├── .gitignore ├── Customers ├── .gitkeep ├── CustomerTemplate.md └── README.md ├── IRP-AccountCompromised ├── .gitkeep ├── README.md └── Workflows │ ├── .gitkeep │ ├── AccountCompromised-Workflow-Analyze.png │ ├── AccountCompromised-Workflow-Contain_Eradicate.png │ ├── AccountCompromised-Workflow-Detect.png │ ├── AccountCompromised-Workflow-Post_Incident.png │ ├── AccountCompromised-Workflow-Recover.png │ └── AccountCompromised.drawio ├── IRP-Critical ├── README.md └── Workflow │ ├── Critical-Incident.drawio │ └── Critical-Incident.png ├── IRP-DataLoss ├── README.md └── Workflows │ ├── DataLoss-Workflow-Analyze.png │ ├── DataLoss-Workflow-Contain_Eradicate.png │ ├── DataLoss-Workflow-Detect.png │ ├── DataLoss-Workflow-Post Incident.png │ ├── DataLoss-Workflow-Recover.png │ └── DataLoss-Workflow.drawio ├── IRP-Malware ├── README.md └── Workflows │ ├── .gitkeep │ ├── Malware-Workflow-Analyze.png │ ├── Malware-Workflow-Contain_Eradicate.png │ ├── Malware-Workflow-Detect.png │ ├── Malware-Workflow-Post Incident.png │ ├── Malware-Workflow-Recover.png │ └── Malware-Workflow.drawio ├── IRP-Phishing ├── .gitkeep ├── README.md └── Workflows │ ├── .gitkeep │ ├── Phishing-Workflow-Analyze.png │ ├── Phishing-Workflow-Contain_Eradicate.png │ ├── Phishing-Workflow-Detect.png │ ├── Phishing-Workflow-Post Incident.png │ ├── Phishing-Workflow-Recover.png │ └── Phishing-Workflow.drawio ├── IRP-Ransom ├── README.md └── Workflows │ ├── .gitkeep │ ├── Ransom-Workflow-Analyze.png │ ├── Ransom-Workflow-Contain_Eradicate.png │ ├── Ransom-Workflow-Detect.png │ ├── Ransom-Workflow-Post_Incident.png │ ├── Ransom-Workflow-Recover.png │ └── Ransom-Workflow.drawio ├── IRP-TEMPLATE.md ├── Products ├── .gitkeep ├── AMP.md ├── ArcSight.md ├── BigIP.md ├── CrowdStrike.md ├── Defender-ATP.md ├── Elastic.md ├── FirePower.md ├── FortiWAF.md ├── Fortigate.md ├── IntruShield.md ├── McAfee.md ├── NetWitness.md ├── ProofPoint.md ├── README.md ├── Splunk.md ├── StealthWatch.md ├── Symantec.md ├── TrendMicro.md └── Zeek.md ├── README.md ├── TEMPLATE-Incident_EventLog.xlsx └── Tools └── README.md /.gitignore: -------------------------------------------------------------------------------- 1 | .DS_Store 2 | -------------------------------------------------------------------------------- /Customers/.gitkeep: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /Customers/CustomerTemplate.md: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /Customers/README.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/msraju/Incident-Response-Playbooks/HEAD/Customers/README.md -------------------------------------------------------------------------------- /IRP-AccountCompromised/.gitkeep: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /IRP-AccountCompromised/README.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/msraju/Incident-Response-Playbooks/HEAD/IRP-AccountCompromised/README.md -------------------------------------------------------------------------------- /IRP-AccountCompromised/Workflows/.gitkeep: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /IRP-AccountCompromised/Workflows/AccountCompromised-Workflow-Analyze.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/msraju/Incident-Response-Playbooks/HEAD/IRP-AccountCompromised/Workflows/AccountCompromised-Workflow-Analyze.png -------------------------------------------------------------------------------- /IRP-AccountCompromised/Workflows/AccountCompromised-Workflow-Contain_Eradicate.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/msraju/Incident-Response-Playbooks/HEAD/IRP-AccountCompromised/Workflows/AccountCompromised-Workflow-Contain_Eradicate.png -------------------------------------------------------------------------------- /IRP-AccountCompromised/Workflows/AccountCompromised-Workflow-Detect.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/msraju/Incident-Response-Playbooks/HEAD/IRP-AccountCompromised/Workflows/AccountCompromised-Workflow-Detect.png -------------------------------------------------------------------------------- /IRP-AccountCompromised/Workflows/AccountCompromised-Workflow-Post_Incident.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/msraju/Incident-Response-Playbooks/HEAD/IRP-AccountCompromised/Workflows/AccountCompromised-Workflow-Post_Incident.png -------------------------------------------------------------------------------- /IRP-AccountCompromised/Workflows/AccountCompromised-Workflow-Recover.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/msraju/Incident-Response-Playbooks/HEAD/IRP-AccountCompromised/Workflows/AccountCompromised-Workflow-Recover.png -------------------------------------------------------------------------------- /IRP-AccountCompromised/Workflows/AccountCompromised.drawio: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/msraju/Incident-Response-Playbooks/HEAD/IRP-AccountCompromised/Workflows/AccountCompromised.drawio -------------------------------------------------------------------------------- /IRP-Critical/README.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/msraju/Incident-Response-Playbooks/HEAD/IRP-Critical/README.md -------------------------------------------------------------------------------- /IRP-Critical/Workflow/Critical-Incident.drawio: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/msraju/Incident-Response-Playbooks/HEAD/IRP-Critical/Workflow/Critical-Incident.drawio -------------------------------------------------------------------------------- /IRP-Critical/Workflow/Critical-Incident.