Module 14: Incident Response & Case Management
When something is real — contain, investigate, document, close.
You'll build a full TheHive case from the Shadow Broker alerts — timeline, IOCs, containment recommendations.
Lessons & Labs
Incident Response Lifecycle & Frameworks
NIST SP 800-61, SANS 6-step, severity classification P1-P4, IR team roles, escalation matrices
Lab 14.1 — IR Tabletop Exercise
Walk through a ransomware scenario: classify severity, assign roles, make containment decisions.
TheHive & Case Management
Cases, tasks, observables, Cortex analyzers, case templates, MISP integration
Lab 14.2 — Case Management with TheHive
Create case from alert, add observables, run Cortex analyzers, document findings.
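The lab's steps (promote the alert to a case, attach observables, open containment tasks) as one added PowerShell script against TheHive's REST API. This is an added example for this module, not course material or TheHive's own code; it assumes a TheHive 5 instance exposing the v1 API at $HiveUrl, an API key with case-write rights, and that the alert ID, URL, IOC values and task titles are placeholders you replace with the Shadow Broker alert's real values.

```powershell
# Added example, not part of the course. Assumes TheHive 5 v1 REST API; URL, API key,
# alert ID and the IOC values below are constructed placeholders.
param(
    [string]$HiveUrl = 'https://thehive.example.internal',
    [string]$ApiKey  = $env:THEHIVE_API_KEY,
    [string]$AlertId = '~4128'            # placeholder: the triaged Shadow Broker alert
)

function Invoke-Hive {
    # Thin wrapper so every call carries the bearer token and JSON content type.
    param([string]$Method, [string]$Path, [object]$Body)
    $params = @{
        Method      = $Method
        Uri         = "$HiveUrl$Path"
        Headers     = @{ Authorization = "Bearer $ApiKey" }
        ContentType = 'application/json'
    }
    if ($null -ne $Body) { $params.Body = ($Body | ConvertTo-Json -Depth 6) }
    Invoke-RestMethod @params
}

# The module's P1-P4 scale has P1 as the worst; TheHive's severity field is 1 = low
# through 4 = critical, so the scale inverts. Map it explicitly rather than filing a
# P1 as a low-severity case by accident.
$severityMap = @{ P1 = 4; P2 = 3; P3 = 2; P4 = 1 }

# 1. Promote the alert instead of creating a fresh case: the alert stays linked, which
#    preserves the detection-to-case audit trail the PIR will need.
$case = Invoke-Hive -Method Post -Path "/api/v1/alert/$AlertId/case" -Body @{
    title       = 'Shadow Broker: credential theft and lateral movement'
    description = 'Promoted from alert after triage. Timeline and IOCs attached as observables.'
    severity    = $severityMap['P2']
    tlp         = 2      # TLP:AMBER
    pap         = 2      # PAP:AMBER
    tags        = @('shadow-broker', 'T1003', 'T1021.002')
}
$caseId = $case._id

# 2. Observables. ioc = $true is what distinguishes an indicator you want Cortex/MISP
#    to act on from context (the victim hostname) that must never be exported as an IOC.
$observables = @(
    @{ dataType = 'ip';       data = '198.51.100.23';      message = 'C2 callback in proxy logs';     ioc = $true  },
    @{ dataType = 'domain';   data = 'update-cdn.example'; message = 'Staging domain from loader';    ioc = $true  },
    @{ dataType = 'hash';     data = '9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08'
                              message = 'SHA-256 of dropped loader (placeholder)'; ioc = $true  },
    @{ dataType = 'hostname'; data = 'WS-01';              message = 'Patient zero';                  ioc = $false }
)
foreach ($obs in $observables) {
    $obs.tlp = 2
    Invoke-Hive -Method Post -Path "/api/v1/case/$caseId/observable" -Body $obs | Out-Null
}

# 3. Containment recommendations as case tasks, so they are assigned, tracked and closed
#    inside the case rather than lost in chat.
$tasks = 'Isolate WS-01 and SRV-DB-01 from the network',
         'Block C2 IP and domain at proxy and perimeter firewall',
         'Capture memory and disk images before any eradication step',
         'Reset credentials for accounts seen accessing LSASS'
foreach ($title in $tasks) {
    Invoke-Hive -Method Post -Path "/api/v1/case/$caseId/task" -Body @{ title = $title; group = 'containment' } | Out-Null
}

"Case $caseId created with $($observables.Count) observables and $($tasks.Count) containment tasks"
```

Run it after triage with the real alert ID; if your instance is TheHive 4 the same v1 paths apply, but check the severity and TLP values against your deployment's configuration before relying on the mapping.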
Containment, Eradication & Recovery
Short- and long-term containment, evidence preservation, eradication checklists, recovery validation
Lab 14.3 — Incident Containment Simulation
Multi-host compromise: isolate endpoints, block IOCs, preserve evidence, validate eradication.
Post-Incident Review & Lessons Learned
Blameless PIRs, root cause analysis, 5-Whys, MTTD/MTTR metrics, updating playbooks
Lab 14.4 — Post-Incident Documentation
Conduct PIR, calculate MTTD/MTTR, update detection rules, write lessons learned.
Incident Reporting & Communication
Report templates, audience-appropriate communication, regulatory requirements, stakeholder updates
Lab 14.5 — Complete Incident Report
Write formal incident report: executive summary, technical timeline, IOC table, ATT&CK mapping.
Compliance & Governance for Incident Responders
Risk management basics, NIST CSF, ISO 27001, PCI-DSS, HIPAA — how compliance frameworks shape detection, retention, and response requirements
PowerShell for Incident Response
PowerShell remoting, one-to-many collection, essential IR cmdlets, Kansa framework, comparison with Velociraptor VQL
Lab 14.6 — PowerShell Collection Exercise
Browser-only: Analyze IR scripts, build a collection script, map Kansa modules, compare PowerShell vs VQL approaches.
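A one-to-many collection script of the kind the lab asks you to build, as an added example for this module (not course code and not part of Kansa). It assumes PowerShell remoting (WinRM) is enabled on the targets, that the account running it is a local administrator there, and that the hostnames, output path and throttle value are placeholders. The collection block is read-only and gathers volatile data first; the manifest at the end is the evidence-preservation step.

```powershell
# Added example, not course material. Assumes WinRM is enabled on targets and the caller
# has local admin rights there; hostnames and paths are placeholders.
param(
    [string[]]$ComputerName = @('ws-01', 'ws-02', 'srv-db-01'),   # placeholder targets
    [string]$OutputRoot     = 'C:\IR\collection',
    [int]$ThrottleLimit     = 32
)

# Runs on each remote host. Order matters: volatile state (processes, sockets) before
# persistence points, and nothing is written to the host.
$collector = {
    $snapshot = [ordered]@{
        Hostname    = $env:COMPUTERNAME
        CollectedAt = (Get-Date).ToUniversalTime().ToString('o')
        Processes   = Get-CimInstance Win32_Process |
                      Select-Object ProcessId, ParentProcessId, Name, CommandLine, ExecutablePath, CreationDate
        Connections = Get-NetTCPConnection -State Established, Listen -ErrorAction SilentlyContinue |
                      Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess
        Services    = Get-CimInstance Win32_Service |
                      Select-Object Name, State, StartMode, PathName, StartName
        Tasks       = Get-ScheduledTask -ErrorAction SilentlyContinue | Where-Object State -ne 'Disabled' |
                      Select-Object TaskName, TaskPath,
                          @{ n = 'Actions'; e = { ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; ' } }
        RunKeys     = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
                      'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
                      'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' |
                      Where-Object { Test-Path $_ } |
                      ForEach-Object { Get-ItemProperty $_ | Select-Object * -ExcludeProperty PS* }
        LocalAdmins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
                      Select-Object Name, PrincipalSource
    }
    [pscustomobject]$snapshot
}

New-Item -ItemType Directory -Path $OutputRoot -Force | Out-Null

# One-to-many: Invoke-Command fans the block out in parallel. -ThrottleLimit bounds
# concurrency; SilentlyContinue plus -ErrorVariable keeps one unreachable host from
# aborting the run while still recording which hosts failed.
$results = Invoke-Command -ComputerName $ComputerName -ScriptBlock $collector `
    -ThrottleLimit $ThrottleLimit -ErrorAction SilentlyContinue -ErrorVariable collectErrors

foreach ($r in $results) {
    $path = Join-Path $OutputRoot "$($r.Hostname).json"
    $r | ConvertTo-Json -Depth 5 | Set-Content -Path $path -Encoding UTF8
}

# Evidence preservation: hash every artifact as soon as it lands and keep the manifest
# with the case. This is what you point to when integrity is questioned later.
Get-ChildItem $OutputRoot -Filter *.json |
    ForEach-Object {
        [pscustomobject]@{
            File   = $_.Name
            SHA256 = (Get-FileHash $_.FullName -Algorithm SHA256).Hash
            Bytes  = $_.Length
        }
    } | Export-Csv -Path (Join-Path $OutputRoot 'manifest.csv') -NoTypeInformation

# A host that does not answer during an active incident is a finding, not a footnote:
# surface it so it becomes a case task rather than a silent gap in coverage.
foreach ($e in $collectErrors) {
    Write-Warning "Collection failed for $($e.TargetObject): $($e.Exception.Message)"
}
```

Compared with Kansa, this is the same pattern (a script block pushed over remoting, results gathered centrally) without Kansa's per-module packaging and analysis scripts; the equivalent Velociraptor VQL artifact would be scheduled from the server against enrolled clients instead of pushed over WinRM, which is the trade-off the lab asks you to weigh.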