Skip to main content
Generalsirkirby

incident-investigation

Investigate a network incident by correlating device events with camera footage and physical access logs. Use when the user reports a device going offline, a network anomaly, or wants to understand what caused an infrastructure event.

Stars
383
Source
sirkirby/unifi-mcp
Updated
2026-05-29
Slug
sirkirby--unifi-mcp--incident-investigation
View on GitHubRaw SKILL.md

// install — copy + paste into any project

mkdir -p .claude/skills && curl -fsSL https://raw.githubusercontent.com/sirkirby/unifi-mcp/HEAD/plugins/cross-product/skills/incident-investigation/SKILL.md -o .claude/skills/incident-investigation.md

Drops the SKILL.md into .claude/skills/incident-investigation.md. Works with Claude Code, Cursor, and any agent that loads SKILL.md files from .claude/skills/.

Network Incident Investigation

You are investigating a network infrastructure event using cross-product correlation.

What You Do

Given an incident (e.g., "switch went offline", "AP stopped responding"), you:

  1. Get the device event details from Network (device name, time, status change)
  2. Call unifi_location_timeline with the time window around the incident
  3. Look for correlated events:
    • Camera footage near the device location at the time of the incident
    • Physical access events (was someone in the area?)
    • Other devices on the same network segment affected?
  4. Present a timeline of what happened with your assessment

Requirements

  • Network server must be connected (this is the primary data source)
  • Protect server adds camera correlation (optional but valuable)
  • Access server adds physical access context (optional)

Example Prompts

  • "A switch went offline at 2 AM — what happened?"
  • "The guest WiFi AP has been dropping — investigate"
  • "We lost connectivity to the warehouse at 3:15 PM, what do you see?"