Access Investigation - Generic - NIST
This playbook investigates an access incident by gathering user and IP information, and handling the incident based on the stages in "Handling an incident - Computer Security Incident Handling Guide" by NIST. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf Used Sub-playbooks: - IP Enrichment - Generic v2 - Account Enrichment - Generic v2.1 - Block IP - Generic v3 - NIST - Lessons Learned
NIST · 46 tasks · 6 inputs · 17 outputs
Inputs
SrcIP— The source IP address from which the incident originated.DstIP— The target IP address that was accessed.Username— The email address of the account that was used to access the DstIP.NotifyEmail— Email addresses to notify about the incident.RemediationSLA— The Remediation SLA for the 'Containment, Eradication, and Recovery' stage (in minutes).InternalRange— A list of internal IP ranges to check IP addresses against. The comma-separated list should be provided in CIDR notation. For example, a list of ranges would be: "172.16.0.0/12,10.0.0.0/8,192.168.0.0/16" (without quotes).
Outputs
IP— The IP objectsEndpoint— The Endpoint's objectEndpoint.Hostname— The hostname to enrichEndpoint.OS— Endpoint OSEndpoint.IP— List of endpoint IP addressesEndpoint.MAC— List of endpoint MAC addressesEndpoint.Domain— Endpoint domain nameAccount— The account object.Account.DisplayName— The user display name.Account.Groups— Groups for which the user is a member.Account.Manager— The user manager.Account.ID— The user distinguished name.Account.Username— The user sAMAccountName.Account.Email— The user email address.ActiveDirectory.Users.userAccountControl— The user account control flag.ActiveDirectory.Users.sAMAccountName— The user sAMAccountName.ActiveDirectory.Users.name— The user common name.
Commands used
ad-disable-account
ad-expire-password
ad-get-user
closeInvestigation
send-mail
setIncident