triaging-security-incident-with-ir-playbook

# Triaging Security Incidents with IR Playbooks ## When to Use - New security alert received from SIEM, EDR, or other detection sources - SOC analyst needs to determine if an alert is a true positive requiring response - Incident needs severity classification and team assignment - Multiple concurrent incidents require prioritization - Automated triage rules need validation or tuning ## Prerequisites - SIEM platform with alert correlation (Splunk, Elastic, QRadar, Sentinel) - Incident response playbook library (by incident type) - Severity classification matrix approved by CISO - On-call rotation and escalation procedures - Ticketing system for incident tracking (ServiceNow, Jira, TheHive) - Threat intelligence feeds for IOC enrichment ## Workflow ### Step 1: Receive and Acknowledge Alert ```bash # Query Splunk for new critical/high severity alerts index=notable status=new severity IN ("critical","high") | table _time, rule_name, src, dest, severity, description | sort -_time # Query TheHive for new cases curl -s -H "Authorization: Bearer $THEHIVE_API_KEY" \ "https://thehive.local/api/v1/query?name=list-alerts" \ -H "Content-Type: application/json" \ -d '{"query":[{"_name":"listAlert"},{"_name":"filter","_field":"status","_value":"New"}]}' # Acknowledge alert in SIEM to prevent duplicate triage curl -X POST "https://splunk.local:8089/services/notable_update" \ -H "Authorization: Bearer $SPLUNK_TOKEN" \ -d "ruleUIDs=$RULE_UID&status=1&comment=Triage+initiated+by...