npx skills add mukul975/Anthropic-Cybersecurity-SkillsMITRE ATT&CK
When to Use
- Establishing or maturing an incident response program from scratch
- Documenting procedures for a new incident type after a novel attack
- Automating response workflows in a SOAR platform (Cortex XSOAR, Splunk SOAR)
- Preparing for compliance audits requiring documented IR procedures (SOC 2, PCI-DSS, HIPAA)
- Conducting a gap analysis of existing IR capabilities against specific threat scenarios
Do not use for one-time ad hoc investigations; playbooks are reusable procedure documents, not case-specific reports.
Prerequisites
- Organizational risk assessment identifying top incident scenarios by likelihood and impact
- NIST SP 800-61r3 or SANS PICERL framework adopted as the organizational IR standard
- Asset inventory with business criticality ratings and data classification
- RACI chart defining roles: Incident Commander, SOC analysts, system administrators, legal, communications
- Existing detection capabilities inventory (SIEM rules, EDR detections, IDS signatures)
- SOAR platform access if building automated playbooks
Workflow
Step 1: Select and Scope the Incident Type
Define the specific scenario the playbook will address:
- Identify the top incident types based on organizational risk assessment and historical data
- Scope each playbook to a single incident type for clarity (do not combine unrelated scenarios)
- Define trigger conditions that activate the playbook
Common playbook types:
Priority Playbooks (build first):
1. Ransomware incident response
2. Phishing/credential compromise
3. Business email compromise
4. Malware infection
5. Data breach/exfiltration
6. DDoS attack
7. Insider threat
8. Account takeover
9. Web application compromise
10. Cloud infrastructure compromiseStep 2: Define the Playbook Structure
Every playbook should follow a consistent structure:
PLAYBOOK TEMPLATE
━━━━━━━━━━━━━━━━
1. Playbook Metadata
- Name, version, owner, last review date
- Trigger conditions
- Severity criteria
2. RACI Matrix
- Who is Responsible, Accountable, Consulted, Informed for each step
3. Detection & Triage
- How the incident is detected
- Initial triage checklist
- Severity classification criteria
4. Containment
- Short-term containment actions
- Long-term containment actions
- Evidence preservation requirements
5. Eradication
- Root cause identification
- Malware/threat removal steps
- Verification procedures
6. Recovery
- System restoration steps
- Validation criteria
- Monitoring requirements post-recovery
7. Post-Incident
- Lessons learned meeting trigger
- Report template
- Detection improvement actions
8. Communication
- Internal notification matrix
- External notification requirements (regulators, customers, law enforcement)
- Status update cadence
9. Appendices
- Tool-specific procedures
- Contact lists
- Evidence collection checklistsStep 3: Write Decision Trees and Escalation Criteria
Define clear decision points with binary outcomes:
Detection Alert Received
├── Is the alert a true positive?
│ ├── YES → Classify severity
│ │ ├── P1 (Critical) → Page incident commander, begin containment immediately
│ │ ├── P2 (High) → Notify IR lead, begin investigation within 30 min
│ │ ├── P3 (Medium) → Queue for investigation within 4 hours
│ │ └── P4 (Low) → Document and investigate within 24 hours
│ └── NO → Document as false positive, tune detection rule
└── Cannot determine → Escalate to Tier 2 for deeper analysisEscalation triggers:
- Any P1 incident: Immediate escalation to IR lead and CISO
- Data exfiltration confirmed: Legal counsel and privacy officer notified
- Customer data involved: Customer notification process activated
- Third-party involvement: Vendor security contact engaged
- Law enforcement needed: General counsel authorizes before contact
Step 4: Define Specific Technical Procedures
Write tool-specific instructions for each step (not generic guidance):
CONTAINMENT - Endpoint Isolation via CrowdStrike:
1. Open Falcon Console > Hosts > Search for affected hostname
2. Click on the host > Host Details
3. Click "Contain Host" button in upper right
4. Confirm isolation (host will only communicate with CrowdStrike cloud)
5. Document containment action in incident ticket with timestamp
6. Verify containment: Host should show "Contained" status badge
CONTAINMENT - Block C2 Domain at DNS:
1. SSH to DNS server: ssh admin@dns-primary.corp.local
2. Add to block zone: echo "zone evil.com { type master; file /etc/bind/db.sinkhole; };" >> /etc/bind/named.conf.local
