incident response

Building Incident Response Playbooks

Designs and documents structured incident response playbooks that define step-by-step procedures for specific incident types aligned with NIST SP 800-61r3 and SANS PICERL frameworks. Covers playbook structure, decision trees, escalation criteria, RACI matrices, and integration with SOAR platforms. Activates for requests involving IR playbook creation, incident response procedure documentation, response runbook development, or SOAR playbook design.

ir-playbooknist-800-61response-proceduresrunbooksoar-integration
Install this skill
npx skills add mukul975/Anthropic-Cybersecurity-Skills
Framework mappings

When to Use

  • Establishing or maturing an incident response program from scratch
  • Documenting procedures for a new incident type after a novel attack
  • Automating response workflows in a SOAR platform (Cortex XSOAR, Splunk SOAR)
  • Preparing for compliance audits requiring documented IR procedures (SOC 2, PCI-DSS, HIPAA)
  • Conducting a gap analysis of existing IR capabilities against specific threat scenarios

Do not use for one-time ad hoc investigations; playbooks are reusable procedure documents, not case-specific reports.

Prerequisites

  • Organizational risk assessment identifying top incident scenarios by likelihood and impact
  • NIST SP 800-61r3 or SANS PICERL framework adopted as the organizational IR standard
  • Asset inventory with business criticality ratings and data classification
  • RACI chart defining roles: Incident Commander, SOC analysts, system administrators, legal, communications
  • Existing detection capabilities inventory (SIEM rules, EDR detections, IDS signatures)
  • SOAR platform access if building automated playbooks

Workflow

Step 1: Select and Scope the Incident Type

Define the specific scenario the playbook will address:

  • Identify the top incident types based on organizational risk assessment and historical data
  • Scope each playbook to a single incident type for clarity (do not combine unrelated scenarios)
  • Define trigger conditions that activate the playbook

Common playbook types:

Priority Playbooks (build first):
1. Ransomware incident response
2. Phishing/credential compromise
3. Business email compromise
4. Malware infection
5. Data breach/exfiltration
6. DDoS attack
7. Insider threat
8. Account takeover
9. Web application compromise
10. Cloud infrastructure compromise

Step 2: Define the Playbook Structure

Every playbook should follow a consistent structure:

PLAYBOOK TEMPLATE
━━━━━━━━━━━━━━━━
1. Playbook Metadata
   - Name, version, owner, last review date
   - Trigger conditions
   - Severity criteria
 
2. RACI Matrix
   - Who is Responsible, Accountable, Consulted, Informed for each step
 
3. Detection & Triage
   - How the incident is detected
   - Initial triage checklist
   - Severity classification criteria
 
4. Containment
   - Short-term containment actions
   - Long-term containment actions
   - Evidence preservation requirements
 
5. Eradication
   - Root cause identification
   - Malware/threat removal steps
   - Verification procedures
 
6. Recovery
   - System restoration steps
   - Validation criteria
   - Monitoring requirements post-recovery
 
7. Post-Incident
   - Lessons learned meeting trigger
   - Report template
   - Detection improvement actions
 
8. Communication
   - Internal notification matrix
   - External notification requirements (regulators, customers, law enforcement)
   - Status update cadence
 
9. Appendices
   - Tool-specific procedures
   - Contact lists
   - Evidence collection checklists

Step 3: Write Decision Trees and Escalation Criteria

Define clear decision points with binary outcomes:

Detection Alert Received
├── Is the alert a true positive?
│   ├── YES → Classify severity
│   │   ├── P1 (Critical) → Page incident commander, begin containment immediately
│   │   ├── P2 (High) → Notify IR lead, begin investigation within 30 min
│   │   ├── P3 (Medium) → Queue for investigation within 4 hours
│   │   └── P4 (Low) → Document and investigate within 24 hours
│   └── NO → Document as false positive, tune detection rule
└── Cannot determine → Escalate to Tier 2 for deeper analysis

Escalation triggers:

  • Any P1 incident: Immediate escalation to IR lead and CISO
  • Data exfiltration confirmed: Legal counsel and privacy officer notified
  • Customer data involved: Customer notification process activated
  • Third-party involvement: Vendor security contact engaged
  • Law enforcement needed: General counsel authorizes before contact

