SANS | Marketplace

Details
Content
Dependencies
Version History

This SANS Content Pack helps you streamline incident response according to SANS guidelines as outlined in the SANS Incident Handler’s Handbook.

The SANS Incident Response process for handling a cyber security incident contains the following steps:

Preparation.
Identification
Containment
Eradication
Recovery
Lessons Learned

This SANS content pack contains several playbooks to help streamline your incident response according to SANS guidelines as outlined in the SANS Incident Handler’s Handbook.

What does this pack do?

The playbooks in this pack contain the phases for handling an incident as they are described in the SANS Institute ‘Incident Handler’s Handbook’ by Patrick Kral.
https://www.sans.org/reading-room/whitepapers/incident/incident-handlers-handbook-33901
Disclaimer: This playbooks don’t ensure compliance to SANS regulations.
The “SANS - Incident Handler's Handbook Template” playbook provides a template that helps analysts follow these stages.
The “SANS - Incident Handlers Checklist” playbook follows the “Incident Handler’s Checklist” described in the SANS Institute ‘Incident Handler’s Handbook’ by Patrick Kral, and provides the analyst an easy solution for following the correct stages and tasks while handling an incident.
The “SANS - Lessons Learned” helps SOC teams process an incident after it occurs and facilitates the lessons learned, organized by SANS stages.
The “Brute Force Investigation - Generic - SANS” playbook handles a Brute Force incident based on the stages described above.
The playbooks included in this pack helps you save time and automate repetitive tasks associated with Access incidents:

Handle the incident based on the stages in SANS Institute ‘Incident Handler’s Handbook’ by Patrick Kral.
Set the “SANS Stage” field to the different stages most relevant to the ongoing investigation.
Gather and enrich user and IP information.
Interact with the suspected user about the activity.
Calculate the incident’s severity
Remediate the incident by blocking malicious indicators and disabling the account.
Generate an investigation summary report.
Run the “SANS - Lessons learned” sub-playbook to process the incident after the investigation and remediation is over.

For more information, visit our Cortex XSOAR Developer Docs

SANS_-_Incident_Handler's_Handbook_Template

The SANS Incident Response process for handling a cyber security incident contains the following steps:

Preparation.
Identification
Containment
Eradication
Recovery
Lessons Learned

This SANS content pack contains several playbooks to help streamline your incident response according to SANS guidelines as outlined in the SANS Incident Handler’s Handbook.

What does this pack do?

Handle the incident based on the stages in SANS Institute ‘Incident Handler’s Handbook’ by Patrick Kral.
Set the “SANS Stage” field to the different stages most relevant to the ongoing investigation.
Gather and enrich user and IP information.
Interact with the suspected user about the activity.
Calculate the incident’s severity
Remediate the incident by blocking malicious indicators and disabling the account.
Generate an investigation summary report.
Run the “SANS - Lessons learned” sub-playbook to process the incident after the investigation and remediation is over.

For more information, visit our Cortex XSIAM Developer Docs

SANS_-_Incident_Handler's_Handbook_Template

Incident Fields

Name	Description
What was the work performed during recovery?	What was the work performed during recovery?
When was the problem first detected and by whom?	When was the problem first detected and by whom?
How was the incident contained and eradicated?	How was the incident contained and eradicated?
What are the areas that need improvement?	What are the areas that need improvement?
What were the areas where the CIRT teams were effective?	What were the areas where the CIRT teams were effective?
Suggestions and discussion of how to improve the team	Share ideas and information in order to improve team effectiveness in future incidents.
SANS Stage	SANS stage
What was the scope of the incident?	What was the scope of the incident?

