[REVIEW] containment: add SOAR rollback and legal-hold evidence gates #1176

@stmr

Description

Skill Being Reviewed

Skill name: containment
Skill path: skills/incident-response/containment/

False Positive Analysis

Benign code/configuration that can be misclassified:

```yaml
soar_action:
  name: disable_user
  target: user@example.com
  mode: dry_run
  approval_required: true
  rollback:
    enabled: true
    restore_groups_from_snapshot: true
  legal_hold:
    preserve_mailbox: true
    preserve_endpoint_image: true
```

Why this is a false positive:
The current containment guidance can read any identity disablement as an aggressive credential-revocation action. In SOAR-driven workflows, a dry-run or approval-gated action with rollback and legal-hold preservation is materially different from immediate destructive containment. The skill should ask for execution mode, approval state, rollback plan, and evidence-preservation status before treating the action as disruptive.

Coverage Gaps

Missed variant 1: automated SOAR action without rollback evidence

```yaml
playbook:
  trigger: high_confidence_account_takeover
  actions:
    - disable_user: ${user}
    - revoke_sessions: ${user}
    - remove_from_all_groups: ${user}
```

Why it should be caught:
This can break production access and destroy group-membership evidence. The skill should require pre-action snapshots, rollback criteria, human approval thresholds, and an emergency restore path for high-impact containment automation.

Missed variant 2: containment conflicts with legal hold or regulated preservation

Action: isolate endpoint and wipe temp directories before imaging.
Incident: insider exfiltration involving regulated customer data.

Why it should be caught:
The skill already warns that containment can destroy volatile evidence, but it does not explicitly require legal-hold and regulated-data preservation gates before cleanup or endpoint changes.
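The gates this review asks for (execution mode, approval state, rollback plan with a pre-action snapshot, legal-hold preservation, and post-action validation telemetry) can be expressed as a check over the SOAR spec. The following is an added example written for this review, not code from the containment skill or the repository under review; it classifies the dry-run action from the false-positive section as non-disruptive, flags the ungated playbook from missed variant 1 with the exact gates it lacks, and rejects the wipe-before-imaging action from missed variant 2 for lacking a legal-hold gate. The action names `isolate_endpoint`, `wipe_temp` and `purge_mailbox`, and the fields `validation_telemetry` and `immediate_threat`, are assumed names for illustration; everything else mirrors the YAML in this issue.

```python
"""Evidence-gate check for SOAR containment actions.

Added example for this review, not code from the containment skill.
Action names other than disable_user / revoke_sessions /
remove_from_all_groups, and the 'validation_telemetry' and
'immediate_threat' fields, are assumed names for illustration.
"""

# Gates each action must satisfy before it counts as non-disruptive.
# Human approval is additionally required for every action unless the
# threat is flagged as immediate (e.g. confirmed destructive malware).
ACTION_GATES = {
    "disable_user": {"rollback"},
    "revoke_sessions": {"rollback"},
    "remove_from_all_groups": {"rollback", "group_snapshot"},
    "isolate_endpoint": {"rollback", "telemetry"},   # assumed name
    "wipe_temp": {"legal_hold_endpoint"},             # assumed name
    "purge_mailbox": {"legal_hold_mailbox"},          # assumed name
}


def gates_present(spec):
    """Return the set of evidence gates a spec's fields satisfy."""
    present = set()
    rollback = spec.get("rollback") or {}
    if rollback.get("enabled"):
        present.add("rollback")
        if rollback.get("restore_groups_from_snapshot"):
            present.add("group_snapshot")
    hold = spec.get("legal_hold") or {}
    if hold.get("preserve_mailbox"):
        present.add("legal_hold_mailbox")
    if hold.get("preserve_endpoint_image"):
        present.add("legal_hold_endpoint")
    # Assumed field: True means log shipping from the contained asset is
    # exempted from the isolation rule, so post-action validation can run.
    if spec.get("validation_telemetry"):
        present.add("telemetry")
    return present


def evaluate_action(name, spec):
    """Classify one action as disruptive or gated.

    A dry run is never disruptive. Otherwise the action is disruptive if
    any required evidence gate, or human approval, is missing. The assumed
    'immediate_threat' flag waives only the approval gate, never the
    evidence-preservation gates.
    """
    if spec.get("mode") == "dry_run":
        return {"disruptive": False, "missing": []}
    required = ACTION_GATES.get(name, {"rollback"})
    missing = sorted(required - gates_present(spec))
    if not spec.get("approval_required") and not spec.get("immediate_threat"):
        missing.insert(0, "approval")
    return {"disruptive": bool(missing), "missing": missing}


def evaluate_playbook(playbook):
    """Apply the gates to each step; playbook-level gate fields cover all steps."""
    results = {}
    for step in playbook.get("actions", []):
        (name, _target), = step.items()
        results[name] = evaluate_action(name, playbook)
    return results


def playbook_is_disruptive(playbook):
    return any(r["disruptive"] for r in evaluate_playbook(playbook).values())


# Constructed samples mirroring the YAML in this issue.
BENIGN_SOAR_ACTION = {
    "name": "disable_user",
    "target": "user@example.com",
    "mode": "dry_run",
    "approval_required": True,
    "rollback": {"enabled": True, "restore_groups_from_snapshot": True},
    "legal_hold": {"preserve_mailbox": True, "preserve_endpoint_image": True},
}
UNGATED_PLAYBOOK = {
    "trigger": "high_confidence_account_takeover",
    "actions": [
        {"disable_user": "${user}"},
        {"revoke_sessions": "${user}"},
        {"remove_from_all_groups": "${user}"},
    ],
}
WIPE_BEFORE_IMAGING = {  # missed variant 2: cleanup with no preservation gate
    "name": "wipe_temp",
    "approval_required": True,
    "rollback": {"enabled": False},
}

if __name__ == "__main__":
    print("benign:", evaluate_action("disable_user", BENIGN_SOAR_ACTION))
    for step, result in evaluate_playbook(UNGATED_PLAYBOOK).items():
        print("playbook step", step, "->", result)
    print("wipe before imaging:", evaluate_action("wipe_temp", WIPE_BEFORE_IMAGING))
```

The `missing` list is the useful output for a reviewer: it names the specific artifact the skill should ask for (snapshot, rollback owner, legal-hold status, telemetry exception) rather than just saying "disruptive". Note that removing `mode: dry_run` from the benign action still leaves it non-disruptive, because approval, rollback with snapshot and legal-hold are all present; the gates, not the dry-run flag alone, are what distinguish it from the playbook.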

Edge Cases

  • Identity containment for shared service accounts can stop critical jobs while leaving attacker sessions active through cached tokens.
  • Host isolation through EDR may block forensic acquisition tools unless exceptions are pre-approved.
  • Cloud quarantine security groups can cut off log shipping, preventing validation that containment worked.
  • DNS sinkholing can hide infected hosts if downstream telemetry only records sinkhole IPs and not original queried domains.

Remediation Quality

  • Fix resolves the vulnerability
  • Fix doesn't introduce new security issues
  • Fix doesn't break functionality
  • Issues found: Add explicit evidence gates for SOAR dry-run/approval state, pre-action snapshots, rollback owner, legal-hold status, and post-action validation telemetry. Remediation should recommend staged containment only when threat speed permits; confirmed destructive malware should still favor immediate isolation.

Comparison to Other Tools

| Tool | Catches this? | Notes |
| --- | --- | --- |
| Semgrep | No | Static rules cannot reason about incident-response approval and rollback context. |
| CodeQL | No | No application code vulnerability pattern. |
| Other: Microsoft Sentinel/Defender playbooks | Partial | Can model approvals and automation state, but the review skill needs to ask for those artifacts. |

Overall Assessment

Strengths:
Clear NIST SP 800-61-style containment decision matrix, useful ATT&CK mapping, and good distinction between ransomware and wiper response.

Needs improvement:
SOAR automation and legal-hold requirements are not first-class gates, so reviews can recommend disruptive actions without proving reversibility or preservation.

Priority recommendations:

  1. Add a SOAR automation evidence section covering dry-run, approval, rollback, and action logs.
  2. Add a legal-hold/preservation gate before cleanup, wipe, session destruction, or mailbox changes.
  3. Require validation telemetry to keep flowing after host, DNS, cloud, or identity containment.

Bounty Info

  • I have read and agree to the CONTRIBUTING.md bounty terms
  • Preferred payment method: PayPal samik4184@gmail.com
