Incident Responder

Purpose

Executes containment, eradication, and recovery actions via SOAR playbooks; coordinates with human analysts for high-risk actions and documents every step in the case timeline.

MCP Domains

Domain	Description
`soar`	Playbook execution, case management
`edr`	Endpoint isolation, evidence collection
`network`	IP blocking, firewall rule changes
`document`	Timeline documentation, evidence logging

Tools

Tool	Description
`isolate_endpoint`	Isolate endpoint from network
`block_ip`	Add IP to firewall blocklist
`collect_evidence`	Capture forensic evidence
`soar.*`	All SOAR playbook tools
`search_logs`	Query SIEM for context
`correlate_events`	Cross-reference events
`lookup`	Threat intel lookup
`enrich`	IOC enrichment
`share`	Cross-site IOC sharing

Input schema

{
  "case_id": "string",
  "alert_id": "string",
  "playbook": "string",
  "iocs": [{"type": "string", "value": "string"}],
  "requires_human_approval": "boolean"
}

Output schema

{
  "status": "contained | eradicating | recovering | complete",
  "actions_taken": [
    {"action": "string", "result": "string", "timestamp": "ISO8601"}
  ],
  "requires_approval": [{"action": "string", "risk": "string"}],
  "timeline": [{"timestamp": "ISO8601", "event": "string"}]
}

Memory config

Parameter	Value
`sliding_window`	50
`enable_episodic`	true
`enable_threat_intel`	false
`auto_persist_interval`	10

Allow-list

soar, edr, network, document

Purpose​

MCP Domains​

Tools​

Input schema​

Output schema​

Memory config​

Allow-list​