(AKA Playbook)
[Provide non-technical, high-level information, references, and background.]
[Provide a succinct statement that describes what the Use Case addresses (e.g. Antivirus Detection Alert).]
[Describe the problem, beginning with any necessary background information.]
[Define the goals of the Use Case.]
[List the Compliance Framework and individual checks/requirements the Use Case relates to in bulleted format.]
[List the MITRE ATT&CK Framework Tactics/Techniques the Use Case relates to in bulleted format.]
[Describe any assumptions/limitations regarding law, licensing, policies, or technicalities.]
[Provide insights on the actions of and tools for those who are expected to monitor and respond.]
[Describe expected paths that would lead to this Use Case being identified as the proper course of action/response. Include steps to validate whether the alert is a true or false positive and whether Containment, Remediation, and Recovery steps are necessary. List specific monitors, dashboards, reports, automated emails, alerts, etc. In cases where a user may provide the initial notification, provide language to look for, e.g.:
- A call from a user referencing a Symantec Antivirus popup or window.
- An email from a System Administrator citing an antivirus alert in Symantec Manager.]
[Provide recommended actions that determine the investigation scope, collect and preserve data, and perform technical analysis, as well as when, where, and to whom to escalate.]
[Provide recommended actions that limit the impact and spread of the situation.]
[Provide steps to determine whether a system can be restored after cleanup versus requiring reimaging, disk replacement, or entire system replacement. Provide recommended actions to eradicate all artifacts and revert all changes to the system when viable, including how to validate the actions taken.]
[Provide any useful resources or references that can help understand the vulnerability, attack, detection, affected software, protocols, etc. Usually in the form of URLs with page names (in case the website owner restructures their links, as Microsoft often does).]