3. Reload DNS: rndc reload
4. Verify: dig @dns-primary evil.com (should resolve to sinkhole IP 10.0.0.99)
5. Document blocked domain in incident ticketStep 5: Integrate with SOAR Platform
Convert manual playbook steps into automated workflows:
- Map each playbook step to a SOAR action (API call, script, human decision point)
- Define automation boundaries (what runs automatically vs. what requires analyst approval)
- Build enrichment automations for the triage phase
- Create containment automations with approval gates for high-impact actions
- Configure notification automations for stakeholder communication
Step 6: Test and Maintain the Playbook
Validate the playbook through exercises and maintain currency:
- Conduct tabletop exercises with the IR team walking through the playbook
- Perform live-fire exercises simulating the incident type in a test environment
- Review and update after every real incident that uses the playbook
- Schedule quarterly reviews for accuracy of contact lists, tool procedures, and escalation paths
- Track playbook metrics: mean time to contain, mean time to resolve, false positive rate
Key Concepts
| Term | Definition |
|---|---|
| Playbook | Documented, repeatable set of procedures for responding to a specific incident type |
| Runbook | More granular than a playbook; step-by-step technical instructions for a specific task within a playbook |
| RACI Matrix | Responsibility assignment chart defining who is Responsible, Accountable, Consulted, and Informed for each activity |
| Decision Tree | Flowchart-based logic defining the response path based on binary conditions at each decision point |
| Escalation Criteria | Predefined conditions that trigger notification of higher-level personnel or external parties |
| SOAR Playbook | Automated workflow in a Security Orchestration, Automation, and Response platform executing playbook steps |
Tools & Systems
- Cortex XSOAR: SOAR platform with visual playbook editor, 700+ integrations, and collaborative War Room
- Splunk SOAR: SOAR platform integrated with Splunk ES, drag-and-drop playbook builder with 2,800+ automated actions
- TheHive: Open-source incident response platform with case templates that function as playbook frameworks
- Confluence / GitLab Wiki: Documentation platforms for maintaining human-readable playbook documents with version control
- Tines: No-code security automation platform for building playbook workflows without programming
Common Scenarios
Scenario: Building a Phishing Response Playbook from Scratch
Context: An organization with a 5-person SOC has no documented phishing response procedure. Analysts handle phishing reports inconsistently.
Approach:
- Interview SOC analysts to document their current ad hoc process
- Define the trigger: user reports phishing email via abuse@ mailbox or phishing button
- Write triage steps: extract email headers, check sender reputation, analyze URLs/attachments in sandbox
- Define containment: quarantine email from all mailboxes, block sender domain, reset passwords if credentials entered
- Build SOAR automation: auto-extract IOCs from reported email, enrich via VirusTotal, create case in TheHive
- Test with simulated phishing email and measure response time improvement
Pitfalls:
- Writing overly generic procedures that don't reference specific tool interfaces or commands
- Not including the communication plan for notifying users who received the phishing email
- Forgetting to define the criteria for when a phishing report becomes a full incident investigation
- Not versioning the playbook or scheduling regular review cycles
Output Format
INCIDENT RESPONSE PLAYBOOK
============================
Playbook Name: Phishing Incident Response
Version: 2.1
Owner: SOC Manager
Last Reviewed: 2025-11-01
Next Review: 2026-02-01
Trigger: Phishing email reported via abuse@corp.com or phish button
RACI MATRIX
Activity | SOC L1 | SOC L2 | IR Lead | Legal | Comms
Initial Triage | R | C | I | |
Email Analysis | R | A | I | |
Containment | | R | A | I |
Credential Reset | | R | A | |
User Notification | | C | A | | R
Regulatory Notification | | | C | R | A
Lessons Learned | C | C | R | I | I
PROCEDURE STEPS
[Detailed steps with tool-specific instructions]
DECISION TREE
[Flowchart logic]
ESCALATION MATRIX
[Conditions and contacts]
METRICS
Target MTTA: 15 minutes
Target MTTC: 1 hour
Target MTTR: 4 hoursReferences and resources
Everything below is rendered for inspection. Script files are read-only and never run.
