SIEM

Executive Summary

[Provide non-technical, high-level information, references, and background.]

Name

[Provide a succinct statement that describes what the Playbook addresses (e.g. Antivirus Detection Alert).]

Problem Statement

[Describe the problem, beginning with any necessary background information.]

Objectives

[Define the goals of the Playbook.]

Compliance

[List the Compliance Framework and the individual checks/requirements the Playbook relates to, in bulleted format.]

MITRE ATT&CK Framework

[List the MITRE ATT&CK Framework Tactics/Techniques the Playbook relates to in bulleted format.]

Assumptions and Limitations

[Describe any assumptions/limitations regarding law, licensing, policies, or technicalities.]

Analysis

[Provide insights on the actions of and tools for those who are expected to monitor and respond.]

Monitoring and Notifications

[Describe how the detection will bring attention to itself. This typically involves monitors, dashboards, reports, emails, alerts, etc.]

Playbook Verification

[Describe the expected paths that would lead to this Playbook being identified as the proper course of action/response. List the specific monitors, dashboards, reports, automated emails, alerts, etc. In cases where a user may provide the initial notification, provide the language to look for, e.g.:]

Identification

[Provide recommended actions that determine the investigation scope, collect and preserve data, and perform technical analysis, and state when, where, and to whom to escalate.]

Containment

[Provide recommended actions that limit the impact and spread of the situation.]

Eradication & Recovery

[Provide steps to determine whether a system can be restored after cleanup versus requiring reimaging, disk replacement, or entire system replacement. Provide recommended actions to eradicate all artifacts and revert all changes to the system when viable, including how to validate the actions taken.]

References and Resources

[Provide any useful resources or references that help in understanding the vulnerability, attack, detection, affected software, protocols, etc. Usually in the form of URLs with page names (in case the website owner restructures their links, as Microsoft often does).]

References (for this template)