
SANS

This SANS Content Pack helps you streamline incident response according to SANS guidelines as outlined in the SANS Incident Handler’s Handbook.

The SANS Incident Response process for handling a cyber security incident contains the following steps:

  • Preparation
  • Identification
  • Containment
  • Eradication
  • Recovery
  • Lessons Learned


What does this pack do?

The playbooks in this pack contain the phases for handling an incident as they are described in the SANS Institute ‘Incident Handler’s Handbook’ by Patrick Kral.
https://www.sans.org/reading-room/whitepapers/incident/incident-handlers-handbook-33901
Disclaimer: These playbooks do not ensure compliance with SANS guidelines; the Handbook is guidance, not a regulatory standard.
The “SANS - Incident Handler's Handbook Template” playbook provides a template that helps analysts follow these stages.
The “SANS - Incident Handlers Checklist” playbook follows the “Incident Handler’s Checklist” described in the SANS Institute ‘Incident Handler’s Handbook’ by Patrick Kral, and gives the analyst a straightforward way to follow the correct stages and tasks while handling an incident.
The “SANS - Lessons Learned” playbook helps SOC teams process an incident after it occurs and facilitates the lessons-learned review, organized by SANS stages.
The “Brute Force Investigation - Generic - SANS” playbook handles a Brute Force incident based on the stages described above.
The playbooks included in this pack help you save time and automate repetitive tasks associated with Access incidents:

  • Handle the incident based on the stages in SANS Institute ‘Incident Handler’s Handbook’ by Patrick Kral.
  • Set the “SANS Stage” field to the different stages most relevant to the ongoing investigation.
  • Gather and enrich user and IP information.
  • Interact with the suspected user about the activity.
  • Calculate the incident’s severity.
  • Remediate the incident by blocking malicious indicators and disabling the account.
  • Generate an investigation summary report.
  • Run the “SANS - Lessons Learned” sub-playbook to process the incident after the investigation and remediation are over.
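The brute-force flow listed above, as an added worked example in plain Python. This is not the pack’s playbook and uses no XSOAR API; it approximates offline what the playbook automates: parse auth-log lines, flag failure bursts per (user, source IP), derive a severity on the 0–4 scale XSOAR uses, plan containment (block the source, disable the account if the attacker got in), walk the SANS Stage field through the Handbook’s stages, and produce a summary. The log lines, the thresholds, and the `Incident` stand-in are constructed assumptions for illustration.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Stage names from the SANS Incident Handler's Handbook, in handbook order.
SANS_STAGES = ("Preparation", "Identification", "Containment",
               "Eradication", "Recovery", "Lessons Learned")

# Constructed sample auth-log lines (syslog-like; not captured from a real host).
SAMPLE_LOG = """\
2020-11-09T10:00:01 sshd: Failed password for alice from 203.0.113.7
2020-11-09T10:00:03 sshd: Failed password for alice from 203.0.113.7
2020-11-09T10:00:05 sshd: Failed password for alice from 203.0.113.7
2020-11-09T10:00:07 sshd: Failed password for alice from 203.0.113.7
2020-11-09T10:00:09 sshd: Failed password for alice from 203.0.113.7
2020-11-09T10:00:12 sshd: Accepted password for alice from 203.0.113.7
2020-11-09T10:30:00 sshd: Failed password for bob from 198.51.100.4
2020-11-09T10:30:01 sshd: Failed password for bob from 198.51.100.4
2020-11-09T10:30:02 sshd: Failed password for bob from 198.51.100.4
2020-11-09T10:30:03 sshd: Failed password for bob from 198.51.100.4
2020-11-09T10:30:04 sshd: Failed password for bob from 198.51.100.4
2020-11-09T11:00:00 sshd: Failed password for carol from 192.0.2.10
2020-11-09T11:45:00 sshd: Accepted password for carol from 192.0.2.10
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) sshd: (?P<outcome>Failed|Accepted) password "
                     r"for (?P<user>\S+) from (?P<ip>\S+)$")


@dataclass
class Finding:
    user: str
    ip: str
    failures: int
    success_after_failures: bool  # a login succeeded after the burst: likely compromise


@dataclass
class Incident:
    """Hypothetical stand-in for an XSOAR Access incident with a 'SANS Stage' field."""
    findings: list
    sans_stage: str = "Preparation"
    severity: int = 0
    actions: list = field(default_factory=list)
    history: list = field(default_factory=list)

    def set_stage(self, stage):
        if stage not in SANS_STAGES:
            raise ValueError(f"unknown SANS stage: {stage}")
        self.sans_stage = stage
        self.history.append(stage)


def parse_log(text):
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip unrelated lines instead of aborting the investigation
        events.append((datetime.fromisoformat(m["ts"]), m["outcome"], m["user"], m["ip"]))
    return sorted(events)


def detect_brute_force(events, threshold=5, window=timedelta(minutes=1)):
    """Identification: flag (user, ip) pairs with >= threshold failures inside `window`."""
    by_pair = defaultdict(list)
    for ev in events:
        by_pair[(ev[2], ev[3])].append(ev)
    findings = []
    for (user, ip), evs in by_pair.items():
        fails = [e[0] for e in evs if e[1] == "Failed"]
        # Sliding window over sorted failure timestamps.
        burst = any(fails[i + threshold - 1] - fails[i] <= window
                    for i in range(len(fails) - threshold + 1))
        if not burst:
            continue
        success_after = any(e[1] == "Accepted" and e[0] > fails[-1] for e in evs)
        findings.append(Finding(user, ip, len(fails), success_after))
    return findings


def calculate_severity(findings, user_confirmed_activity):
    """0 unknown, 1 low .. 4 critical. Benign if the user confirms the activity was theirs."""
    if not findings:
        return 0
    if user_confirmed_activity:
        return 1
    return 4 if any(f.success_after_failures for f in findings) else 3


def plan_remediation(findings, user_confirmed_activity):
    """Containment/Eradication: block the source; disable the account if the attacker got in."""
    actions = []
    if user_confirmed_activity:
        return actions
    for f in findings:
        actions.append(f"block ip {f.ip}")
        if f.success_after_failures:
            actions.append(f"disable account {f.user}")
    return actions


def run_investigation(log_text, user_confirmed_activity=False):
    inc = Incident(findings=[])
    inc.set_stage("Identification")
    inc.findings = detect_brute_force(parse_log(log_text))
    inc.severity = calculate_severity(inc.findings, user_confirmed_activity)
    inc.set_stage("Containment")
    inc.actions = plan_remediation(inc.findings, user_confirmed_activity)
    for stage in ("Eradication", "Recovery", "Lessons Learned"):
        inc.set_stage(stage)
    return inc


def summary_report(inc):
    lines = [f"Severity: {inc.severity}", "Stages: " + " -> ".join(inc.history)]
    lines += [f"{f.user} from {f.ip}: {f.failures} failures, "
              f"success after burst: {f.success_after_failures}" for f in inc.findings]
    return "\n".join(lines + (inc.actions or ["no remediation"]))


if __name__ == "__main__":
    print(summary_report(run_investigation(SAMPLE_LOG)))
```

In the sample, alice’s burst is followed by a successful login and so drives severity to 4 and an account disable, bob’s burst only earns a source block, and carol’s single failure never crosses the threshold. Passing `user_confirmed_activity=True` models the “interact with the suspected user” step: a confirmed-benign answer drops severity to 1 and suppresses remediation.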

For more information, visit our Cortex XSOAR Developer Docs


PUBLISHER

Cortex XSOAR

INFO

Certification: Read more
Supported By: Cortex XSOAR
Created: November 9, 2020
Last Release: December 14, 2020

DISCLAIMER
Content packs are licensed by the Publisher identified above and subject to the Publisher’s own licensing terms. Palo Alto Networks is not liable for and does not warrant or support any content pack produced by a third-party Publisher, whether or not such packs are designated as “Palo Alto Networks-certified” or otherwise. For more information, see the Marketplace documentation.