Module 13: Incident Response & Case Management
When something is real — contain, investigate, document, close.
Lessons
Incident Response Lifecycle & Frameworks
NIST SP 800-61, SANS 6-step, severity classification P1-P4, IR team roles, escalation matrices
TheHive & Case Management
Cases, tasks, observables, Cortex analyzers, case templates, MISP integration
Containment, Eradication & Recovery
Short/long-term containment, evidence preservation, eradication checklists, recovery validation
Post-Incident Review & Lessons Learned
Blameless PIRs, root cause analysis, 5-Whys, MTTD/MTTR metrics, updating playbooks
Incident Reporting & Communication
Report templates, audience-appropriate communication, regulatory requirements, stakeholder updates
Labs
Lab 13.1 — IR Tabletop Exercise
Walk through a ransomware scenario: classify severity, assign roles, make containment decisions.
Lab 13.2 — Case Management with TheHive
Create a case from an alert, add observables, run Cortex analyzers, and document findings.
Lab 13.3 — Incident Containment Simulation
Multi-host compromise: isolate endpoints, block IOCs, preserve evidence, validate eradication.
Lab 13.4 — Post-Incident Documentation
Conduct a PIR, calculate MTTD/MTTR, update detection rules, and write up lessons learned.
Lab 13.5 — Complete Incident Report
Write a formal incident report: executive summary, technical timeline, IOC table, ATT&CK mapping.