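---
# Variables for the incident response plan template. Every value is a
# single-quoted '{{PLACEHOLDER}}' token that is substituted when the plan is
# rendered. Keep the single quotes when filling in real values: a bare {{...}}
# is parsed by YAML as a flow mapping, and filled-in revision numbers, dates,
# and phone numbers would otherwise be retyped by the parser instead of
# staying strings.

# The name of your organization (e.g., Acme, Inc.)
COMPANY_NAME: '{{COMPANY_NAME}}'
# Name of plan author (e.g., Chris)
AUTHOR_NAME: '{{AUTHOR_NAME}}'
# Email of plan author (e.g., [email protected])
AUTHOR_EMAIL: '{{AUTHOR_EMAIL}}'
# Document control metadata (e.g., 1)
REVISION_NUMBER: '{{REVISION_NUMBER}}'
# Document control metadata (e.g., 7 Jan 2021)
RELEASE_DATE: '{{RELEASE_DATE}}'
# Date someone last reviewed the plan (e.g., 7 Jan 2021)
REVIEW_DATE: '{{REVIEW_DATE}}'
# Date someone last tested the plan (e.g., 7 Jan 2021)
TEST_DATE: '{{TEST_DATE}}'
# URL or reference to IR chat program like Teams, Slack, or Discord (e.g., chat.acme.tld/codename)
RESPONSE_CHAT: '{{RESPONSE_CHAT}}'
# Phone number for response teleconference (e.g., 123-456-7890)
RESPONSE_PHONE: '{{RESPONSE_PHONE}}'
# URL for response video teleconference (VTC) like Zoom or WebEx (e.g., zoom.acme.tld/codename)
RESPONSE_VTC: '{{RESPONSE_VTC}}'
# Description/URL for alternate email (e.g., alt 365 tenant at ir.acme.tld/othermail)
ALTERNATE_EMAIL: '{{ALTERNATE_EMAIL}}'
# Domain name for your organization (e.g., acme.tld)
ORGANIZATION_DOMAIN: '{{ORGANIZATION_DOMAIN}}'
# Number to page Commander(s) (e.g., 555-PAGE)
INCIDENT_COMMANDER_PAGER_NUMBER: '{{INCIDENT_COMMANDER_PAGER_NUMBER}}'
# URL to page Commander(s) (e.g., ir.acme.tld/ic-page)
INCIDENT_COMMANDER_PAGER_URL: '{{INCIDENT_COMMANDER_PAGER_URL}}'
# URL/path to Commander roster/list (e.g., ir.acme.tld/ic-roster)
INCIDENT_COMMANDER_ROSTER: '{{INCIDENT_COMMANDER_ROSTER}}'
# As above, for security team (e.g., ir.acme.tld/sec-roster)
SECURITY_TEAM_ROSTER: '{{SECURITY_TEAM_ROSTER}}'
# As above, for SMEs (e.g., ir.acme.tld/sme-roster)
TEAM_SME_ROSTER: '{{TEAM_SME_ROSTER}}'
# As above, for executive team (e.g., ir.acme.tld/exec-roster)
EXECUTIVE_ROSTER: '{{EXECUTIVE_ROSTER}}'
# Time to wait for on-duty IC on call (e.g., 15 minutes)
INCIDENT_COMMANDER_RESPONSE_SLA: '{{INCIDENT_COMMANDER_RESPONSE_SLA}}'
# Time between scheduled updates (e.g., 4 hours)
UPDATE_FREQUENCY: '{{UPDATE_FREQUENCY}}'
# URL/path to incident file (e.g., ir.acme.tld/files/codename)
INCIDENT_FILE_LOCATION: '{{INCIDENT_FILE_LOCATION}}'
# URL/path to critical information list, data you want to protect (e.g., ir.acme.tld/cil)
CRITICAL_INFO_LIST_LOCATION: '{{CRITICAL_INFO_LIST_LOCATION}}'
# URL/path to critical asset list, systems you want to protect (e.g., ir.acme.tld/cal)
CRITICAL_ASSET_LIST_LOCATION: '{{CRITICAL_ASSET_LIST_LOCATION}}'
# URL/path to asset management DB (e.g., ir.acme.tld/assets)
ASSET_MGMT_DB_LOCATION: '{{ASSET_MGMT_DB_LOCATION}}'
# URL/path to network map (e.g., ir.acme.tld/netmap)
NETWORK_MAP_LOCATION: '{{NETWORK_MAP_LOCATION}}'
# URL to SIEM (e.g., siem.acme.tld)
SIEM_CONSOLE_LOCATION: '{{SIEM_CONSOLE_LOCATION}}'
# URL to log aggregator (e.g., elk.acme.tld)
LOG_AGGREGATOR_CONSOLE: '{{LOG_AGGREGATOR_CONSOLE}}'
# Name/URL of live response tool (e.g., [velociraptor](https://www.velocidex.com))
LIVE_RESPONSE_TOOL: '{{LIVE_RESPONSE_TOOL}}'
# Name/URL of memory collection tool (e.g., [winpmem](https://github.com/Velocidex/WinPmem))
MEMORY_COLLECTION_TOOL: '{{MEMORY_COLLECTION_TOOL}}'
# Name/URL of disk imaging tool (e.g., [sumuri](https://sumuri.com/software))
DISK_IMAGE_TOOL: '{{DISK_IMAGE_TOOL}}'
# URL/path to IR report template (e.g., ir.acme.tld/report/template)
INCIDENT_REPORT_TEMPLATE: '{{INCIDENT_REPORT_TEMPLATE}}'
# URL/path to report recipient list (e.g., ir.acme.tld/report/recipients)
INCIDENT_REPORT_RECIPIENTS: '{{INCIDENT_REPORT_RECIPIENTS}}'
# Compliance team name and contact info (e.g., the legal team, [email protected])
COMPLIANCE_TEAM: '{{COMPLIANCE_TEAM}}'
# Communications team name and contact info (e.g., the marketing team, [email protected])
COMMUNICATIONS_TEAM: '{{COMMUNICATIONS_TEAM}}'
# Executive team name and contact info (e.g., the front office, [email protected])
EXECUTIVE_TEAM: '{{EXECUTIVE_TEAM}}'
# Legal team name (e.g., the legal team, [email protected])
LEGAL_TEAM: '{{LEGAL_TEAM}}'
# Local law enforcement contact info (e.g., Detective Jane Doe, [email protected])
LOCAL_LE_CONTACT: '{{LOCAL_LE_CONTACT}}'
# FBI contact info (e.g., 1-800-CALL-FBI (225-5324), https://www.fbi.gov/contact-us)
FBI_CONTACT: '{{FBI_CONTACT}}'
# Vendor for IR and infosec support (e.g., [Counteractive Security](https://www.counteractive.net))
INCIDENT_RESPONSE_VENDOR: '{{INCIDENT_RESPONSE_VENDOR}}'
# Vendor for PR support (e.g., public relations llc, pr.firm.tld)
PUBLIC_RELATIONS_VENDOR: '{{PUBLIC_RELATIONS_VENDOR}}'
# (Cyber) insurance provider (e.g., AAA insurance co., cyber.insurance.tld)
INSURANCE_VENDOR: '{{INSURANCE_VENDOR}}'
# Industry ISAC contact info (e.g., FS ISAC, https://en.wikipedia.org/wiki/Information_Sharing_and_Analysis_Center)
ISAC_CONTACT: '{{ISAC_CONTACT}}'
# After action review (AAR) service level agreement (time after completion of incident to conduct AAR) (e.g., 5 business days)
AAR_SLA: '{{AAR_SLA}}'
# AAR attendees (e.g., ir.acme.tld/aar/attendees)
AAR_ATTENDEES: '{{AAR_ATTENDEES}}'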