Step 4: Define Specific Technical Procedures

Write tool-specific instructions for each step (not generic guidance):

CONTAINMENT - Endpoint Isolation via CrowdStrike:
1. Open Falcon Console > Hosts > Search for affected hostname
2. Click on the host > Host Details
3. Click "Contain Host" button in upper right
4. Confirm isolation (host will only communicate with CrowdStrike cloud)
5. Document containment action in incident ticket with timestamp
6. Verify containment: Host should show "Contained" status badge
 
CONTAINMENT - Block C2 Domain at DNS:
1. SSH to DNS server: ssh admin@dns-primary.corp.local
2. Add to block zone: echo "zone evil.com { type master; file /etc/bind/db.sinkhole; };" >> /etc/bind/named.conf.local
3. Reload DNS: rndc reload
4. Verify: dig @dns-primary evil.com (should resolve to sinkhole IP 10.0.0.99)
5. Document blocked domain in incident ticket

Step 5: Integrate with SOAR Platform

Convert manual playbook steps into automated workflows:

  • Map each playbook step to a SOAR action (API call, script, human decision point)
  • Define automation boundaries (what runs automatically vs. what requires analyst approval)
  • Build enrichment automations for the triage phase
  • Create containment automations with approval gates for high-impact actions
  • Configure notification automations for stakeholder communication

Step 6: Test and Maintain the Playbook

Validate the playbook through exercises and maintain currency:

  • Conduct tabletop exercises with the IR team walking through the playbook
  • Perform live-fire exercises simulating the incident type in a test environment
  • Review and update after every real incident that uses the playbook
  • Schedule quarterly reviews for accuracy of contact lists, tool procedures, and escalation paths
  • Track playbook metrics: mean time to contain, mean time to resolve, false positive rate

Key Concepts

Term Definition
Playbook Documented, repeatable set of procedures for responding to a specific incident type
Runbook More granular than a playbook; step-by-step technical instructions for a specific task within a playbook
RACI Matrix Responsibility assignment chart defining who is Responsible, Accountable, Consulted, and Informed for each activity
Decision Tree Flowchart-based logic defining the response path based on binary conditions at each decision point
Escalation Criteria Predefined conditions that trigger notification of higher-level personnel or external parties
SOAR Playbook Automated workflow in a Security Orchestration, Automation, and Response platform executing playbook steps

Tools & Systems

  • Cortex XSOAR: SOAR platform with visual playbook editor, 700+ integrations, and collaborative War Room
  • Splunk SOAR: SOAR platform integrated with Splunk ES, drag-and-drop playbook builder with 2,800+ automated actions
  • TheHive: Open-source incident response platform with case templates that function as playbook frameworks
  • Confluence / GitLab Wiki: Documentation platforms for maintaining human-readable playbook documents with version control
  • Tines: No-code security automation platform for building playbook workflows without programming

Common Scenarios

Scenario: Building a Phishing Response Playbook from Scratch

Context: An organization with a 5-person SOC has no documented phishing response procedure. Analysts handle phishing reports inconsistently.

Approach:

  1. Interview SOC analysts to document their current ad hoc process
  2. Define the trigger: user reports phishing email via abuse@ mailbox or phishing button
  3. Write triage steps: extract email headers, check sender reputation, analyze URLs/attachments in sandbox
  4. Define containment: quarantine email from all mailboxes, block sender domain, reset passwords if credentials entered
  5. Build SOAR automation: auto-extract IOCs from reported email, enrich via VirusTotal, create case in TheHive
  6. Test with simulated phishing email and measure response time improvement

Pitfalls:

  • Writing overly generic procedures that don't reference specific tool interfaces or commands
  • Not including the communication plan for notifying users who received the phishing email
  • Forgetting to define the criteria for when a phishing report becomes a full incident investigation
  • Not versioning the playbook or scheduling regular review cycles

