SOC Play Books
[Flowchart residue: the page is a set of SOC playbook decision flows. Each flow begins with a start event and a decision node (Identified? Yes/No; Credentials? Yes; Check Attachment? Yes), then runs through the phases Identification, IR Action, Containment, Eradication & Remediation, Restore Action and Case Close, with an Incident Ticket created and the case updated along the way.]

Playbook flows shown in the chart:
Brute Force / Password Attack
Malware
Password / Credential Attack
Privilege Elevation
SQL Injection
Email attachment handling (Check Attachment)

Action boxes labelled in the chart:
Disable the targeted service / application
Disable targeted user account
Update the installed software, such as Flash Player, Java, browser, etc.
Mitigate all detected vulnerabilities in the impacted web application and in the public-facing service
Terminate unwanted connections from routers or perimeter firewalls
Remove suspicious (label truncated in the source)
Block the sender email / IP / sender domain / URL
Restore Action: connect the machine to the network
Case Close: keep monitoring the target machine and user account for some time until confirming no suspicious activity is detected