building-soc-playbook-for-ransomware

Featured

Builds a structured SOC incident response playbook for ransomware attacks covering detection, containment, eradication, and recovery phases with specific SIEM queries, isolation procedures, and decision trees. Use when SOC teams need formalized response procedures for ransomware incidents aligned to NIST SP 800-61 and MITRE ATT&CK ransomware techniques.

AI & Automation 12,642 stars 1468 forks Updated today Apache-2.0

Install

View on GitHub

Quality Score: 99/100

Stars 20%
100
Recency 20%
100
Frontmatter 20%
70
Documentation 15%
100
Issue Health 10%
50
License 10%
100
Description 5%
100

Skill Content

# Building SOC Playbook for Ransomware ## When to Use Use this skill when: - SOC teams need a standardized ransomware response playbook for Tier 1-3 analysts - An organization lacks documented procedures for ransomware containment and recovery - Tabletop exercises reveal gaps in ransomware response coordination - Compliance requirements (NIST CSF, ISO 27001) mandate documented incident playbooks **Do not use** during an active ransomware incident as the sole guide — have pre-built playbooks tested and rehearsed before incidents occur. ## Prerequisites - SIEM platform (Splunk ES, Elastic Security, or Sentinel) with endpoint and network data - EDR solution (CrowdStrike, SentinelOne, or Microsoft Defender for Endpoint) with network isolation capability - Backup infrastructure with tested recovery procedures and offline/immutable backups - Communication plan with legal, executive leadership, and external IR retainer contacts - MITRE ATT&CK knowledge for ransomware technique chains ## Workflow ### Step 1: Define Detection Triggers Create SIEM detection rules for early ransomware indicators: **Mass File Encryption Detection (Splunk):** ```spl index=sysmon EventCode=11 | bin _time span=1m | stats dc(TargetFilename) AS unique_files, values(TargetFilename) AS sample_files by Computer, Image, _time | where unique_files > 100 | eval suspicious_extensions = if(match(mvjoin(sample_files, ","), "\.(encrypted|locked|crypt|enc|ransom)"), "YES", "NO") | where suspicious_extensions="Y...

Details

Author
mukul975
Repository
mukul975/Anthropic-Cybersecurity-Skills
Created
3 months ago
Last Updated
today
Language
Python
License
Apache-2.0

Similar Skills

Semantically similar based on skill content — not just same category

AI & Automation Featured

building-ransomware-playbook-with-cisa-framework

Builds a structured ransomware incident response playbook aligned with the CISA StopRansomware Guide and NIST Cybersecurity Framework. Covers preparation, detection, containment, eradication, recovery, and post-incident phases with actionable checklists. Activates for requests involving ransomware response planning, CISA compliance, incident response playbook creation, or ransomware preparedness assessment.

12,642 Updated today
mukul975
AI & Automation Featured

performing-ransomware-response

Executes a structured ransomware incident response from initial detection through containment, forensic analysis, decryption assessment, recovery, and post-incident hardening. Addresses ransom negotiation considerations, backup integrity verification, and regulatory notification requirements. Activates for requests involving ransomware response, ransomware recovery, crypto-ransomware, data encryption attack, ransom payment decision, or ransomware containment.

12,642 Updated today
mukul975
AI & Automation Featured

performing-ransomware-tabletop-exercise

Plans and facilitates tabletop exercises simulating ransomware incidents to test organizational readiness, decision-making, and communication procedures. Designs realistic scenarios based on current ransomware threat actors (LockBit, ALPHV/BlackCat, Cl0p), injects covering double extortion, backup destruction, and regulatory notification requirements. Evaluates participant responses against NIST CSF and CISA guidelines. Activates for requests involving ransomware tabletop, incident response exercise, or ransomware readiness drill.

12,642 Updated today
mukul975
AI & Automation Featured

detecting-ransomware-precursors-in-network

Detects early-stage ransomware indicators in network traffic before encryption begins, including initial access broker activity, command-and-control beaconing, credential harvesting, reconnaissance scanning, and staging behavior. Uses network detection tools (Zeek, Suricata, Arkime), SIEM correlation rules, and threat intelligence feeds to identify ransomware precursor patterns such as Cobalt Strike beacons, Mimikatz network signatures, and RDP brute-force attempts. Activates for requests involving pre-ransomware detection, network-based ransomware indicators, or early warning ransomware monitoring.

12,642 Updated today
mukul975
AI & Automation Featured

building-incident-response-playbook

Designs and documents structured incident response playbooks that define step-by-step procedures for specific incident types aligned with NIST SP 800-61r3 and SANS PICERL frameworks. Covers playbook structure, decision trees, escalation criteria, RACI matrices, and integration with SOAR platforms. Activates for requests involving IR playbook creation, incident response procedure documentation, response runbook development, or SOAR playbook design.

12,642 Updated today
mukul975