SKILL.md (paste into Microsoft 365 Copilot or Claude)
---
name: SOCI Incident Responder
description: "Drafts the SOCI Act incident notification brief for the 12-72 hour window: affected assets, classification, containment, impact, and recipients."
---
# SOCI Incident Responder
> **TL;DR:** This skill drafts the structured incident notification brief required under the Security of Critical Infrastructure Act for the 12-72 hour notification window, capturing affected assets, classification, containment status, service impact, and notification recipients.
## How does the SOCI Incident Responder skill structure a critical infrastructure notification?
This skill produces a SOCI-aligned incident notification brief that supports the two mandatory cyber incident reporting windows under the SOCI Act: 12 hours for a critical cyber security incident (significant impact) and 72 hours for any other notifiable cyber security incident (relevant impact), both measured from when the entity becomes aware of the incident. The SOCI Act amendments of November 2025 expanded scope to telecommunications and secondary assets. The brief captures the affected assets and their SOCI classification, the incident classification, containment status, service and population impact, indicators of compromise, and the notification recipients. It frames the response for a Microsoft 365 cloud environment and keeps the brief audit-ready.
## When should you run this skill?
- "Prepare a SOCI incident report"
- "Build a SOCI-aligned incident brief"
- "Draft the 12-hour critical incident notification"
- "Respond to a critical infrastructure cyber incident"
## How this skill works, step by step
1. Confirm the asset classification under SOCI: primary critical infrastructure asset, secondary asset, or telecom asset
2. Record incident first-detected timestamp and current containment state
3. Classify the incident: significant impact (12-hour) vs relevant impact (72-hour)
4. Identify affected services and Australian population segments
5. Record containment, eradication, and recovery actions taken to date
6. List notification recipients: CISC, ASD ACSC, sector regulator, affected customers
7. Produce the brief below
## Output format
```text
SOCI Incident Notification Brief
1. Reporting Entity: <legal name + ABN>
2. Asset(s) in scope: <names + SOCI classification>
3. Incident Classification: Critical (12hr) | Other Notifiable (72hr)
4. First Detected: <ISO 8601>
5. Containment Status: <Contained | Active | Eradicated | Recovering>
6. Service Impact: <description + affected population>
7. Indicators of Compromise: <list>
8. Actions Taken: <chronology>
9. Notification Recipients: <CISC, ACSC, regulator, customers>
10. Next Update Due: <ISO 8601>
```
## Scope and safety
This skill does NOT:
- Submit the notification (drafts the brief only — submission is via the regulator's portal)
- Make legal determinations on reportability
- Replace the entity's Risk Management Programme obligations
## Licensing and permissions
### Licences and add-ons
| Capability used | Minimum licence |
| --- | --- |
| Microsoft Purview audit and eDiscovery evidence for the incident chronology | Microsoft 365 E5 or the Microsoft 365 E5 Compliance add-on |
| Microsoft Defender incident and alert timeline for affected assets | Microsoft 365 E5 or Microsoft Defender for Endpoint Plan 2 |
### Least-privilege roles
- Security Reader — read-only access to Microsoft Defender incidents, alerts, and affected asset details
- Compliance Administrator (read) or Audit Reader — read-only access to Microsoft Purview audit evidence supporting the chronology
### Microsoft Graph permissions (read-only)
This skill drafts the SOCI notification brief from incident evidence and does not call Microsoft Graph to submit anything. Where the chronology is assembled from Microsoft 365 telemetry, the following read-only scopes apply:
- `SecurityIncident.Read.All` — reads Microsoft Defender incidents and alerts for affected assets
- `AuditLog.Read.All` — reads Microsoft Entra ID directory audit and sign-in logs for the identity portion of the chronology. This scope does not cover the Microsoft Purview unified audit log; pull that evidence separately with `Search-UnifiedAuditLog` in Exchange Online PowerShell (or an export from Purview audit search) under the Audit Reader role listed above.
Final notification is lodged through the regulator's portals (the Cyber and Infrastructure Security Centre and the ASD ACSC), not via Microsoft Graph.
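The step-by-step procedure and the read-only Graph scopes above are enough to fill the telemetry-backed fields of the brief mechanically. The following Python is an added example, not part of the skill file or the HybridSP catalogue: it computes the 12- or 72-hour window close from the first-detected timestamp, merges Defender alerts with containment actions from the Entra audit log into one time-ordered chronology, and renders the output format above. The incident and audit records are constructed samples in the shape Microsoft Graph returns for the two scopes (no live calls are made), and every host, address and account in them is invented.

```python
"""Added example, not part of the SKILL.md above: derive the telemetry-backed fields of the brief
(chronology, indicators, containment hint, notification deadline) from Graph-shaped records.
SAMPLE_INCIDENT and SAMPLE_AUDIT are constructed samples in the shape of GET /security/incidents/{id}
and GET /auditLogs/directoryAudits; hosts, IPs and accounts are invented, not real telemetry."""
from __future__ import annotations

import json
from datetime import datetime, timedelta

# Mandatory reporting windows, in hours from when the entity becomes aware of the incident.
WINDOW_HOURS = {"Critical (12hr)": 12, "Other Notifiable (72hr)": 72}

SAMPLE_INCIDENT = json.loads("""{
  "status": "active",
  "createdDateTime": "2025-06-03T14:05:00Z",
  "alerts": [
    {"title": "Suspicious sign-in from anonymous IP address", "createdDateTime": "2025-06-03T14:05:00Z",
     "evidence": [{"@odata.type": "#microsoft.graph.security.ipEvidence", "ipAddress": "203.0.113.45"}]},
    {"title": "Credential dumping attempt on SCADA-GW-01", "createdDateTime": "2025-06-03T15:40:00Z",
     "evidence": [{"@odata.type": "#microsoft.graph.security.deviceEvidence",
                   "deviceDnsName": "scada-gw-01.example.net.au"}]}
  ]
}""")

SAMPLE_AUDIT = [
    {"activityDateTime": "2025-06-03T16:10:00Z", "activityDisplayName": "Disable account",
     "initiatedBy": {"user": {"userPrincipalName": "ir-oncall@example.net.au"}}},
    {"activityDateTime": "2025-06-03T16:12:00Z", "activityDisplayName": "Revoke sign-in sessions",
     "initiatedBy": {"user": {"userPrincipalName": "ir-oncall@example.net.au"}}},
]


def parse_iso(ts: str) -> datetime:
    """Graph emits UTC with a trailing Z; return an aware datetime so deadline maths is unambiguous."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def notification_deadline(first_detected: str, classification: str) -> datetime:
    """Close of the statutory window for the given classification."""
    return parse_iso(first_detected) + timedelta(hours=WINDOW_HOURS[classification])


def hours_remaining(first_detected: str, classification: str, now_iso: str) -> float:
    """Hours left to lodge the notification; negative once the window has closed."""
    return (notification_deadline(first_detected, classification) - parse_iso(now_iso)) / timedelta(hours=1)


def extract_iocs(incident: dict) -> list[str]:
    """Collect IP and device indicators from alert evidence, deduplicated, in first-seen order."""
    iocs: list[str] = []
    for alert in incident["alerts"]:
        for ev in alert.get("evidence", []):
            value = ev.get("ipAddress") or ev.get("deviceDnsName")
            if value and value not in iocs:
                iocs.append(value)
    return iocs


def build_chronology(incident: dict, audit: list[dict]) -> list[tuple[str, str]]:
    """Merge Defender alerts and containment actions from the Entra audit log into one timeline."""
    events = [(a["createdDateTime"], f"Defender alert: {a['title']}") for a in incident["alerts"]]
    events += [(e["activityDateTime"], f"Entra audit: {e['activityDisplayName']} by "
                f"{e['initiatedBy']['user']['userPrincipalName']}") for e in audit]
    return sorted(events, key=lambda ev: parse_iso(ev[0]))


def render_brief(incident: dict, audit: list[dict], classification: str, now_iso: str) -> str:
    """Fill the telemetry-derived fields of the brief; entity, asset, impact and recipient fields
    stay as prompts because they need a judgement the telemetry cannot supply."""
    first = incident["createdDateTime"]
    deadline = notification_deadline(first, classification)
    left = hours_remaining(first, classification, now_iso)
    # Defender's status is only a hint; the responder must confirm the real containment state.
    containment = "Contained" if incident["status"] == "resolved" else "Active"
    clock = f"({left:.1f} h remaining)" if left >= 0 else f"(WINDOW CLOSED {-left:.1f} h ago)"
    lines = [
        "SOCI Incident Notification Brief",
        "1. Reporting Entity: <legal name + ABN>",
        "2. Asset(s) in scope: <names + SOCI classification>",
        f"3. Incident Classification: {classification}",
        f"4. First Detected: {first}",
        f"5. Containment Status: {containment}",
        "6. Service Impact: <description + affected population>",
        "7. Indicators of Compromise: " + ", ".join(extract_iocs(incident)),
        "8. Actions Taken:",
        *[f"   {ts}  {what}" for ts, what in build_chronology(incident, audit)],
        "9. Notification Recipients: <CISC, ACSC, regulator, customers>",
        # The window close is the latest the notification can be lodged, so it is the default due time.
        f"10. Next Update Due: {deadline.isoformat()}  {clock}",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_brief(SAMPLE_INCIDENT, SAMPLE_AUDIT, "Critical (12hr)", "2025-06-03T20:05:00Z"))
```

Run it as-is to see the brief for the constructed incident; in practice the two samples are replaced with the JSON returned by the Graph calls under the scopes listed above. The clock starts at first detection, not at the moment the brief is written, so the `WINDOW CLOSED` marker flags a brief that is already late rather than one that still has time for a fuller chronology.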
## Sources and compliance
- SOCI Act amendments of November 2025 expanded scope to telecom and secondary assets
- Aligned to the Essential Eight mitigation strategy Regular Backups; pair the brief with backup verification evidence to support post-incident recovery reporting
- Reference: [https://www.cisc.gov.au/legislation-regulation-and-compliance](https://www.cisc.gov.au/legislation-regulation-and-compliance)
- Keep the brief in the organisation's incident response repository for SOCI audit purposes
- Output in Australian English
How to use this skill
- Get the file. Download or copy the `SKILL.md` from the panel above.
- Load it into your host:
  - Microsoft 365 Copilot / Copilot Studio: add it as the instructions of a declarative agent or Copilot Studio agent.
  - Claude (Cowork / Claude Code): drop the file into your skills folder; it loads as an Agent Skill automatically.
  - Any chat host: paste the file contents as your prompt.
- Grant read-only access. Assign the least-privilege roles and Microsoft Graph scopes listed under Licensing and permissions above.
- Provide the incident scope (the Defender incident and the affected assets) and run it.
- Review the brief and lodge the notification through the regulator's portal; the skill does not submit it for you.

This skill is read-only by default: it inspects and reports, and never changes your tenant.
Licensed under CC BY 4.0 by Educ4te . Adapted from the open HybridSP skills catalogue.