalation Path | Defined routing from Tier 1 to Tier 2/3 based on severity, time elapsed, or analyst request |
| Disposition | Final classification of a closed incident (true positive, false positive, duplicate, policy violation) |
| MTTR | Mean Time to Resolve — average time from ticket creation to resolution across all incidents |
| Case Management | Structured approach to managing complex incidents with tasks, observables, and audit trails |
INCIDENT TICKET — INC0012567
━━━━━━━━━━━━━━━━━━━━━━━━━━━
Title: [SEC] Cobalt Strike C2 Beacon Detected — WORKSTATION-042
Category: Security > Malware Infection
Severity: Critical (P1)
SLA: Response: 15 min | Resolution: 4 hours
Timeline:
14:23 Ticket created (auto from Splunk ES NE-2024-08921)
14:25 Assigned to analyst_jdoe (Tier 2)
14:28 Work note: "VT confirms Cobalt Strike beacon, hash a1b2c3..."
14:35 Work note: "Host isolated via CrowdStrike, C2 domain blocked"
15:00 Work note: "Enterprise IOC scan — 2 additional hosts found"
15:30 Escalated to Tier 3 for forensic analysis
16:00 Work note: "All affected hosts contained and cleaned"
18:00 Resolved: "Malware eradicated, systems restored, monitoring for 72h"
Metrics:
Time to Acknowledge: 2 minutes
Time to Contain: 12 minutes
Time to Resolve: 3 hours 37 minutes
SLA Status: MET (within 4-hour resolution target)
Prerequisites
Time Estimate
15-45 minutes depending on use case complexity
Steps
Common Pitfalls
✓ Do
✗ Don't
💡 Pro Tips
✓ Use when
Use when skill capabilities match your task, clear ROI on time saved, and you can validate outputs. Best for repetitive tasks, learning, and quality improvement.
✗ Avoid when
Avoid when task requires deep expertise you can't validate, involves sensitive decisions, or when learning process is more valuable than speed of completion.
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
Useful defaults in implementing-ticketing-system-for-incidents — fewer surprises than typical one-off scripts, and it plays nicely with `npx skills` flows.
implementing-ticketing-system-for-incidents has been reliable in day-to-day use. Documentation quality is above average for community skills.
I recommend implementing-ticketing-system-for-incidents for anyone iterating fast on agent tooling; clear intent and a small, reviewable surface area.
Solid pick for teams standardizing on skills: implementing-ticketing-system-for-incidents is focused, and the summary matches what you get after install.
Keeps context tight: implementing-ticketing-system-for-incidents is the kind of skill you can hand to a new teammate without a long onboarding doc.
Useful defaults in implementing-ticketing-system-for-incidents — fewer surprises than typical one-off scripts, and it plays nicely with `npx skills` flows.
We added implementing-ticketing-system-for-incidents from the explainx registry; install was straightforward and the SKILL.md answered most questions upfront.
implementing-ticketing-system-for-incidents reduced setup friction for our internal harness; good balance of opinion and flexibility.
implementing-ticketing-system-for-incidents is among the better-maintained entries we tried; worth keeping pinned for repeat workflows.
I recommend implementing-ticketing-system-for-incidents for anyone iterating fast on agent tooling; clear intent and a small, reviewable surface area.
showing 1-10 of 43