I would like to talk about your and my use cases for response playbooks. In my ATC installation, RPs are mainly used as "Triage" instructions. So the biggest part of my RP is focused on the identification of a threat, searching for additional information, and adding more context to the case. After that, escalation to the 2nd line of the SOC. In some simple cases, of course, there are other actions for containment.
Maybe we do need to separate "Triage phase" from others?
What are your use cases of RP?
Maybe we do need to separate "Triage phase" from others?
Yes, some sort of separation is totally required.
But I don't think that it makes sense to develop a separate IR Stage for it, because basically the activities under "Triage" fit perfectly into the existing stages (Identification, Containment, and in some cases — Eradication). It doesn't make much sense to create such a separation on that level.
I would suggest creating Playbooks with the prefix "Triage" in the title. Or maybe we could add a category or a special tag to the Playbook template, and then automatically categorize it as a Triage Playbook.
Hi all,
I have seen an interesting discussion about RP usage.