IR Playbook | Script can be used when: |
---|---|
Account Compromise | Suspected or confirmed successful unauthorized use of an account to access system resources, configurations, and/or data. |
Denial of Service Attack | System or network service(s) performance negatively impacted or disrupted by intentional resource saturation. |
Excessive Phishing Emails | Above baseline level of phishing emails. |
Excessive SPAM Emails | Above baseline level of SPAM. |
Lost/Stolen PC | A laptop or desktop computer is missing. |
Lost/Stolen Mobile Device | A smartphone, smart watch, tablet, or any other personal electronic device that may have stored data or direct access to internal resources is missing. |
Lost/Stolen Removable Media | USB drive, thumb drive, or CD/DVD is missing. |
Phishing Compromise (Action Taken) | User has clicked on a link within a phishing email and/or provided information to an unverified/unauthorized party. |
Unauthorized Data Access | Suspected or confirmed successful unauthorized access to data with possible exfiltration. Consider network transmission, keyloggers, etc. |
Unauthorized Data Destruction/Erasure | Suspected or confirmed successful unauthorized data deletion, including audit logs. |
Unauthorized Disclosure/Exposure | Suspected or confirmed data exposure via public display, email, guest access, etc. |
Unauthorized Modification | Suspected or confirmed unauthorized data modification or configuration change. |
Voice Solicitation (Vishing) Attempt(s) | Phone call soliciting sensitive data. |