Cc/response plans

response_templates/DataBreach_v2.json

@@ -0,0 +1 @@
+{"id": "b0ad7421-221a-4859-8af7-7cd8949ad10f", "create_time": 1764862877.558638, "update_time": 1765481882.0017216, "name": "Data Breach", "description": "", "template_status": "published", "creator": "splunker", "updated_by": "splunker", "is_default": false, "version": 2, "phases": [{"id": "3864ce09-a850-44af-86ef-9ade49d18356", "create_time": 1765481830.6013758, "update_time": 1765481881.9174762, "name": "Escalate to accountable system owners", "order": 1, "tasks": [{"id": "5a3d4ceb-6a30-4aa3-8e8a-b30e3438dff4", "create_time": 1764758755.724739, "update_time": 1765481881.9169092, "name": "Identify accountable system owners", "order": 1, "tag": "f45e1890-72d0-4bdf-8932-ea8d78c2c58f", "description": "Query%20configuration%20management%20databases,%20ask%20teammates,%20and%20query%20on-call%20personnel%20directories%20to%20find%20the%20right%20people%20for%20notification%20and%20response.%0A%0ASuggested%20Integrations%0A1.%20%20%5BAsset%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/asset_center)%0A2.%20%20%5BServiceNow%5D(https://splunkbase.splunk.com/app/5932)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "8d090f83-6590-48b7-8233-db738d054005", "create_time": 1764758755.7248507, "update_time": 1765481881.9171314, "name": "Notify accountable system owners", "order": 2, "tag": "b0816205-58e4-4e29-991b-f415717d1c03", "description": "Determine%20what%20is%20needed%20from%20each%20team%20member%20and%20notify%20them%20as%20soon%20as%20possible.%20Consider%20speed,%20confidentiality,%20integrity,%20and%20availability%20when%20choosing%20a%20communication%20channel.%20The%20right%20choice%20may%20be%20an%20in-person%20meeting,%20email,%20chat,%20text,%20phone%20call,%20or%20a%20notification%20in%20Splunk%20Mission%20Control.%0A%0ASuggested%20Integrations%0A1.%20SMTP%20(preconfigured)%0A2.%20%5BMS%20Graph%20for%20Office%20365%5D(https://splunkbase.splunk.com/app/5824)%0A3.%20%5BG%20Suite%20for%20GMail%5D(https://splunkbase.splunk.com/app/5795)%0A4.%20%5BCisco%20Webex%5D(https://splunkbase.splunk.com/app/5781)%0A5.%20%5BSlack%5D(https://splunkbase.splunk.com/app/5846)%0A6.%20%20%5BMicrosoft%20Teams%5D(https://splunkbase.splunk.com/app/5818)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "2950919f-a5ca-4dec-b3d0-5ef7edf213e3", "create_time": 1764758755.7249453, "update_time": 1765481881.9173613, "name": "Set up collaboration channels", "order": 3, "tag": "2b1518b8-77a6-4e03-8b50-e0a89dc40ed8", "description": "Establish%20shared%20access%20to%20the%20appropriate%20notable%20investigation%20that%20is%20tracking%20the%20data%20breach.%20If%20necessary%20establish%20an%20additional%20channel%20for%20communications%20such%20as%20a%20chat%20room,%20email%20chain,%20ticketing%20system,%20or%20VictorOps%20Incident.%0A%0ASuggested%20Integrations%0A1.%20%5BCisco%20Webex%5D(https://splunkbase.splunk.com/app/5781)%0A2.%20%5BSlack%5D(https://splunkbase.splunk.com/app/5846)%0A3.%20%5BMicrosoft%20Teams%5D(https://splunkbase.splunk.com/app/5818)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "fa5bb456-dfe8-4f27-88a3-1639a35796c6", "create_time": 1765481830.6017647, "update_time": 1765481881.918081, "name": "Stop exfiltration", "order": 2, "tasks": [{"id": "3fcbd598-8be3-4c81-a89e-1896912ffea4", "create_time": 1764758755.725092, "update_time": 1765481881.9176087, "name": "Identify likely means of exfiltration", "order": 1, "tag": "b562799f-7155-43a2-a36a-e736575a6b1d", "description": "Evaluate%20likely%20means%20of%20exfiltration%20using%20the%20information%20from%20the%20initial%20detection%20and%20any%20other%20associated%20investigation%20the%20team%20can%20conduct.%20Use%20https://attack.mitre.org/wiki/Persistence%20and%20other%20open%20source%20intelligence%20to%20check%20for%20common%20exfiltration%20mechanisms.