generate-report

Name: generate-report
Author: dandye/ai-runbooks

$npx mdskill add dandye/ai-runbooks/generate-report

Save investigation findings to timestamped markdown files.

Creates permanent records for triage, enrichment, and investigation tasks.
Depends on the Write tool to persist content to disk.
Uses report type and suffix inputs to construct standardized filenames.
Delivers the complete file path and write status to the caller.

SKILL.md

.github/skills/generate-reportView on GitHub ↗

---
name: generate-report
description: "Save investigation findings to a markdown report file. Use after completing triage, enrichment, or investigation to create a permanent record. Generates timestamped files in ./reports/ directory."
personas: [all]
---

# Generate Report Skill

Save generated report content to a markdown file with standardized naming convention.

## Inputs

- `REPORT_CONTENT` - The full markdown content of the report
- `REPORT_TYPE` - Short identifier for the report type:
  - `alert_triage` - Alert triage reports
  - `ioc_enrichment` - IOC enrichment reports
  - `case_investigation` - Case investigation reports
  - `hunt_summary` - Threat hunt reports
  - `incident_report` - Incident response reports
- `REPORT_NAME_SUFFIX` - Descriptive suffix (e.g., case ID, IOC value, hunt name)
- *(Optional)* `TARGET_DIRECTORY` - Directory to save in (default: `./reports/`)

## Workflow

### Step 1: Construct Filename

Generate standardized filename:
```
{TARGET_DIRECTORY}/{REPORT_TYPE}_{REPORT_NAME_SUFFIX}_{YYYYMMDD_HHMM}.md
```

Examples:
- `./reports/alert_triage_case_1234_20250115_1430.md`
- `./reports/ioc_enrichment_198.51.100.10_20250115_0900.md`
- `./reports/hunt_summary_APT29_20250115_1200.md`

### Step 2: Write File

Use the Write tool to save `REPORT_CONTENT` to the constructed path.

## Outputs

| Output | Description |
|--------|-------------|
| `REPORT_FILE_PATH` | Full path to the saved report file |
| `WRITE_STATUS` | Success/failure status of the write operation |

## Report Template Structure

```markdown
# [Report Type]: [Subject]

**Generated:** [timestamp]
**Runbook:** [runbook name that generated this]
**Case/Alert ID:** [if applicable]

## Summary
[Brief overview of findings]

## Details
[Detailed findings, enrichment data, etc.]

## Assessment
[Risk assessment, classification]

## Recommendations
[Next steps, actions to take]

## Appendix
[Raw data, tool outputs, diagrams]
```

## Naming Convention

| Report Type | Suffix Example | Full Example |
|-------------|----------------|--------------|
| alert_triage | case_1234 | `alert_triage_case_1234_20250115_1430.md` |
| ioc_enrichment | evil.com | `ioc_enrichment_evil.com_20250115_0900.md` |
| hunt_summary | APT29 | `hunt_summary_APT29_20250115_1200.md` |

More from dandye/ai-runbooks

Skill	Description
analyze-content-gaps	Identify content gaps and organizational opportunities. Analyzes missing content areas, redundancies, and consolidation opportunities.
audit-content	Comprehensive content quality and maintenance assessment. Evaluates documentation quality, relevance, maintenance needs, and provides actionable recommendations.
check-duplicates	"Check for duplicate or similar cases. Use before deep analysis to avoid investigating the same incident twice. Takes a CASE_ID and returns list of similar cases."
close-case-artifact	"Close a case or alert with proper reason and documentation. Use when triage determines an alert is FP/BTP or investigation is complete. Requires artifact ID, type, closure reason, and root cause."
cluster-documents	Automated content similarity and grouping analysis. Groups related documents by topic, purpose, or content similarity.
confirm-action	"Ask the user to confirm before taking a significant action. Use before containment, remediation, or other impactful operations to ensure analyst approval. Presents options and waits for response."
correlate-ioc	"Check for existing SIEM alerts and case management entries related to IOCs. Use to understand if an indicator has triggered previous alerts or is part of ongoing investigations. Takes IOC list and returns related alerts and cases."
deep-dive-ioc	"Perform exhaustive analysis of a critical IOC. Use when an IOC needs Tier 2+ investigation beyond basic enrichment - includes GTI pivoting, deep SIEM searches, correlation with related entities, and threat attribution. For escalated IOCs requiring comprehensive investigation."
design-metadata-schema	Design comprehensive metadata frameworks. Develops structured metadata templates and tagging systems.
document-in-case	"Add a comment to a case to document findings, actions, or recommendations. Use to maintain audit trail during investigations. Requires CASE_ID and comment text."