NIST | Marketplace

Details
Content
Dependencies
Version History

This Content Pack helps you follow the phases in handling an incident according to the NIST computer security incident handling guidelines.

“Computer Security Incident Handling Guide” by NIST outlines the recommendations for handling a cyber security incident. The NIST Incident Response process contains four steps:

Preparation.
Detection and Analysis.
Containment, Eradication, and Recovery.
Post-Incident Activity.
This NIST content pack contains several playbooks to help streamline your incident response according to NIST guidelines.

What does this pack do?

The playbooks included in this pack help you follow the phases in handling an incident as described in the ‘Handling an Incident’ section of NIST - Computer Security Incident Handling Guide.
Handling an incident - Computer Security Incident Handling Guide
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf
The “NIST - Handling an Incident Template” playbook helps analysts follow the stages in handling an incident according to NIST guidelines. The “NIST - Lessons Learned” playbook helps SOC teams process an incident after it occurs and facilitates the lessons learned, organized by NIST stages.
The “Access Investigation - Generic - NIST” playbook handles an access incident based on the stages described in the “Computer Security Incident Handling Guide”.
The playbook included in this pack helps you save time and automate repetitive tasks associated with Access incidents:

Handle the incident based on the stages in “Handling an incident - Computer Security Incident Handling Guide” by NIST.
Set the “NIST Stage” field to the different stages most relevant to the ongoing investigation.
Gather and enrich user and IP information.
Generate an investigation summary report.
Notify the relevant parties on the incident.
Interact with the suspected user about the activity.
Remediate the incident by blocking malicious indicators and disabling the account.
Run the “NIST - Lessons learned” sub-playbook to process the incident after the investigation and remediation is over.

As part of this pack, you will also get out-of-the-box “NIST” incident type views, with incident fields and a full layout. All of these are easily customizable to suit the needs of your organization.

For more information, visit our Cortex XSOAR Developer Docs

NIST_-_Handling_an_Incident_Template

“Computer Security Incident Handling Guide” by NIST outlines the recommendations for handling a cyber security incident. The NIST Incident Response process contains four steps:

Preparation.
Detection and Analysis.
Containment, Eradication, and Recovery.
Post-Incident Activity.
This NIST content pack contains several playbooks to help streamline your incident response according to NIST guidelines.

What does this pack do?

Handle the incident based on the stages in “Handling an incident - Computer Security Incident Handling Guide” by NIST.
Set the “NIST Stage” field to the different stages most relevant to the ongoing investigation.
Gather and enrich user and IP information.
Generate an investigation summary report.
Notify the relevant parties on the incident.
Interact with the suspected user about the activity.
Remediate the incident by blocking malicious indicators and disabling the account.
Run the “NIST - Lessons learned” sub-playbook to process the incident after the investigation and remediation is over.

For more information, visit our Cortex XSIAM Developer Docs

NIST_-_Handling_an_Incident_Template

Incident Fields

Name	Description
What precursors or indicators should be watched for in the future to detect similar incidents?	What precursors or indicators should be watched for in the future to detect similar incidents?
How could information sharing with other organizations have been improved?	How could information sharing with other organizations have been improved?
What information was needed sooner?	What information was needed sooner?
What additional tools or resources are needed to detect, analyze, and mitigate future incidents?	What additional tools or resources are needed to detect, analyze, and mitigate future incidents?
NIST Stage	The NIST stage the investigation is currently at.
What would the staff and management do differently the next time a similar incident occurs?	What would the staff and management do differently the next time a similar incident occurs?
Were any steps or actions taken that might have inhibited the recovery?	Were any steps or actions taken that might have inhibited the recovery?
What corrective actions can prevent similar incidents in the future?	What corrective actions can prevent similar incidents in the future?
Exactly what happened, and at what times?	Exactly what happened, and at what times?
How well did staff and management perform in dealing with the incident? Were the documented procedures followed? Were they adequate?	How well did staff and management perform in dealing with the incident? Were the documented procedures followed? Were they adequate?

