General Security Runbooks
This section houses a broader collection of general security runbooks. Unlike atomic runbooks, each of which covers a single task, these runbooks typically orchestrate multiple steps and tools to address more complex scenarios: comprehensive alert triage, in-depth incident investigations, proactive threat hunting campaigns, and specific incident response plans. The section also includes guidelines and common steps that can be referenced from the other procedures.
General Runbooks:
- Advanced Threat Hunting (Hypothesis-Driven) Runbook
- Alert Investigation Summary Report Runbook
- Runbook: APT Threat Hunt
- Basic Endpoint Triage & Isolation Runbook
- Basic IOC Enrichment Runbook
- Case Event Timeline & Process Analysis Workflow
- Runbook: Generate Case Investigation Report
- Close duplicate/similar Cases Workflow
- Cloud Vulnerability Triage & Contextualization
- Common Investigation Steps
- Compare GTI Collection to IoCs, Events in SecOps
- Runbook: Create Investigation Report
- Runbook: Data Lake Queries
- Deep Dive IOC Analysis Runbook
- SOC Analyst Tier 2 Demo Runbook (SOAR Focus)
- Runbook: Detection-as-Code Workflow (Placeholder)
- Runbook: Generate Detection Report
- Detection Rule Validation & Tuning Runbook
- Group Cases Workflow
- Graphviz Dotfile
- Runbook: Group Cases v2
- Guided TTP Hunt Runbook (Example: Credential Access)
- Guidelines and Workflows
- Investigate a Case + external tools
- Investigate Google Threat Intelligence Collection ID (Enhanced)
- IOC Containment Runbook
- Runbook: IOC Threat Hunt
- Incident Response Plans (IRPs)
- Lateral Movement Detection Hunt (Example: PsExec/WMI)
- Malware Triage Runbook
- Runbook: Meta-Analysis (Placeholder)
- Post-Incident Review (PIR) Runbook
- Prioritize and Investigate a Case
- Proactive Threat Hunting based on GTI Campaign/Actor
- Suspicious Login Alert Triage Runbook
- Runbook: Alert Triage
- Runbook: UEBA Report Analysis