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/msraju/Incident-Response-Playbooks/HEAD/IRP-Critical/Workflow/Critical-Incident.png -------------------------------------------------------------------------------- /IRP-DataLoss/README.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/msraju/Incident-Response-Playbooks/HEAD/IRP-DataLoss/README.md -------------------------------------------------------------------------------- /IRP-DataLoss/Workflows/DataLoss-Workflow-Analyze.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/msraju/Incident-Response-Playbooks/HEAD/IRP-DataLoss/Workflows/DataLoss-Workflow-Analyze.png -------------------------------------------------------------------------------- /IRP-DataLoss/Workflows/DataLoss-Workflow-Contain_Eradicate.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/msraju/Incident-Response-Playbooks/HEAD/IRP-DataLoss/Workflows/DataLoss-Workflow-Contain_Eradicate.png -------------------------------------------------------------------------------- /IRP-DataLoss/Workflows/DataLoss-Workflow-Detect.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/msraju/Incident-Response-Playbooks/HEAD/IRP-DataLoss/Workflows/DataLoss-Workflow-Detect.png -------------------------------------------------------------------------------- /IRP-DataLoss/Workflows/DataLoss-Workflow-Post Incident.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/msraju/Incident-Response-Playbooks/HEAD/IRP-DataLoss/Workflows/DataLoss-Workflow-Post Incident.png -------------------------------------------------------------------------------- /IRP-DataLoss/Workflows/DataLoss-Workflow-Recover.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/msraju/Incident-Response-Playbooks/HEAD/IRP-DataLoss/Workflows/DataLoss-Workflow-Recover.png -------------------------------------------------------------------------------- /IRP-DataLoss/Workflows/DataLoss-Workflow.drawio: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/msraju/Incident-Response-Playbooks/HEAD/IRP-DataLoss/Workflows/DataLoss-Workflow.drawio -------------------------------------------------------------------------------- /IRP-Malware/README.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/msraju/Incident-Response-Playbooks/HEAD/IRP-Malware/README.md -------------------------------------------------------------------------------- /IRP-Malware/Workflows/.gitkeep: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /IRP-Malware/Workflows/Malware-Workflow-Analyze.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/msraju/Incident-Response-Playbooks/HEAD/IRP-Malware/Workflows/Malware-Workflow-Analyze.png -------------------------------------------------------------------------------- /IRP-Malware/Workflows/Malware-Workflow-Contain_Eradicate.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/msraju/Incident-Response-Playbooks/HEAD/IRP-Malware/Workflows/Malware-Workflow-Contain_Eradicate.png -------------------------------------------------------------------------------- /IRP-Malware/Workflows/Malware-Workflow-Detect.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/msraju/Incident-Response-Playbooks/HEAD/IRP-Malware/Workflows/Malware-Workflow-Detect.png -------------------------------------------------------------------------------- /IRP-Malware/Workflows/Malware-Workflow-Post Incident.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/msraju/Incident-Response-Playbooks/HEAD/IRP-Malware/Workflows/Malware-Workflow-Post Incident.png -------------------------------------------------------------------------------- /IRP-Malware/Workflows/Malware-Workflow-Recover.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/msraju/Incident-Response-Playbooks/HEAD/IRP-Malware/Workflows/Malware-Workflow-Recover.png -------------------------------------------------------------------------------- /IRP-Malware/Workflows/Malware-Workflow.drawio: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/msraju/Incident-Response-Playbooks/HEAD/IRP-Malware/Workflows/Malware-Workflow.drawio -------------------------------------------------------------------------------- /IRP-Phishing/.gitkeep: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /IRP-Phishing/README.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/msraju/Incident-Response-Playbooks/HEAD/IRP-Phishing/README.md -------------------------------------------------------------------------------- /IRP-Phishing/Workflows/.gitkeep: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /IRP-Phishing/Workflows/Phishing-Workflow-Analyze.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/msraju/Incident-Response-Playbooks/HEAD/IRP-Phishing/Workflows/Phishing-Workflow-Analyze.png -------------------------------------------------------------------------------- /IRP-Phishing/Workflows/Phishing-Workflow-Contain_Eradicate.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/msraju/Incident-Response-Playbooks/HEAD/IRP-Phishing/Workflows/Phishing-Workflow-Contain_Eradicate.png -------------------------------------------------------------------------------- /IRP-Phishing/Workflows/Phishing-Workflow-Detect.