
SANS - Lessons Learned

This Playbook is part of the SANS Pack.

Assists in post-processing an incident and facilitates the lessons learned stage, as presented in the SANS Institute ‘Incident Handler’s Handbook’ by Patrick Kral.

Disclaimer: This playbook does not ensure compliance with SANS regulations.


This playbook uses the following sub-playbooks, integrations, and scripts.


This playbook does not use any sub-playbooks.


This playbook does not use any integrations.


This playbook does not use any scripts.


This playbook does not use any commands.

Playbook Inputs

| Name | Description | Required |
| --- | --- | --- |
| DataCollection | Uses a data collection task to answer lessons learned questions based on SANS. Specify "True" to automatically send the communication task, and "False" to prevent it. | Optional |
| Email | The email address to which to send the questions. | Optional |

Playbook Outputs

| Path | Description | Type |
| --- | --- | --- |
| SANS - Lessons Learned.Answers.0 | The time the problem was first detected and by whom. | longText |
| SANS - Lessons Learned.Answers.1 | The scope of the incident. | longText |
| SANS - Lessons Learned.Answers.2 | The way the incident was contained and eradicated. | longText |
| SANS - Lessons Learned.Answers.3 | The work performed during recovery. | longText |
| SANS - Lessons Learned.Answers.4 | The areas where the CIRT teams were effective. | longText |
| SANS - Lessons Learned.Answers.5 | The areas that need improvement. | longText |
| SANS - Lessons Learned.Answers.6 | Share ideas and information in order to improve team effectiveness in future incidents. | longText |
| SANS - Lessons Learned.Answers.name | The answered username or email address. | unknown |