Incident Types

Name	Description
SANS

Layouts

Name	Description
SANS Incident

Playbooks

Name	Description
Brute Force Investigation - Generic - SANS	This playbook investigates a "Brute Force" incident by gathering user and IP information, and calculating the incident severity based on the gathered information and information received from the user. It then performs remediation. This is done based on the phases for handling an incident as they are described in the SANS Institute â€˜Incident Handlerâ€™s Handbookâ€™ by Patrick Kral. https://www.sans.org/reading-room/whitepapers/incident/incident-handlers-handbook-33901 The playbook handles the following use-cases: Brute Force IP Detected - A detection of source IPs that are exceeding a high threshold of rejected and/or invalid logins. Brute Force Increase Percentage - A detection of large increase percentages in various brute force statistics over different periods of time. Brute Force Potentially Compromised Accounts - A detection of accounts that have shown high amount of failed logins with one successful login. Used Sub-playbooks: IP Enrichment - Generic v2 Account Enrichment - Generic v2.1 Calculate Severity - Critical Assets v2 Isolate Endpoint - Generic v2 Block Indicators - Generic v3 SANS - Lessons Learned ***Disclaimer: This playbook does not ensure compliance to SANS regulations.
SANS - Incident Handlers Checklist	This playbook follows the "Incident Handler's Checklist" described in the SANS Institute ‘Incident Handler’s Handbook’ by Patrick Kral. https://www.sans.org/reading-room/whitepapers/incident/incident-handlers-handbook-33901 ***Disclaimer: This playbook does not ensure compliance to SANS regulations.
SANS - Incident Handler's Handbook Template	This playbook contains the phases for handling an incident as they are described in the SANS Institute ‘Incident Handler's Handbook’ by Patrick Kral. https://www.sans.org/reading-room/whitepapers/incident/incident-handlers-handbook-33901 ***Disclaimer: This playbook does not ensure compliance to SANS regulations.
SANS - Lessons Learned	This playbook assists in post-processing an incident and facilitates the lessons learned stage, as presented by SANS Institute ‘Incident Handler’s Handbook’ by Patrick Kral. https://www.sans.org/reading-room/whitepapers/incident/incident-handlers-handbook-33901 ***Disclaimer: This playbook does not ensure compliance to SANS regulations.

Incident Fields

Name	Description
What was the scope of the incident?	What was the scope of the incident?
What were the areas where the CIRT teams were effective?	What were the areas where the CIRT teams were effective?
What was the work performed during recovery?	What was the work performed during recovery?
What are the areas that need improvement?	What are the areas that need improvement?
How was the incident contained and eradicated?	How was the incident contained and eradicated?
When was the problem first detected and by whom?	When was the problem first detected and by whom?
SANS Stage	SANS stage
Suggestions and discussion of how to improve the team	Share ideas and information in order to improve team effectiveness in future incidents.

Incident Types

Name	Description
SANS

Playbooks

Name	Description
SANS - Alert Handlers Checklist	This playbook follows the "Alert Handler's Checklist" described in the SANS Institute ‘Alert Handler’s Handbook’ by Patrick Kral. https://www.sans.org/reading-room/whitepapers/alert/alert-handlers-handbook-33901 ***Disclaimer: This playbook does not ensure compliance to SANS regulations.
SANS - Alert Handler's Handbook Template	This playbook contains the phases for handling an alert as they are described in the SANS Institute ‘Alert Handler's Handbook’ by Patrick Kral. https://www.sans.org/reading-room/whitepapers/alert/alert-handlers-handbook-33901 ***Disclaimer: This playbook does not ensure compliance to SANS regulations.
Brute Force Investigation - Generic - SANS	This playbook investigates a "Brute Force" alert by gathering user and IP information, and calculating the alert severity based on the gathered information and information received from the user. It then performs remediation. This is done based on the phases for handling an alert as they are described in the SANS Institute â€˜Alert Handlerâ€™s Handbookâ€™ by Patrick Kral. https://www.sans.org/reading-room/whitepapers/alert/alert-handlers-handbook-33901 The playbook handles the following use-cases: Brute Force IP Detected - A detection of source IPs that are exceeding a high threshold of rejected and/or invalid logins. Brute Force Increase Percentage - A detection of large increase percentages in various brute force statistics over different periods of time. Brute Force Potentially Compromised Accounts - A detection of accounts that have shown high amount of failed logins with one successful login. Used Sub-playbooks: IP Enrichment - Generic v2 Account Enrichment - Generic v2.1 Calculate Severity - Critical Assets v2 Isolate Endpoint - Generic v2 Block Indicators - Generic v3 SANS - Lessons Learned ***Disclaimer: This playbook does not ensure compliance to SANS regulations.
SANS - Lessons Learned	This playbook assists in post-processing an alert and facilitates the lessons learned stage, as presented by SANS Institute ‘Alert Handler’s Handbook’ by Patrick Kral. https://www.sans.org/reading-room/whitepapers/alert/alert-handlers-handbook-33901 ***Disclaimer: This playbook does not ensure compliance to SANS regulations.

