WEEK_4 · DAY_26 · LAB

Lab 26 — Run an IR Tabletop

PICERL — Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned


Lab Objectives

  • Run an IR tabletop on a real ransomware scenario
  • Apply PICERL stage by stage
  • Manage stakeholders (legal, comms, exec, IT)
  • Produce a post-incident report and a list of concrete detection improvements

Lab Instructions

  1. Open Splunk ES → Investigations → INV-104 (Ransomware on FIN-WS-091).
  2. Walk PICERL stage by stage, recording the hypothetical decision taken at each stage.
  3. Identify which stakeholders to notify and when.
  4. Document 3 detection gaps and 3 process gaps.