The SANS Incident Response process for handling a cyber security incident contains the following steps:
- Lessons Learned
This SANS content pack contains several playbooks to help streamline your incident response according to SANS guidelines as outlined in the SANS Incident Handler’s Handbook.
What does this pack do?
The playbooks in this pack contain the phases for handling an incident as they are described in the SANS Institute ‘Incident Handler’s Handbook’ by Patrick Kral.
Disclaimer: This playbooks don’t ensure compliance to SANS regulations.
The “SANS - Incident Handler's Handbook Template” playbook provides a template that helps analysts follow these stages.
The “SANS - Incident Handlers Checklist” playbook follows the “Incident Handler’s Checklist” described in the SANS Institute ‘Incident Handler’s Handbook’ by Patrick Kral, and provides the analyst an easy solution for following the correct stages and tasks while handling an incident.
The “SANS - Lessons Learned” helps SOC teams process an incident after it occurs and facilitates the lessons learned, organized by SANS stages.
The “Brute Force Investigation - Generic - SANS” playbook handles a Brute Force incident based on the stages described above.
The playbooks included in this pack helps you save time and automate repetitive tasks associated with Access incidents:
- Handle the incident based on the stages in SANS Institute ‘Incident Handler’s Handbook’ by Patrick Kral.
- Set the “SANS Stage” field to the different stages most relevant to the ongoing investigation.
- Gather and enrich user and IP information.
- Interact with the suspected user about the activity.
- Calculate the incident’s severity
- Remediate the incident by blocking malicious indicators and disabling the account.
- Generate an investigation summary report.
- Run the “SANS - Lessons learned” sub-playbook to process the incident after the investigation and remediation is over.
For more information, visit our Cortex XSOAR Developer Docs