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/msraju/Incident-Response-Playbooks/HEAD/IRP-Phishing/Workflows/Phishing-Workflow-Detect.png -------------------------------------------------------------------------------- /IRP-Phishing/Workflows/Phishing-Workflow-Post Incident.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/msraju/Incident-Response-Playbooks/HEAD/IRP-Phishing/Workflows/Phishing-Workflow-Post Incident.png -------------------------------------------------------------------------------- /IRP-Phishing/Workflows/Phishing-Workflow-Recover.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/msraju/Incident-Response-Playbooks/HEAD/IRP-Phishing/Workflows/Phishing-Workflow-Recover.png -------------------------------------------------------------------------------- /IRP-Phishing/Workflows/Phishing-Workflow.drawio: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/msraju/Incident-Response-Playbooks/HEAD/IRP-Phishing/Workflows/Phishing-Workflow.drawio -------------------------------------------------------------------------------- /IRP-Ransom/README.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/msraju/Incident-Response-Playbooks/HEAD/IRP-Ransom/README.md -------------------------------------------------------------------------------- /IRP-Ransom/Workflows/.gitkeep: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /IRP-Ransom/Workflows/Ransom-Workflow-Analyze.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/msraju/Incident-Response-Playbooks/HEAD/IRP-Ransom/Workflows/Ransom-Workflow-Analyze.png -------------------------------------------------------------------------------- /IRP-Ransom/Workflows/Ransom-Workflow-Contain_Eradicate.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/msraju/Incident-Response-Playbooks/HEAD/IRP-Ransom/Workflows/Ransom-Workflow-Contain_Eradicate.png -------------------------------------------------------------------------------- /IRP-Ransom/Workflows/Ransom-Workflow-Detect.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/msraju/Incident-Response-Playbooks/HEAD/IRP-Ransom/Workflows/Ransom-Workflow-Detect.png -------------------------------------------------------------------------------- /IRP-Ransom/Workflows/Ransom-Workflow-Post_Incident.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/msraju/Incident-Response-Playbooks/HEAD/IRP-Ransom/Workflows/Ransom-Workflow-Post_Incident.png -------------------------------------------------------------------------------- /IRP-Ransom/Workflows/Ransom-Workflow-Recover.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/msraju/Incident-Response-Playbooks/HEAD/IRP-Ransom/Workflows/Ransom-Workflow-Recover.png -------------------------------------------------------------------------------- /IRP-Ransom/Workflows/Ransom-Workflow.drawio: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/msraju/Incident-Response-Playbooks/HEAD/IRP-Ransom/Workflows/Ransom-Workflow.drawio -------------------------------------------------------------------------------- /IRP-TEMPLATE.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/msraju/Incident-Response-Playbooks/HEAD/IRP-TEMPLATE.md -------------------------------------------------------------------------------- /Products/.gitkeep: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /Products/AMP.md: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /Products/ArcSight.md: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /Products/BigIP.md: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /Products/CrowdStrike.md: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /Products/Defender-ATP.md: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /Products/Elastic.md: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /Products/FirePower.md: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /Products/FortiWAF.md: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /Products/Fortigate.md: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /Products/IntruShield.md: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /Products/McAfee.md: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /Products/NetWitness.md: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /Products/ProofPoint.md: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /Products/README.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/msraju/Incident-Response-Playbooks/HEAD/Products/README.md -------------------------------------------------------------------------------- /Products/Splunk.md: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /Products/StealthWatch.md: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /Products/Symantec.md: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /Products/TrendMicro.md: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /Products/Zeek.md: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/msraju/Incident-Response-Playbooks/HEAD/README.md -------------------------------------------------------------------------------- /TEMPLATE-Incident_EventLog.xlsx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/msraju/Incident-Response-Playbooks/HEAD/TEMPLATE-Incident_EventLog.xlsx -------------------------------------------------------------------------------- /Tools/README.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/msraju/Incident-Response-Playbooks/HEAD/Tools/README.md --------------------------------------------------------------------------------