incident-investigation

$npx mdskill add sirkirby/unifi-mcp/incident-investigation

Correlate device events with camera and access logs to diagnose network outages.

  • Reconstructs incident timelines from device status changes and physical access records.
  • Depends on Network, Unifi Location, and Access server data sources.
  • Cross-references timestamps to identify patterns across multiple infrastructure components.
  • Outputs a chronological timeline with an assessment of the root cause.
SKILL.md (`.github/skills/incident-investigation`)
---
name: incident-investigation
description: Investigate a network incident by correlating device events with camera footage and physical access logs. Use when the user reports a device going offline, a network anomaly, or wants to understand what caused an infrastructure event.
---

# Network Incident Investigation

You are investigating a network infrastructure event using cross-product correlation.

## What You Do

Given an incident (e.g., "switch went offline", "AP stopped responding"), you:

1. Get the device event details from Network (device name, time, status change)
2. Call `unifi_location_timeline` with the time window around the incident
3. Look for correlated events:
   - Camera footage near the device location at the time of the incident
   - Physical access events (was someone in the area?)
   - Whether other devices on the same network segment were affected at the same time
4. Present a timeline of what happened with your assessment
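The correlation logic the four steps describe, as an added worked example (not code from the unifi-mcp project): it takes an incident event, selects the camera, access and peer-device events that fall inside a time window around it and share its location or network segment, renders them as a chronological timeline, and derives a first hypothesis. The `Event` fields, the sample events and the window defaults are constructed assumptions for illustration; the real `unifi_location_timeline` response shape is not shown on this page.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Tuple

# Assumed event shape: a flattened record from any of the three products.
# Field names are an illustration, not the MCP server's actual schema.
@dataclass(frozen=True)
class Event:
    ts: datetime      # when the event happened
    source: str       # "network", "protect" (camera) or "access"
    location: str     # site area, used to link events across products
    segment: str      # network segment; empty for camera/access events
    detail: str       # human-readable description

# Constructed sample data standing in for Network, Protect and Access output.
SAMPLE_EVENTS = [
    Event(datetime(2024, 3, 10, 1, 40), "access", "warehouse", "", "door unlock: badge 0042"),
    Event(datetime(2024, 3, 10, 1, 52), "protect", "warehouse", "", "motion detected: cam-wh-1"),
    Event(datetime(2024, 3, 10, 1, 58), "network", "warehouse", "vlan20", "switch-wh-1 offline"),
    Event(datetime(2024, 3, 10, 1, 59), "network", "warehouse", "vlan20", "ap-wh-2 offline"),
    Event(datetime(2024, 3, 10, 2, 5), "protect", "warehouse", "", "motion detected: cam-wh-1"),
    Event(datetime(2024, 3, 10, 3, 30), "network", "office", "vlan10", "ap-office-1 reboot"),
]


def correlate(incident: Event, events: List[Event],
              before: timedelta = timedelta(minutes=30),
              after: timedelta = timedelta(minutes=30)) -> List[Event]:
    """Step 2 and 3: events inside the window that share the incident's
    location, or sit on the same network segment, in chronological order."""
    start, end = incident.ts - before, incident.ts + after
    related = [
        e for e in events
        if e is not incident
        and start <= e.ts <= end
        and (e.location == incident.location
             or (incident.segment and e.segment == incident.segment))
    ]
    return sorted(related, key=lambda e: e.ts)


def assess(incident: Event, related: List[Event],
           peer_tolerance: timedelta = timedelta(minutes=5)) -> Tuple[str, List[Event]]:
    """Step 4 hypothesis plus the peer devices affected alongside the incident.

    Heuristic order: physical presence just before the outage is the strongest
    lead; several devices on one segment failing together points upstream;
    nothing correlated leaves a device-level fault as the default."""
    presence_before = [
        e for e in related
        if e.source in ("access", "protect") and e.ts <= incident.ts
    ]
    peers = [
        e for e in related
        if e.source == "network" and e.segment == incident.segment
        and abs(e.ts - incident.ts) <= peer_tolerance
    ]
    if presence_before:
        return "physical-presence", peers
    if peers:
        return "shared-upstream", peers
    return "device-fault", peers


def format_timeline(incident: Event, related: List[Event]) -> List[str]:
    """Render the incident and its correlated events as timeline lines."""
    rows = sorted(related + [incident], key=lambda e: e.ts)
    return [
        f"{e.ts:%H:%M} [{e.source}] {e.location}: {e.detail}"
        + ("  <-- incident" if e is incident else "")
        for e in rows
    ]


if __name__ == "__main__":
    switch_outage = SAMPLE_EVENTS[2]
    linked = correlate(switch_outage, SAMPLE_EVENTS)
    print("\n".join(format_timeline(switch_outage, linked)))
    hypothesis, affected = assess(switch_outage, linked)
    print("hypothesis:", hypothesis, "| also affected:", [e.detail for e in affected])
```

The window and peer tolerance are the two knobs worth tuning per site: a wider window catches slow-developing causes (a door opened an hour earlier), while a tighter peer tolerance separates a shared upstream failure from unrelated devices that happened to bounce later.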

## Requirements

- Network server must be connected (this is the primary data source)
- Protect server adds camera correlation (optional but valuable)
- Access server adds physical access context (optional)

## Example Prompts

- "A switch went offline at 2 AM — what happened?"
- "The guest WiFi AP has been dropping — investigate"
- "We lost connectivity to the warehouse at 3:15 PM, what do you see?"