building-incident-response-playbook

Solid

Designs and documents structured incident response playbooks that define step-by-step procedures for specific incident types aligned with NIST SP 800-61r3 and SANS PICERL frameworks. Covers playbook structure, decision trees, escalation criteria, RACI matrices, and integration with SOAR platforms. Activates for requests involving IR playbook creation, incident response procedure documentation, response runbook development, or SOAR playbook design.

Category: AI & Automation | 38 stars | 5 forks | Updated yesterday | License: MIT


Quality Score: 89/100

Score breakdown (criterion, weight, score):
Stars (20%): 53
Recency (20%): 100
Frontmatter (20%): 70
Documentation (15%): 100
Issue Health (10%): 80
License (10%): 100
Description (5%): 100

Skill Content

# Building Incident Response Playbooks

## When to Use

- Establishing or maturing an incident response program from scratch
- Documenting procedures for a new incident type after a novel attack
- Automating response workflows in a SOAR platform (Cortex XSOAR, Splunk SOAR)
- Preparing for compliance audits requiring documented IR procedures (SOC 2, PCI-DSS, HIPAA)
- Conducting a gap analysis of existing IR capabilities against specific threat scenarios

**Do not use** for one-time ad hoc investigations; playbooks are reusable procedure documents, not case-specific reports.

## Prerequisites

- Organizational risk assessment identifying top incident scenarios by likelihood and impact
- NIST SP 800-61r3 or SANS PICERL framework adopted as the organizational IR standard
- Asset inventory with business criticality ratings and data classification
- RACI chart defining roles: Incident Commander, SOC analysts, system administrators, legal, communications
- Existing detection capabilities inventory (SIEM rules, EDR detections, IDS signatures)
- SOAR platform access if building automated playbooks

## Workflow

### Step 1: Select and Scope the Incident Type

Define the specific scenario the playbook will address:

- Identify the top incident types based on organizational risk assessment and historical data
- Scope each playbook to a single incident type for clarity (do not combine unrelated scenarios)
- Define trigger conditions that activate the playbook

Common playbook types: ``` P...

Details

Author: adriannoes
Repository: adriannoes/awesome-vibe-coding
Created: 8 months ago
Last Updated: yesterday
Language: Jupyter Notebook
License: MIT