References 1
api-reference.md2.3 KB
API Reference: Building Incident Response Playbook
TheHive API (Case Management)
import requests
THEHIVE_URL = "http://thehive:9000"
headers = {"Authorization": "Bearer <api_key>"}
# Create a new case from playbook
resp = requests.post(f"{THEHIVE_URL}/api/v1/case", headers=headers, json={
"title": "Ransomware - IR-2024-0450",
"severity": 3,
"tlp": 3,
"pap": 2,
"tags": ["ransomware", "playbook:ransomware-v2.1"],
"description": "Ransomware detected on WORKSTATION-042",
})
# Add tasks from playbook phases
resp = requests.post(f"{THEHIVE_URL}/api/v1/case/{case_id}/task",
headers=headers, json={
"title": "Isolate affected hosts",
"group": "Containment",
"status": "Waiting",
})
# Add observable (IOC)
resp = requests.post(f"{THEHIVE_URL}/api/v1/case/{case_id}/observable",
headers=headers, json={
"dataType": "ip",
"data": "185.234.218.50",
"message": "C2 server",
"tlp": 2,
"ioc": True,
})Cortex XSOAR API (SOAR Playbook)
# Trigger a playbook run
resp = requests.post("https://xsoar/api/v2/incident/investigate",
headers={"Authorization": "<api_key>"},
json={"id": "incident-123", "playbookId": "Phishing_Response_v2"})
# List available playbooks
resp = requests.get("https://xsoar/api/v2/playbook/search",
headers={"Authorization": "<api_key>"},
json={"query": "name:Phishing*"})Splunk SOAR (Phantom) API
# Run a playbook on a container
resp = requests.post("https://phantom/rest/playbook_run",
headers={"ph-auth-token": "<token>"},
json={"container_id": 42, "playbook_id": 15, "scope": "new"})NIST SP 800-61r3 Phases
| Phase | Key Actions |
|---|---|
| Preparation | Playbooks, tools, contacts, training |
| Detection & Analysis | Alerts, triage, scoping, severity |
| Containment | Isolation, blocking, evidence preservation |
| Eradication | Root cause removal, IOC sweep |
| Recovery | Restore, validate, monitor |
| Post-Incident | Lessons learned, detection improvement |
References
- TheHive API: https://docs.strangebee.com/thehive/api-docs/
- Cortex XSOAR API: https://xsoar.pan.dev/docs/reference/api/
- NIST SP 800-61r3: https://csrc.nist.gov/pubs/sp/800/61/r3/final
- Splunk SOAR API: https://docs.splunk.com/Documentation/SOAR/
Scripts 1
agent.py9.5 KB
#!/usr/bin/env python3
"""Agent for building and managing incident response playbooks."""
import os
import json
import argparse
from datetime import datetime
import requests
PLAYBOOK_TYPES = {
"ransomware": {
"name": "Ransomware Incident Response",
"trigger": "EDR alert for file encryption activity or ransom note detection",
"severity_default": "P1",
"phases": {
"detection": [
"EDR alerts on mass file encryption (CrowdStrike, SentinelOne)",
"Canary file modification alerts from deception tools",
"User reports of inaccessible files or ransom note",
],
"containment": [
"Isolate affected hosts via EDR network containment",
"Block C2 IPs/domains at firewall and DNS sinkhole",
"Disable compromised accounts in Active Directory",
"Segment affected network VLANs at switch level",
],
"eradication": [
"Identify ransomware variant and initial access vector",
"Remove persistence mechanisms (scheduled tasks, services, registry)",
"Scan enterprise for IOCs using EDR threat hunt",
"Patch exploited vulnerability if applicable",
],
"recovery": [
"Restore from verified clean backups (test integrity first)",
"Rebuild compromised systems from gold images",
"Re-enable accounts with forced password reset and MFA",
"Monitor restored systems for 72 hours post-recovery",
],
},
},
"phishing": {
"name": "Phishing Incident Response",
"trigger": "User report via abuse mailbox or phishing button",
"severity_default": "P2",
"phases": {
"detection": [
"User report to abuse@company.com or phish report button",
"Email gateway alert on suspicious attachment/link",
"SIEM correlation of multiple reports for same sender",
],
"containment": [
"Quarantine phishing email from all mailboxes (O365 purge or Exchange)",
"Block sender domain and reply-to address in email gateway",
"If credentials entered: force password reset and revoke sessions",
"Block malicious URL at web proxy",
],
"eradication": [
"Extract and submit IOCs (URLs, hashes, sender) to TI platform",
"Search email logs for all recipients of the phishing email",
"Verify no malware payload executed on endpoints",
"Update email filtering rules to catch similar campaigns",
],
"recovery": [
"Notify affected users with guidance on what to watch for",
"Restore any quarantined legitimate emails (false positives)",
"Schedule targeted phishing awareness training for clickers",
],
},
},
"data_breach": {
"name": "Data Breach / Exfiltration Response",
"trigger": "DLP alert, anomalous data transfer, or external notification",
"severity_default": "P1",
"phases": {
"detection": [
"DLP policy violation alert on sensitive data movement",
"Network anomaly detection for large outbound transfers",
"Cloud access broker alert for unauthorized file sharing",
],
"containment": [
"Block exfiltration channel (IP, domain, cloud service)",
"Revoke access for compromised account",
"Preserve affected system for forensic imaging",
"Engage legal counsel for breach notification assessment",
],
"eradication": [
"Determine scope: what data, how much, which systems",
"Identify root cause and attack vector",
"Remove attacker access and persistence",
"Audit all access to affected data stores",
],
"recovery": [
"Implement additional DLP controls on affected data",
"Reset credentials for all accounts with access to breached data",
"Execute breach notification plan if PII/PHI involved",
"Engage external forensics firm if required by cyber insurance",
],
},
},
}
def generate_playbook(playbook_type):
"""Generate a structured IR playbook for the given incident type."""
