---
name: SOCI Incident Responder
description: "Drafts the SOCI Act incident notification brief for the 12-72 hour window: affected assets, classification, containment, impact, and recipients."
---

# SOCI Incident Responder

> **TL;DR:** This skill drafts the structured incident notification brief required under the Security of Critical Infrastructure Act for the 12-72 hour notification window, capturing affected assets, classification, containment status, service impact, and notification recipients.

## How does the SOCI Incident Responder skill structure a critical infrastructure notification?

This skill produces a SOCI-aligned incident notification brief drafted against the two mandatory cyber incident reporting windows: 12 hours for a critical cyber security incident (significant impact on the availability of the asset) and 72 hours for any other cyber security incident with a relevant impact. It reflects the SOCI Act amendments of November 2025, which expanded scope to telecommunications and secondary assets. The brief captures the affected assets and their SOCI classification, the incident classification, containment status, service and population impact, indicators of compromise, and the notification recipients. It frames the response for a Microsoft 365 cloud environment and keeps the brief audit-ready, with the evidence behind each line traceable to Defender or Purview records.

## When should you run this skill?

- "Prepare a SOCI incident report"
- "Build a SOCI-aligned incident brief"
- "Draft the 12-hour critical incident notification"
- "Respond to a critical infrastructure cyber incident"

## How this skill works, step by step

1. Confirm the asset classification under SOCI: primary critical infrastructure asset, secondary asset, or telecommunications asset
2. Record the timestamp at which the entity became aware of the incident (the reporting clock runs from that moment, so use a timezone-qualified ISO 8601 value) and the current containment state
3. Classify the incident: critical cyber security incident (significant impact on the availability of the asset, 12-hour window) vs other cyber security incident (relevant impact, 72-hour window)
4. Identify affected services and Australian population segments
5. Record containment, eradication, and recovery actions taken to date, each with its timestamp and the evidence source it was taken from
6. List notification recipients: CISC, ASD ACSC, sector regulator, affected customers
7. Produce the brief below

## Output format

```text
SOCI Incident Notification Brief
1. Reporting Entity: <legal name + ABN>
2. Asset(s) in scope: <names + SOCI classification>
3. Incident Classification: Critical (12hr) | Other Notifiable (72hr)
4. First Detected: <ISO 8601>
5. Containment Status: <Contained | Active | Eradicated | Recovering>
6. Service Impact: <description + affected population>
7. Indicators of Compromise: <list>
8. Actions Taken: <chronology>
9. Notification Recipients: <CISC, ACSC, regulator, customers>
10. Next Update Due: <ISO 8601>
```
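The step list and the template above leave two things to the operator: working out when the 12-hour or 72-hour window actually closes, and getting the chronology straight when actions are collected from several evidence sources. The following added example (not the skill's own code) does both and renders the brief in the format above. It assumes the incident facts are supplied in the `Incident` dataclass shown, that every timestamp is ISO 8601 with a UTC offset, and that the window is measured from `first_detected`; the sample entity, asset names, addresses and times are constructed.

```python
"""SOCI incident brief: deadline arithmetic and template rendering.

Added example, not the skill's own code. Assumes incident facts arrive in the
Incident dataclass below, every timestamp is ISO 8601 with a UTC offset, and
the 12-hour / 72-hour windows run from `first_detected`.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta

# Reporting windows for the two tiers, keyed by the labels the template uses.
WINDOWS = {
    "Critical (12hr)": timedelta(hours=12),
    "Other Notifiable (72hr)": timedelta(hours=72),
}
VALID_STATUS = {"Contained", "Active", "Eradicated", "Recovering"}


@dataclass
class Incident:
    reporting_entity: str
    assets: list[tuple[str, str]]        # (asset name, SOCI classification)
    significant_availability_impact: bool
    first_detected: str                  # ISO 8601 with UTC offset
    containment_status: str
    service_impact: str
    indicators: list[str]
    actions: list[tuple[str, str]]       # (ISO 8601 timestamp, action taken)
    recipients: list[str]
    next_update_due: str


def parse_iso8601(value: str) -> datetime:
    """Parse an ISO 8601 timestamp, rejecting one with no UTC offset.

    A naive timestamp is ambiguous between AEST and AEDT and would move the
    deadline by an hour, so it is an error rather than a guess.
    """
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if dt.tzinfo is None:
        raise ValueError(f"timestamp must carry a UTC offset: {value!r}")
    return dt


def classify(significant_availability_impact: bool) -> str:
    """Significant impact on availability -> 12-hour tier; otherwise 72-hour tier."""
    return "Critical (12hr)" if significant_availability_impact else "Other Notifiable (72hr)"


def notification_deadline(first_detected: str, classification: str) -> datetime:
    """Latest time the notification may be made for this classification."""
    return parse_iso8601(first_detected) + WINDOWS[classification]


def hours_remaining(first_detected: str, classification: str, now: datetime) -> float:
    """Hours left in the window at `now`; negative once the window has lapsed."""
    return (notification_deadline(first_detected, classification) - now) / timedelta(hours=1)


def render_brief(inc: Incident) -> str:
    """Render the ten-line brief in the skill's output format."""
    if inc.containment_status not in VALID_STATUS:
        raise ValueError(f"unknown containment status {inc.containment_status!r}")
    first = parse_iso8601(inc.first_detected)
    # Actions come from several sources (Defender timeline, Purview audit), so the
    # chronology is sorted by parsed timestamp rather than trusted as given, and an
    # action dated before detection is treated as a data error.
    actions = sorted(inc.actions, key=lambda a: parse_iso8601(a[0]))
    if actions and parse_iso8601(actions[0][0]) < first:
        raise ValueError(f"action at {actions[0][0]} predates first detection")
    return "\n".join([
        "SOCI Incident Notification Brief",
        f"1. Reporting Entity: {inc.reporting_entity}",
        "2. Asset(s) in scope: " + "; ".join(f"{n} ({c})" for n, c in inc.assets),
        f"3. Incident Classification: {classify(inc.significant_availability_impact)}",
        f"4. First Detected: {first.isoformat()}",
        f"5. Containment Status: {inc.containment_status}",
        f"6. Service Impact: {inc.service_impact}",
        "7. Indicators of Compromise: " + ", ".join(inc.indicators),
        "8. Actions Taken: " + " | ".join(f"{ts} {what}" for ts, what in actions),
        "9. Notification Recipients: " + ", ".join(inc.recipients),
        f"10. Next Update Due: {parse_iso8601(inc.next_update_due).isoformat()}",
    ])


# Constructed sample incident: not a real entity, asset, address or event.
SAMPLE = Incident(
    reporting_entity="Example Energy Pty Ltd (ABN 00 000 000 000)",
    assets=[("Grid SCADA historian", "primary critical infrastructure asset"),
            ("M365 tenant data stores", "secondary asset")],
    significant_availability_impact=True,
    first_detected="2025-03-10T02:15:00+11:00",
    containment_status="Contained",
    service_impact="Historian unavailable 02:10-04:40 AEDT; no customer outage",
    indicators=["203.0.113.7", "svc-backup@example.com OAuth consent grant"],
    actions=[("2025-03-10T04:40:00+11:00", "historian host isolated via Defender"),
             ("2025-03-10T02:30:00+11:00", "compromised service principal disabled")],
    recipients=["ASD ACSC", "CISC", "sector regulator", "affected retailers"],
    next_update_due="2025-03-10T10:15:00+11:00",
)

if __name__ == "__main__":
    now = datetime.fromisoformat("2025-03-10T06:15:00+11:00")
    label = classify(SAMPLE.significant_availability_impact)
    print(render_brief(SAMPLE))
    print(f"Hours remaining in {label} window: "
          f"{hours_remaining(SAMPLE.first_detected, label, now):.1f}")
```

Run it as a script to see the rendered brief followed by the hours left in the window; a negative figure means the window has already lapsed and the brief should say so in the chronology. The refusal of naive timestamps is deliberate: Defender exports times in UTC and operators write local AEST/AEDT times, and mixing the two silently shifts a 12-hour deadline.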

## Scope and safety

This skill does NOT:

- Submit the notification (drafts the brief only — submission is via the regulator's portal)
- Make legal determinations on reportability
- Replace the entity's Risk Management Programme obligations

## Licensing and permissions

### Licences and add-ons

| Capability used | Minimum licence |
| --- | --- |
| Microsoft Purview audit and eDiscovery evidence for the incident chronology | Microsoft 365 E5 or the Microsoft 365 E5 Compliance add-on |
| Microsoft Defender incident and alert timeline for affected assets | Microsoft 365 E5 or Microsoft Defender for Endpoint Plan 2 |

### Least-privilege roles

- Security Reader — read-only access to Microsoft Defender incidents, alerts, and affected asset details
- Audit Reader (Microsoft Purview role group) — read-only access to Microsoft Purview audit evidence supporting the chronology; Compliance Administrator also grants this access but carries write rights, so prefer Audit Reader

### Microsoft Graph permissions (read-only)

This skill drafts the SOCI notification brief from incident evidence and does not call Microsoft Graph to submit anything. Where the chronology is assembled from Microsoft 365 telemetry, the following read-only scopes apply:

- `SecurityIncident.Read.All` — reads Microsoft Defender incidents and alerts for affected assets
- `AuditLog.Read.All` — reads Microsoft Entra ID audit and sign-in logs (directory changes, authentications) for the incident chronology; the Microsoft Purview unified audit log is searched through the Purview portal or `Search-UnifiedAuditLog` in Exchange Online PowerShell rather than through this scope

Final notification is lodged through the regulator's portals (the Cyber and Infrastructure Security Centre and the ASD ACSC), not via Microsoft Graph.

## Sources and compliance

- SOCI Act amendments of November 2025 expanded scope to telecommunications and secondary assets
- Aligned to the Essential Eight mitigation strategy Regular Backups; pair the brief with backup verification evidence to support post-incident recovery reporting
- Reference: [https://www.cisc.gov.au/legislation-regulation-and-compliance](https://www.cisc.gov.au/legislation-regulation-and-compliance)
- Keep the brief in the organisation's incident response repository for SOCI audit purposes
- Output in Australian English