Incident Types

Name	Description
NIST

Layouts

Name	Description
NIST Incident

Playbooks

Name	Description
Access Investigation - Generic - NIST	This playbook investigates an access incident by gathering user and IP information, and handling the incident based on the stages in "Handling an incident - Computer Security Incident Handling Guide" by NIST. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf Used Sub-playbooks: IP Enrichment - Generic v2 Account Enrichment - Generic v2.1 Block IP - Generic v3 NIST - Lessons Learned
NIST - Lessons Learned	This playbook assists in processing an incident after it occurs and facilitates the lessons learned stage.
NIST - Handling an Incident Template	This playbook contains the phases to handling an incident as described in the 'Handling an Incident' section of NIST - Computer Security Incident Handling Guide. Handling an incident - Computer Security Incident Handling Guide https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf

Incident Fields

Name	Description
Were any steps or actions taken that might have inhibited the recovery?	Were any steps or actions taken that might have inhibited the recovery?
What would the staff and management do differently the next time a similar incident occurs?	What would the staff and management do differently the next time a similar incident occurs?
NIST Stage	The NIST stage the investigation is currently at.
How well did staff and management perform in dealing with the incident? Were the documented procedures followed? Were they adequate?	How well did staff and management perform in dealing with the incident? Were the documented procedures followed? Were they adequate?
What corrective actions can prevent similar incidents in the future?	What corrective actions can prevent similar incidents in the future?
Exactly what happened, and at what times?	Exactly what happened, and at what times?
How could information sharing with other organizations have been improved?	How could information sharing with other organizations have been improved?
What additional tools or resources are needed to detect, analyze, and mitigate future incidents?	What additional tools or resources are needed to detect, analyze, and mitigate future incidents?
What information was needed sooner?	What information was needed sooner?
What precursors or indicators should be watched for in the future to detect similar incidents?	What precursors or indicators should be watched for in the future to detect similar incidents?

Incident Types

Name	Description
NIST

Playbooks

Name	Description
NIST - Lessons Learned	This playbook assists in processing an alert after it occurs and facilitates the lessons learned stage.
Access Investigation - Generic - NIST	This playbook investigates an access alert by gathering user and IP information, and handling the alert based on the stages in "Handling an alert - Computer Security Alert Handling Guide" by NIST. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf Used Sub-playbooks: IP Enrichment - Generic v2 Account Enrichment - Generic v2.1 Block IP - Generic v3 NIST - Lessons Learned
NIST - Handling an Alert Template	This playbook contains the phases to handling an alert as described in the 'Handling an Alert' section of NIST - Computer Security Alert Handling Guide. Handling an alert - Computer Security Alert Handling Guide https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf

Required Content Packs (3)

Pack Name	Pack By
Base	By: Cortex XSOAR
Common Playbooks	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR

Optional Content Packs (5)

Pack Name	Pack By
Active Directory Query	By: Cortex XSOAR
Gmail	By: Cortex XSOAR
Gmail Single User	By: Cortex XSOAR
Mail Sender (New)	By: Cortex XSOAR
Microsoft Graph Mail	By: Cortex XSOAR

All level dependencies (6)

Pack Name	Pack By
Filters And Transformers	By: Cortex XSOAR
Common Playbooks	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR
Cortex REST API	By: Cortex XSOAR
Rasterize	By: Cortex XSOAR
Base	By: Cortex XSOAR

PUBLISHER

PLATFORMS

Cortex XSOARCortex XSIAM

INFO

Certification	Certified	Read more
Supported By	Cortex
Created	November 9, 2020
Last Release	June 25, 2024

Compliance

WORKS WITH THE FOLLOWING INTEGRATIONS:

DISCLAIMER

Content packs are licensed by the Publisher identified above and subject to the Publisher’s own licensing terms. Palo Alto Networks is not liable for and does not warrant or support any content pack produced by a third-party Publisher, whether or not such packs are designated as “Palo Alto Networks-certified” or otherwise. For more information, see the Marketplace documentation.