Output Format

INCIDENT RESPONSE PLAYBOOK
============================
Playbook Name:    Phishing Incident Response
Version:          2.1
Owner:            SOC Manager
Last Reviewed:    2025-11-01
Next Review:      2026-02-01
Trigger:          Phishing email reported via abuse@corp.com or phish button
 
RACI MATRIX
Activity                    | SOC L1 | SOC L2 | IR Lead | Legal | Comms
Initial Triage              |   R    |   C    |   I     |       |
Email Analysis              |   R    |   A    |   I     |       |
Containment                 |        |   R    |   A     |   I   |
Credential Reset            |        |   R    |   A     |       |
User Notification           |        |   C    |   A     |       |   R
Regulatory Notification     |        |        |   C     |   R   |   A
Lessons Learned             |   C    |   C    |   R     |   I   |   I
 
PROCEDURE STEPS
[Detailed steps with tool-specific instructions]
 
DECISION TREE
[Flowchart logic]
 
ESCALATION MATRIX
[Conditions and contacts]
 
METRICS
Target MTTA: 15 minutes
Target MTTC: 1 hour
Target MTTR: 4 hours
Source materials

References and resources

Everything below is rendered for inspection. Script files are read-only and never run.

References 1

api-reference.md2.3 KB

API Reference: Building Incident Response Playbook

TheHive API (Case Management)

import requests
 
THEHIVE_URL = "http://thehive:9000"
headers = {"Authorization": "Bearer <api_key>"}
 
# Create a new case from playbook
resp = requests.post(f"{THEHIVE_URL}/api/v1/case", headers=headers, json={
    "title": "Ransomware - IR-2024-0450",
    "severity": 3,
    "tlp": 3,
    "pap": 2,
    "tags": ["ransomware", "playbook:ransomware-v2.1"],
    "description": "Ransomware detected on WORKSTATION-042",
})
 
# Add tasks from playbook phases
resp = requests.post(f"{THEHIVE_URL}/api/v1/case/{case_id}/task",
    headers=headers, json={
        "title": "Isolate affected hosts",
        "group": "Containment",
        "status": "Waiting",
    })
 
# Add observable (IOC)
resp = requests.post(f"{THEHIVE_URL}/api/v1/case/{case_id}/observable",
    headers=headers, json={
        "dataType": "ip",
        "data": "185.234.218.50",
        "message": "C2 server",
        "tlp": 2,
        "ioc": True,
    })

Cortex XSOAR API (SOAR Playbook)

# Trigger a playbook run
resp = requests.post("https://xsoar/api/v2/incident/investigate",
    headers={"Authorization": "<api_key>"},
    json={"id": "incident-123", "playbookId": "Phishing_Response_v2"})
 
# List available playbooks
resp = requests.get("https://xsoar/api/v2/playbook/search",
    headers={"Authorization": "<api_key>"},
    json={"query": "name:Phishing*"})

Splunk SOAR (Phantom) API

# Run a playbook on a container
resp = requests.post("https://phantom/rest/playbook_run",
    headers={"ph-auth-token": "<token>"},
    json={"container_id": 42, "playbook_id": 15, "scope": "new"})

NIST SP 800-61r3 Phases

Phase Key Actions
Preparation Playbooks, tools, contacts, training
Detection & Analysis Alerts, triage, scoping, severity
Containment Isolation, blocking, evidence preservation
Eradication Root cause removal, IOC sweep
Recovery Restore, validate, monitor
Post-Incident Lessons learned, detection improvement

References

Scripts 1

agent.py9.5 KB
Display-only source. This catalog never executes bundled scripts.
#!/usr/bin/env python3
"""Agent for building and managing incident response playbooks."""