%20Consider%20the%20sophistication%20of%20the%20adversary,%20the%20data%20that%20is%20likely%20to%20be%20targeted,%20the%20systems%20that%20may%20have%20been%20breached,%20and%20any%20other%20knowledge%20from%20further%20investigation.%20Query%20the%20logs%20of%20any%20available%20systems%20around%20the%20time%20of%20the%20incident%20for%20context%20and%20additional%20leads.%20If%20possible%20analyze%20and/or%20reverse%20engineer%20any%20executables%20or%20scripts%20discovered%20in%20the%20investigation.%20Try%20to%20determine%20exfiltration%20mechanisms,%20protocols,%20ports,%20IP%20addresses,%20hostnames,%20URLs,%20and%20other%20indicators.%0A%0ASuggested%20Integrations%0A1.%20%5BRisk%20Analysis%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/risk_analysis)%0A2.%20%5BTraffic%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_center)%0A3.%20%5BPort%20and%20Protocol%20Tracker%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/port_protocol_tracker)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "b7bfe3f3-8035-45bd-a16a-4d847cb74ba3", "create_time": 1764758755.725215, "update_time": 1765481881.9178276, "name": "Determine mitigations and remediations", "order": 2, "tag": "2c398364-ef0f-4e7d-877e-0abfaa91d72d", "description": "Taking into account the confidentiality and availability considerations of the systems involved, determine which mitigations and remediations are appropriate.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "0a27527c-f0c1-4e54-a875-d110a8f71cb8", "create_time": 1764758755.7253134, "update_time": 1765481881.9179668, "name": "Stop exfiltration", "order": 3, "tag": "e80c691b-9bab-4f4d-86ca-8496300842c3", "description": "Use%20host-based%20or%20network%20controls%20to%20interrupt%20exfiltration.%20Scope%20the%20response%20according%20to%20the%20severity%20of%20the%20event.%0A%0ASuggested%20Integrations%0A1.%20%5BCisco%20Firepower%5D(https://splunkbase.splunk.com/app/5995)%0A2.%20%5BCisco%20Secure%20Firewall%5D(https://splunkbase.splunk.com/app/7745)%0A3.%20%5B%20Palo%20Alto%5D(https://splunkbase.splunk.com/app/5830)%0A4.%20%5BZscaler%5D(https://splunkbase.splunk.com/app/5872)%0A5.%20%5BTraffic%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_center)%0A6.%20%5BCrowdstrike%5D(https://splunkbase.splunk.com/app/5786)%0A7.%20%5BMicrosoft%20Defender%20for%20Endpoint%5D(https://splunkbase.splunk.com/app/5870)%0A8.%20%5BVMware%20Carbon%20Black%20Cloud%20for%20Splunk%20SOAR%5D(https://splunkbase.splunk.com/app/6732)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "a1d5e293-2b61-43f1-a776-f8d2126a1d7a", "create_time": 1765481830.6020367, "update_time": 1765481881.918544, "name": "Remove persistent adversaries", "order": 3, "tasks": [{"id": "fecaae1e-a6d8-47b2-8386-5af5bcac6d54", "create_time": 1764758755.7254562, "update_time": 1765481881.9182255, "name": "Identify likely means of persistence", "order": 1, "tag": "27ff7f99-5263-4a23-ba71-775e2a96ea00", "description": "Trace%20exfiltration%20as%20far%20as%20possible%20back%20toward%20a%20root%20cause.%20Look%20for%20patterns%20of%20activity%20from%20scheduled%20tasks,%20system%20restarts,%20polling%20of%20external%20systems,%20and%20other%20common%20means%20of%20persistence.%20Sysinternals%20AutoRuns%20and%20other%20similar%20tools%20can%20check%20wide%20varieties%20of%20persistence%20mechanisms.%0A%0ASuggested%20Integrations%0A1.%20%5BTraffic%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_center)%0A2.%20%5BEndpoint%20Changes%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/endpoint_changes)%0A3.%20%5BMalware%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_center)%0A4.%20%5BMalware%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_search)%0A5.%20%5BEmail%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/email_search)%0A6.%20%5BRisk%20Analysis%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/risk_analysis)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "a951c1a1-61c6-4afa-b0c7-c721a97b5d3e", "create_time": 1764758755.7255518, "update_time": 1765481881.9184313, "name": "Remove identified persistence mechanisms", "order": 2, "tag": "3c87ad49-a462-47b1-93fa-401c82da9270", "description": "Block%20adversary%20persistence%20at%20the%20host%20and/or%20network%20level.