[ { "name": "1. Collect & Distribute", "color": "#c51152", "list": [ { "name": "2-way Ticket synchronization", "items": {} }, { "name": "Email management", "items": { "name": "Release a quarantined message", "items": {} } }, { "name": "EDR to ticket", "items": { "name": "Get host information", "items": {} } }, { "name": "SIEM to ticket", "items": {} }, { "name": "ChatOps", "items": {} }, { "name": "Threat Intel received", "items": {} }, { "name": "Domain investigation with LetsEncrypt", "items": {} }, { "name": "Botnet tracker", "items": {} }, { "name": "Get running containers", "items": {} }, { "name": "Assign tickets", "items": {} }, { "name": "Firewall alerts", "items": { "name": "URL filtering", "items": {} } }, { "name": "IDS/IPS alerts", "items": { "name": "Manage policies", "items": {} } }, { "name": "Deduplicate information", "items": {} }, { "name": "Correlate information", "items": {} } ] }, { "name": "2. Enrich", "color": "#f4c20d", "list": [ { "name": "Internal Enrichment", "items": { "name": "...", "items": {} } }, { "name": "External historical Enrichment", "items": { "name": "...", "items": {} } }, { "name": "Realtime", "items": { "name": "Analyze screenshots", "items": {} } }, { "name": "Ticketing webhook verification", "items": {} } ] }, { "name": "3. Detect", "color": "#3cba54", "list": [ { "name": "Search SIEM (Sigma)", "items": { "name": "Endpoint", "items": {} } }, { "name": "Search EDR (OSQuery)", "items": {} }, { "name": "Search emails (Phish)", "items": { "name": "Check headers and IOCs", "items": {} } }, { "name": "Search IOCs (ioc-finder)", "items": {} }, { "name": "Search files (Yara)", "items": {} }, { "name": "Correlate tickets", "items": {} }, { "name": "Honeypot access", "items": { "name": "...", "items": {} } } ] }, { "name": "4. Respond", "color": "#4a148c", "list": [ { "name": "Eradicate malware", "items": {} }, { "name": "Quarantine host(s)", "items": {} }, { "name": "Trigger scans", "items": {} }, { "name": "Update indicators (FW, EDR, SIEM...)", "items": {} }, { "name": "Autoblock activity when threat intel is received", "items": {} }, { "name": "Lock/Delete/Reset account", "items": {} }, { "name": "Lock vault", "items": {} }, { "name": "Increase authentication", "items": {} }, { "name": "Get policies from assets", "items": {} } ] }, { "name": "5. Verify", "color": "#4885ed", "list": [ { "name": "Discover vulnerabilities", "items": {} }, { "name": "Discover assets", "items": {} }, { "name": "Ensure policies are followed", "items": {} }, { "name": "Find Inactive users", "items": {} }, { "name": "Ensure access rights match HR systems", "items": {} }, { "name": "Ensure onboarding is followed", "items": {} }, { "name": "Third party apps in SaaS", "items": {} }, { "name": "Devices used for your cloud account", "items": {} }, { "name": "Too much access in GCP/Azure/AWS/other clouds", "items": {} }, { "name": "Certificate validation", "items": {} }, { "name": "Monitor new DNS entries for domain with passive DNS", "items": {} }, { "name": "Monitor and track password dumps", "items": {} }, { "name": "Monitor for mentions of domain on darknet sites", "items": {} }, { "name": "Reporting", "items": { "name": "Monthly reports", "items": { "name": "...", "items": {} } } } ] } ]