WEEK_4 · DAY_26 · 1 HOUR
Incident Response Playbook
PICERL — Prepare, Identify, Contain, Eradicate, Recover, Lessons
Learning Objectives
- Run an IR tabletop on a real ransomware scenario
- Apply PICERL stage by stage
- Manage stakeholders (legal, comms, exec, IT)
- Produce a post-incident report and detection improvements
Module 1 — PICERL
Prepare — playbooks, comms tree, contacts, IR tooling.
Identify — confirm the incident, classify severity, scope.
Contain — short-term (block IP, isolate host) + long-term (segmentation, password reset).
Eradicate — remove malware, close vulnerabilities, rotate secrets.
Recover — bring systems back online, validate, monitor.
Lessons — root cause, timeline, detection gaps, process gaps.
Module 2 — Stakeholder Map
Legal · Comms/PR · Exec · IT · HR (insider) · Customers (notification) · Regulators · Insurance · Law enforcement.
Module 3 — IR in Splunk ES
Use Investigations to centralize the case. Add notables, comments, files, timeline notes.
ES Investigation Workbench = IR case management.
Lab 26 — Run an IR Tabletop
- Open Splunk ES → Investigations → INV-104 (Ransomware on FIN-WS-091).
- Walk PICERL stage by stage with hypothetical decisions.
- Identify which stakeholders to notify and when.
- Document 3 detection gaps and 3 process gaps.
Key Takeaways
- ✓ PICERL is the universal IR vocabulary
- ✓ Use ES Investigations to centralize the case
- ✓ Lessons learned must produce concrete detection + process improvements