%0A%0ASuggested%20Integrations%0A1.%20%5BCisco%20Firepower%5D(https://splunkbase.splunk.com/app/5995)%0A2.%20%5BCisco%20Secure%20Firewall%5D(https://splunkbase.splunk.com/app/7745)%0A3.%20%5BPalo%20Alto%5D(https://splunkbase.splunk.com/app/5830)%0A4.%20%5BZscaler%5D(https://splunkbase.splunk.com/app/5872)%0A5.%20%5BCrowdstrike%5D(https://splunkbase.splunk.com/app/5786)%0A6.%20%5BMicrosoft%20Defender%20for%20Endpoint%5D(https://splunkbase.splunk.com/app/5870)%0A7.%20%5BVMware%20Carbon%20Black%20Cloud%20for%20Splunk%20SOAR%5D(https://splunkbase.splunk.com/app/6732)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "9577e82b-f68e-4fa7-a86b-987bbb51a504", "create_time": 1765481830.6022003, "update_time": 1765481881.918786, "name": "Assess impact", "order": 4, "tasks": [{"id": "be68378a-13d6-499d-bc94-d7f54c51e012", "create_time": 1764758755.7256913, "update_time": 1765481881.9186735, "name": "Measure the size and scope", "order": 1, "tag": "26cca1bb-80c3-43ab-ab5b-13975111b607", "description": "Measure%20the%20impact%20of%20the%20breach%20by%20amount%20of%20data,%20importance%20of%20data,%20potential%20follow-on%20impacts,%20and%20other%20appropriate%20criteria.%0A%0ASuggested%20Integrations%0A1.%20%5BRisk%20Analysis%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/risk_analysis)%0A2.%20%5BTraffic%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_center)%0A3.%20%5BPort%20and%20Protocol%20TrackerDashboard%5D(/app/SplunkEnterpriseSecuritySuite/port_protocol_tracker)%0A4.%20%5BMalware%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_center)%0A5.%20%5BMalware%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_search)%0A6.%20%5BEmail%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/email_search)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "befcad6f-d66d-459c-8b71-9ac22c902c6f", "create_time": 1765481830.6024225, "update_time": 1765481881.9191456, "name": "Report to appropriate stakeholders", "order": 5, "tasks": [{"id": "aa30f51a-a2fb-4284-be1d-c8d6a0f2935b", "create_time": 1764758755.7259164, "update_time": 1765481881.91892, "name": "Identify appropriate stakeholders", "order": 1, "tag": "4bb2a31a-ccc7-4bc3-a5b7-cf946cb10fb0", "description": "Identify who should receive which information. This may include the regulatory compliance team, all internal employees, customers, partners, appropriate government officials, the public, system vendors, open source communities, and others.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "c2c0365b-7e90-4f34-a074-05b31a6bbb00", "create_time": 1764758755.7260718, "update_time": 1765481881.9190648, "name": "Send reports", "order": 2, "tag": "03fd935b-9848-4eee-8179-1d33592a2658", "description": "Send the appropriate amount of information to identified parties. If it is beneficial, give them a way to respond to the information.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "370933e2-b9c1-4de8-90bd-10477e48ed7e", "create_time": 1765481830.602553, "update_time": 1765481881.9215052, "name": "Prevent future breaches", "order": 6, "tasks": [{"id": "574bfcd8-31c3-4b51-9e73-b8a35403894c", "create_time": 1764758755.726329, "update_time": 1765481881.921397, "name": "Prevent future breaches", "order": 1, "tag": "690e3199-c277-4a6f-8ada-9c4c5bbc3e48", "description": "Use information from this case to investigate further, apply patches, prevent behaviors, change systems, and otherwise prevent similar situations from occurring again. Setup automated checks for reinfection using similar indicators or TTP's.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}], "template_id": "dcb047a2-c621-41c6-b3d5-acabcbb20b1d", "active": true, "used": false, "_user": "nobody", "_key": "b0ad7421-221a-4859-8af7-7cd8949ad10f"}