Objective
Lab goal

This lab focuses on designing structured response playbooks for common attack scenarios. You’ll build workflows for brute‑force attacks, suspicious DNS activity, malware alerts, and lateral movement, then integrate them into your SIEM. Each playbook pairs the triggers that fire it (the detections or alerts) with the ordered actions it takes, so the same alert produces the same response whoever is on shift.

  • Outcome 1: Response playbooks created for four attack types.
  • Outcome 2: Workflow diagrams designed for each scenario.
  • Outcome 3: Playbooks integrated into SIEM automation.
  • Outcome 4: Documentation updated with response logic.
Lab 15: Response Playbooks & Workflow Design
Designing structured response playbooks for common attack patterns.

Deliverables
End‑of‑lab checklist

  • DL15.1: Brute‑force response playbook.
  • DL15.2: Suspicious DNS response playbook.
  • DL15.3: Malware alert response playbook.
  • DL15.4: Lateral movement response playbook.
  • DL15.5: Workflow diagrams and documentation.

Lab Steps
Step‑by‑step instructions

Step 1 – Build Brute‑Force Response Playbook

~45 minutes
  1. Define triggers:
    • Failed logon spikes (many failures against one account from one source)
    • Password‑spray patterns (one source, many accounts, few failures per account, staying under lockout thresholds)
  2. Define actions:
    • Disable account (the targeted account in a spike; in a spray, disabling every account touched would hand the attacker a denial of service)
    • Block source IP
    • Notify admin
  3. Create workflow diagram.
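The following is an added example (not code from the lab page) of Step 1 expressed as runnable playbook logic: the two triggers are evaluated over constructed Windows Security 4625 (failed logon) records, and each trigger maps to its ordered actions. The thresholds, window, sample events and action names are assumptions chosen for illustration.

```python
"""Brute-force response playbook (added example; not from the lab page).

Triggers are evaluated over constructed Windows Security 4625 (failed
logon) records. Thresholds and the sample data are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed 4625 records, normalised the way a SIEM would present them.
SAMPLE_EVENTS = (
    # Spike: one source hammering one account.
    [{"ts": f"2024-05-01T09:00:{s:02d}", "account": "jsmith", "src_ip": "203.0.113.10"}
     for s in range(40)]
    # Spray: one source, many accounts, one failure each.
    + [{"ts": f"2024-05-01T09:05:{s:02d}", "account": f"user{s:02d}", "src_ip": "198.51.100.7"}
       for s in range(25)]
    # Noise: a user mistyping a password twice.
    + [{"ts": "2024-05-01T09:10:00", "account": "alee", "src_ip": "10.0.0.5"},
       {"ts": "2024-05-01T09:10:07", "account": "alee", "src_ip": "10.0.0.5"}]
)

# Assumed thresholds; tune against the environment's baseline.
WINDOW = timedelta(minutes=15)
SPIKE_THRESHOLD = 20        # failures for one account from one source
SPRAY_MIN_ACCOUNTS = 10     # distinct accounts tried from one source
SPRAY_MAX_PER_ACCOUNT = 3   # a spray stays under lockout thresholds per account


def evaluate_triggers(events, now_iso):
    """Return the triggers that fire in the WINDOW ending at now_iso."""
    now = datetime.fromisoformat(now_iso)
    start = now - WINDOW
    failures = defaultdict(lambda: defaultdict(int))   # src_ip -> account -> count
    for e in events:
        ts = datetime.fromisoformat(e["ts"])
        if start <= ts <= now:
            failures[e["src_ip"]][e["account"]] += 1

    triggers = []
    for src, accounts in failures.items():
        # Password spray: breadth across accounts, shallow per account.
        if (len(accounts) >= SPRAY_MIN_ACCOUNTS
                and max(accounts.values()) <= SPRAY_MAX_PER_ACCOUNT):
            triggers.append({"type": "password_spray", "src_ip": src,
                             "accounts": sorted(accounts)})
            continue
        # Failed-logon spike: depth against one account.
        for account, n in accounts.items():
            if n >= SPIKE_THRESHOLD:
                triggers.append({"type": "failed_logon_spike", "src_ip": src,
                                 "account": account, "count": n})
    return triggers


def plan_actions(trigger):
    """Map a trigger to its ordered actions.

    A spray touches many accounts a few times each, so disabling all of
    them would hand the attacker a denial of service; block the source
    and notify instead. A spike against one account justifies disabling
    that account until its owner is contacted.
    """
    actions = [f"block_source_ip:{trigger['src_ip']}"]
    if trigger["type"] == "failed_logon_spike":
        actions.append(f"disable_account:{trigger['account']}")
    actions.append("notify_admin")
    return actions


def run_playbook(events, now_iso):
    """Evaluate triggers and return (trigger_type, actions) pairs."""
    return [(t["type"], plan_actions(t)) for t in evaluate_triggers(events, now_iso)]


if __name__ == "__main__":
    for kind, actions in run_playbook(SAMPLE_EVENTS, "2024-05-01T09:10:07"):
        print(kind, actions)
```

Run as written, the spike against jsmith produces a block, a disable and a notification, while the spray from 198.51.100.7 produces only a block and a notification; the two mistyped passwords from 10.0.0.5 fire nothing. The action strings stand in for whatever your SIEM or SOAR calls (an EDR isolation API, a firewall rule push, a ticket); the point is that the decision of which actions run lives in one place and is testable offline.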

Step 2 – Build Suspicious DNS Response Playbook

~45 minutes
  1. Define triggers:
    • Queries to known malicious domains (threat‑intel denylist match)
    • High‑entropy DNS requests (randomised labels typical of DGAs and DNS tunnelling)
  2. Define actions:
    • Block domain
    • Check process responsible (Sysmon Event ID 22 records the querying image, so the process is in the event itself)
    • Run enrichment (WHOIS, passive DNS, reputation lookups)
  3. Create workflow diagram.
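As an added example (not code from the lab page), Step 2 as runnable playbook logic over constructed Sysmon Event ID 22 (DnsQuery) style records. The denylist, entropy threshold, minimum label length, hostnames and process paths are assumptions; the entropy is computed over the leftmost label only, which is where DGAs and tunnels put their randomness.

```python
"""Suspicious DNS response playbook (added example; not from the lab page).

Evaluates constructed Sysmon Event ID 22 (DnsQuery) records. Those records
carry the querying process image, so "check process responsible" needs no
extra lookup. Denylist, thresholds, hosts and paths are assumptions.
"""
import math
from collections import Counter

# Constructed denylist; in practice this comes from threat-intel feeds.
KNOWN_BAD = {"update-check.example.net"}
ENTROPY_THRESHOLD = 3.5   # assumed; bits per character of the leftmost label
MIN_LABEL_LEN = 12        # short labels score low whatever they encode

# Constructed Sysmon 22 records as a SIEM would normalise them.
SAMPLE_QUERIES = [
    {"host": "WS01", "image": r"C:\Windows\System32\svchost.exe",
     "query": "www.example.com"},
    {"host": "WS01", "image": r"C:\Users\jsmith\AppData\Local\Temp\upd.exe",
     "query": "update-check.example.net"},
    {"host": "WS02", "image": r"C:\Users\alee\AppData\Roaming\x.exe",
     "query": "a9f3k2m7q1x8c4v6b0n5z2w.example.org"},
    {"host": "WS03", "image": r"C:\Program Files\Browser\browser.exe",
     "query": "documentation.example.com"},   # long but low-entropy label
]


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for empty input)."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def leftmost_label(domain):
    """The label a DGA or tunnel randomises (crude: the first label)."""
    return domain.split(".")[0]


def evaluate_query(record):
    """Return the trigger name that fires for this record, or None."""
    domain = record["query"].lower().rstrip(".")
    if domain in KNOWN_BAD:
        return "known_malicious_domain"
    label = leftmost_label(domain)
    if len(label) >= MIN_LABEL_LEN and shannon_entropy(label) >= ENTROPY_THRESHOLD:
        return "high_entropy_query"
    return None


def plan_actions(record, trigger):
    """Ordered actions: contain, attribute, then enrich for the analyst.

    Blocking the domain is immediate; the responsible process comes from
    the record itself; enrichment (WHOIS, passive DNS, reputation) is
    queued rather than awaited so containment is not delayed by slow lookups.
    """
    domain = record["query"].lower().rstrip(".")
    return [
        f"block_domain:{domain}",
        f"process_responsible:{record['host']}:{record['image']}",
        f"enrich:{domain}:{trigger}",
    ]


def run_playbook(records):
    """Return (trigger_type, actions) pairs for records that fire a trigger."""
    out = []
    for r in records:
        trig = evaluate_query(r)
        if trig:
            out.append((trig, plan_actions(r, trig)))
    return out


if __name__ == "__main__":
    for kind, actions in run_playbook(SAMPLE_QUERIES):
        print(kind, actions)
```

The fourth record shows why the threshold matters: "documentation" is long enough to be scored but its entropy is about 3.2 bits per character, under the threshold, while the random label scores about 4.4. Expect false positives from CDN and cloud hostnames, which are often hashed; in practice the playbook needs an allowlist of such parent domains in front of the entropy check.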

Step 3 – Build Malware Alert Response Playbook

~45 minutes
  1. Define triggers:
    • Defender malware alerts
    • Suspicious process behavior (for example, an Office application or script host spawning a shell)
  2. Define actions:
    • Isolate host (network isolation; keep it powered on so volatile evidence survives)
    • Collect logs and triage artifacts before remediation removes them
    • Scan system
  3. Create workflow diagram.

Step 4 – Build Lateral Movement Response Playbook

~45 minutes
  1. Define triggers:
    • Unusual SMB traffic (one host opening sessions to many peers)
    • Remote service creation (System 7045 or Security 4697) shortly after a network logon
    • Unexpected admin logons (a privileged account logging on from a host it does not normally use)
  2. Define actions:
    • Disable compromised account
    • Block suspicious host
    • Review authentication logs for the account to scope where else it was used
  3. Create workflow diagram.
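As an added example (not code from the lab page), Step 4 as runnable correlation logic: three constructed telemetry streams (network logons, service installations and SMB sessions) are evaluated together, because a service installed on a host minutes after an unexpected admin network logon is a stronger signal than either event alone. Account names, hostnames, the baseline of expected logon sources, the pairing window and the SMB threshold are assumptions; the action names stand in for your SIEM's own automation.

```python
"""Lateral movement response playbook (added example; not from the lab page).

Correlates three constructed telemetry streams, normalised per event:
  logon              Security 4624 with LogonType 3 (network logon)
  service_installed  System 7045 (a service was installed on the host)
  smb_session        network telemetry: one SMB session, src -> dst
Hostnames, accounts, baselines and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

ADMIN_ACCOUNTS = {"da_backup", "svc_deploy"}
# Assumed baseline: hosts each admin account normally logs on from.
EXPECTED_SOURCES = {"da_backup": {"MGMT01"}, "svc_deploy": {"CI01"}}
SERVICE_WINDOW = timedelta(minutes=5)   # admin logon -> service install pairing
SMB_PEER_THRESHOLD = 15                 # distinct SMB peers from one source

SAMPLE_EVENTS = [
    {"ts": "2024-05-01T10:00:00", "kind": "logon", "host": "FS01",
     "account": "da_backup", "src_host": "WS07", "logon_type": 3},
    {"ts": "2024-05-01T10:00:10", "kind": "logon", "host": "FS02",
     "account": "da_backup", "src_host": "MGMT01", "logon_type": 3},
    {"ts": "2024-05-01T10:01:30", "kind": "service_installed", "host": "FS01",
     "service": "PSEXESVC"},
    {"ts": "2024-05-01T10:30:00", "kind": "service_installed", "host": "FS02",
     "service": "BackupAgent"},        # too long after the logon to pair
] + [
    # WS07 fans out to 16 peers: scanning or mass lateral movement.
    {"ts": f"2024-05-01T10:02:{n:02d}", "kind": "smb_session",
     "src_host": "WS07", "dst_host": f"WS{n:02d}"} for n in range(10, 26)
] + [
    {"ts": "2024-05-01T10:03:00", "kind": "smb_session",
     "src_host": "MGMT01", "dst_host": "FS02"},
]


def evaluate_triggers(events):
    """Walk events in time order and return every trigger that fires."""
    last_admin_logon = {}          # (host, account) -> (ts, src_host)
    smb_peers = defaultdict(set)   # src_host -> {dst_host}
    triggers = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        if e["kind"] == "logon" and e["logon_type"] == 3 and e["account"] in ADMIN_ACCOUNTS:
            last_admin_logon[(e["host"], e["account"])] = (ts, e["src_host"])
            if e["src_host"] not in EXPECTED_SOURCES.get(e["account"], set()):
                triggers.append({"type": "unexpected_admin_logon", "host": e["host"],
                                 "account": e["account"], "src_host": e["src_host"]})
        elif e["kind"] == "service_installed":
            # Pair the install with any admin network logon to the same host
            # inside SERVICE_WINDOW: the PsExec-style pattern.
            for (host, account), (logon_ts, src) in last_admin_logon.items():
                if host == e["host"] and ts - logon_ts <= SERVICE_WINDOW:
                    triggers.append({"type": "remote_service_creation", "host": host,
                                     "account": account, "src_host": src,
                                     "service": e["service"]})
        elif e["kind"] == "smb_session":
            smb_peers[e["src_host"]].add(e["dst_host"])
    for src, peers in smb_peers.items():
        if len(peers) >= SMB_PEER_THRESHOLD:
            triggers.append({"type": "unusual_smb_fanout", "src_host": src,
                             "peer_count": len(peers)})
    return triggers


def plan_actions(trigger):
    """Ordered actions for one trigger; the auth-log review scopes the incident."""
    actions = []
    if "account" in trigger:
        actions.append(f"disable_account:{trigger['account']}")
    actions.append(f"block_host:{trigger['src_host']}")
    if "account" in trigger:
        actions.append(f"review_auth_logs:{trigger['account']}:24h")
    else:
        actions.append(f"review_auth_logs:host={trigger['src_host']}:24h")
    return actions


def run_playbook(events):
    """Return (trigger_type, actions) pairs."""
    return [(t["type"], plan_actions(t)) for t in evaluate_triggers(events)]


def consolidate(plans):
    """Merge action lists from several triggers, keeping first-seen order.

    Several triggers usually point at the same account and host; the
    automation should disable and block each once, not once per trigger.
    """
    seen, merged = set(), []
    for _, actions in plans:
        for a in actions:
            if a not in seen:
                seen.add(a)
                merged.append(a)
    return merged


if __name__ == "__main__":
    plans = run_playbook(SAMPLE_EVENTS)
    for kind, actions in plans:
        print(kind, actions)
    print("consolidated:", consolidate(plans))
```

On the constructed data the logon from WS07, the PSEXESVC install on FS01 ninety seconds later and WS07's SMB fan-out all fire, while the same account's logon from its usual management host and the BackupAgent install half an hour later do not. The consolidated plan disables da_backup once, blocks WS07 once, and queues two log reviews.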

Reflection
What you should understand now

  • Structure: How playbooks standardize response.
  • Speed: How workflows accelerate triage.
  • Consistency: How automation reduces human error.

With structured playbooks in place, you’re ready to validate your hunting and response logic in Week 16.