diff --git a/response_templates/AccountCompromise_v2.json b/response_templates/AccountCompromise_v2.json
new file mode 100644
index 0000000000..8dfebb8553
--- /dev/null
+++ b/response_templates/AccountCompromise_v2.json
@@ -0,0 +1 @@
+{"id": "94198adf-1fc1-4c2d-8c94-baf4523bee4f", "create_time": 1765479652.5729501, "update_time": 1765479652.5729501, "name": "Account Compromise", "description": "This response template defines a response to the potential compromise of one or more system or application accounts. Across the enterprise, user and service accounts are high-value targets that provide access to wide varieties of resources and capabilities. If an unauthorized entity gains access to an account in your organization, you can use these phases and tasks to organize the effort to investigate and respond. No two account compromises are the same, so some portions of this template might not apply to certain types of account takeovers, and in most cases there will be additional appropriate responses going beyond those listed below. The general structure of this template is based on NIST SP 800-61 Revision 2, and some of the techniques come from the Credential Access tactic in the MITRE ATT&CK framework (https://attack.mitre.org/tactics/TA0006/).", "template_status": "published", "creator": "splunker", "updated_by": "splunker", "is_default": false, "version": 2, "phases": [{"id": "59f2cf8d-3c77-491f-8ff4-65ed341c7503", "create_time": 1765479652.5742395, "update_time": 1765479652.57424, "name": "Detection and Analysis", "order": 1, "tasks": [{"id": "ea986cd7-db3e-48d5-8a44-e9f0f6420d24", "create_time": 1764758755.835523, "update_time": 1765479652.5730562, "name": "Contact account owner", "order": 1, "tag": "51815ce4-c186-4418-9d6c-716e101953f0", "description": 
"If%20situational%20awareness%20concerns%20allow%20it,%20contact%20the%20legitimate%20owner%20of%20the%20account%20to%20gather%20additional%20insight,%20rule%20out%20false%20positives,%20and%20provide%20guidance%20on%20how%20to%20cooperate.%0A%0ASuggested%20Integrations%0A1.%20%5BIdentity%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/identity_center)%0A2.%20%5BAsset%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/asset_center)%0A3.%20SMTP%20(preconfigured)%0A4.%20%5BMS%20Graph%20for%20Office%20365%5D(https://splunkbase.splunk.com/app/5824)%0A5.%20%5BG%20Suite%20for%20GMail%5D(https://splunkbase.splunk.com/app/5795)%0A6.%20%5BCisco%20Webex%5D(https://splunkbase.splunk.com/app/5781)%0A7.%20%5BSlack%5D(https://splunkbase.splunk.com/app/5846)%0A8.%20%5BMicrosoft%20Teams%5D(https://splunkbase.splunk.com/app/5818)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "c24b5ac1-3e44-4f91-a55e-5c93a0c17a8a", "create_time": 1764758755.8356514, "update_time": 1765479652.573373, "name": "Determine the scope of the compromise", "order": 2, "tag": "4f6e6b64-aeec-456c-806d-d0b66c9db56c", "description": 
"Determine%20the%20resources%20and%20capabilities%20available%20to%20the%20compromised%20account.%20Consider%20other%20types%20of%20accounts%20that%20can%20also%20be%20accessed%20based%20on%20the%20initial%20compromise.%20Is%20this%20account%20an%20Administrative%20account?%20What%20systems%20has%20the%20account%20logged%20into?%0A%0ASuggested%20Integrations%0A1.%20%5BRisk%20Analysis%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/risk_analysis)%0A2.%20%5BTraffic%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_center)%0A3.%20%5BPort%20and%20Protocol%20Tracker%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/port_protocol_tracker)%0A4.%20%5BMalware%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_center)%0A5.%20%5BMalware%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_search)%0A6.%20%5BEmail%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/email_search)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "4b7b5058-f28e-4776-8806-c71fdfaab979", "create_time": 1764758755.8357468, "update_time": 1765479652.5734894, "name": "Analyze usage of access", "order": 3, "tag": "62fe4b55-7da1-44ba-ae88-93f42cb724c8", "description": 
"Query%20monitoring%20systems%20to%20determine%20which%20of%20the%20potential%20resources%20and%20capabilities%20were%20actually%20used%20by%20the%20adversary.%20Look%20for%20patterns%20in%20targeted%20resources%20and%20capabilities.%20Was%20the%20compromised%20account%20used%20to%20install%20or%20download%20something?%20Were%20credentials%20to%20other%20accounts%20collected%20and%20used?%0A%0ASuggested%20Integrations%0A1.%20%5BAccess%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/access_center)%0A2.%20%5BAccount%20Management%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/account_management)%0A3.%20%5BAccess%20Tracker%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/access_tracker)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "ad738c70-a259-4627-84fc-30f881b1065f", "create_time": 1764758755.835839, "update_time": 1765479652.5735939, "name": "Estimate impact", "order": 4, "tag": "5abdf8e0-f364-4f39-956a-aa912e0543c0", "description": "Estimate the business impact to appropriately allocate priority and resources.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "1bc12376-4d51-45ed-9e37-38abc31a497a", "create_time": 1764758755.8359327, "update_time": 1765479652.5736716, "name": "Track stolen credentials", "order": 5, "tag": "b7814a6d-ac12-4936-a5ef-8e1a636a08dd", "description": "If%20compromised%20credentials%20were%20used,%20try%20to%20determine%20where%20else%20they%20may%20grant%20access%0A%0ASuggested%20Integrations%0A1.%20%5BAccount%20Management%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/account_management)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], 
"suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "5de28da8-76f3-4104-8d62-b44f8f46a4a4", "create_time": 1764758755.8360248, "update_time": 1765479652.573762, "name": "Investigate external communications", "order": 6, "tag": "4a46b5da-c9b9-453a-80ad-161db306822e", "description": "Look%20for%20exfiltration%20and/or%20command%20and%20control%20activity.%20Inspect%20network%20traffic%20with%20abnormal%20content,%20focusing%20on%20traffic%20to%20external%20hosts%20and%20internal%20systems%20that%20are%20not%20normally%20connected%20to%20the%20system%20under%20investigation.%0A%0ASuggested%20Integrations%0A1.%20%5BTraffic%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_center)%0A2.%20%5BPort%20and%20Protocol%20Tracker%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/port_protocol_tracker)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "6956c82f-6811-4b3d-975b-fe690e0b54ef", "create_time": 1764758755.836118, "update_time": 1765479652.5738606, "name": "Determine initial access mechanism", "order": 7, "tag": "3b962a5e-16da-4962-9f9f-c237e88e24a3", "description": 
"Attempt%20to%20trace%20activity%20back%20to%20the%20point%20of%20initial%20access.%20Consider%20phishing,%20watering%20hole%20attacks,%20public-facing%20exploits,%20supply%20chain%20compromises,%20and%20other%20common%20attack%20mechanisms.%0A%0ASuggested%20Integrations%0A1.%20%5BRisk%20Analysis%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/risk_analysis)%0A2.%20%5BTraffic%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_center)%0A3.%20%5BPort%20and%20Protocol%20Tracker%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/port_protocol_tracker)%0A4.%20%5BMalware%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_center)%0A5.%20%5BMalware%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_search)%0A6.%20%5BEmail%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/email_search)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "62a7c0a4-1c2e-4922-8dd2-9114ef305607", "create_time": 1764758755.8362353, "update_time": 1765479652.573958, "name": "Detect persistent system access", "order": 8, "tag": "023e3b98-335b-4364-8292-e34e221dcdcd", "description": 
"Look%20for%20attempts%20to%20establish%20persistent%20access%20to%20one%20or%20more%20systems.%20The%20persistence%20technique%20could%20include%20an%20email%20forwarding%20rule%20for%20an%20email%20account,%20a%20scheduled%20task%20on%20an%20endpoint,%20a%20newly%20added%20login%20method%20for%20a%20business%20application,%20or%20a%20wide%20array%20of%20others.%20One%20non-exhaustive%20list%20of%20persistence%20techniques%20is%20in%20the%20MITRE%20ATT&CK%20framework%20(https://attack.mitre.org/tactics/TA0003/)%20and%20another%20for%20Windows%20endpoints%20in%20particular%20is%20within%20the%20SysInternals%20Autoruns%20tool.%0A%0ASuggested%20Integrations%0A1.%20%5BRisk%20Analysis%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/risk_analysis)%0A2.%20%5BTraffic%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_center)%0A3.%20%5BPort%20and%20Protocol%20Tracker%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/port_protocol_tracker)%0A4.%20%5BMalware%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_center)%0A5.%20%5BMalware%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_search)%0A6.%20%5BEmail%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/email_search)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "0bc09ecd-b582-4b51-82bd-845113fe9025", "create_time": 1764758755.8363278, "update_time": 1765479652.5740716, "name": "Enumerate other similarly vulnerable accounts", "order": 9, "tag": "44b55fc1-e45f-46ce-82d8-d23b1392790f", "description": "If an initial attack vector or other activity pattern is found, use it to look for other similarly compromised accounts.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, 
"end_time": 0, "total_time_taken": 0}, {"id": "60b63967-c82f-4378-80ab-7234d3b8d01a", "create_time": 1764758755.8364184, "update_time": 1765479652.5741494, "name": "Notify stakeholders", "order": 10, "tag": "6f26711e-c173-4394-91cf-f2e9c7c88d8a", "description": "Notify%20incident%20response%20leadership,%20system%20owners,%20and%20other%20stakeholders%20in%20accordance%20with%20established%20incident%20notification%20and%20escalation%20procedures.%0A%0ASuggested%20Integrations%0A1.%20%5BIdentity%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/identity_center)%0A2.%20%5BAsset%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/asset_center)%0A3.%20SMTP%20(preconfigured)%0A4.%20%5BMS%20Graph%20for%20Office%20365%5D(https://splunkbase.splunk.com/app/5824)%0A5.%20%5BG%20Suite%20for%20GMail%5D(https://splunkbase.splunk.com/app/5795)%0A6.%20%5BCisco%20Webex%5D(https://splunkbase.splunk.com/app/5781)%0A7.%20%5BSlack%5D(https://splunkbase.splunk.com/app/5846)%0A8.%20%5BMicrosoft%20Teams%5D(https://splunkbase.splunk.com/app/5818)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "48075a18-75b5-45d5-9c14-c791c0975316", "create_time": 1765479652.574572, "update_time": 1765479652.5745726, "name": "Containment, Eradication, and Recovery", "order": 2, "tasks": [{"id": "4fa28acc-820f-4b9c-8fbe-b06dc8f735bb", "create_time": 1764758755.8365533, "update_time": 1765479652.5743093, "name": "Disable account", "order": 1, "tag": "582f0358-63c7-4a15-ba9e-a42861e854b5", "description": 
"If%20the%20business%20risk%20is%20deemed%20acceptable,%20disable%20the%20account%20or%20reset%20credentials%20to%20prevent%20further%20malicious%20usage.%0A%0ASuggested%20Integrations%0A1.%20%5BMS%20Graph%20For%20Active%20Directory%5D(https://splunkbase.splunk.com/app/6395)%0A2.%20%5BAD%20LDAP%5D(https://splunkbase.splunk.com/app/5755)%0A3.%20%5BOkta%5D(https://splunkbase.splunk.com/app/5921)%0A4.%20%5BAWS%20IAM%5D(https://splunkbase.splunk.com/app/5763)%0A5.%20%5BAzure%20AD%20Graph%5D(https://splunkbase.splunk.com/app/5771)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "f20c28db-b508-4cce-bd08-df4a1b92b1e4", "create_time": 1764758755.836641, "update_time": 1765479652.5744092, "name": "Remove persistent system access", "order": 2, "tag": "5cfd8324-141b-407f-ac19-3ab946178fc8", "description": "If%20persistent%20access%20mechanisms%20were%20detected,%20remove%20them%20by%20uninstalling%20software,%20unhooking%20libraries,%20reimaging%20systems,%20disabling%20compromised%20credentials,%20or%20implementing%20other%20remediations.%20If%20this%20action%20will%20cause%20a%20service%20outage,%20it%20may%20be%20prudent%20to%20notify%20the%20affected%20teams%20or%20organizations.%0A%0ASuggested%20Integrations%0A1.%20%5BMS%20Graph%20For%20Active%20Directory%5D(https://splunkbase.splunk.com/app/6395)%0A2.%20%5BAD%20LDAP%5D(https://splunkbase.splunk.com/app/5755)%0A3.%20%5BOkta%5D(https://splunkbase.splunk.com/app/5921)%0A4.%20%5BAWS%20IAM%5D(https://splunkbase.splunk.com/app/5763)%0A5.%20%5BAzure%20AD%20Graph%5D(https://splunkbase.splunk.com/app/5771)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "b94cc55d-a653-466a-8faf-846f699ebb75", 
"create_time": 1764758755.836737, "update_time": 1765479652.5745091, "name": "Mitigate or remediate vulnerabilities", "order": 3, "tag": "25d66876-4448-420d-80b5-bc359805598b", "description": "If%20any%20vulnerabilities%20were%20used%20in%20this%20compromise,%20find%20a%20way%20to%20mitigate%20or%20remediate%20them.%20This%20could%20be%20a%20system%20update,%20a%20change%20in%20software,%20disabling%20a%20certain%20feature,%20a%20change%20in%20policy,%20or%20another%20action.%0A%0ASuggested%20Integrations%0A1.%20%20%5BCrowdstrike%5D(https://splunkbase.splunk.com/app/5786)%0A2.%20%5BMicrosoft%20Defender%20for%20Endpoint%5D(https://splunkbase.splunk.com/app/5870)%0A3.%20%5BVMware%20Carbon%20Black%20Cloud%20for%20Splunk%20SOAR%5D(https://splunkbase.splunk.com/app/6732)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "36274751-b970-4375-85dc-b06a13d05cc2", "create_time": 1765479652.5748563, "update_time": 1765479652.5748568, "name": "Post-incident Activity", "order": 3, "tasks": [{"id": "c601515a-bbef-485f-819a-9c1e477e413e", "create_time": 1764758755.8368754, "update_time": 1765479652.57464, "name": "Notify necessary parties", "order": 1, "tag": "6e6b6839-fced-46a4-a660-e00281118cda", "description": 
"Determine%20if%20a%20regulatory%20risk%20calls%20for%20a%20notification%20to%20an%20internal%20or%20external%20compliance%20organization.%20Also%20consider%20an%20informational%20notice%20to%20users%20to%20prevent%20similar%20compromises%20through%20improved%20security%20hygiene.%0A%0ASuggested%20Integrations%0A1.%20SMTP%20(preconfigured)%0A2.%20%5BMS%20Graph%20for%20Office%20365%5D(https://splunkbase.splunk.com/app/5824)%0A3.%20%5BG%20Suite%20for%20GMail%5D(https://splunkbase.splunk.com/app/5795)%0A4.%20%5BCisco%20Webex%5D(https://splunkbase.splunk.com/app/5781)%0A5.%20%5BSlack%5D(https://splunkbase.splunk.com/app/5846)%0A6.%20%5BMicrosoft%20Teams%5D(https://splunkbase.splunk.com/app/5818)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "33acb96f-1113-489b-8dc4-882695963f99", "create_time": 1764758755.836966, "update_time": 1765479652.574736, "name": "Tune prevention systems", "order": 2, "tag": "47e3bd73-9fea-4f85-a805-9ebedfd000ed", "description": "Depending on the mechanism of access and the systems affected, there may be a clear next step to prevent similar compromises. This might involve deployment of strong multi-factor authentication, improved automated response, stronger application of least privilege, user training, and/or a wide array of other defensive measures. 
Consider using CIS Cybersecurity Best Practices (https://www.cisecurity.org/cybersecurity-best-practices/) or a similar framework to assess improvements in prevention.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "0d0ded65-d9dd-497f-ab9d-f51864ad88af", "create_time": 1764758755.8370595, "update_time": 1765479652.574812, "name": "Tune detection systems", "order": 3, "tag": "9411f544-f06a-4e79-9972-3844f61cc1f7", "description": "Any of the steps taken within the Detection and Analysis phase may be candidates for automated or regularly scheduled detections to find similar activity. Focus on the most generalizable patterns that will catch high-impact compromises as early as possible.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}], "template_id": "8b0ea69b-c29f-4a70-b58b-59164312a491", "active": true, "used": true, "_user": "nobody", "_key": "94198adf-1fc1-4c2d-8c94-baf4523bee4f"}
diff --git a/response_templates/DataBreach_v2.json b/response_templates/DataBreach_v2.json
new file mode 100644
index 0000000000..7e8bf46071
--- /dev/null
+++ b/response_templates/DataBreach_v2.json
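Review bot: Task descriptions in this file mix two encodings — most are percent-encoded (`%20`, `%0A`, `%5B`…`%5D` markdown links) while "Estimate impact", "Enumerate other similarly vulnerable accounts", "Tune prevention systems" and "Tune detection systems" are plain text — so a consumer cannot decode uniformly without either corrupting a plain string that happens to contain `%` or displaying raw `%20` in the others; the same mix appears in DataBreach_v2.json ("Determine mitigations and remediations", "Identify appropriate stakeholders") and GenericIncidentResponse_v2.json ("Document associated events"). Pick one form for every `description` (plain text with `\n` escapes reads best in a committed JSON file) or add a field that names the encoding so the renderer does not have to guess. The hunk header declares a single added line, so the break that appears inside the "Tune prevention systems" description after `defensive measures.` is either an extraction artifact or a raw newline inside a string, which RFC 8259 forbids; worth confirming the file round-trips through a strict parser before it ships. `_key` repeats `id` verbatim, which I take to be a KV-store convention rather than a drift risk — confirm which one consumers key on.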
@@ -0,0 +1 @@
+{"id": "b0ad7421-221a-4859-8af7-7cd8949ad10f", "create_time": 1764862877.558638, "update_time": 1765481882.0017216, "name": "Data Breach", "description": "", "template_status": "published", "creator": "splunker", "updated_by": "splunker", "is_default": false, "version": 2, "phases": [{"id": "3864ce09-a850-44af-86ef-9ade49d18356", "create_time": 1765481830.6013758, "update_time": 1765481881.9174762, "name": "Escalate to accountable system owners", "order": 1, "tasks": [{"id": "5a3d4ceb-6a30-4aa3-8e8a-b30e3438dff4", "create_time": 1764758755.724739, "update_time": 1765481881.9169092, "name": "Identify accountable system owners", "order": 1, "tag": "f45e1890-72d0-4bdf-8932-ea8d78c2c58f", "description": "Query%20configuration%20management%20databases,%20ask%20teammates,%20and%20query%20on-call%20personnel%20directories%20to%20find%20the%20right%20people%20for%20notification%20and%20response.%0A%0ASuggested%20Integrations%0A1.%20%20%5BAsset%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/asset_center)%0A2.%20%20%5BServiceNow%5D(https://splunkbase.splunk.com/app/5932)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "8d090f83-6590-48b7-8233-db738d054005", "create_time": 1764758755.7248507, "update_time": 1765481881.9171314, "name": "Notify accountable system owners", "order": 2, "tag": "b0816205-58e4-4e29-991b-f415717d1c03", "description": 
"Determine%20what%20is%20needed%20from%20each%20team%20member%20and%20notify%20them%20as%20soon%20as%20possible.%20Consider%20speed,%20confidentiality,%20integrity,%20and%20availability%20when%20choosing%20a%20communication%20channel.%20The%20right%20choice%20may%20be%20an%20in-person%20meeting,%20email,%20chat,%20text,%20phone%20call,%20or%20a%20notification%20in%20Splunk%20Mission%20Control.%0A%0ASuggested%20Integrations%0A1.%20SMTP%20(preconfigured)%0A2.%20%5BMS%20Graph%20for%20Office%20365%5D(https://splunkbase.splunk.com/app/5824)%0A3.%20%5BG%20Suite%20for%20GMail%5D(https://splunkbase.splunk.com/app/5795)%0A4.%20%5BCisco%20Webex%5D(https://splunkbase.splunk.com/app/5781)%0A5.%20%5BSlack%5D(https://splunkbase.splunk.com/app/5846)%0A6.%20%20%5BMicrosoft%20Teams%5D(https://splunkbase.splunk.com/app/5818)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "2950919f-a5ca-4dec-b3d0-5ef7edf213e3", "create_time": 1764758755.7249453, "update_time": 1765481881.9173613, "name": "Set up collaboration channels", "order": 3, "tag": "2b1518b8-77a6-4e03-8b50-e0a89dc40ed8", "description": "Establish%20shared%20access%20to%20the%20appropriate%20notable%20investigation%20that%20is%20tracking%20the%20data%20breach.%20If%20necessary%20establish%20an%20additional%20channel%20for%20communications%20such%20as%20a%20chat%20room,%20email%20chain,%20ticketing%20system,%20or%20VictorOps%20Incident.%0A%0ASuggested%20Integrations%0A1.%20%5BCisco%20Webex%5D(https://splunkbase.splunk.com/app/5781)%0A2.%20%5BSlack%5D(https://splunkbase.splunk.com/app/5846)%0A3.%20%5BMicrosoft%20Teams%5D(https://splunkbase.splunk.com/app/5818)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 
0}]}, {"id": "fa5bb456-dfe8-4f27-88a3-1639a35796c6", "create_time": 1765481830.6017647, "update_time": 1765481881.918081, "name": "Stop exfiltration", "order": 2, "tasks": [{"id": "3fcbd598-8be3-4c81-a89e-1896912ffea4", "create_time": 1764758755.725092, "update_time": 1765481881.9176087, "name": "Identify likely means of exfiltration", "order": 1, "tag": "b562799f-7155-43a2-a36a-e736575a6b1d", "description": "Evaluate%20likely%20means%20of%20exfiltration%20using%20the%20information%20from%20the%20initial%20detection%20and%20any%20other%20associated%20investigation%20the%20team%20can%20conduct.%20Use%20https://attack.mitre.org/wiki/Persistence%20and%20other%20open%20source%20intelligence%20to%20check%20for%20common%20exfiltration%20mechanisms.%20Consider%20the%20sophistication%20of%20the%20adversary,%20the%20data%20that%20is%20likely%20to%20be%20targeted,%20the%20systems%20that%20may%20have%20been%20breached,%20and%20any%20other%20knowledge%20from%20further%20investigation.%20Query%20the%20logs%20of%20any%20available%20systems%20around%20the%20time%20of%20the%20incident%20for%20context%20and%20additional%20leads.%20If%20possible%20analyze%20and/or%20reverse%20engineer%20any%20executables%20or%20scripts%20discovered%20in%20the%20investigation.%20Try%20to%20determine%20exfiltration%20mechanisms,%20protocols,%20ports,%20IP%20addresses,%20hostnames,%20URLs,%20and%20other%20indicators.%0A%0ASuggested%20Integrations%0A1.%20%5BRisk%20Analysis%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/risk_analysis)%0A2.%20%5BTraffic%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_center)%0A3.%20%5BPort%20and%20Protocol%20Tracker%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/port_protocol_tracker)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "b7bfe3f3-8035-45bd-a16a-4d847cb74ba3", 
"create_time": 1764758755.725215, "update_time": 1765481881.9178276, "name": "Determine mitigations and remediations", "order": 2, "tag": "2c398364-ef0f-4e7d-877e-0abfaa91d72d", "description": "Taking into account the confidentiality and availability considerations of the systems involved, determine which mitigations and remediations are appropriate.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "0a27527c-f0c1-4e54-a875-d110a8f71cb8", "create_time": 1764758755.7253134, "update_time": 1765481881.9179668, "name": "Stop exfiltration", "order": 3, "tag": "e80c691b-9bab-4f4d-86ca-8496300842c3", "description": "Use%20host-based%20or%20network%20controls%20to%20interrupt%20exfiltration.%20Scope%20the%20response%20according%20to%20the%20severity%20of%20the%20event.%0A%0ASuggested%20Integrations%0A1.%20%5BCisco%20Firepower%5D(https://splunkbase.splunk.com/app/5995)%0A2.%20%5BCisco%20Secure%20Firewall%5D(https://splunkbase.splunk.com/app/7745)%0A3.%20%5B%20Palo%20Alto%5D(https://splunkbase.splunk.com/app/5830)%0A4.%20%5BZscaler%5D(https://splunkbase.splunk.com/app/5872)%0A5.%20%5BTraffic%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_center)%0A6.%20%5BCrowdstrike%5D(https://splunkbase.splunk.com/app/5786)%0A7.%20%5BMicrosoft%20Defender%20for%20Endpoint%5D(https://splunkbase.splunk.com/app/5870)%0A8.%20%5BVMware%20Carbon%20Black%20Cloud%20for%20Splunk%20SOAR%5D(https://splunkbase.splunk.com/app/6732)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "a1d5e293-2b61-43f1-a776-f8d2126a1d7a", "create_time": 1765481830.6020367, "update_time": 1765481881.918544, "name": "Remove persistent adversaries", "order": 3, "tasks": 
[{"id": "fecaae1e-a6d8-47b2-8386-5af5bcac6d54", "create_time": 1764758755.7254562, "update_time": 1765481881.9182255, "name": "Identify likely means of persistence", "order": 1, "tag": "27ff7f99-5263-4a23-ba71-775e2a96ea00", "description": "Trace%20exfiltration%20as%20far%20as%20possible%20back%20toward%20a%20root%20cause.%20Look%20for%20patterns%20of%20activity%20from%20scheduled%20tasks,%20system%20restarts,%20polling%20of%20external%20systems,%20and%20other%20common%20means%20of%20persistence.%20Sysinternals%20AutoRuns%20and%20other%20similar%20tools%20can%20check%20wide%20varieties%20of%20persistence%20mechanisms.%0A%0ASuggested%20Integrations%0A1.%20%5BTraffic%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_center)%0A2.%20%5BEndpoint%20Changes%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/endpoint_changes)%0A3.%20%5BMalware%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_center)%0A4.%20%5BMalware%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_search)%0A5.%20%5BEmail%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/email_search)%0A6.%20%5BRisk%20Analysis%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/risk_analysis)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "a951c1a1-61c6-4afa-b0c7-c721a97b5d3e", "create_time": 1764758755.7255518, "update_time": 1765481881.9184313, "name": "Remove identified persistence mechanisms", "order": 2, "tag": "3c87ad49-a462-47b1-93fa-401c82da9270", "description": 
"Block%20adversary%20persistence%20at%20the%20host%20and/or%20network%20level.%0A%0ASuggested%20Integrations%0A1.%20%5BCisco%20Firepower%5D(https://splunkbase.splunk.com/app/5995)%0A2.%20%5BCisco%20Secure%20Firewall%5D(https://splunkbase.splunk.com/app/7745)%0A3.%20%5BPalo%20Alto%5D(https://splunkbase.splunk.com/app/5830)%0A4.%20%5BZscaler%5D(https://splunkbase.splunk.com/app/5872)%0A5.%20%5BCrowdstrike%5D(https://splunkbase.splunk.com/app/5786)%0A6.%20%5BMicrosoft%20Defender%20for%20Endpoint%5D(https://splunkbase.splunk.com/app/5870)%0A7.%20%5BVMware%20Carbon%20Black%20Cloud%20for%20Splunk%20SOAR%5D(https://splunkbase.splunk.com/app/6732)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "9577e82b-f68e-4fa7-a86b-987bbb51a504", "create_time": 1765481830.6022003, "update_time": 1765481881.918786, "name": "Assess impact", "order": 4, "tasks": [{"id": "be68378a-13d6-499d-bc94-d7f54c51e012", "create_time": 1764758755.7256913, "update_time": 1765481881.9186735, "name": "Measure the size and scope", "order": 1, "tag": "26cca1bb-80c3-43ab-ab5b-13975111b607", "description": 
"Measure%20the%20impact%20of%20the%20breach%20by%20amount%20of%20data,%20importance%20of%20data,%20potential%20follow-on%20impacts,%20and%20other%20appropriate%20criteria.%0A%0ASuggested%20Integrations%0A1.%20%5BRisk%20Analysis%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/risk_analysis)%0A2.%20%5BTraffic%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_center)%0A3.%20%5BPort%20and%20Protocol%20TrackerDashboard%5D(/app/SplunkEnterpriseSecuritySuite/port_protocol_tracker)%0A4.%20%5BMalware%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_center)%0A5.%20%5BMalware%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_search)%0A6.%20%5BEmail%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/email_search)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "befcad6f-d66d-459c-8b71-9ac22c902c6f", "create_time": 1765481830.6024225, "update_time": 1765481881.9191456, "name": "Report to appropriate stakeholders", "order": 5, "tasks": [{"id": "aa30f51a-a2fb-4284-be1d-c8d6a0f2935b", "create_time": 1764758755.7259164, "update_time": 1765481881.91892, "name": "Identify appropriate stakeholders", "order": 1, "tag": "4bb2a31a-ccc7-4bc3-a5b7-cf946cb10fb0", "description": "Identify who should receive which information. 
This may include the regulatory compliance team, all internal employees, customers, partners, appropriate government officials, the public, system vendors, open source communities, and others.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "c2c0365b-7e90-4f34-a074-05b31a6bbb00", "create_time": 1764758755.7260718, "update_time": 1765481881.9190648, "name": "Send reports", "order": 2, "tag": "03fd935b-9848-4eee-8179-1d33592a2658", "description": "Send the appropriate amount of information to identified parties. If it is beneficial, give them a way to respond to the information.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "370933e2-b9c1-4de8-90bd-10477e48ed7e", "create_time": 1765481830.602553, "update_time": 1765481881.9215052, "name": "Prevent future breaches", "order": 6, "tasks": [{"id": "574bfcd8-31c3-4b51-9e73-b8a35403894c", "create_time": 1764758755.726329, "update_time": 1765481881.921397, "name": "Prevent future breaches", "order": 1, "tag": "690e3199-c277-4a6f-8ada-9c4c5bbc3e48", "description": "Use information from this case to investigate further, apply patches, prevent behaviors, change systems, and otherwise prevent similar situations from occurring again. Setup automated checks for reinfection using similar indicators or TTP's.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}], "template_id": "dcb047a2-c621-41c6-b3d5-acabcbb20b1d", "active": true, "used": false, "_user": "nobody", "_key": "b0ad7421-221a-4859-8af7-7cd8949ad10f"} 
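Review bot: The "Identify likely means of exfiltration" task links analysts to `https://attack.mitre.org/wiki/Persistence`, which is the Persistence tactic rather than Exfiltration and uses the legacy wiki path; the sibling template on this page references tactics as `https://attack.mitre.org/tactics/TA0003/`, so this should point at the Exfiltration tactic page in that form (and the Persistence link, if still wanted, belongs in the "Identify likely means of persistence" task). The top-level `"description": ""` leaves a published template with no statement of scope, unlike AccountCompromise_v2.json; GenericIncidentResponse_v2.json has the same empty field. Smaller text defects in the encoded descriptions: `%5B%20Palo%20Alto%5D` carries a stray leading space in the link text, `Port%20and%20Protocol%20TrackerDashboard` is missing a space, and "Setup automated checks" should read "Set up automated checks".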
diff --git a/response_templates/GenericIncidentResponse_v2.json b/response_templates/GenericIncidentResponse_v2.json
new file mode 100644
index 0000000000..60d4b9303d
--- /dev/null
+++ b/response_templates/GenericIncidentResponse_v2.json
@@ -0,0 +1 @@
+{"id": "c3326c0e-417c-46de-b79a-7a33e457b91b", "create_time": 1764862802.518435, "update_time": 1765478297.8226988, "name": "Generic Incident Response", "description": "", "template_status": "published", "creator": "splunker", "updated_by": "splunker", "is_default": false, "version": 2, "phases": [{"id": "c8c1bb29-a14c-4230-ba02-283f98645b90", "create_time": 1765478297.7930639, "update_time": 1765478297.7930644, "name": "Detection", "order": 1, "tasks": [{"id": "76fd8383-b2f7-47d8-b952-49a60105c23f", "create_time": 1764758755.9055116, "update_time": 1765478297.7925363, "name": "Report incident response execution", "order": 1, "tag": "69c9baf1-bd12-4b09-b6b6-a77df9428682", "description": "Alert%20appropriate%20parties%20that%20incident%20response%20is%20starting.%0A%0ASuggested%20Integrations%0A1.%20SMTP%20(preconfigured)%0A2.%20%5BMS%20Graph%20for%20Office%20365%5D(https://splunkbase.splunk.com/app/5824)%0A3.%20%5BG%20Suite%20for%20GMail%5D(https://splunkbase.splunk.com/app/5795)%0A4.%20%5BCisco%20Webex%5D(https://splunkbase.splunk.com/app/5781)%0A5.%20%5BSlack%5D(https://splunkbase.splunk.com/app/5846)%0A6.%20%20%5BMicrosoft%20Teams%5D(https://splunkbase.splunk.com/app/5818)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "c62f8956-c622-4c11-a664-9d68661f2df1", "create_time": 1764758755.905616, "update_time": 1765478297.7928247, "name": "Document associated events", "order": 2, "tag": "8ca56a2a-f0d7-43c1-96e3-06bac95deffe", "description": "This is the escalation. 
Create a notable and populate it with significant data.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "8e84a157-60e0-4914-97e7-a59936ba4fcf", "create_time": 1764758755.9057095, "update_time": 1765478297.7929223, "name": "Document known attack surface and attacker information", "order": 3, "tag": "604e26c0-fb5a-4320-9d95-ef887d406d71", "description": "Rough triage of the situation. No complete picture of the situation, but targets to analyze.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "ea952b70-0c68-4750-b791-7489117f5a3a", "create_time": 1764758755.9058, "update_time": 1765478297.7930133, "name": "Assign roles", "order": 4, "tag": "389fce05-2170-4971-aabb-da3d88ea668a", "description": "For example: Incident commander, Tech lead, Scribe, Intel analysts, Security analysts", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "816cf263-fcdd-45d6-8f5f-f4c5c3f638bd", "create_time": 1765478297.7943053, "update_time": 1765478297.7943058, "name": "Analysis", "order": 2, "tasks": [{"id": "2444a355-821e-4485-86c5-03c836cba7c5", "create_time": 1764758755.9059348, "update_time": 1765478297.7931442, "name": "Research intelligence resources", "order": 1, "tag": "595d75bb-316e-4dec-bfc6-6729d3e7b280", "description": 
"Find%20out%20if%20this%20attacker%20is%20a%20known%20agent%20and%20gather%20associated%20tactics,%20techniques,%20and%20procedures%20(TTP)%20used.%0A%0ASuggested%20Integrations%0A1.%20%5BSplunk%20Attack%20Analyzer%5D(https://splunkbase.splunk.com/app/6783)%0A2.%20%5BCisco%20Talos%20Intelligence%5D(https://splunkbase.splunk.com/app/7711)%0A3.%203.%20%5BVirusTotal%20v3%5D(https://splunkbase.splunk.com/app/5865)%0A4.%20%20PhishTank%20(preconfigured)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "a947eacc-04e3-485e-bac4-6566e85df173", "create_time": 1764758755.9060266, "update_time": 1765478297.7932744, "name": "Research proxy logs", "order": 2, "tag": "7586c74e-6844-45bb-9535-4924752ff0de", "description": "Find%20and%20document%20any%20evidence%20linked%20to%20attacker%20actions.%0A%0ASuggested%20Integrations%0A1.%20%5BWeb%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/web_center)%0A2.%20%5BTraffic%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_center)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "bfa0b1ad-7bb1-484d-bcfa-16df7989518c", "create_time": 1764758755.906122, "update_time": 1765478297.7933776, "name": "Research firewall logs", "order": 3, "tag": "5f7e4c57-343a-4a5c-8c90-643bdb578dbb", "description": 
"Find%20and%20document%20any%20evidence%20linked%20to%20attacker%20actions.%0A%0ASuggested%20Integrations%0A1.%20%5BTraffic%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_search)%0A2.%20%5BTraffic%20Size%20Analysis%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_size_analysis)%0A3.%20%5BPort%20and%20Protocol%20Tracker%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/port_protocol_tracker)%0A4.%20%5BEndpoint%20Changes%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/endpoint_changes)%0A5.%20%5BMalware%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_center)%0A6.%20%5BMalware%20Search%5D(/app/SplunkEnterpriseSecuritySuite/malware_search)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "0168209e-eb24-4a5a-b72a-7c074a96a19c", "create_time": 1764758755.906265, "update_time": 1765478297.7934852, "name": "Research OS logs", "order": 4, "tag": "357d8065-7af2-4968-a52e-1daba8d36bcb", "description": "Find%20and%20document%20any%20evidence%20linked%20to%20attacker%20actions.%0A%0ASuggested%20Integrations%0A1.%20%5BEndpoint%20Changes%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/endpoint_changes)%0A2.%20%5BMalware%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_center)%0A3.%20%5BMalware%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_search)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "82beb15d-df47-49e4-a504-6a7dd5f33558", "create_time": 1764758755.9063575, "update_time": 1765478297.7935877, "name": "Research network logs", "order": 5, "tag": "f5aabd39-0213-498c-9a91-db8b62c1d262", "description": 
"Find%20and%20document%20any%20evidence%20linked%20to%20attacker%20actions.%0A%0ASuggested%20Integrations%0A1.%20%5BWeb%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/web_center)%0A2.%20%5BTraffic%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_center)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "d339af9b-fdfb-4944-8f9a-6febf9fbceb3", "create_time": 1764758755.9064476, "update_time": 1765478297.7936852, "name": "Research endpoint protection logs", "order": 6, "tag": "a0d0a5b6-e961-470a-8fed-2fd0f1f56e54", "description": "Find%20and%20document%20any%20evidence%20linked%20to%20attacker%20actions.%0A%0ASuggested%20Integrations%0A1.%20%5BEndpoint%20Changes%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/endpoint_changes)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "8a6d8b29-55f0-4eb8-817b-281fbddccd40", "create_time": 1764758755.9065409, "update_time": 1765478297.7937844, "name": "Determine infection vector", "order": 7, "tag": "e840c5b9-b804-4851-ace7-ed2b20e94374", "description": "Find and document how the initial infection occurred.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "ef1d9524-231c-4c12-9544-f01fe50f0e9b", "create_time": 1764758755.9066322, "update_time": 1765478297.7938728, "name": "Document all attack targets", "order": 8, "tag": "2a1efed7-4cba-4f66-b7f4-c51555f6dafd", "description": "Find and document the full attack surface.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], 
"suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "27b6ef2b-735d-4598-ab6e-6875f837a484", "create_time": 1764758755.9067245, "update_time": 1765478297.7939599, "name": "Document all attacker sources and TTP", "order": 9, "tag": "3ce58599-9e4e-4936-a604-9b2783fbb4be", "description": "Document all discovered attack sources and tactics, techniques, and procedures (TTP).", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "a2fdf16b-e79d-4cf6-8f57-026a2c0b63d0", "create_time": 1764758755.9068127, "update_time": 1765478297.794048, "name": "Document infected devices", "order": 10, "tag": "8854bf07-df2e-4536-a7ef-c268776eba0e", "description": "Document all devices known to have been modified by the attacker.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "a16d098a-10a7-4b53-a798-fd83c467ddb6", "create_time": 1764758755.9069023, "update_time": 1765478297.7941349, "name": "Determine full impact of attack", "order": 11, "tag": "2419ca1b-fa9e-4443-8334-4642877218c4", "description": "For example, the functional and informational impact of the attack.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "92b46948-e8f0-4194-9ada-76bbf21bea3a", "create_time": 1764758755.9069924, "update_time": 1765478297.7942424, "name": "Analyze malware samples", "order": 12, "tag": "7486b744-568f-4a71-b6ab-6c18b0975234", "description": 
"Analyze%20discovered%20malware%20and%20document%20indicators%20of%20compromise%20(IOCs).%0A%0ASuggested%20Integrations%0A1.%20%5BSplunk%20Attack%20Analyzer%5D(https://splunkbase.splunk.com/app/6783)%0A2.%20%5BCisco%20Talos%20Intelligence%5D(https://splunkbase.splunk.com/app/7711)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "1cfc9549-b74f-4dfd-b1c5-956b1587e546", "create_time": 1765478297.7946434, "update_time": 1765478297.7946439, "name": "Containment", "order": 3, "tasks": [{"id": "91691144-6812-44e7-ae84-769b7c91778f", "create_time": 1764758755.9071276, "update_time": 1765478297.7943835, "name": "Acquire, preserve, secure, and document evidence", "order": 1, "tag": "fa5fbdd4-4224-460f-80b1-081083c3a8e5", "description": "Before modifying systems housing evidence of the attack, document the evidence.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "884da2c4-4fb8-494f-bd5a-2c0eacb81646", "create_time": 1764758755.9072351, "update_time": 1765478297.794471, "name": "Report devices and applications to be contained to proper channels", "order": 2, "tag": "f735a650-8d7e-42ee-95fa-ca8122e29df4", "description": "Suggested%20Integrations%0A1.%20%5BCisco%20Webex%5D(https://splunkbase.splunk.com/app/5781)%0A2.%20%5BSlack%5D(https://splunkbase.splunk.com/app/5846)%0A3.%20%5BMicrosoft%20Teams%5D(https://splunkbase.splunk.com/app/5818)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "5b6fd766-744a-4ada-9612-9934ff090668", "create_time": 1764758755.9073257, "update_time": 
1765478297.7945688, "name": "Contain incident", "order": 3, "tag": "de5b8d96-bc90-47e5-a707-4b4ce273b2f5", "description": "Suggested%20Integrations%0A1.%20%20%5BCisco%20Firepower%5D(https://splunkbase.splunk.com/app/5995)%0A2.%20%5BCisco%20Secure%20Firewall%5D(https://splunkbase.splunk.com/app/7745)%0A3.%20%5B%20Palo%20Alto%5D(https://splunkbase.splunk.com/app/5830)%0A4.%20%5BZscaler%5D(https://splunkbase.splunk.com/app/5872)%0A5.%20%5BCrowdstrike%5D(https://splunkbase.splunk.com/app/5786)%0A6.%20%5BMicrosoft%20Defender%20for%20Endpoint%5D(https://splunkbase.splunk.com/app/5870)%0A7.%20%5BVMware%20Carbon%20Black%20Cloud%20for%20Splunk%20SOAR%5D(https://splunkbase.splunk.com/app/6732)%0A8.%20%5BMS%20Graph%20For%20Active%20Directory%5D(https://splunkbase.splunk.com/app/6395)%0A9.%20%5BAD%20LDAP%5D(https://splunkbase.splunk.com/app/5755)%0A10.%20%5BOkta%5D(https://splunkbase.splunk.com/app/5921)%0A11.%20%5BAWS%20IAM%5D(https://splunkbase.splunk.com/app/5763)%0A12.%20%5BAzure%20AD%20Graph%5D(https://splunkbase.splunk.com/app/5771)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "a5675456-ec54-4045-beb4-d521f14192cc", "create_time": 1765478297.7949696, "update_time": 1765478297.7949698, "name": "Eradication", "order": 4, "tasks": [{"id": "74739ca3-8849-4d32-b41f-6dcf53ab6598", "create_time": 1764758755.9074597, "update_time": 1765478297.7947214, "name": "Identify and mitigate all vulnerabilities that were exploited", "order": 1, "tag": "160a14ef-e1d7-46db-9a35-5e452602416a", "description": "Suggested%20Integrations%0A1.%20%20%5BCrowdstrike%5D(https://splunkbase.splunk.com/app/5786)%0A2.%20%5BMicrosoft%20Defender%20for%20Endpoint%5D(https://splunkbase.splunk.com/app/5870)%0A3.%20%5BVMware%20Carbon%20Black%20Cloud%20for%20Splunk%20SOAR%5D(https://splunkbase.splunk.com/app/6732)%0A", "owner": "", 
"is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "bf7fc36c-f08b-4fda-89ec-95594bbf238c", "create_time": 1764758755.9075792, "update_time": 1765478297.794821, "name": "Remove malware, inappropriate materials and other components", "order": 2, "tag": "f02e09fa-0ed7-4ca7-a001-a6adcfe83437", "description": "Suggested%20Integrations%0A1.%20%20%5BCrowdstrike%5D(https://splunkbase.splunk.com/app/5786)%0A2.%20%5BMicrosoft%20Defender%20for%20Endpoint%5D(https://splunkbase.splunk.com/app/5870)%0A3.%20%5BVMware%20Carbon%20Black%20Cloud%20for%20Splunk%20SOAR%5D(https://splunkbase.splunk.com/app/6732)%0A", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "f5c72b7c-f274-4825-9b9f-5c34f8d384e9", "create_time": 1764758755.907677, "update_time": 1765478297.7949193, "name": "Repeat analysis and containment on any newly discovered infected hosts", "order": 3, "tag": "c8032097-7574-438a-8473-d614b8f135ff", "description": "", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "50452b43-98af-43ab-bfb0-1e9f7368b2c9", "create_time": 1765478297.795289, "update_time": 1765478297.7952893, "name": "Recovery", "order": 5, "tasks": [{"id": "91a74317-f931-4ced-b4aa-6cdf54433221", "create_time": 1764758755.9079046, "update_time": 1765478297.7950459, "name": "Return affected systems to an operationally ready state", "order": 1, "tag": "c3c83a87-0d75-4d0a-b4e7-9fef0d60e5f4", "description": "Restore network connectivity and system access.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": 
[], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "91f6342d-a92b-4157-a124-5e87ab0c9827", "create_time": 1764758755.9080007, "update_time": 1765478297.7951343, "name": "Confirm that the affected systems are functioning normally", "order": 2, "tag": "27d8d5a5-4c1b-470c-b995-c39275b61444", "description": "Work with system owners to validate successful recovery.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "5840a534-399b-4ac1-b0bc-80927edf8f8b", "create_time": 1764758755.9080942, "update_time": 1765478297.7952387, "name": "If necessary, implement additional monitoring to look for future related activity", "order": 3, "tag": "085d0c66-3bb9-48c8-9403-0fc21217d77c", "description": "Be ready to identify a similar attack with proper monitoring.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "dd359232-b8be-435a-b5bc-1a5fd3e44559", "create_time": 1765478297.795616, "update_time": 1765478297.7956161, "name": "Post", "order": 6, "tasks": [{"id": "0f4c6d6e-5e22-4d2c-8de3-8fb45346b917", "create_time": 1764758755.908245, "update_time": 1765478297.7953663, "name": "Schedule after-action review meeting", "order": 1, "tag": "815e442f-e87d-42ef-81ea-5c13b4d1e3cf", "description": "", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "8864f28a-1b75-4317-b6e7-4088f8d19d9a", "create_time": 1764758755.9083498, "update_time": 1765478297.7954535, "name": "Generate incident response action report", "order": 2, 
"tag": "5a4862af-5001-4418-a48b-e028ef91b542", "description": "Both an executive report and a detailed final report.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "08014d2b-5977-45d2-a14e-519c990aed93", "create_time": 1764758755.9084463, "update_time": 1765478297.7955399, "name": "Report incident response complete", "order": 3, "tag": "4b12a641-8105-4b64-bd89-eef26fabb47a", "description": "Alert%20appropriate%20parties%20that%20incident%20response%20is%20complete.%0A%0ASuggested%20Integrations%0A1.%20SMTP%20(preconfigured)%0A2.%20%5BMS%20Graph%20for%20Office%20365%5D(https://splunkbase.splunk.com/app/5824)%0A3.%20%5BG%20Suite%20for%20GMail%5D(https://splunkbase.splunk.com/app/5795)%0A4.%20%5BCisco%20Webex%5D(https://splunkbase.splunk.com/app/5781)%0A5.%20%5BSlack%5D(https://splunkbase.splunk.com/app/5846)%0A6.%20%20%5BMicrosoft%20Teams%5D(https://splunkbase.splunk.com/app/5818)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}], "template_id": "28753dcd-47c7-44ad-b85f-f840c3f0da96", "active": true, "used": false, "_user": "nobody", "_key": "c3326c0e-417c-46de-b79a-7a33e457b91b"}
diff --git a/response_templates/NIST80061_v2.json b/response_templates/NIST80061_v2.json
new file mode 100644
index 0000000000..2766ec7983
--- /dev/null
+++ b/response_templates/NIST80061_v2.json
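Review bot: The task `description` values in this file mix two encodings — the first task's is percent-encoded (`Alert%20appropriate%20parties%20that%20incident%20response%20is%20starting.%0A...`) while the second task's is plain text that spans a raw line break (`This is the escalation.` / `Create a notable and populate it with significant data.`), as are the plain descriptions of the Analysis tasks — so a consumer cannot know whether to URL-decode the field: a blanket decode corrupts any plain description that contains `%`, and no decode shows `%20` and `%0A` to the analyst. The same mix, and the empty template-level `"description": ""`, also appear in the NIST80061_v2.json hunk, whereas AccountCompromise_v2.json and NetworkIndicatorEnrichment_v2.json fill that field with a purpose statement. Separately, the Research intelligence resources task carries a duplicated list number, `%0A3.%203.%20%5BVirusTotal%20v3%5D`, which should read `%0A3.%20%5BVirusTotal%20v3%5D`. Choosing one representation for `description` (plain JSON strings with `\n`, which the plain-text tasks already rely on) and adding a one-sentence template description would make the file consistent with its siblings.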
@@ -0,0 +1 @@
+{"id": "475a4c40-0996-4b54-a634-711205549572", "create_time": 1765482414.4679432, "update_time": 1765482414.4679432, "name": "NIST%20800-61:%20Computer%20Security%20Incident%20Handling%20Guide", "description": "", "template_status": "published", "creator": "splunker", "updated_by": "splunker", "is_default": false, "version": 2, "phases": [{"id": "97bc8622-69ca-48a1-bf2b-e4067281f71a", "create_time": 1765482414.4685507, "update_time": 1765482414.4685512, "name": "Detection", "order": 1, "tasks": [{"id": "9126eb2f-d5e2-48e7-a9f5-0c851f2ecc57", "create_time": 1764758755.7593036, "update_time": 1765482414.4680352, "name": "Determine if an incident has occurred", "order": 1, "tag": "dd8a2e5b-9131-4321-ad10-0cef889e30f1", "description": "Suggested%20Integrations%0A1.%20%5BRisk%20Analysis%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/risk_analysis)%0A2.%20%5BIdentity%20Investigator%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/identity_investigator)%0A", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "1d9a756c-20dc-4e2e-94e1-87f4eb164447", "create_time": 1764758755.7594106, "update_time": 1765482414.4681613, "name": "Analyze precursors and indicators", "order": 2, "tag": "cd6639cc-79b1-4f66-b03a-0b29118e9439", "description": "Suggested%20Integrations%0A1.%20%5BSplunk%20Attack%20Analyzer%5D(https://splunkbase.splunk.com/app/6783)%0A2.%20%5BCisco%20Talos%20Intelligence%5D(https://splunkbase.splunk.com/app/7711)%0A3.%20%5BVirusTotal%20v3%5D(https://splunkbase.splunk.com/app/5865)%0A4.%20%20PhishTank%20(preconfigured)%0A5.%20%5BEmail%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/email_search)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, 
"total_time_taken": 0}, {"id": "974fdd62-7d20-40f3-912d-60d708146ac7", "create_time": 1764758755.7595055, "update_time": 1765482414.4682908, "name": "Look for correlating information", "order": 3, "tag": "64b3aaa7-416e-4ec2-8cc1-b54b1e0758db", "description": "Suggested%20Integrations%0A1.%20%5BAnalyst%20Queue%5D(/app/SplunkEnterpriseSecuritySuite/incident_review)%0A2.%20%5BRisk%20Analysis%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/risk_analysis)%0A", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "c8d1664e-4d06-4470-8b99-124c615500ca", "create_time": 1764758755.759612, "update_time": 1765482414.4683938, "name": "Perform research", "order": 4, "tag": "c534e89d-327c-4deb-bc29-51fb49f65af6", "description": "Use%20search%20engines,%20knowledge%20bases,%20etc..%0A%0ASuggested%20Integrations%0A1.%20%5BSplunk%20Attack%20Analyzer%5D(https://splunkbase.splunk.com/app/6783)%0A2.%20%5BCisco%20Talos%20Intelligence%5D(https://splunkbase.splunk.com/app/7711)%0A3.%20%5BVirusTotal%20v3%5D(https://splunkbase.splunk.com/app/5865)%0A4.%20%20PhishTank%20(preconfigured)%0A5.%20%5BRisk%20Analysis%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/risk_analysis)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "247f8ee3-e7db-437d-9a16-07e2d19673c0", "create_time": 1764758755.7597096, "update_time": 1765482414.4685001, "name": "Confirmed incident", "order": 5, "tag": "415e3412-85ed-4af6-bf6e-09e6e13542b3", "description": "For a confirmed incident, document the investigation and gather evidence. 
Attach all relevant information from detection steps to the notable.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "ef47436d-de45-4aab-ba6b-736137c41076", "create_time": 1765482414.4691532, "update_time": 1765482414.469154, "name": "Analysis and Containment", "order": 2, "tasks": [{"id": "27f4ca0d-ef69-4211-9401-34d3817e879f", "create_time": 1764758755.759852, "update_time": 1765482414.4686282, "name": "Determine functional impact", "order": 1, "tag": "58850454-d4af-4cc4-a5dd-fded4be0ff4d", "description": "Suggested categories: None, Low, Medium, High", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "b298ad0a-b53c-4e4d-9e27-0307d2b49d9f", "create_time": 1764758755.759945, "update_time": 1765482414.4687133, "name": "Determine information impact", "order": 2, "tag": "1150410e-72c0-4259-a499-d632727e083b", "description": "Suggested categories: None, Privacy breach, Proprietary breach, Integrity loss", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "650388ac-fa31-48c9-8031-fab7fbc1cce8", "create_time": 1764758755.760036, "update_time": 1765482414.4687974, "name": "Determine recoverability effort", "order": 3, "tag": "d6e187c9-188c-49de-ac41-5092d7ce6435", "description": "Suggested categories: Regular, Supplemented, Extended, Not Recoverable", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": 
"ae810a6c-7314-49f2-84cb-b40557c17734", "create_time": 1764758755.7601304, "update_time": 1765482414.4688811, "name": "Prioritize incident", "order": 4, "tag": "082dfce7-169c-4bd2-aa73-7d39f5e26be8", "description": "Prioritize handling the incident based on the relevant factors", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "3db4552a-5c3b-46e2-8792-88f27397d5ef", "create_time": 1764758755.760304, "update_time": 1765482414.4689677, "name": "Report incident", "order": 5, "tag": "716c8ff4-f8f9-406a-aa10-871b499d0892", "description": "Report%20the%20incident%20to%20the%20the%20appropriate%20internal%20personnel%20and%20external%20organizations%0A%0ASuggested%20Integrations%0A1.%20SMTP%20(preconfigured)%0A2.%20%5BMS%20Graph%20for%20Office%20365%5D(https://splunkbase.splunk.com/app/5824)%0A3.%20%5BG%20Suite%20for%20GMail%5D(https://splunkbase.splunk.com/app/5795)%0A4.%20%5BCisco%20Webex%5D(https://splunkbase.splunk.com/app/5781)%0A5.%20%5BSlack%5D(https://splunkbase.splunk.com/app/5846)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "2ab31b96-9544-4949-8e63-04a674e6bdb6", "create_time": 1764758755.7604578, "update_time": 1765482414.4690719, "name": "Contain incident", "order": 6, "tag": "d05de9e0-1c72-4835-874a-83f6127ef09a", "description": 
"Suggested%20Integrations%0A1.%20%5BMS%20Graph%20for%20Office%20365%5D(https://splunkbase.splunk.com/app/5824)%0A2.%20%5BG%20Suite%20for%20GMail%5D(https://splunkbase.splunk.com/app/5795)%0A3.%20%5BCisco%20Firepower%5D(https://splunkbase.splunk.com/app/5995)%0A4.%20%5BCisco%20Secure%20Firewall%5D(https://splunkbase.splunk.com/app/7745)%0A5.%20%5B%20Palo%20Alto%5D(https://splunkbase.splunk.com/app/5830)%0A6.%20%5BZscaler%5D(https://splunkbase.splunk.com/app/5872)%0A7.%20%5BCrowdstrike%5D(https://splunkbase.splunk.com/app/5786)%0A8.%20%5BMicrosoft%20Defender%20for%20Endpoint%5D(https://splunkbase.splunk.com/app/5870)%0A9.%20%5BVMware%20Carbon%20Black%20Cloud%20for%20Splunk%20SOAR%5D(https://splunkbase.splunk.com/app/6732)%0A10.%20%5BMS%20Graph%20For%20Active%20Directory%5D(https://splunkbase.splunk.com/app/6395)%0A11.%20%5BAD%20LDAP%5D(https://splunkbase.splunk.com/app/5755)%0A12.%20%5BOkta%5D(https://splunkbase.splunk.com/app/5921)%0A13.%20%5BAWS%20IAM%5D(https://splunkbase.splunk.com/app/5763)%0A14.%20%5BAzure%20AD%20Graph%5D(https://splunkbase.splunk.com/app/5771)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "37031e87-5234-4694-a5d9-cff1c29f8f4d", "create_time": 1765482414.4695153, "update_time": 1765482414.4695156, "name": "Eradicate", "order": 3, "tasks": [{"id": "31e6eacc-4f57-4329-b146-8d3f689e3086", "create_time": 1764758755.7606778, "update_time": 1765482414.4692445, "name": "Identify and mitigate all vulnerabilities", "order": 1, "tag": "f0381ae6-f28f-402a-9f05-3e990496dd50", "description": 
"Identify%20and%20mitigate%20all%20vulnerabilities%20that%20were%20exploited.%0A%0ASuggested%20Integrations%0A1.%20%5BCrowdstrike%5D(https://splunkbase.splunk.com/app/5786)%0A2.%20%5BMicrosoft%20Defender%20for%20Endpoint%5D(https://splunkbase.splunk.com/app/5870)%0A3.%20%5BVMware%20Carbon%20Black%20Cloud%20for%20Splunk%20SOAR%5D(https://splunkbase.splunk.com/app/6732)%0A4.%20%5BMS%20Graph%20For%20Active%20Directory%5D(https://splunkbase.splunk.com/app/6395)%0A5.%20%5BAD%20LDAP%5D(https://splunkbase.splunk.com/app/5755)%0A6.%20%5BOkta%5D(https://splunkbase.splunk.com/app/5921)%0A7.%20%5BAWS%20IAM%5D(https://splunkbase.splunk.com/app/5763)%0A8.%20%5BAzure%20AD%20Graph%5D(https://splunkbase.splunk.com/app/5771)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "680e54ac-3708-4d38-884f-20a1a7edf0de", "create_time": 1764758755.7608309, "update_time": 1765482414.4693527, "name": "Remove malicious content", "order": 2, "tag": "e7029c6f-cce7-4c43-9a1c-b0425432ad81", "description": "Remove%20malware,%20inappropriate%20materials%20and%20other%20components.%0A%0ASuggested%20Integrations%0A1.%20%5BCrowdstrike%5D(https://splunkbase.splunk.com/app/5786)%0A2.%20%5BMicrosoft%20Defender%20for%20Endpoint%5D(https://splunkbase.splunk.com/app/5870)%0A3.%20%5BVMware%20Carbon%20Black%20Cloud%20for%20Splunk%20SOAR%5D(https://splunkbase.splunk.com/app/6732)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "a41b242d-1640-4d15-8104-ec399e12d1de", "create_time": 1764758755.7609744, "update_time": 1765482414.469451, "name": "Verify no other hosts are affected", "order": 3, "tag": "7e41266d-aa31-4b86-b2f4-47f68023fb3e", "description": 
"If%20more%20affected%20hosts%20are%20discovered,%20repeat%20the%20Detection%20and%20Analysis%20Steps.%0A%0ASuggested%20Integrations%0A1.%20%5BAnalyst%20Queue%5D(/app/SplunkEnterpriseSecuritySuite/incident_review)%0A2.%20%5BTraffic%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_center)%0A3.%20%5BEndpoint%20Changes%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/endpoint_changes)%0A4.%20%5BMalware%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_center)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "b12466ec-8616-4519-b133-f6d93f9e32c4", "create_time": 1765482414.4698043, "update_time": 1765482414.4698048, "name": "Recovery", "order": 4, "tasks": [{"id": "43ba0f0e-1fda-4051-a97b-8f7f4682ac33", "create_time": 1764758755.7611475, "update_time": 1765482414.46959, "name": "Restore affected systems", "order": 1, "tag": "3a888228-8354-43a5-809b-41e85114db15", "description": "Return affected systems to an operationally ready state.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "579fa706-4719-4a36-92a0-8c89395b18e6", "create_time": 1764758755.7612762, "update_time": 1765482414.4696727, "name": "Validate restoration", "order": 2, "tag": "39fc29b1-1047-4d0c-bd88-4581b10fe376", "description": "Confirm that the affected systems are functioning normally.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "080aeef1-8fb9-40e2-863e-428fd8f7f017", "create_time": 1764758755.7614079, "update_time": 1765482414.4697568, "name": "Implement 
additional monitoring", "order": 3, "tag": "7d818e21-eb6b-48ef-92fa-e5c447194ae0", "description": "If necessary, implement additional monitoring to look for future activity.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "1ec64d29-231e-4c34-aec1-4aee974fc8df", "create_time": 1765482414.4700096, "update_time": 1765482414.4700098, "name": "Post Incident Activity", "order": 5, "tasks": [{"id": "bab81f67-66e8-4326-be3c-6c11894e50c7", "create_time": 1764758755.7615948, "update_time": 1765482414.469876, "name": "Create a follow-up report", "order": 1, "tag": "e0d07d6c-00cb-44bc-8536-c8eeda5470a9", "description": "", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "b77497e1-95ce-4ebe-8b62-4929dbfdd8a5", "create_time": 1764758755.7616863, "update_time": 1765482414.4699602, "name": "Lessons learned", "order": 2, "tag": "95974f42-e739-440a-ba79-00fc2d32a7ad", "description": "Hold a lessons learned meeting (mandatory for major incidents, optional otherwise).", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}], "template_id": "8756f985-929a-4076-9343-86c92b82c94f", "active": true, "used": true, "_user": "nobody", "_key": "475a4c40-0996-4b54-a634-711205549572"}
diff --git a/response_templates/NetworkIndicatorEnrichment_v2.json b/response_templates/NetworkIndicatorEnrichment_v2.json
new file mode 100644
index 0000000000..70709c53b2
--- /dev/null
+++ b/response_templates/NetworkIndicatorEnrichment_v2.json
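Review bot: The top-level `name` is percent-encoded, `"name": "NIST%20800-61:%20Computer%20Security%20Incident%20Handling%20Guide"`, whereas every other template in this commit stores `name` as plain text ("Generic Incident Response", "Network Indicator Enrichment"), so any listing that shows `name` without URL-decoding will display the `%20` sequences; it should be `"name": "NIST 800-61: Computer Security Incident Handling Guide"`. The record also ends with `"used": true` while the sibling templates carry `"used": false` — if that flag records whether the template has already been applied to a case, a freshly shipped template presumably should not set it, though this depends on how the importer treats the field and is worth confirming. Two text fixes in the task descriptions: the Report incident task reads `Report%20the%20incident%20to%20the%20the%20appropriate`, which should drop the duplicated `the%20`, and the Perform research task ends its first sentence with `etc..`, which should be `etc.`.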
@@ -0,0 +1 @@
+{"id": "8b1df498-d692-4212-a4fd-6b99b99e9027", "create_time": 1765481757.0347831, "update_time": 1765481757.0347831, "name": "Network Indicator Enrichment", "description": "Gather and analyze contextual information about URLs, hostnames, top level domain names, IP addresses, TLS certificates, and MAC addresses. These network indicators can be involved in security investigations of all types, so this response template is meant to be added as a modular component into an event or case that can have other more specific phases and tasks. For instance, when investigating an account compromise, this response template can be used during the investigation phase to rule out false positives and inform decisions about further investigation and response.", "template_status": "published", "creator": "splunker", "updated_by": "splunker", "is_default": false, "version": 2, "phases": [{"id": "5fc00a86-ecb5-473c-af5f-0eabced9921e", "create_time": 1765481757.0357888, "update_time": 1765481757.0357893, "name": "Network Indicator Enrichment", "order": 1, "tasks": [{"id": "09b3b9c0-1c5b-4c3f-941f-fcc4bcb6f2f6", "create_time": 1764758755.7974405, "update_time": 1765481757.0349212, "name": "Enrich URLs", "order": 1, "tag": "8fab0a3f-b436-4e3e-8c3a-9cc0a9cff8b5", "description": 
"Gather%20reputation%20and%20behavioral%20information%20about%20a%20suspicious%20URL.%20Automated%20actions%20can%20include%20querying%20threat%20intelligence%20databases,%20dynamic%20profiling%20of%20the%20URL%20and%20the%20associated%20redirects,%20or%20checking%20the%20categorization%20of%20a%20URL%20in%20a%20proxy%20or%20other%20safe%20browsing%20tool.%20Manual%20actions%20can%20include%20checking%20for%20typosquatting/brandjacking,%20evaluating%20the%20appropriateness%20of%20the%20URL%20given%20the%20context%20in%20which%20it%20was%20detected,%20or%20manually%20investigating%20the%20site%20from%20a%20sandboxed%20environment.%20Additionally,%20it%20might%20be%20appropriate%20to%20ask%20the%20user%20if%20they%20can%20explain%20why%20the%20URL%20was%20accessed.%20Outputs%20from%20this%20task%20could%20be%20used%20to%20pivot%20to%20investigation%20to%20underlying%20or%20associated%20domain%20names,%20other%20URLs,%20TLS%20certificates,%20IP%20addresses,%20or%20specific%20behaviors%20associated%20with%20the%20website%20such%20as%20Javascript%20execution%20patterns%20or%20downloaded%20files.%0A%0ASuggested%20Integrations%0A1.%20%5BSplunk%20Attack%20Analyzer%5D(https://splunkbase.splunk.com/app/6783)%0A2.%20%5BCisco%20Talos%20Intelligence%5D(https://splunkbase.splunk.com/app/7711)%0A3.%20%5BVirusTotal%20v3%5D(https://splunkbase.splunk.com/app/5865)%0A4.%20%20PhishTank%20(preconfigured)%0A5.%20%20%5BAlien%20Vault%5D(https://splunkbase.splunk.com/app/5878)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "b77c2c5b-488b-4ef6-a987-d4f1795e8c09", "create_time": 1764758755.7976081, "update_time": 1765481757.0352638, "name": "Enrich domain names", "order": 2, "tag": "f494c551-d513-4503-a268-32d14cd9352c", "description": 
"Domain%20names%20can%20be%20involved%20in%20investigations%20of%20phishing,%20watering%20hole%20attacks,%20malware%20command%20and%20control,%20exfiltration,%20and%20many%20other%20malicious%20behaviors.%20Some%20of%20the%20key%20questions%20to%20answer%20about%20a%20domain%20are:%20Who%20controls%20the%20domain?%20Who%20registered%20the%20domain?%20What%20is%20the%20purpose%20of%20the%20domain?%20What%20services%20are%20hosted%20on%20the%20domain?%20What%20traffic%20would%20you%20expect%20to%20see%20to%20and%20from%20the%20domain?%20How%20popular%20is%20the%20domain?%20Does%20the%20domain%20host%20dynamic%20content%20such%20as%20cloud%20services?%20What%20sub-domains%20or%20parent%20domains%20are%20associated%20with%20the%20domain?%20Is%20the%20domain%20known%20to%20host%20malicious%20content?%20Where%20in%20the%20world%20is%20the%20domain%20hosted?%20How%20recently%20was%20the%20domain%20registered?%20What%20is%20the%20DNS%20history%20of%20the%20domain?%20Is%20the%20domain%20meant%20to%20look%20similar%20to%20another%20more%20legitimate%20domain?%20Does%20the%20domain%20name%20appear%20to%20have%20been%20randomly%20generated?%20The%20results%20of%20these%20queries%20can%20produce%20related%20IP%20addresses,%20file%20hashes,%20downloaded%20files,%20URLs,%20TLS%20certificates,%20and%20behaviors%20which%20are%20useful%20elsewhere%20in%20this%20investigation.%0A%0ASuggested%20Integrations%0A1.%20%5BSplunk%20Attack%20Analyzer%5D(https://splunkbase.splunk.com/app/6783)%0A2.%20%5BCisco%20Talos%20Intelligence%5D(https://splunkbase.splunk.com/app/7711)%0A3.%20%5BVirusTotal%20v3%5D(https://splunkbase.splunk.com/app/5865)%0A4.%20%5BAlien%20Vault%5D(https://splunkbase.splunk.com/app/5878)%0A5.%20%5BDomainTools%20Iris%20Investigate%5D(https://splunkbase.splunk.com/app/6010)%0A6.%20%5BCisco%20Umbrella%20Investigates%5D(https://splunkbase.splunk.com/app/5780)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": 
[], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "fed103ab-b8bf-458e-a9d1-a80d7c1691ce", "create_time": 1764758755.7977073, "update_time": 1765481757.0354254, "name": "Enrich IP addresses", "order": 3, "tag": "b0444819-8d84-47b0-8011-97c9004966cc", "description": "Enrichment%20of%20IP%20addresses%20can%20be%20similar%20to%20domain%20names%20in%20many%20ways,%20but%20typically%20IP%20addresses%20will%20change%20more%20frequently.%20Frequent%20changes%20can%20be%20legitimate%20behavior%20caused%20by%20load%20balancers%20or%20content%20delivery%20networks,%20or%20it%20can%20be%20malicious%20behavior%20due%20to%20fast%20flux%20DNS%20changes,%20so%20additional%20context%20about%20the%20network%20traffic%20is%20needed.%20Also%20consider%20that%20traffic%20going%20straight%20to%20an%20IP%20address%20without%20doing%20a%20DNS%20query%20might%20be%20relevant%20to%20the%20investigation,%20and%20consider%20querying%20Tor%20or%20other%20anonymization%20systems%20to%20check%20if%20the%20IP%20address%20is%20a%20known%20exit%20node.%20Outputs%20of%20this%20task%20can%20inform%20URL%20enrichment,%20downloaded%20file%20analysis,%20domain%20name%20enrichment,%20TLS%20certificate%20enrichment,%20and%20more%20advanced%20behavioral%20analysis%20based%20on%20the%20services%20hosted%20at%20the%20IP%20address%20in%20question.%0A%0ASuggested%20Integrations%0A1.%20%5BCisco%20Talos%20Intelligence%5D(https://splunkbase.splunk.com/app/7711)%0A2.%20%5BVirusTotal%20v3%5D(https://splunkbase.splunk.com/app/5865)%0A3.%20%5BAlien%20Vault%5D(https://splunkbase.splunk.com/app/5878)%0A4.%20Whois%20(preconfigured)%0A5.%20MaxMind%20(preconfigured)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "9d096815-7876-4f42-9c93-73e3cc21d3ce", "create_time": 1764758755.7977993, "update_time": 
1765481757.0355642, "name": "Enrich TLS certificates", "order": 4, "tag": "d98902d9-2620-41c6-90d2-d197a49a90ca", "description": "If%20an%20investigation%20involves%20a%20TLS%20certificate,%20it%20can%20be%20useful%20to%20gather%20registrant%20and%20certificate%20authority%20information%20about%20that%20certificate,%20and%20to%20query%20for%20other%20uses%20of%20similar%20infrastructure.%20The%20usage%20of%20free%20and%20automated%20certificate%20authorities%20such%20as%20Let's%20Encrypt%20does%20not%20necessarily%20imply%20that%20a%20domain%20is%20malicious,%20but%20that%20is%20a%20common%20technique%20used%20to%20build%20malicious%20infrastructure%20so%20it%20should%20warrant%20further%20investigation.%20Consider%20comparing%20the%20registrant%20information%20and%20certificate%20authority%20chain%20with%20the%20expected%20values%20for%20the%20organization%20allegedly%20hosting%20the%20website%20in%20question.%0A%0ASuggested%20Integrations%0A1.%20%5BTraffic%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_center)%0A2.%20%5BNetwork%20Changes%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/network_changes)%0A3.%20%5BCrowdstrike%5D(https://splunkbase.splunk.com/app/5786)%0A4.%20%5BMicrosoft%20Defender%20for%20Endpoint%5D(https://splunkbase.splunk.com/app/5870)%0A5.%20%5BVMware%20Carbon%20Black%20Cloud%20for%20Splunk%20SOAR%5D(https://splunkbase.splunk.com/app/6732)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "4e38a46a-1af2-477a-9349-8defa965ac2b", "create_time": 1764758755.7979288, "update_time": 1765481757.0357046, "name": "Enrich MAC addresses", "order": 5, "tag": "38d3329d-0ecd-494f-bbcf-5be0fd99a7c3", "description": 
"While%20MAC%20(media%20access%20control)%20addresses%20are%20less%20frequently%20involved%20in%20security%20investigations,%20when%20they%20are%20present%20they%20can%20sometimes%20be%20useful%20to%20cross-reference,%20identify,%20or%20profile%20a%20device.%20MAC%20addresses%20can%20be%20changed%20and%20spoofed,%20but%20it%20is%20usually%20less%20common%20than%20a%20change%20in%20IP%20address%20or%20hostname.%20In%20wifi%20investigations%20the%20MAC%20address%20can%20be%20used%20to%20identify%20both%20the%20access%20point%20and%20the%20clients%20that%20connect%20to%20it.%0A%0ASuggested%20Integrations%0A1.%20%5BTraffic%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_center)%0A2.%20%5BNetwork%20Changes%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/network_changes)%0A3.%20%5BCrowdstrike%5D(https://splunkbase.splunk.com/app/5786)%0A4.%20%5BMicrosoft%20Defender%20for%20Endpoint%5D(https://splunkbase.splunk.com/app/5870)%0A5.%20%5BVMware%20Carbon%20Black%20Cloud%20for%20Splunk%20SOAR%5D(https://splunkbase.splunk.com/app/6732)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}], "template_id": "47bb10fa-61c2-4bd8-b7dd-f69f376e2750", "active": true, "used": true, "_user": "nobody", "_key": "8b1df498-d692-4212-a4fd-6b99b99e9027"}
diff --git a/response_templates/SelfReplicatingMalware_v2.json b/response_templates/SelfReplicatingMalware_v2.json
new file mode 100644
index 0000000000..116b99843f
--- /dev/null
+++ b/response_templates/SelfReplicatingMalware_v2.json
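Review bot: The task `description` values in this file are percent-encoded markdown (L43 starts `"Gather%20reputation%20and%20behavioral%20information..."`) while the template-level `description` on L42 is a plain JSON string, and the SelfReplicatingMalware file in the next hunk mixes both forms between sibling tasks (L49 `"Find or build an up-to-date map of the network."` next to L50 `"Find%20or%20build%20an%20up-to-date%20inventory..."`), with nothing in the document telling a consumer which form to expect. A reader that always decodes will corrupt a plain description containing a literal `%`, and one that never decodes shows `%20` to the analyst; I would settle on one representation for the field — plain strings with `\n` escapes, as the template-level description already uses — or, if the importer requires the encoded form, record that in a README beside these files, since JSON gives no place for a comment. The decoded text is markdown with links (`%5BCrowdstrike%5D(https://splunkbase.splunk.com/app/5786)`), so whatever renders it should treat the link targets as untrusted data and accept only the relative `/app/...` and `https://splunkbase.splunk.com/...` forms used here; I am inferring the rendering path, so please confirm. Separately, `create_time`/`update_time` are floats carrying 17 significant digits (L42: phase `create_time` 1765481757.0357888 against `update_time` 1765481757.0357893), which is at the limit of what binary64 round-trips, so the sub-microsecond digits are serializer noise rather than data; an RFC 3339 string, or an integer epoch field named for its unit (for example a constructed `"create_time_ms"`), would be stable across parsers.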
@@ -0,0 +1 @@
+{"id": "ec7f5b1d-f689-4ea7-b00c-703d062755ef", "create_time": 1764862816.2406306, "update_time": 1765478655.8295362, "name": "Self-Replicating Malware", "description": "This response template outlines a response to a potential infection by self-replicating malware (malware that propagates itself without human interaction). While there is much overlap between the response necessary for self-replicating malware and the response to any other malware, the ability to propagate from one system to the next automatically adds the potential for faster and more thorough infection of enterprise systems. Often the infection mechanism is a particular network service or shared resource, so an appropriate response tends to be a fast configuration change to contain the effect immediately.\n\nThis template is adapted from a modified version of the CERT Societe Generale Incident Response Methodology called Worm Infection Response. The full methodology is available at https://github.com/certsocietegenerale/IRM/blob/HEAD/EN/IRM-1-WormInfection.pdf and is covered under the Creative Commons Attribution 3.0 Imported license available at https://github.com/certsocietegenerale/IRM/blob/HEAD/LICENSE.md, while the CERT Societe Generale homepage is https://cert.societegenerale.com/en/.", "template_status": "published", "creator": "splunker", "updated_by": "splunker", "is_default": false, "version": 2, "phases": [{"id": "56b864aa-4f46-4eab-8631-15340fe85f3d", "create_time": 1765478655.800768, "update_time": 1765478655.8007686, "name": "Preparation", "order": 1, "tasks": [{"id": "ec3ed15c-7140-4e3d-ad5f-324edaf32d30", "create_time": 1764758755.867025, "update_time": 1765478655.8002567, "name": "Define team members", "order": 1, "tag": "a901e393-ab86-4ca7-95db-14d8774a60da", "description": 
"Determine%20which%20team%20members%20will%20play%20which%20role%20in%20the%20response%20and%20establish%20communications%20channels%20with%20all%20involved.%0A%0ASuggested%20Integrations%0A1.%20%5BCisco%20Webex%5D(https://splunkbase.splunk.com/app/5781)%0A2.%20%5BSlack%5D(https://splunkbase.splunk.com/app/5846)%0A3.%20%5BMicrosoft%20Teams%5D(https://splunkbase.splunk.com/app/5818)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "faf9efef-e4dc-4100-98b4-3ed62777f915", "create_time": 1764758755.867135, "update_time": 1765478655.8004067, "name": "Check analysis tools", "order": 2, "tag": "6700e71f-245c-4f8c-b835-d91eaefe716b", "description": "Test%20connectivity,%20check%20patch%20level,%20and%20run%20example%20queries%20on%20all%20analysis%20tools.%0A%0ASuggested%20Integrations%0A1.%20%5BUpdate%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/update_center)%0A2.%20%5BSplunk%20Attack%20Analyzer%5D(https://splunkbase.splunk.com/app/6783)%0A3.%20%5BCisco%20Talos%20Intelligence%5D(https://splunkbase.splunk.com/app/7711)%0A4.%20%5BVirusTotal%20v3%5D(https://splunkbase.splunk.com/app/5865)%0A5.%20%20PhishTank%20(preconfigured)%0A6.%20%20%5BAlien%20Vault%5D(https://splunkbase.splunk.com/app/5878)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "e8b572ad-9cb7-4a0b-accc-dc0d6bc672af", "create_time": 1764758755.867274, "update_time": 1765478655.8005216, "name": "Acquire architecture map", "order": 3, "tag": "10b5cc45-188d-4152-99c2-d9ee90a0df52", "description": "Find or build an up-to-date map of the network.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], 
"actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "49e8c224-9ffe-472f-b5d5-d0134314ddc0", "create_time": 1764758755.8673825, "update_time": 1765478655.800613, "name": "Acquire asset inventory", "order": 4, "tag": "27d598df-8c52-4d6b-871d-93ee5ccdaf3f", "description": "Find%20or%20build%20an%20up-to-date%20inventory%20of%20all%20devices.%0A%0ASuggested%20Integrations%0A1.%20%5BAsset%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/asset_center)%0A2.%20%5BServiceNow%5D(https://splunkbase.splunk.com/app/5932)%0A3.%20%5BAsset%20and%20Risk%20Intelligence%5D(https://splunkbase.splunk.com/app/7180)%0A", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "bd65385f-53f6-4b16-ae5b-8480703a5e29", "create_time": 1764758755.8674753, "update_time": 1765478655.8007166, "name": "Continuous monitoring", "order": 5, "tag": "3959e856-64e9-486e-a0b6-0cb97176c283", "description": "Monitor threat trends and system activity.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "d8781b52-5f94-496a-9221-20af11959541", "create_time": 1765478655.8011546, "update_time": 1765478655.8011549, "name": "Identification", "order": 2, "tasks": [{"id": "0fc8d25d-2b92-4617-b573-518330fb9da1", "create_time": 1764758755.867626, "update_time": 1765478655.8008454, "name": "Detect the infection", "order": 1, "tag": "27c2ab29-35d9-4643-9216-85a8c201e0ed", "description": 
"Detect%20abnormalities%20and%20potential%20infections%20using%20endpoint%20and%20network%20intrusion%20detection%20systems,%20application%20logs,%20authentication%20logs,%20system%20load%20monitoring,%20notification%20from%20external%20sources,%20and%20other%20methods.%20Seek%20a%20repeatable%20detection%20that%20is%20as%20reliable%20as%20possible,%20as%20future%20steps%20call%20for%20checking%20and%20re-checking%20to%20monitor%20progress.%0A%0ASuggested%20Integrations%0A1.%20%5BAnalyst%20Queue%5D(/app/SplunkEnterpriseSecuritySuite/incident_review)%0A2.%20%5BRisk%20Analysis%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/risk_analysis)%0A3.%20%5BMalware%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_center)%0A4.%20%5BMalware%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_search)%0A5.%20%5BOpen%20Email%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/email_search)%0A6.%20%5BTraffic%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_center)%0A7.%20%5BAccess%20Anomalies%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/access_anomalies)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "709ed3e1-de9b-421a-b7b2-eae661d66b04", "create_time": 1764758755.867718, "update_time": 1765478655.8009667, "name": "Identify the infection", "order": 2, "tag": "fcd59f33-221b-43aa-a26f-7a7536dc298a", "description": 
"Compare%20the%20known%20symptoms%20to%20all%20available%20threat%20intelligence%20and%20try%20to%20identify%20the%20threat%20as%20specifically%20as%20possible.%0A%0ASuggested%20Integrations%0A1.%20%5BSplunk%20Attack%20Analyzer%5D(https://splunkbase.splunk.com/app/6783)%0A2.%20%5BCisco%20Talos%20Intelligence%5D(https://splunkbase.splunk.com/app/7711)%0A3.%20%5BVirusTotal%20v3%5D(https://splunkbase.splunk.com/app/5865)%0A4.%20%20PhishTank%20(preconfigured)%0A5.%20%20%5BAlien%20Vault%5D(https://splunkbase.splunk.com/app/5878)%0A6.%20%5BIndicators%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/threat_artifacts)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "07f7f8bf-c7d0-4312-a878-1cc5910284e3", "create_time": 1764758755.8678086, "update_time": 1765478655.8010774, "name": "Assess the perimeter of the infection", "order": 3, "tag": "d5aa1644-4d52-4274-92b7-c8b9e33b56e0", "description": "Check%20systems%20in%20different%20parts%20of%20the%20organization%20to%20define%20the%20perimeter%20of%20the%20infection%20and%20assess%20the%20potential%20business%20impact.%0A%0ASuggested%20Integrations%0A1.%20%5BAnalyst%20Queue%5D(/app/SplunkEnterpriseSecuritySuite/incident_review)%0A2.%20%5BRisk%20Analysis%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/risk_analysis)%0A3.%20%5BMalware%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_center)%0A4.%20%5BMalware%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_search)%0A5.%20%5BOpen%20Email%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/email_search)%0A6.%20%5BTraffic%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_center)%0A7.%20%5BAccess%20Anomalies%5D(/app/SplunkEnterpriseSecuritySuite/access_anomalies)%0A8.%20%5BAsset%20and%20Risk%20Intelligence%5D(https://splunkbase.splunk.com/app/7180)", 
"owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "b077cd75-7ba9-467c-a53e-bfcea36eb013", "create_time": 1765478655.8017411, "update_time": 1765478655.8017416, "name": "Containment", "order": 3, "tasks": [{"id": "3aee7278-0f5f-48ff-ad16-9ddaec267689", "create_time": 1764758755.8679423, "update_time": 1765478655.80125, "name": "Disconnect infected areas from the internet", "order": 1, "tag": "e53fd536-8058-4a06-8c6c-e6fc9467ddf8", "description": "Stop%20command%20and%20control%20behavior%20and%20further%20propagation%20by%20disconnecting%20affected%20areas%20from%20the%20internet.%0A%0ASuggested%20Integrations%0A1.%20%20%5BCisco%20Firepower%5D(https://splunkbase.splunk.com/app/5995)%0A2.%20%5BCisco%20Secure%20Firewall%5D(https://splunkbase.splunk.com/app/7745)%0A3.%20%5B%20Palo%20Alto%5D(https://splunkbase.splunk.com/app/5830)%0A4.%20%5BZscaler%5D(https://splunkbase.splunk.com/app/5872)%0A5.%20%5BCrowdstrike%5D(https://splunkbase.splunk.com/app/5786)%0A6.%20%5BMicrosoft%20Defender%20for%20Endpoint%5D(https://splunkbase.splunk.com/app/5870)%0A7.%20%5BVMware%20Carbon%20Black%20Cloud%20for%20Splunk%20SOAR%5D(https://splunkbase.splunk.com/app/6732)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "50bcd8ba-7edc-4b44-8a04-fdd5ee6daa0b", "create_time": 1764758755.8680344, "update_time": 1765478655.8013616, "name": "Isolate infected area from all networks", "order": 2, "tag": "884437ea-ff98-40f7-999d-69efd55841ae", "description": 
"Enforce%20more%20strict%20network%20segmentation%20to%20prevent%20further%20internal%20spreading.%20Consider%20disconnecting%20mobile%20devices%20and%20laptops%20to%20minimize%20the%20propagation%20surface.%0A%0ASuggested%20Integrations%0A1.%20%20%5BCisco%20Firepower%5D(https://splunkbase.splunk.com/app/5995)%0A2.%20%5BCisco%20Secure%20Firewall%5D(https://splunkbase.splunk.com/app/7745)%0A3.%20%5B%20Palo%20Alto%5D(https://splunkbase.splunk.com/app/5830)%0A4.%20%5BZscaler%5D(https://splunkbase.splunk.com/app/5872)%0A5.%20%5BCrowdstrike%5D(https://splunkbase.splunk.com/app/5786)%0A6.%20%5BMicrosoft%20Defender%20for%20Endpoint%5D(https://splunkbase.splunk.com/app/5870)%0A7.%20%5BVMware%20Carbon%20Black%20Cloud%20for%20Splunk%20SOAR%5D(https://splunkbase.splunk.com/app/6732)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "8ff5509b-ae70-431c-ac11-f4445d9bd890", "create_time": 1764758755.8681533, "update_time": 1765478655.8014727, "name": "Monitor business-critical network connections that cannot be disconnected", "order": 3, "tag": "400bb1f4-670c-4503-91a0-fe813d7285f2", "description": 
"For%20those%20applications%20that%20cannot%20be%20disconnected%20due%20to%20continuity%20needs,%20increase%20monitoring%20and%20analyze%20traffic%20for%20malicious%20activity.%0A%0ASuggested%20Integrations%0A1.%20%5BAnalyst%20Queue%5D(/app/SplunkEnterpriseSecuritySuite/incident_review)%0A2.%20%5BRisk%20Analysis%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/risk_analysis)%0A3.%20%5BMalware%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_center)%0A4.%20%5BMalware%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_search)%0A5.%20%5BEmail%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/email_search)%0A6.%20%5BTraffic%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_center)%0A7.%20%5BAccess%20Anomalies%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/access_anomalies)%0A8.%20%5BAsset%20and%20Risk%20Intelligence%5D(https://splunkbase.splunk.com/app/7180)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "d220afbd-3306-4e8a-ad41-3028fb9f309f", "create_time": 1764758755.8682685, "update_time": 1765478655.8015823, "name": "Neutralize propagation vectors", "order": 4, "tag": "92bef873-aca9-4ef8-946b-edfb9ce66e36", "description": 
"Deploy%20patches,%20change%20configurations,%20sinkhole%20domains,%20re-image%20systems,%20stop%20services,%20or%20take%20other%20appropriate%20actions%20to%20prevent%20further%20propagation%20using%20all%20known%20vectors.%20Notify%20users%20of%20changes%20that%20will%20affect%20them%20and/or%20request%20their%20assistance%20for%20manual%20neutralization%20steps.%0A%0ASuggested%20Integrations%0A1.%20%5BCrowdstrike%5D(https://splunkbase.splunk.com/app/5786)%0A2.%20%5BMicrosoft%20Defender%20for%20Endpoint%5D(https://splunkbase.splunk.com/app/5870)%0A3.%20%5BVMware%20Carbon%20Black%20Cloud%20for%20Splunk%20SOAR%5D(https://splunkbase.splunk.com/app/6732)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "640ecd84-2bff-4b55-b16e-2f00b863cfe0", "create_time": 1764758755.8683593, "update_time": 1765478655.8016906, "name": "Monitor progress", "order": 5, "tag": "66412e78-657c-4f0d-a15a-2533d1b9a948", "description": "Re-check neutralized systems and repeat or improve processes to cover important systems as quickly as possible.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "4999e420-9fa9-46ea-9da3-4ffb078c45a0", "create_time": 1765478655.8021305, "update_time": 1765478655.802131, "name": "Remediation", "order": 4, "tasks": [{"id": "06bd975f-1fb6-4333-b714-27ce6a1ced40", "create_time": 1764758755.8684924, "update_time": 1765478655.8018172, "name": "Identify", "order": 1, "tag": "7f4c59cc-2f64-459c-8245-31bb42439ea9", "description": "Consider vendor fixes, antivirus updates, external support options, and custom solutions. 
Use these to define a disinfection process and validate it with a reputable source if possible.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "93e47407-dfd0-40ba-a01d-1ef596ee0c42", "create_time": 1764758755.8685825, "update_time": 1765478655.8019052, "name": "Test", "order": 2, "tag": "e0cc2310-9631-4a7f-b637-79d890e0a79a", "description": "Test the disinfection process on a system that is as close to a production configuration as possible and verify that it works while not damaging any service.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "448524ff-39de-428d-95f7-2cc16c03ea28", "create_time": 1764758755.8686728, "update_time": 1765478655.801993, "name": "Deploy", "order": 3, "tag": "69ea1765-0326-4559-9f52-0202bcd1684e", "description": "Deploy the process and scale it up if possible.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "154ef40e-9a4e-4072-b222-e4b5c286ce4f", "create_time": 1764758755.8687656, "update_time": 1765478655.8020792, "name": "Confirm", "order": 4, "tag": "ec04ad38-972d-40d5-9672-64ccce7f2ebc", "description": "Confirm that the malware did not block remediations and find a workaround if it did.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "46c10e9a-74fd-4c28-ae23-80c66c6959ff", "create_time": 1765478655.802708, "update_time": 1765478655.8027081, "name": "Recovery", 
"order": 5, "tasks": [{"id": "b5137ace-0638-4c0d-bf3a-89808acb2796", "create_time": 1764758755.8689115, "update_time": 1765478655.8022254, "name": "Verify Containment and Remediation", "order": 1, "tag": "11e7491e-04ec-46dd-8763-7f7259aa86a9", "description": "Review current progress towards remediation by re-checking systems.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "916ce97e-d38f-41bd-8e31-fd4ebac266fa", "create_time": 1764758755.8690028, "update_time": 1765478655.8023124, "name": "Reopen propagation network mechanism", "order": 2, "tag": "3e4bb0aa-beab-472e-b19a-5d0974e25942", "description": "Turn off network enforcement for a segment of the network and monitor for new attempts to reinfect.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "1d6b12db-a684-4eee-b942-8d720c1e7c1a", "create_time": 1764758755.8690934, "update_time": 1765478655.8024004, "name": "Reconnect isolated sub-areas to each other", "order": 3, "tag": "ecd50bc1-ba91-4333-b50e-8065b2552e83", "description": "Turn off inter-area network enforcement and monitor.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "77f860e3-1ab9-47f4-b9f5-29b02f762628", "create_time": 1764758755.8692014, "update_time": 1765478655.8024862, "name": "Reconnect mobile devices", "order": 4, "tag": "786a211c-5a54-4465-a6ae-fb26047d3d77", "description": "Reconnect mobile devices and laptops to monitor for persistence and check coverage across all device categories.", "owner": "", "is_note_required": false, "status": 
"Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "eea6a167-30bf-434e-a7a5-7f0af8bd0ec6", "create_time": 1764758755.8692956, "update_time": 1765478655.802572, "name": "Reconnect isolated areas to main enterprise network", "order": 5, "tag": "739634b9-8f30-4fb4-b531-8f3e1bb5dcbc", "description": "Disable network enforcement between cleaned areas and the rest of the network while monitoring for reinfection.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "7947c3e9-c721-44ad-92e5-cbda84dd7687", "create_time": 1764758755.8693867, "update_time": 1765478655.8026576, "name": "Reconnect to the internet", "order": 6, "tag": "d80ab11b-58f4-4aed-a533-93f344fdc898", "description": "Reconnect to the internet and monitor.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "76b0e701-8fe2-49da-a85d-c100fc2a3a19", "create_time": 1765478655.80292, "update_time": 1765478655.8029208, "name": "Aftermath", "order": 6, "tasks": [{"id": "bb39e701-edec-47a4-a5d9-47483140b788", "create_time": 1764758755.8695176, "update_time": 1765478655.8027844, "name": "Build crisis report", "order": 1, "tag": "bb5d871c-99f4-408a-8a1e-9efa55ff1465", "description": "Notify affected parties with as much detail as is appropriate. 
Consider the initial cause of the infection, actions and timelines of important events, what went right, what went wrong, and the incident cost.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "4a48b7c9-f36d-412f-a2e2-c369a98d4261", "create_time": 1764758755.8696067, "update_time": 1765478655.8028712, "name": "Improve processes", "order": 2, "tag": "114c1009-376f-4715-a825-145c3dbcbba0", "description": "Capitalize on the experience by improving the processes that were used, creating new processes where needed, and automating that which is generalizable and repeatable.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}], "template_id": "633942a9-b466-49c5-9cb0-1a4488da8473", "active": true, "used": false, "_user": "nobody", "_key": "ec7f5b1d-f689-4ea7-b00c-703d062755ef"}
diff --git a/response_templates/SuspiciousEmail_v2.json b/response_templates/SuspiciousEmail_v2.json
new file mode 100644
index 0000000000..922f38214b
--- /dev/null
+++ b/response_templates/SuspiciousEmail_v2.json
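Review bot: The disruptive containment tasks — `"Disconnect infected areas from the internet"` (L53), `"Isolate infected area from all networks"` (L53–L54) and `"Neutralize propagation vectors"` (L55–L56, whose description covers re-imaging systems and stopping services) — carry `"is_note_required": false`, exactly like the read-only Identification tasks. Presumably that flag forces the analyst to leave a note before the task can be closed (inferred from the name; please confirm); setting `"is_note_required": true` on those three would give the Recovery tasks on L58–L59, which undo the enforcement segment by segment, a recorded statement of what was actually changed and why to reconcile against. `"used": false` on L60 differs from the `"used": true` on L41 and L47, and together with `status`, `start_time` and `owner` it reads as exported instance state rather than a template attribute, so it is worth confirming the file is meant to ship this way. Two wording points in the description text: the licence named on L48 is the Creative Commons Attribution 3.0 Unported licence rather than "Imported", and the link text `%5B%20Palo%20Alto%5D` on L53 and L54 carries a leading space, rendering as `[ Palo Alto]`.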
@@ -0,0 +1 @@
+{"id": "a72d40f3-a567-48e2-9fd3-c29db06c3907", "create_time": 1765479748.831508, "update_time": 1765479748.831508, "name": "Suspicious Email", "description": "There are many ways in which attackers can use email to gain a foothold in an organization or advance an existing campaign. This response template guides an analyst through the process of investigating and remediating several of these methods. The main objective of the first three phases is to determine if the email is malicious and what impact it might have if the attack is successful. The fourth and fifth phases focus on taking action to prevent further harm to the organization and conducting more investigation and analysis to learn more about the threat. Finally, the sixth phase describes communications to other parts of the organization which may be appropriate based on what was observed in the first five phases. This response template uses the structure of the SOEL framework (https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1532986430.pdf) to organize the phases and tasks.", "template_status": "published", "creator": "splunker", "updated_by": "splunker", "is_default": false, "version": 2, "phases": [{"id": "7eddb898-085a-43fa-a03b-3ded48d53093", "create_time": 1765479748.831965, "update_time": 1765479796.6274312, "name": "Ingestion", "order": 1, "tasks": [{"id": "de8fa91f-bfad-41e6-bfe5-e3a2732db2c2", "create_time": 1764758755.6795278, "update_time": 1765479796.626802, "name": "Create ticket", "order": 1, "tag": "3d75cc89-a55b-4680-931c-7a5e091baaf6", "description": 
"Create%20any%20necessary%20tickets%20or%20tracking%20documents%20describing%20the%20initial%20conditions%20of%20the%20suspicious%20email%20investigation.%20As%20additional%20information%20is%20collected%20or%20actions%20are%20taken%20in%20the%20following%20tasks%20and%20phases,%20update%20the%20ticket%20with%20links%20and%20relevant%20information%20to%20allow%20collaboration%20and%20tracking.%0A%0A%5BSuggested%20Integrations%5D(https://splunkbase.splunk.com/apps?page=1&product=soar&categories=ticketing)%0A", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "163d3490-d8de-4df9-8900-f5a2554b8024", "create_time": 1764758755.6797986, "update_time": 1765479796.6270301, "name": "Ingest email", "order": 2, "tag": "b4f73c35-e4af-40bf-a349-bed4c51cb0fc", "description": "Identify%20and%20ingest%20the%20suspicious%20email%20into%20Splunk%20Mission%20Control.%20Actual%20steps%20vary%20depending%20on%20how%20you%20create%20the%20Splunk%20Mission%20Control%20notable%20and%20where%20the%20suspicious%20email%20resides.%20For%20example,%20if%20you%20had%20a%20Splunk%20Enterprise%20Security%20correlation%20search%20running%20to%20identify%20suspicious%20emails,%20and%20forward%20those%20notable%20events%20to%20Splunk%20Mission%20Control%20as%20notables,%20you%20have%20many%20of%20the%20useful%20artifacts%20needed%20to%20investigate%20the%20email.%20If%20you%20need%20additional%20metadata,%20you%20can%20run%20the%20%22get%20email%22%20action%20to%20retrieve%20it,%20or%20the%20%22extract%20email%22%20action%20to%20add%20the%20email%20to%20Splunk%20Mission%20Control%20if%20it%20is%20in%20the%20.msg%20or%20.eml%20format.%20Or%20for%20example,%20if%20you%20send%20suspicious%20emails%20to%20a%20dedicated%20email%20address%20for%20suspected%20phishing%20attempts,%20you%20can%20use%20a%20connector%20such%20as%20IMAP,%20EWS%20fo
r%20Exchange,%20EWS%20for%20OFfice,%20or%20GSuite%20for%20GMail%20to%20poll%20that%20inbox%20directly%20and%20send%20the%20suspicious%20email%20to%20Splunk%20Mission%20Control%20as%20a%20notable.%0A%0ASuggested%20Integrations%0A1.%20%20%5BSplunk%20Attack%20Analyzer%5D(https://splunkbase.splunk.com/app/6783)%0A2.%20%5BMS%20Graph%20for%20Office%5D(https://splunkbase.splunk.com/app/5824)%0A3.%20%20%5BGmail%5D(https://splunkbase.splunk.com/app/5795)%0A4.%20%20%5BIMAP%5D(https://splunkbase.splunk.com/app/5798)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "a6d6d47d-3c94-42ea-b575-c197be210f97", "create_time": 1764758755.6799636, "update_time": 1765479796.627336, "name": "Extract actionable metadata and files", "order": 3, "tag": "0c5acee1-e985-43ec-aefa-9355f46fef2d", "description": "Depending on how the email was ingested, additional steps might be required to extract actionable metadata and files. For example, if the suspicious email is attached to the Splunk Mission Control notable as a file, run the \"extract ioc\" action to extract URLs, domain names, IP addresses, file hashes, and whole file attachments as artifacts. In some cases, you might need to write specific playbooks or ingestion scripts to extract or reformat fields from the email. 
Be aware that malicious emails can obfuscate links and file attachments, so it might be necessary to view the email in a sandboxed email client to see it in the same context as a user would see it.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "9510afc9-a689-434d-8622-e7dbcf607e54", "create_time": 1765479748.832889, "update_time": 1765479796.6289487, "name": "External Investigation", "order": 2, "tasks": [{"id": "2bedd439-1521-4bc1-aa32-f6502bc3b4eb", "create_time": 1764758755.6802204, "update_time": 1765479796.6275756, "name": "Investigate URLs", "order": 1, "tag": "5c7e7c30-139a-45e5-9622-63c788fe10a3", "description": "Perhaps%20the%20most%20common%20email%20attack%20vector%20is%20a%20clickable%20link%20that%20brings%20a%20user%20to%20a%20malicious%20website.%20The%20malicious%20website%20might%20collect%20credentials%20or%20other%20confidential%20information,%20attempt%20to%20exploit%20the%20user's%20browser,%20lead%20the%20user%20to%20download%20a%20malicious%20file,%20or%20gather%20preliminary%20fingerprint%20information%20about%20the%20user%20to%20inform%20further%20operations.%20Investigate%20all%20URLs%20contained%20in%20the%20suspicious%20email%20using%20a%20mix%20of%20automated%20and%20manual%20techniques.%20Query%20threat%20intelligence%20services%20and%20other%20sources%20of%20reputation%20information%20to%20see%20if%20the%20URLs%20are%20linked%20to%20known%20malicious%20activity.%20Check%20the%20categorization%20of%20the%20URLs%20and%20their%20popularity%20using%20services%20such%20as%20Censys%20or%20Alexa.%20Determine%20whether%20the%20URL%20is%20spoofing%20a%20brand%20using%20a%20similar%20spelling,%20a%20unicode%20substitution,%20or%20an%20out-of-order%20domain%20name.%20Also%20consider%20using%20a%20less%20passive%20technique%20that%20analyzes%20the%20current%20state%20of%20the%2
0URL,%20such%20as%20a%20sandboxed%20URL%20detonation,%20a%20website%20scanning%20tool%20such%20as%20urlscan.io%20or%20SSL%20Labs,%20a%20manual%20inspection%20from%20a%20sandboxed%20environment,%20or%20a%20website%20screenshot%20engine%20such%20as%20Screenshot%20Machine.%20Consider%20that%20targeted%20attacks%20might%20only%20reveal%20the%20malicious%20behavior%20of%20a%20website%20if%20the%20user%20agent%20and/or%20the%20source%20address%20of%20the%20request%20matches%20the%20target%20environment.%20The%20output%20of%20this%20task%20might%20be%20more%20linked%20URLs,%20the%20domain%20names%20of%20the%20underlying%20servers%20responding%20to%20the%20request,%20other%20domain%20names%20used%20by%20the%20website,%20IP%20addresses,%20or%20downloadable%20files.%20All%20of%20the%20above%20should%20be%20passed%20on%20to%20further%20investigative%20tasks%20if%20needed.%0A%0ASuggested%20Integrations%0A1.%20%5BSplunk%20Attack%20Analyzer%5D(https://splunkbase.splunk.com/app/6783)%0A2.%20%5BCisco%20Talos%20Intelligence%5D(https://splunkbase.splunk.com/app/7711)%0A3.%20%5BVirusTotal%20v3%5D(https://splunkbase.splunk.com/app/5865)%0A4.%20%20PhishTank%20(preconfigured)%0A5.%20%20%5BAlien%20Vault%5D(https://splunkbase.splunk.com/app/5878)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "16fc04ea-4b88-4a0e-8f68-66ac2c216f8f", "create_time": 1764758755.6803753, "update_time": 1765479796.6279, "name": "Investigate file attachments", "order": 2, "tag": "87e971c5-924c-4eee-8a08-e84975c01812", "description": 
"Another%20common%20email%20attack%20vector%20is%20a%20malicious%20file%20attachment.%20Any%20file%20could%20be%20malicious,%20but%20most%20attacks%20involve%20executables,%20scripts,%20or%20documents.%20Investigate%20these%20files%20using%20either%20a%20whole%20copy%20of%20the%20file%20or%20the%20file%20hash.%20Query%20threat%20intelligence%20and%20reputation%20databases%20using%20the%20hash%20to%20see%20if%20the%20file%20has%20been%20seen%20before,%20to%20see%20if%20there%20is%20suspicious%20activity%20associated%20with%20the%20file,%20and%20to%20learn%20more%20about%20the%20file's%20behavior.%20Query%20for%20previous%20analyses%20or%20submit%20the%20file%20for%20examination%20in%20a%20dynamic%20or%20static%20tool%20to%20check%20for%20potentially%20malicious%20behaviors%20or%20properties.%20Actions%20used%20for%20this%20task%20might%20extract%20associated%20URLs,%20domain%20names,%20IP%20addresses,%20or%20secondary%20file%20hashes%20which%20can%20be%20explored%20further%20in%20other%20tasks.%0A%0A%0A", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "a259ee42-6bdf-4d0c-9b27-efae878c42c2", "create_time": 1764758755.6805224, "update_time": 1765479796.62813, "name": "Investigate%20email", "order": 3, "tag": "39af1503-2dae-40d0-8164-818a7232bf95", "description": 
"Analyze%20the%20full%20email%E2%80%94headers,%20subject,%20and%20body%E2%80%94using%20both%20automated%20and%20manual%20techniques%20to%20determine%20its%20origin%20and%20assess%20for%20malicious%20intent.%20Inspect%20header%20fields%20(e.g.,%20%E2%80%9CFrom,%E2%80%9D%20%E2%80%9CSender,%E2%80%9D%20%E2%80%9CReply-to%E2%80%9D)%20for%20inconsistencies,%20misleading%20display%20names,%20and%20suspicious%20infrastructure,%20validating%20authentication%20results%20such%20as%20SPF,%20DKIM,%20and%20DMARC.%20Enrich%20findings%20with%20threat%20intelligence%20and%20reputation%20sources,%20and%20use%20tools%20like%20Microsoft%20Message%20Header%20Analyzer%20or%20MxToolbox%20for%20deeper%20interpretation.%20Evaluate%20the%20content%20for%20social%20engineering%20indicators%E2%80%94such%20as%20urgency,%20context%20manipulation,%20or%20attempts%20to%20solicit%20confidential%20information%E2%80%94recognizing%20that%20these%20often%20require%20manual%20judgment%20and,%20when%20appropriate,%20direct%20confirmation%20from%20the%20recipient.%20Outputs%20such%20as%20domains%20and%20IPs%20should%20be%20forwarded%20for%20further%20analysis.%0A%0ASuggested%20Integrations%0A1.%20%20%5BEmail%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/email_search)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": [{"id": "cf182fd6-c616-4adb-a8f6-b9969549c873", "create_time": 1764952188.108695, "update_time": 1765479796.6283174, "name": "Email - Query on Affected User", "description": "You need to have your email data being ingested into the Email data model. \n\nNOTE: in this search we have pulled the tokened field of \"src_user\" if you detection uses another output field you will need to update your search accordingly. 
", "spl": "%7C%20tstats%20%60summariesonly%60%20max(_time)%20as%20_time%2C%20values(All_Email.action)%20as%20action%2C%20values(All_Email.message_id)%20as%20message_id%2C%20values(All_Email.subject)%20as%20subject%2C%20values(All_Email.size)%20as%20size%2C%20values(All_Email.protocol)%20as%20protocol%2C%20values(All_Email.recipient)%20as%20recipient%2C%20count%20from%20datamodel%3DEmail.All_Email%20by%20All_Email.src%2CAll_Email.src_user%2CAll_Email.dest%20%0A%7C%20%60drop_dm_object_name(%22All_Email%22)%60%20%0A%7C%20search%20recipient%20IN%20(%24src_user%24)%0A%7C%20sort%20-%20count%20%0A%7C%20normalizeip%20src%20dest%20%0A%7C%20fields%20_time%2C%20action%2C%20message_id%2C%20subject%2C%20size%2C%20protocol%2C%20src%2C%20src_user%2C%20dest%2C%20recipient%2C%20count"}]}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "987a5f9d-4fa2-4474-a923-10ee1fca36e9", "create_time": 1764758755.680672, "update_time": 1765479796.6285076, "name": "Investigate domains", "order": 4, "tag": "65ec0d02-4e41-4bef-ad64-bcbbe64589bf", "description": 
"At%20this%20point%20domain%20names%20from%20various%20sources%20should%20be%20collected%20in%20the%20notable,%20including%20email%20sending%20and%20receiving%20servers,%20web%20servers%20from%20URLs%20in%20the%20email,%20domains%20associated%20to%20other%20indicators%20in%20threat%20intelligence%20databases,%20and%20domains%20contained%20in%20the%20file%20attachment%20or%20detected%20by%20the%20detonation%20of%20the%20file%20attachment.%20Check%20each%20of%20these%20against%20threat%20intelligence%20and%20reputation%20databases,%20passive%20DNS%20trackers,%20whois%20services,%20and%20other%20information%20services.%20Look%20for%20known%20malicious%20or%20unknown%20domains,%20focusing%20more%20on%20those%20associated%20to%20clickable%20URLs%20and%20file%20attachments.%20Evaluate%20what%20services%20are%20running%20on%20each%20suspicious%20domain%20using%20a%20scanning%20service%20such%20as%20Censys%20or%20Shodan.%20Check%20the%20TLS%20certificate%20(if%20applicable),%20website%20categorization,%20popularity,%20and%20any%20other%20available%20information.%20Compare%20this%20information%20to%20the%20expected%20outcome%20given%20the%20alleged%20context%20of%20the%20email.%20For%20unknown%20domains,%20consider%20the%20domain%20history,%20the%20hosting%20provider,%20and%20whether%20the%20domain%20name%20appears%20to%20have%20been%20dynamically%20generated.%20IP%20addresses%20currently%20and%20previously%20associated%20with%20the%20domain%20should%20be%20further%20processed%20elsewhere%20in%20your%20investigation.%0A%0ASuggested%20Integrations%0A1.%20%5BSplunk%20Attack%20Analyzer%5D(https://splunkbase.splunk.com/app/6783)%0A2.%20%5BCisco%20Talos%20Intelligence%5D(https://splunkbase.splunk.com/app/7711)%0A3.%20%5BVirusTotal%20v3%5D(https://splunkbase.splunk.com/app/5865)%0A4.%20%5BAlien%20Vault%5D(https://splunkbase.splunk.com/app/5878)%0A5.%20%5BDomainTools%20Iris%20Investigate%5D(https://splunkbase.splunk.com/app/6010)%0A6.%20%5BCisco%20Umbrella%20Investigates%5D(https:/
/splunkbase.splunk.com/app/5780)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "c4f72802-ef36-47d2-a6c0-9d1ab5e0aa2c", "create_time": 1764758755.6808305, "update_time": 1765479796.6287827, "name": "Investigate IP addresses", "order": 5, "tag": "bd473b00-1dc1-4446-8ce2-36d7fc8ef468", "description": "IP%20addresses%20may%20be%20involved%20in%20this%20investigation%20for%20several%20reasons.%20Some%20email%20headers%20can%20contain%20IP%20addresses%20(such%20as%20X-Originating-IP),%20URLs%20can%20contain%20IP%20addresses%20instead%20of%20hostnames,%20file%20attachments%20can%20contain%20IP%20addresses%20or%20generate%20IP%20addresses%20and%20try%20to%20connect%20to%20them%20(like%20domain%20generation%20algorithms),%20and%20IP%20addresses%20can%20be%20added%20to%20the%20notable%20through%20association%20or%20domain%20name%20resolution%20in%20other%20tasks%20within%20this%20investigation.%20Consider%20IP%20addresses%20in%20URLs%20that%20are%20not%20internal%20IP%20addresses%20for%20the%20organization%20highly%20suspicious.%20Investigate%20all%20suspicious%20IP%20addresses%20by%20checking%20the%20reputation,%20geolocation,%20whois%20record,%20DNS%20history,%20and%20by%20gathering%20information%20from%20other%20available%20services.%0A%0ASuggested%20Integrations%0A1.%20%5BCisco%20Talos%20Intelligence%5D(https://splunkbase.splunk.com/app/7711)%0A2.%20%5BVirusTotal%20v3%5D(https://splunkbase.splunk.com/app/5865)%0A3.%20%5BAlien%20Vault%5D(https://splunkbase.splunk.com/app/5878)%0A4.%20Whois%20(preconfigured)%0A5.%20MaxMind%20(preconfigured)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "d36a2713-63b9-4bfd-8a66-e50df079ace9", 
"create_time": 1765479748.8334155, "update_time": 1765479796.6299407, "name": "Internal Hunting", "order": 3, "tasks": [{"id": "4012859c-a956-4b21-ba9e-a2004dfeb036", "create_time": 1764758755.6812239, "update_time": 1765479796.6290972, "name": "Hunt email activity", "order": 1, "tag": "e7a6d9a6-8b9e-4f8c-afdb-475b0b3472b7", "description": "Find%20other%20similar%20emails%20sent%20into%20the%20organization%20based%20on%20the%20sender%20address,%20sender%20domain,%20subject,%20embedded%20URLs,%20file%20attachments,%20or%20other%20similar%20attributes%20shared%20across%20multiple%20emails.%20If%20possible%20determine%20which%20emails%20were%20opened,%20forwarded,%20deleted,%20marked%20as%20spam,%20or%20reported%20as%20potential%20phishing.%20Consider%20which%20types%20of%20users%20are%20targeted%20and%20why.%20Also%20check%20whether%20internal%20users%20replied%20to%20the%20emails%20and%20what%20information%20was%20contained%20in%20the%20replies.%0A%0ASuggested%20Integrations%0A1.%20%5BSplunk%20Attack%20Analyzer%5D(https://splunkbase.splunk.com/app/6783)%0A2.%20%20%5BCisco%20Secure%20Malware%20Analytics%20(Threat%20Grid)%5D(https://splunkbase.splunk.com/app/6145)%0A3.%20%5BEmail%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/email_search)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "1701120f-ca73-42cf-87e1-5dcb228ab5a0", "create_time": 1764758755.681366, "update_time": 1765479796.629352, "name": "Hunt network activity", "order": 2, "tag": "427ba972-75bd-42eb-8218-4a522f98b947", "description": 
"Based%20on%20previously%20collected%20information,%20try%20to%20determine%20whether%20or%20not%20URLs%20in%20the%20email%20were%20clicked,%20phishing%20websites%20were%20visited,%20or%20other%20suspicious%20network%20connections%20were%20made%20from%20the%20computers%20of%20users%20who%20opened%20the%20email.%20This%20can%20be%20done%20using%20many%20types%20of%20network%20monitoring,%20including%20netflow,%20full%20packet%20capture,%20DNS%20logging,%20and/or%20endpoint%20monitoring.%0A%0ASuggested%20Integrations%0A1.%20%5BTraffic%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_center)%0A2.%20%5BTraffic%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_search)%0A3.%20%5BTraffic%20Size%20Analysis%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_size_analysis)%0A4.%20%5BPort%20and%20Protocol%20Tracker%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/port_protocol_tracker)%0A5.%20%5BNetwork%20Changes%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/network_changes)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "24d8fa33-d658-4800-8113-5d7f7c90ad1d", "create_time": 1764758755.681554, "update_time": 1765479796.6295755, "name": "Hunt file executions", "order": 3, "tag": "ebe5a0e7-8705-4e69-b1e7-a21058c87822", "description": 
"If%20the%20email%20included%20a%20file%20attachment,%20try%20to%20determine%20which%20users%20downloaded%20the%20attachment%20and%20which%20users%20executed%20it%20or%20opened%20it%20in%20some%20other%20way.%20Use%20the%20file%20hash%20of%20the%20attachment%20to%20search%20across%20endpoint%20monitoring%20or%20network%20monitoring%20solutions%20for%20the%20transmission%20and/or%20execution%20of%20the%20file.%20If%20executions%20are%20detected,%20try%20to%20determine%20the%20behavior%20of%20the%20created%20process.%20If%20a%20potentially%20malicious%20document%20or%20other%20file%20type%20was%20opened,%20try%20to%20determine%20which%20application%20opened%20it%20and%20whether%20the%20file%20exploited%20or%20abused%20the%20opening%20application.%0A%0ASuggested%20Integrations%0A1.%20%5BEndpoint%20Changes%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/endpoint_changes)%0A2.%20%5BMalware%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_center)%0A3.%20%5BMalware%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_search)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "24ad66ec-2b93-4677-b1c4-a6e2c2bd6207", "create_time": 1764758755.6817021, "update_time": 1765479796.6298037, "name": "Hunt user activity", "order": 4, "tag": "32798d9d-6440-4f39-98c7-6d4c30d26e1e", "description": 
"If%20a%20phishing%20attempt%20or%20other%20user%20account%20compromise%20attempt%20is%20suspected,%20investigate%20how%20the%20credentials%20or%20account%20access%20are%20being%20used.%20Enumerate%20resources%20available%20to%20the%20account%20and%20search%20the%20access%20logs%20for%20those%20resources,%20looking%20for%20anomalous%20usage%20patterns.%0A%0ASuggested%20Integrations%0A1.%20%5BRisk%20Analysis%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/risk_analysis)%0A2.%20%5BIdentity%20Investigator%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/identity_investigator)%0A3.%20%5BAsset%20and%20Risk%20Intelligence%5D(https://splunkbase.splunk.com/app/7180)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "42eb2edf-fc7d-4327-8f3e-37ee80c2536c", "create_time": 1765479748.8340182, "update_time": 1765479796.6310995, "name": "Enforcement and increased monitoring", "order": 4, "tasks": [{"id": "2eb1f1a5-8f1a-45d8-8953-ba30d1a8a6e9", "create_time": 1764758755.6819034, "update_time": 1765479796.6300797, "name": "Block or monitor email activity", "order": 1, "tag": "6b567916-424d-41b3-836f-b4abfa555448", "description": 
"If%20specific%20malicious%20emails%20have%20been%20identified,%20delete%20them%20from%20any%20mailboxes%20in%20which%20they%20still%20pose%20a%20threat.%20Similarly,%20if%20a%20sender%20address%20or%20an%20entire%20sender%20domain%20is%20found%20to%20be%20malicious,%20block%20inbound%20email%20from%20that%20source.%20Set%20filtering%20rules%20to%20block%20inbound%20email%20or%20increase%20monitoring%20of%20email%20based%20on%20other%20detected%20characteristics%20of%20an%20email%20campaign%20or%20malicious%20technique.%0A%0ASuggested%20Intergrations%0A1.%20%5BMS%20Graph%20for%20Office%20365%5D(https://splunkbase.splunk.com/app/5824)%0A2.%20%5BG%20Suite%20for%20GMail%5D(https://splunkbase.splunk.com/app/5795)%0A3.%20%5BEmail%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/email_search)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "f0d28b16-b4ba-46a9-8d20-c888d0d50137", "create_time": 1764758755.6820495, "update_time": 1765479796.6303134, "name": "Block or monitor network activity", "order": 2, "tag": "b537f91c-ce46-4a52-8894-0797dbc13b6b", "description": 
"Based%20on%20gathered%20indicators%20and%20metadata,%20block%20or%20increase%20monitoring%20of%20malicious%20network%20connections%20associated%20with%20the%20suspicious%20email.%20Prevent%20other%20receivers%20of%20similar%20phishing%20emails%20from%20accessing%20the%20clickable%20URL%20by%20blocking%20that%20URL%20itself,%20the%20underlying%20domain%20name,%20and/or%20the%20underlying%20IP%20addresses.%20If%20malware%20or%20unwanted%20software%20was%20detected,%20block%20outbound%20connections%20known%20to%20be%20associated%20with%20that%20malware%20based%20on%20threat%20intelligence%20or%20dynamic%20analysis.%20If%20the%20threat%20is%20severe%20enough,%20consider%20isolating%20entire%20portions%20of%20the%20network.%0A%0ASuggested%20Integrations%0A1.%20%20%5BCisco%20Firepower%5D(https://splunkbase.splunk.com/app/5995)%0A2.%20%5BCisco%20Secure%20Firewall%5D(https://splunkbase.splunk.com/app/7745)%0A3.%20%5B%20Palo%20Alto%5D(https://splunkbase.splunk.com/app/5830)%0A4.%20%5BZscaler%5D(https://splunkbase.splunk.com/app/5872)%0A5.%20%5BTraffic%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_center)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "79abbff6-2d34-46b0-b570-c9788da8668a", "create_time": 1764758755.6822183, "update_time": 1765479796.6305444, "name": "Block or monitor file executions", "order": 3, "tag": "e7cb23b5-9baa-4a66-994d-43cd0f17d017", "description": 
"Based%20on%20gathered%20indicators%20and%20metadata,%20block%20or%20increase%20monitoring%20of%20endpoint%20activity%20caused%20by%20the%20suspicious%20email.%20This%20could%20mean%20blocking%20the%20hash%20of%20the%20file%20attachment,%20blocking%20the%20hash%20of%20a%20file%20downloaded%20from%20a%20URL%20in%20an%20email,%20blocking%20a%20malicious%20hash%20associated%20with%20the%20email%20by%20threat%20intelligence,%20or%20blocking%20secondary%20executions%20such%20as%20dropped%20stages%20of%20malware%20identified%20from%20dynamic%20analysis.%0A%0ASuggested%20Integrations%0A1.%20%20%5BCrowdstrike%5D(https://splunkbase.splunk.com/app/5786)%0A2.%20%5BMicrosoft%20Defender%20for%20Endpoint%5D(https://splunkbase.splunk.com/app/5870)%0A3.%20%5BVMware%20Carbon%20Black%20Cloud%20for%20Splunk%20SOAR%5D(https://splunkbase.splunk.com/app/6732)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "fa4ad6aa-7fc1-4897-9588-e2366ce2cc8e", "create_time": 1764758755.6823559, "update_time": 1765479796.6307607, "name": "Contain endpoints", "order": 4, "tag": "746ae480-2639-4ffe-80ce-698238ec5721", "description": 
"If%20an%20endpoint%20compromise%20is%20suspected,%20it%20might%20be%20necessary%20to%20quarantine%20or%20otherwise%20contain%20that%20endpoint%20until%20further%20investigation%20and%20remediation%20can%20be%20done.%20Consider%20the%20criticality%20of%20the%20system%20and%20the%20likelihood%20of%20a%20compromise.%20In%20other%20cases,%20simply%20increasing%20the%20monitoring%20or%20scanning%20for%20more%20information%20can%20be%20prudent.%0A%0ASuggested%20Integrations%0A1.%20%20%5BCrowdstrike%5D(https://splunkbase.splunk.com/app/5786)%0A2.%20%5BMicrosoft%20Defender%20for%20Endpoint%5D(https://splunkbase.splunk.com/app/5870)%0A3.%20%5BVMware%20Carbon%20Black%20Cloud%20for%20Splunk%20SOAR%5D(https://splunkbase.splunk.com/app/6732)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "8ffee892-3e52-4aed-ba5f-30554d3de579", "create_time": 1764758755.6824956, "update_time": 1765479796.6309698, "name": "Contain user accounts", "order": 5, "tag": "702244fa-e9c6-42d7-846a-697fb74ea060", "description": "If%20a%20user%20account%20compromise%20is%20suspected,%20it%20might%20be%20necessary%20to%20reset%20the%20credentials,%20reduce%20the%20account%20privileges,%20or%20disable%20the%20account%20until%20further%20investigation%20is%20completed.%0A%0ASuggested%20Integrations%0A1.%20%5BMS%20Graph%20For%20Active%20Directory%5D(https://splunkbase.splunk.com/app/6395)%0A2.%20%5BAD%20LDAP%5D(https://splunkbase.splunk.com/app/5755)%0A3.%20%5BOkta%5D(https://splunkbase.splunk.com/app/5921)%0A4.%20%5BAWS%20IAM%5D(https://splunkbase.splunk.com/app/5763)%0A5.%20%5BAzure%20AD%20Graph%5D(https://splunkbase.splunk.com/app/5771)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 
0}]}, {"id": "f3f3a7c8-dcb4-4565-8827-356c60cac5f6", "create_time": 1765479748.8343027, "update_time": 1765479796.6315908, "name": "Longer-running analysis jobs", "order": 5, "tasks": [{"id": "09b37ed6-4b6e-4fe0-a4c5-561480ed7c10", "create_time": 1764758755.68271, "update_time": 1765479796.631251, "name": "Analyze network activity", "order": 1, "tag": "9cf69134-6b81-45ca-ada8-fd4136a1912f", "description": "Perform%20any%20resource-intensive%20analysis%20of%20network%20activity%20left%20over%20from%20the%20External%20Investigation%20and%20Internal%20Hunting%20phases.%20This%20might%20mean%20full%20packet%20capture%20collection%20and%20analysis,%20sandbox%20detonation%20of%20URLs,%20long-running%20queries%20of%20network%20history%20and%20anomalous%20behavior,%20or%20other%20similar%20analysis%20tasks.%0A%0ASuggested%20Integrations%0A1.%20%5BTraffic%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_center)%0A2.%20%5BTraffic%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_search)%0A3.%20%5BTraffic%20Size%20Analysis%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_size_analysis)%0A4.%20%5BPort%20and%20Protocol%20Tracker%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/port_protocol_tracker)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "627cb8cc-b780-437e-951d-8ec9c64062e7", "create_time": 1764758755.682851, "update_time": 1765479796.631454, "name": "Analyze endpoint activity", "order": 2, "tag": "2497b494-b80f-417b-b51d-f4c8d7aff019", "description": 
"Conduct%20deeper%20analysis%20on%20remaining%20malware%20and%20endpoint%20investigation%20tasks%20not%20finished%20in%20the%20External%20Investigation%20and%20Internal%20Hunting%20phases.%20This%20might%20mean%20sandbox%20detonation%20of%20files,%20forensic%20analysis%20of%20associated%20devices%20or%20memory%20dumps,%20reverse%20engineering%20of%20suspected%20malware,%20long-running%20queries%20of%20endpoint%20activity%20history%20and%20anomalous%20behavior,%20or%20other%20similar%20analysis%20tasks.%0A%0ASuggested%20Integrations%0A1.%20%5BEndpoint%20Changes%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/endpoint_changes)%0A2.%20%5BMalware%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_center)%0A3.%20%5BMalware%20Search%20%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_search)%0A4.%20%5BAsset%20and%20Risk%20Intelligence%5D(https://splunkbase.splunk.com/app/7180)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "934b1327-2484-49e2-9701-36a33a1462f9", "create_time": 1765479748.8349223, "update_time": 1765479796.6327975, "name": "Notification", "order": 6, "tasks": [{"id": "3b692da7-b9dc-491b-add5-2c674251a7be", "create_time": 1764758755.683051, "update_time": 1765479796.6317682, "name": "Update tickets", "order": 1, "tag": "dad41274-fb84-4b6f-bed9-fb43be506987", "description": "Make%20sure%20that%20all%20the%20necessary%20outputs%20and%20status%20updates%20from%20the%20previous%20phases%20and%20tasks%20are%20documented%20in%20the%20appropriate%20system%20of%20record.%20Summarize%20the%20current%20state%20of%20the%20investigation%20and%20any%20remaining%20tasks.%0A%0A%5BSuggested%20Integrations%5D(https://splunkbase.splunk.com/apps?page=1&product=soar&categories=ticketing)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], 
"suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "644d1cc6-f855-4dfb-ae28-a0a58fbee6d2", "create_time": 1764758755.6832078, "update_time": 1765479796.631959, "name": "Notify system owners", "order": 2, "tag": "824481e3-9dc5-4668-9abd-585d1cd331ca", "description": "For%20any%20systems%20that%20have%20been%20changed%20or%20need%20to%20be%20changed,%20notify%20the%20necessary%20system%20owners%20so%20the%20appropriate%20change%20management%20procedures%20can%20be%20followed.%0A%0ASuggested%20Integrations%0A1.%20SMTP%20(preconfigured)%0A2.%20%5BMS%20Graph%20for%20Office%20365%5D(https://splunkbase.splunk.com/app/5824)%0A3.%20%5BG%20Suite%20for%20GMail%5D(https://splunkbase.splunk.com/app/5795)%0A4.%20%5BCisco%20Webex%5D(https://splunkbase.splunk.com/app/5781)%0A5.%20%5BSlack%5D(https://splunkbase.splunk.com/app/5846)%0A6.%20%5BMicrosoft%20Teams%5D(https://splunkbase.splunk.com/app/5818)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "81905435-dd7e-493d-babf-fc5f108cbb9a", "create_time": 1764758755.6833851, "update_time": 1765479796.6321607, "name": "Notify regulatory compliance team", "order": 3, "tag": "c7f7005c-6b51-49a7-a3f9-f22aaf9dfbe4", "description": 
"If%20appropriate,%20notify%20the%20regulatory%20compliance%20team%20to%20support%20them%20as%20they%20report%20this%20incident%20to%20the%20correct%20regulatory%20or%20accrediting%20organizations.%0A%0ASuggested%20Integrations%0A1.%20SMTP%20(preconfigured)%0A2.%20%5BMS%20Graph%20for%20Office%20365%5D(https://splunkbase.splunk.com/app/5824)%0A3.%20%5BG%20Suite%20for%20GMail%5D(https://splunkbase.splunk.com/app/5795)%0A4.%20%5BCisco%20Webex%5D(https://splunkbase.splunk.com/app/5781)%0A5.%20%5BSlack%5D(https://splunkbase.splunk.com/app/5846)%0A6.%20%5BMicrosoft%20Teams%5D(https://splunkbase.splunk.com/app/5818)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "a4260d25-53f9-45c4-b984-4c10deddbb82", "create_time": 1764758755.6836178, "update_time": 1765479796.6323862, "name": "Assign additional tasks", "order": 4, "tag": "29d21b34-5221-4dee-9bff-276a8241b2bd", "description": "Create tickets to track any follow-on tasks that came out of this investigation. 
Example tasks might include conducting deeper endpoint investigation, re-provisioning systems, re-enabling accounts, or tuning filtering systems to block future emails.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "d0cf948f-2ba6-4a7d-82c9-851aacfa80a6", "create_time": 1764758755.6839995, "update_time": 1765479796.6325488, "name": "Educate users", "order": 5, "tag": "7ee89bfe-e39d-42c9-baa0-2e74b39adcd1", "description": "If appropriate, inform the broader user base about the types of suspicious emails being sent to the organization to try to prevent them from clicking malicious links or opening malicious file attachments in the future.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "5b78276c-3dff-4546-8ff4-78cd4e1b04d3", "create_time": 1764758755.6842132, "update_time": 1765479796.6327078, "name": "Share threat intelligence", "order": 6, "tag": "3773742e-ecd3-4588-a0ae-6ac80e6b70ce", "description": "If appropriate, communicate relevant findings to trusted third parties and/or the public threat intelligence community. Make sure that outbound messages do not contain confidential information. 
Consider sharing or confirming the usage of indicators and techniques to peer organizations, security vendors, public databases, or industry-specific threat intelligence sharing communities.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}], "template_id": "84c951b5-a7f7-439d-9e59-b8031190be63", "active": true, "used": true, "_user": "nobody", "_key": "a72d40f3-a567-48e2-9fd3-c29db06c3907"}
diff --git a/response_templates/VulnerabilityDisclosure_v2.json b/response_templates/VulnerabilityDisclosure_v2.json
new file mode 100644
index 0000000000..25f1e2a41e
--- /dev/null
+++ b/response_templates/VulnerabilityDisclosure_v2.json
@@ -0,0 +1 @@
+{"id": "83c7c93e-eb22-4a6c-981f-d7a857b71dfc", "create_time": 1764862787.2717, "update_time": 1765478160.218586, "name": "Vulnerability Disclosure", "description": "", "template_status": "published", "creator": "splunker", "updated_by": "splunker", "is_default": false, "version": 2, "phases": [{"id": "63140a0e-8d42-4aba-943a-899170cc7fd3", "create_time": 1765478079.1544676, "update_time": 1765478160.185931, "name": "Understand the vulnerability", "order": 1, "tasks": [{"id": "c2906aa1-2ba2-4d46-b927-04a348dfc8ed", "create_time": 1764758755.9402392, "update_time": 1765478160.1855013, "name": "Research types of systems that are affected", "order": 1, "tag": "f0045b4e-6680-4782-b80b-ba292805d290", "description": "Research%20the%20known%20hardware%20or%20software%20systems%20and%20versions%20that%20are%20affected.%20If%20possible%20use,%20a%20vulnerability%20database%20or%20software%20composition%20analysis%20solution%20to%20walk%20the%20dependency%20chain%20and%20evaluate%20the%20scope%20of%20the%20vulnerability.%0A%0ASuggested%20Integrations%0A1.%20%5BTraffic%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_search)%0A2.%20%5BTraffic%20Size%20Analysis%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_size_analysis)%0A3.%20%5BPort%20and%20Protocol%20Tracker%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/port_protocol_tracker)%0A4.%20%5BEndpoint%20Changes%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/endpoint_changes)%0A5.%20%5BMalware%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_center)%0A6.%20%5BAsset%20and%20Risk%20Intelligence%5D(https://splunkbase.splunk.com/app/7180)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "bd74c974-5d88-4136-aae1-13642d0f5bb5", "create_time": 1764758755.9403417, "update_time": 1765478160.185846, "name": 
"Research how the vulnerability works", "order": 2, "tag": "207e6bdb-1eed-41f8-9ee6-f87bf260978a", "description": "Research%20the%20mechanism%20that%20makes%20the%20system%20vulnerable%20and%20the%20conditions%20in%20which%20the%20system%20is%20vulnerable.%20Often%20there%20are%20certain%20configurations,%20software%20packages,%20system%20states,%20operating%20modes,%20and%20other%20characteristics%20that%20make%20a%20vulnerability%20exploitable%20and%20affect%20the%20impact%20if%20exploited.%20Assess%20the%20difficulty%20to%20exploit%20the%20vulnerability%20and%20the%20reliability%20of%20the%20exploit.%0A%0A%0A1.%20%5BES%20Use%20Case%20Library%5D(/app/SplunkEnterpriseSecuritySuite/ess_use_case_library)%0A2.%20%5BSplunk%20Security%20Content%5D(https://research.splunk.com/)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "0e4796c9-bcb5-4837-b0cd-7c83b40dd2c3", "create_time": 1765478079.1550362, "update_time": 1765478160.1863368, "name": "Understand impact to the organization", "order": 2, "tasks": [{"id": "6dc2dedf-7fe4-4d02-bc74-4b386a320460", "create_time": 1764758755.940481, "update_time": 1765478160.186015, "name": "Find potentially affected systems", "order": 1, "tag": "b5bcfe17-e8a5-40a0-984c-c8fefe77093c", "description": 
"Check%20the%20internal%20environment%20and%20dependencies%20of%20the%20organization%20for%20the%20software%20or%20hardware%20that%20is%20vulnerable.%0A%0ASuggested%20Integrations%0A1.%20%5BTraffic%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_search)%0A2.%20%5BTraffic%20Size%20Analysis%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_size_analysis)%0A3.%20%5BPort%20and%20Protocol%20Tracker%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/port_protocol_tracker)%0A4.%20%5BEndpoint%20Changes%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/endpoint_changes)%0A5.%20%5BMalware%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_center)%0A6.%20%5BRisk%20Analysis%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/risk_analysis)%0A7.%20%5BAsset%20and%20Risk%20Intelligence%5D(https://splunkbase.splunk.com/app/7180)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "26f32c1e-5de3-4565-9a72-c17aa0dfee4e", "create_time": 1764758755.9405725, "update_time": 1765478160.186133, "name": "Determine exploitability", "order": 2, "tag": "9b967031-b163-4c25-a971-011f10df8051", "description": "Check%20for%20exploitable%20conditions.%20If%20appropriate,%20attempt%20to%20implement%20the%20vulnerability%20or%20use%20a%20safe%20proof%20of%20concept%20to%20verify%20exploitability.%0A%0ASuggested%20Integrations%0A1.%20%5BSplunk%20Attack%20Analyzer%5D(https://splunkbase.splunk.com/app/6783)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "1f4e957a-1bc6-4b22-b222-44c845454b45", "create_time": 1764758755.9406626, "update_time": 1765478160.1862617, "name": "Investigate possible exploitation", "order": 3, "tag": 
"b944edaa-aa8a-4877-8b78-f022580d2731", "description": "Investigate%20whether%20or%20not%20vulnerable%20systems%20were%20exploited.%20Use%20the%20particular%20behavior%20of%20the%20exploit%20and%20likely%20post-exploitation%20techniques%20to%20narrow%20down%20the%20search%20for%20exploited%20systems.%0A%0ASuggested%20Integrations%0A1.%20%5BTraffic%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_search)%0A2.%20%5BTraffic%20Size%20Analysis%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_size_analysis)%0A3.%20%5BPort%20and%20Protocol%20Tracker%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/port_protocol_tracker)%0A4.%20%5BEndpoint%20Changes%20%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/endpoint_changes)%0A5.%20%5BMalware%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_center)%0A6.%20%5BRisk%20Analysis%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/risk_analysis)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "e8928704-4ba7-41c1-abba-a0444d548fe0", "create_time": 1765478079.1552103, "update_time": 1765478160.1864805, "name": "Decide how to respond", "order": 3, "tasks": [{"id": "860d180e-5d53-4eb7-b867-97ad48f470e6", "create_time": 1764758755.9407957, "update_time": 1765478160.1864188, "name": "Evaluate patches, workarounds, and service outages", "order": 1, "tag": "23a1b3d3-d2db-40d9-9a96-39a154c94ff0", "description": "Consider%20how%20mitigations,%20remediations,%20and%20forced%20system%20shutdowns%20affect%20the%20situation.%0A%0ASuggested%20Integrations%0A1.%20%5BUpdate%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/update_center)%0A2.%20%5BAsset%20and%20Risk%20Intelligence%5D(https://splunkbase.splunk.com/app/7180)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": 
{"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "1559a28c-3e76-4910-a22e-f5e6977d0647", "create_time": 1765478079.1555555, "update_time": 1765478160.1868198, "name": "Execute the response", "order": 4, "tasks": [{"id": "1d4394f7-8781-4802-a6a2-7d77b655a9ee", "create_time": 1764758755.9409366, "update_time": 1765478160.1865623, "name": "Remediate", "order": 1, "tag": "6e13819e-dfdf-4e48-90fa-95c7ddfc139c", "description": "Apply%20patches,%20upgrades,%20configuration%20changes,%20or%20state%20changes%20that%20can%20remediate%20the%20vulnerability.%0A%0ASuggested%20Integrations%0A1.%20%5BCrowdstrike%5D(https://splunkbase.splunk.com/app/5786)%0A2.%20%5BMicrosoft%20Defender%20for%20Endpoint%5D(https://splunkbase.splunk.com/app/5870)%0A3.%20%5BVMware%20Carbon%20Black%20Cloud%20for%20Splunk%20SOAR%5D(https://splunkbase.splunk.com/app/6732)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "43f50b91-ee22-4731-a5fe-c6b4463134cf", "create_time": 1764758755.941027, "update_time": 1765478160.186665, "name": "Mitigate", "order": 2, "tag": "5c813f0c-e55c-492a-933b-59b99ad11071", "description": "Apply%20workarounds,%20temporary%20fixes,%20additional%20hardening,%20new%20security%20tools,%20new%20detections,%20and%20other%20mitigations%20to%20reduce%20risk.%0A%0ASuggested%20Integrations%0A1.%20%5BCisco%20Firepower%5D(https://splunkbase.splunk.com/app/5995)%0A2.%20%5BCisco%20Secure%20Firewall%5D(https://splunkbase.splunk.com/app/7745)%0A3.%20%5B%20Palo%20Alto%5D(https://splunkbase.splunk.com/app/5830)%0A4.%20%5BZscaler%5D(https://splunkbase.splunk.com/app/5872)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, 
"total_time_taken": 0}, {"id": "90f60618-b458-4baa-ae0d-af0fe1c4b3ec", "create_time": 1764758755.941116, "update_time": 1765478160.1867695, "name": "Document accepted risks", "order": 3, "tag": "47c9830a-c0e1-4b75-ae76-4b5e0cddbf5c", "description": "Document remaining risk and notify stakeholders.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}], "template_id": "b0687c98-dcde-4d9a-bf6f-4a31859fef16", "active": true, "used": false, "_user": "nobody", "_key": "83c7c93e-eb22-4a6c-981f-d7a857b71dfc"}
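Review bot: The `description` field is percent-encoded for every task in this file except `Document accepted risks`, whose value `Document remaining risk and notify stakeholders.` is plain text, and the template-level `"description": ""` is left empty where the sibling AccountCompromise template carries a full summary; a consumer that percent-decodes every description happens to work on this text but would corrupt any plain-text description that ever contains a `%`, so the field should use one representation throughout. The `Research types of systems that are affected` description has a misplaced comma in `If possible use, a vulnerability database` (should read `If possible, use a vulnerability database`), and `Research how the vulnerability works` lists its two links after `%0A%0A%0A` with no `Suggested Integrations` heading, unlike every other task. In `Determine exploitability`, `attempt to implement the vulnerability` presumably means reproducing it; stating that any proof-of-concept verification runs against an isolated test system rather than production would make the task safer to hand to an analyst. The same mix of plain and percent-encoded descriptions appears in the AccountCompromise_v2.json hunk above, whose header is outside this view.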