# IR Playbook

This repository contains all the Incident Response Playbooks and Workflows of the Company's SOC.

Each folder contains a playbook based on the incident handling process defined in [NIST SP 800-61 r2](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf).

{% embed url="https://gitlab.com/syntax-ir/playbooks/-/tree/main/IRP-AccountCompromised?ref_type=heads" %}
Account Compromise
{% endembed %}

{% embed url="https://gitlab.com/syntax-ir/playbooks/-/tree/main/IRP-Critical?ref_type=heads" %}
Crisis/Critical
{% endembed %}

{% embed url="https://gitlab.com/syntax-ir/playbooks/-/tree/main/IRP-DataLoss?ref_type=heads" %}
Data Loss
{% endembed %}

{% embed url="https://gitlab.com/syntax-ir/playbooks/-/tree/main/IRP-Malware?ref_type=heads" %}
Malware
{% endembed %}

{% embed url="https://gitlab.com/syntax-ir/playbooks/-/tree/main/IRP-Phishing?ref_type=heads" %}
Phishing
{% endembed %}

{% embed url="https://gitlab.com/syntax-ir/playbooks/-/tree/main/IRP-Ransom?ref_type=heads" %}
Ransomware
{% endembed %}

### 1. Preparation

This section should include the following information:

* List of *ALL* Assets
  * Servers
  * Endpoints (+critical ones)
  * Networks
  * Applications
  * Employees
  * Security Products
* Baselines
* Communication Plan
* Which Security Events to Monitor
* Thresholds
* How to access Security Tools
  * How to provision access
* Create Playbooks
* Plan Exercises
  * Table Top
  * Hands On

### 2. Detection and Analysis

This section should include the following information:

* Gathering of Information
* Analyzing the Data
* Building Detections
* Root Cause Analysis
* Depth and Breadth of the Attack
  * Admin Rights
  * Affected Systems
* Techniques Used
* Indicators of Compromise / Indicators of Attack
  * Tactics, Techniques and Procedures (TTPs)
  * IP Address
  * Email Address
  * File Hash
  * Command Line
  * etc.

### 3. Containment, Eradication, and Recovery

This section should include the following information:

* Isolate Affected Systems
* Patch Threat Entry Point
* Predefined Thresholds
  * For Customers
  * For internal systems
  * For escalations
* Preauthorized actions
  * Per customers
  * Per environment
    * Prod
    * QA
    * Internet Facing
* How to Remove the Threat on All Affected Systems
* Get Systems Operational
* Rebuild and Resume Service

### 4. Post-Incident Activity

* Lessons Learned
* New Detection
* New Hardening
* New Patch Management
* etc.