template = PLAYBOOK_TYPES.get(playbook_type)
if not template:
return {"error": f"Unknown playbook type: {playbook_type}"}
playbook = {
"metadata": {
"name": template["name"],
"version": "1.0",
"created": datetime.utcnow().isoformat(),
"owner": "SOC Manager",
"default_severity": template["severity_default"],
"trigger": template["trigger"],
"framework": "NIST SP 800-61r3",
},
"raci": {
"detection": {"R": "SOC L1", "A": "SOC L2", "C": "IR Lead", "I": ""},
"containment": {"R": "SOC L2", "A": "IR Lead", "C": "CISO", "I": "Legal"},
"eradication": {"R": "IR Lead", "A": "CISO", "C": "IT Ops", "I": "Mgmt"},
"recovery": {"R": "IT Ops", "A": "IR Lead", "C": "Business Owner", "I": "CISO"},
"post_incident": {"R": "IR Lead", "A": "CISO", "C": "All", "I": "Exec"},
},
"phases": template["phases"],
"escalation": {
"P1": "Immediate: IR Lead + CISO + Legal within 15 minutes",
"P2": "IR Lead notified within 30 minutes",
"P3": "Queued for investigation within 4 hours",
},
"communication": {
"internal_cadence": "Every 2 hours during active incident",
"executive_update": "Within 1 hour of P1 declaration",
"regulatory": "Within 72 hours if personal data involved (GDPR)",
},
}
return playbook
def check_thehive_cases(thehive_url, api_key):
"""List open incident cases from TheHive."""
headers = {"Authorization": f"Bearer {api_key}"}
resp = requests.post(f"{thehive_url}/api/v1/query", headers=headers, json={
"query": [
{"_name": "listCase"},
{"_name": "filter", "_field": "status", "_value": "Open"},
{"_name": "sort", "_fields": [{"startDate": "desc"}]},
{"_name": "page", "from": 0, "to": 50},
]
}, timeout=30)
resp.raise_for_status()
cases = []
for c in resp.json():
cases.append({
"number": c.get("number"),
"title": c.get("title"),
"severity": c.get("severity"),
"status": c.get("status"),
"start_date": c.get("startDate"),
"owner": c.get("owner"),
})
return cases
def calculate_ir_metrics(thehive_url, api_key, days=30):
"""Calculate incident response metrics from TheHive cases."""
headers = {"Authorization": f"Bearer {api_key}"}
resp = requests.post(f"{thehive_url}/api/v1/query", headers=headers, json={
"query": [
{"_name": "listCase"},
{"_name": "filter", "_field": "status", "_value": "Resolved"},
{"_name": "page", "from": 0, "to": 500},
]
}, timeout=30)
resp.raise_for_status()
cases = resp.json()
total_resolve_ms = 0
count = 0
for c in cases:
if c.get("endDate") and c.get("startDate"):
resolve_ms = c["endDate"] - c["startDate"]
total_resolve_ms += resolve_ms
count += 1
avg_mttr_hours = (total_resolve_ms / count / 3600000) if count else 0
return {"resolved_cases": count, "avg_mttr_hours": round(avg_mttr_hours, 1)}
def main():
parser = argparse.ArgumentParser(description="Incident Response Playbook Agent")
parser.add_argument("--playbook-type", choices=list(PLAYBOOK_TYPES.keys()))
parser.add_argument("--thehive-url", default=os.getenv("THEHIVE_URL"))
parser.add_argument("--thehive-key", default=os.getenv("THEHIVE_API_KEY"))
parser.add_argument("--output", default="ir_playbook_output.json")
parser.add_argument("--action", choices=[
"generate", "list_cases", "metrics", "all_playbooks"
], default="generate")
args = parser.parse_args()
report = {"generated_at": datetime.utcnow().isoformat()}
if args.action == "generate" and args.playbook_type:
playbook = generate_playbook(args.playbook_type)
report["playbook"] = playbook
print(f"[+] Generated playbook: {playbook['metadata']['name']}")
if args.action == "all_playbooks":
report["playbooks"] = {}
for ptype in PLAYBOOK_TYPES:
report["playbooks"][ptype] = generate_playbook(ptype)
print(f"[+] Generated: {PLAYBOOK_TYPES[ptype]['name']}")
if args.action == "list_cases" and args.thehive_url:
cases = check_thehive_cases(args.thehive_url, args.thehive_key)
report["open_cases"] = cases
print(f"[+] Open cases: {len(cases)}")
if args.action == "metrics" and args.thehive_url:
metrics = calculate_ir_metrics(args.thehive_url, args.thehive_key)
report["metrics"] = metrics
print(f"[+] Avg MTTR: {metrics['avg_mttr_hours']}h across {metrics['resolved_cases']} cases")
with open(args.output, "w") as f:
json.dump(report, f, indent=2, default=str)
print(f"[+] Output saved to {args.output}")
if __name__ == "__main__":
main()