import os
import json
import argparse
from datetime import datetime

import requests


PLAYBOOK_TYPES = {
    "ransomware": {
        "name": "Ransomware Incident Response",
        "trigger": "EDR alert for file encryption activity or ransom note detection",
        "severity_default": "P1",
        "phases": {
            "detection": [
                "EDR alerts on mass file encryption (CrowdStrike, SentinelOne)",
                "Canary file modification alerts from deception tools",
                "User reports of inaccessible files or ransom note",
            ],
            "containment": [
                "Isolate affected hosts via EDR network containment",
                "Block C2 IPs/domains at firewall and DNS sinkhole",
                "Disable compromised accounts in Active Directory",
                "Segment affected network VLANs at switch level",
            ],
            "eradication": [
                "Identify ransomware variant and initial access vector",
                "Remove persistence mechanisms (scheduled tasks, services, registry)",
                "Scan enterprise for IOCs using EDR threat hunt",
                "Patch exploited vulnerability if applicable",
            ],
            "recovery": [
                "Restore from verified clean backups (test integrity first)",
                "Rebuild compromised systems from gold images",
                "Re-enable accounts with forced password reset and MFA",
                "Monitor restored systems for 72 hours post-recovery",
            ],
        },
    },
    "phishing": {
        "name": "Phishing Incident Response",
        "trigger": "User report via abuse mailbox or phishing button",
        "severity_default": "P2",
        "phases": {
            "detection": [
                "User report to abuse@company.com or phish report button",
                "Email gateway alert on suspicious attachment/link",
                "SIEM correlation of multiple reports for same sender",
            ],
            "containment": [
                "Quarantine phishing email from all mailboxes (O365 purge or Exchange)",
                "Block sender domain and reply-to address in email gateway",
                "If credentials entered: force password reset and revoke sessions",
                "Block malicious URL at web proxy",
            ],
            "eradication": [
                "Extract and submit IOCs (URLs, hashes, sender) to TI platform",
                "Search email logs for all recipients of the phishing email",
                "Verify no malware payload executed on endpoints",
                "Update email filtering rules to catch similar campaigns",
            ],
            "recovery": [
                "Notify affected users with guidance on what to watch for",
                "Restore any quarantined legitimate emails (false positives)",
                "Schedule targeted phishing awareness training for clickers",
            ],
        },
    },
    "data_breach": {
        "name": "Data Breach / Exfiltration Response",
        "trigger": "DLP alert, anomalous data transfer, or external notification",
        "severity_default": "P1",
        "phases": {
            "detection": [
                "DLP policy violation alert on sensitive data movement",
                "Network anomaly detection for large outbound transfers",
                "Cloud access broker alert for unauthorized file sharing",
            ],
            "containment": [
                "Block exfiltration channel (IP, domain, cloud service)",
                "Revoke access for compromised account",
                "Preserve affected system for forensic imaging",
                "Engage legal counsel for breach notification assessment",
            ],
            "eradication": [
                "Determine scope: what data, how much, which systems",
                "Identify root cause and attack vector",
                "Remove attacker access and persistence",
                "Audit all access to affected data stores",
            ],
            "recovery": [
                "Implement additional DLP controls on affected data",
                "Reset credentials for all accounts with access to breached data",
                "Execute breach notification plan if PII/PHI involved",
                "Engage external forensics firm if required by cyber insurance",
            ],
        },
    },
}


def generate_playbook(playbook_type):
    """Generate a structured IR playbook for the given incident type."""
    template = PLAYBOOK_TYPES.get(playbook_type)
    if not template:
        return {"error": f"Unknown playbook type: {playbook_type}"}
    playbook = {
        "metadata": {
            "name": template["name"],
            "version": "1.0",
            "created": datetime.utcnow().isoformat(),
            "owner": "SOC Manager",
            "default_severity": template["severity_default"],
            "trigger": template["trigger"],
            "framework": "NIST SP 800-61r3",
        },
        "raci": {
            "detection": {"R": "SOC L1", "A": "SOC L2", "C": "IR Lead", "I": ""},
            "containment": {"R": "SOC L2", "A": "IR Lead", "C": "CISO", "I": "Legal"},
            "eradication": {"R": "IR Lead", "A": "CISO", "C": "IT Ops", "I": "Mgmt"},
            "recovery": {"R": "IT Ops", "A": "IR Lead", "C": "Business Owner", "I": "CISO"},
            "post_incident": {"R": "IR Lead", "A": "CISO", "C": "All", "I": "Exec"},
        },
        "phases": template["phases"],
        "escalation": {
            "P1": "Immediate: IR Lead + CISO + Legal within 15 minutes",
            "P2": "IR Lead notified within 30 minutes",
            "P3": "Queued for investigation within 4 hours",
        },
        "communication": {
            "internal_cadence": "Every 2 hours during active incident",
            "executive_update": "Within 1 hour of P1 declaration",
            "regulatory": "Within 72 hours if personal data involved (GDPR)",
        },
    }
    return playbook


