I built documented incident response playbooks around the four-phase NIST SP 800-61 lifecycle and drove triage from Splunk correlation searches. Codifying the workflow brought mean time to detect below 15 minutes for high-fidelity alert classes.

Objective & Context

Ad-hoc response loses time and evidence. This lab turns the NIST SP 800-61 phases – Preparation, Detection & Analysis, Containment/Eradication/Recovery, and Post-Incident – into repeatable runbooks with explicit decision points and evidence-handling rules.

  • T1078 Valid Accounts – anomalous logon correlation as a primary detection.
  • T1486 Data Encrypted for Impact – ransomware playbook with isolation-first containment.

Environment & Prerequisites

  • Splunk with endpoint and auth log sources onboarded.
  • An asset inventory and defined severity matrix (SEV1–SEV4).
  • A chain-of-custody template and out-of-band comms plan.

Methodology

Why severity drives the path

Each playbook branches on severity: SEV1 (active compromise) triggers immediate isolation, while SEV3 follows monitored analysis. This prevents over-reacting to noise and under-reacting to real intrusions.

Step-by-Step Execution

1. Detection: a Splunk correlation search

index=auth action=failure | stats count by src_ip | where count > 20

2. Triage: enrich and classify severity

splunk search "src_ip=203.0.113.45" -maxout 100 | lookup threat_intel ip

3. Containment: isolate the host

nft add rule inet filter output ip daddr != 192.168.10.0/24 drop # [PRIVILEGED]
[SEV1] host 192.168.20.15 isolated; case IR-2026-0142 opened

Validation & Testing

Run a tabletop using a simulated brute-force-then-lateral-movement scenario and time each phase. Pass criteria: detection under 15 minutes, containment decision documented, and a complete post-incident report with lessons learned.

Advanced: Troubleshooting
  • Alert fatigue: tune thresholds and add risk-based scoring before escalating.
  • Evidence gaps: capture volatile data before isolation where SEV permits.
  • Slow triage: pre-build lookups for threat intel and asset ownership.

Key Results

  • Reduced mean time to detect (MTTD) to under 15 minutes for priority alert classes.
  • Documented 4 severity-branched playbooks covering 12 common incident types.
  • Achieved 100% chain-of-custody completion across tabletop exercises.
  • Cut average triage time by roughly 50% with pre-built enrichment lookups.