Incident Response Process and Playbooks | Goal: Playbooks to be Mapped to MITRE Attack Techniques


That this project will be created by the SOC/Incident Response Community

  • Develop a Catalog of Incident Response Playbook for every MITRE Technique (that possible, to make one for).
  • Develop a Catalog of Incident Response Playbook for uncommon incidents.
  • Develop a Catalog of Exercise Scenarios that can be used for training purposes.
  • Develop a Catalog of tools used for Incident Response [Plus Reviews for the different tools].
  • Develop a Catalog of Incident Response Automations.
  • Develop a Catalog of Checklists [For Before, During, After Incidents].
  • Develop a Catalog of Roles that a organization can use, to build their own program.
  • Develop a Catalog of Event Codes and API Actions that you can/will see in a SIEM Detections.

Incident Response Phases

This project will use a modified Incident Response Process of mixing SANS Incident Response Process and NIST Incident Response Process.

NOTE: The common "preparation" phase will not be part of this Incident Response Process, but on each playbook will include a (P) Preparation at the beginning of each playbook.

More than one phase can be running in parallel.

  1. Investigate
  2. Remediate (contain, eradicate)
  3. Communicate
  4. Recover
  5. Lessons Learned

If you have any changes that you think would be good for this incident response process please create a issue description what you want to change to this incident response process.

Inspiration For This Project

Just felt like there was something missing for Incident Response and a centrally place for playbooks, SIEM Processes, Forensics and other processes around Incident Response.