Required Content Packs (6)

Pack Name	Pack By
Base	By: Cortex XSOAR
Brute Force	By: Cortex XSOAR
Common Playbooks	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR
Common Types	By: Cortex XSOAR
Filters And Transformers	By: Cortex XSOAR

Optional Content Packs (5)

Pack Name	Pack By
Active Directory Query	By: Cortex XSOAR
Gmail	By: Cortex XSOAR
Gmail Single User	By: Cortex XSOAR
Mail Sender (New)	By: Cortex XSOAR
Microsoft Graph Mail	By: Cortex XSOAR

All level dependencies (8)

Pack Name	Pack By
Cortex REST API	By: Cortex XSOAR
Rasterize	By: Cortex XSOAR
Base	By: Cortex XSOAR
Brute Force	By: Cortex XSOAR
Common Types	By: Cortex XSOAR
Filters And Transformers	By: Cortex XSOAR
Common Playbooks	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR

1.1.6 - R995825 (May 5, 2024)

Playbooks

Brute Force Investigation - Generic - SANS

Updated the input 'InternalRange' to use the 'PrivateIPs' list.

Related pull requests:
- 33201

Download

1.1.5 - R828628 (February 14, 2024)

Playbooks

Brute Force Investigation - Generic - SANS

Replaced the Block Indicators - Generic v2 sub-playbook with the new Block Indicators - Generic v3 playbook. (Available from Cortex XSOAR 6.5.0).
Added input AutoBlockIndicators - This input determines if to block the indicators automatically or manually using the sub-playbook Block Indicators - Generic v3. (Available from Cortex XSOAR 6.5.0).
Added input UserVerification - This input determines if blocking IPs is should be done with or without user verification. The IPs blocking is done by using the sub-playbook Block Indicators - Generic v3. (Available from Cortex XSOAR 6.5.0).

Related pull requests:
- 25273

Download

1.1.4 - 4801189 (March 13, 2023)

Playbooks

Brute Force Investigation - Generic - SANS

Switch usage of deprecated Isolate Endpoint - Generic playbook with the Isolate Endpoint - Generic V2 playbook.

Related pull requests:
- 24608

Download

1.1.3 - R4718798 (March 1, 2023)

Layouts

SANS Incident
This item is no longer supported in XSIAM.

Related pull requests:
- 24223

Download

1.1.2 - R3921089 (October 26, 2022)

Incident Fields

Updated the following incident fields to conform to the new schema:

Suggestions and discussion of how to improve the team
What were the areas where the CIRT teams were effective?
How was the incident contained and eradicated?
What was the work performed during recovery?
What was the scope of the incident?
When was the problem first detected and by whom?
What are the areas that need improvement?
SANS Stage

Related pull requests:
- 10291

Download

1.1.1 - R180529 (November 9, 2020)

Download

PUBLISHER

PLATFORMS

Cortex XSOARCortex XSIAM

INFO

Certification	Certified	Read more
Supported By	Cortex
Created	November 9, 2020
Last Release	May 5, 2024

Compliance

WORKS WITH THE FOLLOWING INTEGRATIONS:

DISCLAIMER

Content packs are licensed by the Publisher identified above and subject to the Publisher’s own licensing terms. Palo Alto Networks is not liable for and does not warrant or support any content pack produced by a third-party Publisher, whether or not such packs are designated as “Palo Alto Networks-certified” or otherwise. For more information, see the Marketplace documentation.