Common Investigation Steps
Effective security operations often involve recurring tasks and procedures. This section isolates common, reusable steps that are frequently incorporated into larger, more comprehensive investigation and response runbooks. Documenting these common steps here promotes consistency, reduces redundancy, and simplifies the construction and maintenance of broader workflows.
Common Steps:
- Common Step: Check for Duplicate/Similar SOAR Cases
- Common Step: Close SOAR Case or Alert
- Common Step: Confirm Action with User
- Common Step: Correlate IOC with SIEM Alerts & SOAR Cases
- Common Step: Document Findings/Actions in SOAR Case
- Common Step: Enrich IOC (GTI + SIEM)
- Common Step: Find Relevant SOAR Case
- Common Step: Generate Report File
- Common Step: Pivot on IOC using GTI Relationships