def check_thehive_cases(thehive_url, api_key):
    """List open incident cases from TheHive."""
    headers = {"Authorization": f"Bearer {api_key}"}
    resp = requests.post(f"{thehive_url}/api/v1/query", headers=headers, json={
        "query": [
            {"_name": "listCase"},
            {"_name": "filter", "_field": "status", "_value": "Open"},
            {"_name": "sort", "_fields": [{"startDate": "desc"}]},
            {"_name": "page", "from": 0, "to": 50},
        ]
    }, timeout=30)
    resp.raise_for_status()
    cases = []
    for c in resp.json():
        cases.append({
            "number": c.get("number"),
            "title": c.get("title"),
            "severity": c.get("severity"),
            "status": c.get("status"),
            "start_date": c.get("startDate"),
            "owner": c.get("owner"),
        })
    return cases


def calculate_ir_metrics(thehive_url, api_key, days=30):
    """Calculate incident response metrics from TheHive cases."""
    headers = {"Authorization": f"Bearer {api_key}"}
    resp = requests.post(f"{thehive_url}/api/v1/query", headers=headers, json={
        "query": [
            {"_name": "listCase"},
            {"_name": "filter", "_field": "status", "_value": "Resolved"},
            {"_name": "page", "from": 0, "to": 500},
        ]
    }, timeout=30)
    resp.raise_for_status()
    cases = resp.json()
    total_resolve_ms = 0
    count = 0
    for c in cases:
        if c.get("endDate") and c.get("startDate"):
            resolve_ms = c["endDate"] - c["startDate"]
            total_resolve_ms += resolve_ms
            count += 1
    avg_mttr_hours = (total_resolve_ms / count / 3600000) if count else 0
    return {"resolved_cases": count, "avg_mttr_hours": round(avg_mttr_hours, 1)}


def main():
    parser = argparse.ArgumentParser(description="Incident Response Playbook Agent")
    parser.add_argument("--playbook-type", choices=list(PLAYBOOK_TYPES.keys()))
    parser.add_argument("--thehive-url", default=os.getenv("THEHIVE_URL"))
    parser.add_argument("--thehive-key", default=os.getenv("THEHIVE_API_KEY"))
    parser.add_argument("--output", default="ir_playbook_output.json")
    parser.add_argument("--action", choices=[
        "generate", "list_cases", "metrics", "all_playbooks"
    ], default="generate")
    args = parser.parse_args()

    report = {"generated_at": datetime.utcnow().isoformat()}

    if args.action == "generate" and args.playbook_type:
        playbook = generate_playbook(args.playbook_type)
        report["playbook"] = playbook
        print(f"[+] Generated playbook: {playbook['metadata']['name']}")

    if args.action == "all_playbooks":
        report["playbooks"] = {}
        for ptype in PLAYBOOK_TYPES:
            report["playbooks"][ptype] = generate_playbook(ptype)
            print(f"[+] Generated: {PLAYBOOK_TYPES[ptype]['name']}")

    if args.action == "list_cases" and args.thehive_url:
        cases = check_thehive_cases(args.thehive_url, args.thehive_key)
        report["open_cases"] = cases
        print(f"[+] Open cases: {len(cases)}")

    if args.action == "metrics" and args.thehive_url:
        metrics = calculate_ir_metrics(args.thehive_url, args.thehive_key)
        report["metrics"] = metrics
        print(f"[+] Avg MTTR: {metrics['avg_mttr_hours']}h across {metrics['resolved_cases']} cases")

    with open(args.output, "w") as f:
        json.dump(report, f, indent=2, default=str)
    print(f"[+] Output saved to {args.output}")


if __name__ == "__main__":
    main()
Keep exploring