Security Operations Center Playbooks

A comprehensive library of professional incident response playbooks, templates, detection rules, and automation scripts for enterprise Security Operations Centers. This repository demonstrates practical SOC operations knowledge and incident response capabilities suitable for production security environments.


Repository Overview

This repository contains a complete set of SOC operational resources including:

  • 7 Detailed Incident Response Playbooks covering the most common security incidents
  • 3 Realistic Incident Reports demonstrating professional documentation practices
  • Detection Rules and Use Cases with both plain language and Splunk SPL queries
  • SOC Metrics Dashboard tracking KPIs like MTTD, MTTR, and SLA compliance
  • Reusable Templates for incident tickets, chain of custody, and post-incident reviews
  • Python Automation Scripts for incident reporting, metrics calculation, and log analysis

This represents the type of operational documentation and tooling used by professional Security Operations Centers in enterprise environments.


Repository Structure

Security-Operations-Center-Playbooks/
├── playbooks/
│   ├── phishing-attack-response.md
│   ├── ransomware-incident-response.md
│   ├── brute-force-attack-response.md
│   ├── insider-threat-response.md
│   ├── malware-infection-response.md
│   ├── data-exfiltration-response.md
│   └── unauthorized-access-response.md
├── incident-reports/
│   ├── IR-2025-047-Business-Email-Compromise.md
│   ├── IR-2025-063-Ransomware-Outbreak.md
│   └── IR-2025-028-Insider-Data-Theft.md
├── detection-rules/
│   └── detection-rules-and-queries.md
├── metrics-and-reporting/
│   ├── soc-metrics-dashboard.md
│   └── monthly-performance-report-template.md
├── templates/
│   ├── incident-ticket-template.md
│   ├── chain-of-custody-form.md
│   └── post-incident-review-template.md
├── scripts/
│   ├── generate_incident_report.py
│   ├── calculate_soc_metrics.py
│   └── parse_logs_for_threats.py
└── README.md

Incident Response Playbooks

The playbooks folder contains comprehensive step-by-step procedures for responding to common security incidents. Each playbook follows the incident response lifecycle and includes:

Standard Playbook Sections

  1. Overview - Threat description, attack vectors, and common indicators
  2. Detection Indicators - Technical and behavioral signs of compromise
  3. Initial Triage - First 15-30 minutes of response
  4. Containment Procedures - Immediate and extended containment actions
  5. Eradication Steps - Removing attacker access and persistence
  6. Recovery Procedures - Restoring normal operations
  7. Post-Incident Activities - Lessons learned and improvements
  8. Escalation Criteria - When to escalate to management or external parties
  9. Roles and Responsibilities - Who does what during response
  10. Tools and Resources - Required tools and reference materials
  11. Key Performance Indicators - Target metrics for effective response

Available Playbooks

1. Phishing Attack Response - Procedures for handling phishing emails, credential harvesting, and business email compromise (BEC) attacks. Covers detection, email removal, account containment, and user awareness.

2. Ransomware Incident Response - Comprehensive response to ransomware incidents including network isolation, backup restoration, and recovery procedures. Addresses both encryption and double-extortion scenarios.

3. Brute Force Attack Response - Detection and response to brute force authentication attacks including password spraying, credential stuffing, and traditional brute force attempts.

4. Insider Threat Response - Sensitive procedures for investigating and responding to malicious or negligent insider actions, including data theft and sabotage. Includes legal and HR coordination guidance.

5. Malware Infection Response - Standard response procedures for malware infections including trojans, worms, and spyware. Covers endpoint isolation, malware removal, and system validation.

6. Data Exfiltration Response - Procedures for responding to unauthorized data transfer, including cloud storage exfiltration, database dumps, and insider data theft.

7. Unauthorized Access Response - Response to compromised accounts and unauthorized system access, including credential theft, exploitation, and privilege escalation.

How to Use the Playbooks

  1. During an Incident: Reference the appropriate playbook based on incident type
  2. Training: Use playbooks for tabletop exercises and training scenarios
  3. Customization: Adapt procedures to your organization's environment and tools
  4. Review: Update playbooks quarterly based on lessons learned and new threats

Incident Reports

The incident-reports folder contains three realistic simulated incident reports demonstrating professional documentation practices:

IR-2025-047: Business Email Compromise

A sophisticated BEC attack targeting the CFO that was detected and contained before financial loss occurred. Demonstrates:

  • Detailed timeline reconstruction
  • Executive summary for non-technical leadership
  • Root cause analysis
  • Lessons learned and improvements implemented
  • Financial impact analysis showing ROI on security investments

Key Takeaways:

  • Importance of MFA enforcement
  • Value of geographic anomaly detection
  • Effectiveness of dual-approval financial controls

IR-2025-063: Ransomware Outbreak

LockBit 3.0 ransomware deployment that was contained through rapid EDR detection, preventing catastrophic data encryption. Demonstrates:

  • Incident response during off-hours
  • Coordination between SOC, IT, and management
  • Decision-making under pressure
  • Recovery from backups
  • Prevention of $2.3M in losses

Key Takeaways:

  • Critical importance of patch management
  • Value of EDR behavioral analytics
  • Necessity of tested backups

IR-2025-028: Insider Threat - Data Exfiltration

Data theft by a departing employee moving to a competitor, detected through DLP and UEBA. Demonstrates:

  • Covert investigation procedures
  • Legal and HR coordination
  • Evidence collection and chain of custody
  • Balancing employee rights with investigation needs
  • Ongoing legal action

Key Takeaways:

  • Need for insider threat program
  • Importance of access controls during resignation period
  • Value of behavioral analytics

Detection Rules

The detection-rules folder contains use cases for identifying threats covered in the playbooks. Each rule includes:

  • Plain language description of what is being detected
  • Splunk SPL query for implementation in SIEM
  • Tuning guidance for reducing false positives
  • Expected false positive rate based on typical environments
  • Severity classification and priority
  • Response actions to take when rule triggers

Detection Categories

  1. Brute Force Attacks

    • Multiple failed login attempts
    • Password spray detection
    • Successful login after failed attempts
  2. Suspicious Login Activity

    • Impossible travel detection
    • Logins from high-risk countries
    • Off-hours access by privileged accounts
  3. Data Exfiltration

    • Large outbound data transfers
    • Uploads to personal cloud storage
    • Database exports and dumps
  4. Malware Beaconing

    • Regular periodic outbound connections (C2 beacons)
    • DNS tunneling detection
  5. Lateral Movement

    • Unusual RDP connections
    • PsExec usage
  6. Privilege Escalation

    • Addition to privileged groups
    • Unauthorized privilege elevation attempts

Using the Detection Rules

Implementation Steps:

  1. Review rule description and understand detection logic
  2. Copy Splunk SPL query to your SIEM
  3. Adjust thresholds based on your environment
  4. Test rule and tune to reduce false positives
  5. Document expected alert volume and response procedures
  6. Train SOC analysts on rule purpose and response

Best Practices:

  • Start with higher thresholds and lower over time
  • Document all tuning changes
  • Track false positive rate monthly
  • Review and update rules quarterly

SOC Metrics and Reporting

The metrics-and-reporting folder contains tools for tracking SOC performance:

SOC Metrics Dashboard

Tracks key performance indicators including:

1. Mean Time to Detect (MTTD) - Average time from when a security event occurs to when it is detected. Target varies by severity (P1: <15 min, P2: <1 hour).

2. Mean Time to Respond (MTTR) - Average time from detection to initial containment. Target varies by severity (P1: <30 min, P2: <2 hours).

3. Mean Time to Resolve - Average time from detection to full incident closure. Target varies by severity (P1: <72 hours, P2: <7 days).

4. Incident Volume by Category - Tracks distribution of incidents by type (phishing, malware, brute force, etc.) to identify trends.

5. False Positive Rate - Percentage of alerts that are determined to be false positives. Target: <20%.

6. SLA Compliance Rate - Percentage of incidents meeting defined service level agreements. Target: >95%.

7. Detection Coverage by MITRE ATT&CK - Percentage of MITRE ATT&CK techniques with detection capability. Current: 72% overall.

8. Analyst Productivity Metrics - Average alerts per analyst, time per incident, escalation rates, and backlog.

Monthly Performance Report Template

Template for regular reporting to leadership including:

  • Executive summary in business language
  • Performance against KPIs with trend analysis
  • Incident summary and major incidents
  • Detection effectiveness and alert quality
  • Team performance and staffing
  • Improvements implemented
  • Challenges and risks
  • Action items and resource requests

Templates

The templates folder contains reusable forms for SOC operations:

Incident Ticket Template

Comprehensive incident tracking template including:

  • Incident classification and severity
  • Affected systems and users
  • Timeline of events
  • Investigation findings and IOCs
  • Response actions taken
  • Communication and notifications
  • Resolution and lessons learned
  • SLA tracking

Chain of Custody Form

Legal-grade evidence tracking form for forensic investigations including:

  • Evidence item information
  • Hash values for digital evidence
  • Packaging and sealing procedures
  • Chain of custody log with signatures
  • Storage and examination records
  • Court presentation tracking
  • Final disposition

This form maintains evidentiary integrity for potential legal proceedings.

Post-Incident Review Template

Structured template for conducting lessons learned sessions including:

  • Incident overview and timeline
  • Response analysis (detection, containment, eradication, recovery)
  • What went well / what didn't go well
  • Gap analysis (technical, process, training)
  • Recommendations with owners and due dates
  • Communication effectiveness review
  • Metrics and performance analysis

Python Scripts

The scripts folder contains automation tools for SOC operations:

1. Incident Report Generator (generate_incident_report.py)

Automatically generates formatted incident reports from structured JSON input.

Usage:

python generate_incident_report.py incident_data.json report.md

Input Format (JSON):

{
  "incident_id": "IR-2025-001",
  "title": "Incident Title",
  "severity": "P1 - Critical",
  "date_range": "January 1-5, 2025",
  "status": "Closed",
  "executive_summary": "Summary text...",
  "key_findings": ["Finding 1", "Finding 2"],
  "timeline": [
    {
      "timestamp": "2025-01-01T10:00:00",
      "description": "Event description",
      "details": ["Detail 1", "Detail 2"]
    }
  ],
  "impact_assessment": {...},
  "root_cause_analysis": {...},
  "response_actions": {...},
  "lessons_learned": {...},
  "conclusion": "Conclusion text..."
}

Features:

  • Generates professional markdown-formatted reports
  • Formats timestamps and structures data
  • Includes all standard report sections
  • Consistent formatting across all reports

2. SOC Metrics Calculator (calculate_soc_metrics.py)

Calculates SOC performance metrics from incident data CSV.

Usage:

python calculate_soc_metrics.py incidents.csv metrics_output.csv

Required CSV Columns:

  • incident_id
  • severity (P1, P2, P3, P4)
  • category
  • event_time
  • detection_time
  • containment_time
  • resolution_time

Calculated Metrics:

  • Mean Time to Detect (MTTD) by severity
  • Mean Time to Respond (MTTR) by severity
  • Mean Time to Resolve by severity
  • Incident distribution by category and severity
  • SLA compliance rates
  • Statistical analysis (average, median, min, max)

Output:

  • Console report with formatted metrics
  • CSV export of calculated metrics (optional)
  • Color-coded SLA status (GREEN/YELLOW/RED)
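The following is an added example, not the repository's calculate_soc_metrics.py, showing how the three time-based KPIs defined in the SOC Metrics Dashboard section (MTTD = event to detection, MTTR = detection to containment, Mean Time to Resolve = detection to closure) and the SLA compliance rate can be derived from a CSV with the required columns listed above. It uses only the standard-library modules the README names (csv, datetime, statistics). The P1 and P2 targets are the ones stated on this page; the sample rows are constructed, and the 85% YELLOW floor and the treatment of P3/P4 as having no SLA are assumptions, since the page gives no targets for them.

```python
import csv
import io
from datetime import datetime
from statistics import mean, median

# SLA targets in minutes, taken from the README's dashboard section. Only P1 and P2
# targets are stated there, so P3/P4 incidents are reported without an SLA verdict
# (an assumption of this example).
SLA_TARGETS = {
    "P1": {"detect": 15, "respond": 30, "resolve": 72 * 60},
    "P2": {"detect": 60, "respond": 120, "resolve": 7 * 24 * 60},
}
TIME_FMT = "%Y-%m-%dT%H:%M:%S"

# Constructed sample input in the required column layout; these are not real incidents.
SAMPLE_CSV = """incident_id,severity,category,event_time,detection_time,containment_time,resolution_time
IR-2025-001,P1,ransomware,2025-01-01T10:00:00,2025-01-01T10:10:00,2025-01-01T10:25:00,2025-01-03T09:00:00
IR-2025-002,P1,phishing,2025-01-02T08:00:00,2025-01-02T08:30:00,2025-01-02T09:30:00,2025-01-06T08:00:00
IR-2025-003,P2,brute_force,2025-01-03T22:00:00,2025-01-03T22:40:00,2025-01-04T00:00:00,2025-01-05T12:00:00
IR-2025-004,P3,malware,2025-01-04T12:00:00,2025-01-04T14:00:00,2025-01-04T15:00:00,2025-01-07T12:00:00
"""


def minutes_between(start, end):
    """Elapsed minutes between two ISO-8601 timestamps without a timezone suffix."""
    return (datetime.strptime(end, TIME_FMT) - datetime.strptime(start, TIME_FMT)).total_seconds() / 60


def load_incidents(csv_text):
    """Read the incident CSV and derive the three phase durations per incident.

    detect  = event_time -> detection_time       (MTTD input)
    respond = detection_time -> containment_time (MTTR input)
    resolve = detection_time -> resolution_time  (Mean Time to Resolve input)
    """
    incidents = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        incidents.append({
            "incident_id": row["incident_id"],
            "severity": row["severity"].strip(),
            "category": row["category"],
            "detect": minutes_between(row["event_time"], row["detection_time"]),
            "respond": minutes_between(row["detection_time"], row["containment_time"]),
            "resolve": minutes_between(row["detection_time"], row["resolution_time"]),
        })
    return incidents


def metrics_by_severity(incidents):
    """Mean/median/min/max of each phase duration, grouped by severity."""
    result = {}
    for sev in sorted({i["severity"] for i in incidents}):
        group = [i for i in incidents if i["severity"] == sev]
        result[sev] = {}
        for phase in ("detect", "respond", "resolve"):
            values = [i[phase] for i in group]
            result[sev][phase] = {"mean": mean(values), "median": median(values),
                                  "min": min(values), "max": max(values)}
    return result


def sla_compliance(incidents):
    """Percentage of SLA-bearing incidents that met every target for their severity."""
    met = total = 0
    for i in incidents:
        targets = SLA_TARGETS.get(i["severity"])
        if targets is None:          # no stated SLA for this severity
            continue
        total += 1
        if all(i[phase] <= limit for phase, limit in targets.items()):
            met += 1
    return None if total == 0 else 100.0 * met / total


def sla_status(rate):
    """Colour band for the dashboard. GREEN uses the README's >95% target; the
    85% YELLOW floor is an assumption the page does not state."""
    if rate is None:
        return "N/A"
    if rate >= 95:
        return "GREEN"
    if rate >= 85:
        return "YELLOW"
    return "RED"


if __name__ == "__main__":
    data = load_incidents(SAMPLE_CSV)
    for sev, phases in metrics_by_severity(data).items():
        for phase, stats in phases.items():
            print(f"{sev} {phase:8s} mean={stats['mean']:.1f}m median={stats['median']:.1f}m "
                  f"min={stats['min']:.1f}m max={stats['max']:.1f}m")
    rate = sla_compliance(data)
    print(f"SLA compliance: {rate:.1f}% [{sla_status(rate)}]")
```

On the constructed rows, IR-2025-002 misses both its P1 detection and resolution targets, so two of the three SLA-bearing incidents comply (66.7%, RED). Note that the compliance figure counts an incident as compliant only when all three phases meet their targets; a dashboard that reports per-phase compliance instead would need one counter per phase.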

3. Log Parser for Threat Detection (parse_logs_for_threats.py)

Parses log files and flags suspicious activity based on predefined rules.

Usage:

python parse_logs_for_threats.py server_logs.txt threat_report.txt

Detection Rules:

  • Brute force attacks (multiple failed logins)
  • SQL injection attempts
  • Command injection
  • Suspicious processes (mimikatz, psexec, etc.)
  • Data exfiltration to cloud storage
  • Port scanning activity
  • Privilege escalation attempts
  • Malware indicators

Features:

  • Pattern matching with regular expressions
  • Threshold-based alerting
  • Severity classification (critical, high, medium, low)
  • Source IP and user extraction
  • Grouped reporting by severity and rule type
  • Summary statistics

Output:

  • Detailed threat detection report
  • Summary by severity and threat type
  • Unique sources identified
  • Log line references for investigation
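The following is an added example, not the repository's parse_logs_for_threats.py, showing the features listed above in working form: regex pattern matching, threshold-based alerting for brute force (multiple failed logins), a suspicious-process rule using the process names the README lists, source IP and user extraction, severity classification, and grouped reporting with log line references. The sshd-style log lines are constructed and use documentation address ranges; the five-failures-in-five-minutes threshold and the assumed year for syslog timestamps are choices of this example, not values from the page.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Rule parameters. Threshold and window are assumed values; the README only says
# "multiple failed logins". Process names come from the README's rule list.
BRUTE_FORCE_THRESHOLD = 5
BRUTE_FORCE_WINDOW = timedelta(minutes=5)
SUSPICIOUS_PROCESSES = {"mimikatz.exe", "psexec.exe"}
ASSUMED_YEAR = 2025   # syslog timestamps carry no year

SYSLOG_TS = r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d)"
FAILED_RE = re.compile(SYSLOG_TS + r" \S+ sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)")
ACCEPTED_RE = re.compile(SYSLOG_TS + r" \S+ sshd\[\d+\]: Accepted \w+ for (?P<user>\S+) from (?P<ip>[\d.]+)")
PROCESS_RE = re.compile(SYSLOG_TS + r" \S+ audit: process started: (?P<proc>\S+) user=(?P<user>\S+)")

# Constructed sample log (documentation address ranges); not a real capture.
SAMPLE_LOG = """Jan 10 10:00:01 bastion sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jan 10 10:00:15 bastion sshd[1235]: Failed password for invalid user root from 203.0.113.5 port 51235 ssh2
Jan 10 10:00:30 bastion sshd[1236]: Failed password for alice from 203.0.113.5 port 51236 ssh2
Jan 10 10:00:45 bastion sshd[1237]: Failed password for alice from 203.0.113.5 port 51237 ssh2
Jan 10 10:01:02 bastion sshd[1238]: Failed password for alice from 203.0.113.5 port 51238 ssh2
Jan 10 10:01:20 bastion sshd[1239]: Failed password for alice from 203.0.113.5 port 51239 ssh2
Jan 10 10:02:30 bastion sshd[1240]: Accepted password for alice from 203.0.113.5 port 51240 ssh2
Jan 10 10:05:00 bastion sshd[1250]: Failed password for bob from 198.51.100.7 port 40000 ssh2
Jan 10 10:06:00 ws01 audit: process started: mimikatz.exe user=bob
Jan 10 10:07:00 ws01 audit: process started: notepad.exe user=bob
"""


def parse_ts(text):
    """Parse a syslog timestamp, collapsing the double space before single-digit days."""
    return datetime.strptime(f"{ASSUMED_YEAR} " + " ".join(text.split()), "%Y %b %d %H:%M:%S")


def parse_logs(lines):
    """Run the rules over log lines; returns a list of findings with line references."""
    failures = defaultdict(list)   # ip -> [(ts, line_no, user)]
    successes = []                 # (ts, ip, user, line_no)
    findings = []
    for line_no, line in enumerate(lines, 1):
        m = FAILED_RE.match(line)
        if m:
            failures[m["ip"]].append((parse_ts(m["ts"]), line_no, m["user"]))
            continue
        m = ACCEPTED_RE.match(line)
        if m:
            successes.append((parse_ts(m["ts"]), m["ip"], m["user"], line_no))
            continue
        m = PROCESS_RE.match(line)
        if m and m["proc"].lower() in SUSPICIOUS_PROCESSES:
            findings.append({"rule": "suspicious_process", "severity": "critical",
                             "source": m["user"], "detail": m["proc"], "lines": [line_no]})

    # Threshold rule: N or more failures from one source inside the window. One alert
    # per source; raised to critical when the same source later logs in successfully.
    for ip, events in failures.items():
        events.sort()
        for start in range(len(events)):
            window = [e for e in events[start:] if e[0] - events[start][0] <= BRUTE_FORCE_WINDOW]
            if len(window) < BRUTE_FORCE_THRESHOLD:
                continue
            last_failure = window[-1][0]
            later = [s for s in successes if s[1] == ip and s[0] >= last_failure]
            users = sorted({e[2] for e in window})
            detail = f"{len(window)} failures, users tried: {users}"
            if later:
                detail += f"; then Accepted login as {later[0][2]}"
            findings.append({
                "rule": "brute_force",
                "severity": "critical" if later else "high",
                "source": ip,
                "detail": detail,
                "lines": [e[1] for e in window] + [s[3] for s in later],
            })
            break
    return findings


def summarize(findings):
    """Counts by severity and rule, plus the unique sources involved."""
    by_sev, by_rule = defaultdict(int), defaultdict(int)
    for f in findings:
        by_sev[f["severity"]] += 1
        by_rule[f["rule"]] += 1
    return {"by_severity": dict(by_sev), "by_rule": dict(by_rule),
            "unique_sources": sorted({f["source"] for f in findings})}


if __name__ == "__main__":
    results = parse_logs(SAMPLE_LOG.splitlines())
    for sev in ("critical", "high", "medium", "low"):
        for f in (x for x in results if x["severity"] == sev):
            print(f"[{sev.upper()}] {f['rule']} source={f['source']} lines={f['lines']} {f['detail']}")
    print(summarize(results))
```

The single failure from 198.51.100.7 stays below the threshold and produces no alert, which is the point of threshold-based alerting: a lone typo is noise, a burst is a finding. The brute-force alert from 203.0.113.5 is escalated to critical because the same source then logged in successfully, matching the "successful login after failed attempts" case in the detection categories; the line references let an analyst jump straight to the evidence when triaging.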

Skills Demonstrated

This repository demonstrates the following security operations and incident response skills:

Technical Skills

  • Incident response methodology (NIST, SANS frameworks)
  • Threat detection and analysis
  • SIEM query development (Splunk SPL)
  • Log analysis and correlation
  • Forensic evidence collection and chain of custody
  • Malware analysis and eradication
  • Network security and containment
  • Python scripting for security automation
  • MITRE ATT&CK framework application

Analytical Skills

  • Root cause analysis
  • Threat actor TTPs identification
  • Timeline reconstruction
  • Impact assessment (business and technical)
  • Risk prioritization
  • Trend analysis and pattern recognition
  • Security metrics and KPI development

Communication Skills

  • Technical writing for SOC teams
  • Executive reporting for non-technical leadership
  • Incident documentation
  • Playbook development
  • Cross-functional coordination (IT, legal, HR, management)
  • Stakeholder communication during incidents

Operational Skills

  • SOC operations and workflow management
  • Incident triage and prioritization
  • SLA management and tracking
  • Team coordination during incidents
  • Escalation procedures
  • Evidence handling and legal compliance
  • Continuous improvement and lessons learned

Use Cases

This repository can be used for:

  1. SOC Operations - Reference playbooks during active incidents
  2. Training and Onboarding - Train new SOC analysts on procedures
  3. Tabletop Exercises - Use scenarios for incident response drills
  4. Process Improvement - Template for developing organization-specific playbooks
  5. Metrics Tracking - Implement SOC KPI dashboards
  6. Automation - Python scripts for operational efficiency
  7. Documentation - Examples of professional security documentation
  8. Skill Demonstration - Portfolio piece showing SOC operations knowledge

Getting Started

Prerequisites

Python 3.7 or higher is required to run the automation scripts.

All scripts use only Python standard library modules (no external dependencies):

  • json
  • csv
  • datetime
  • sys
  • re
  • typing
  • statistics

Quick Start

  1. Clone or download this repository

  2. Explore the playbooks

    • Navigate to the playbooks folder
    • Review incident response procedures
    • Identify playbooks relevant to your environment
  3. Review incident reports

    • Read example reports in incident-reports folder
    • Understand documentation best practices
    • Adapt format for your organization
  4. Implement detection rules

    • Copy Splunk queries from detection-rules folder
    • Adapt to your SIEM platform
    • Tune thresholds for your environment
  5. Use templates

    • Copy templates from templates folder
    • Customize for your organization
    • Integrate with ticketing systems
  6. Run automation scripts

    • Test Python scripts with sample data
    • Integrate into SOC workflows
    • Automate report generation

Customization Guidance

To adapt these resources for your organization:

Playbooks

  1. Update tool references (SIEM, EDR, etc.) to match your environment
  2. Modify escalation criteria based on your org structure
  3. Add organization-specific contact information
  4. Adjust timelines and SLAs to your requirements
  5. Include organization-specific compliance requirements

Detection Rules

  1. Adjust thresholds based on your environment size and norms
  2. Translate Splunk queries to your SIEM platform
  3. Add organization-specific asset inventory lookups
  4. Customize severity classifications
  5. Integrate with your alerting and ticketing systems

Templates

  1. Add your organization logo and branding
  2. Modify approval workflows
  3. Integrate with your ticketing system fields
  4. Add organization-specific incident categories
  5. Update contact information and distribution lists

Scripts

  1. Modify input/output formats to match your systems
  2. Add integration with your SIEM or ticketing platform
  3. Customize metrics calculations for your SLAs
  4. Add organization-specific detection rules
  5. Integrate with reporting tools

Best Practices

For Playbook Usage

  • Review and update playbooks quarterly
  • Conduct tabletop exercises using playbooks
  • Gather feedback from incident responders after incidents
  • Document deviations and update playbooks accordingly
  • Ensure all team members know where playbooks are located

For Metrics Tracking

  • Automate metrics collection where possible
  • Review metrics monthly with SOC team
  • Report metrics to leadership in business language
  • Track trends over time, not just point-in-time values
  • Use metrics to drive continuous improvement

For Detection Rules

  • Start conservative and tune down false positives
  • Document all tuning changes
  • Review detection coverage against MITRE ATT&CK
  • Test rules before deploying to production
  • Maintain rule documentation including business justification

Future Enhancements

Potential additions to this repository:

  • Additional playbooks (DDoS, supply chain attacks, cloud incidents)
  • Detection rules for cloud platforms (AWS, Azure, GCP)
  • Integration with SOAR platforms
  • Automated report distribution
  • Machine learning for anomaly detection
  • Threat intelligence integration examples
  • Red team vs blue team scenarios
  • Compliance mapping (NIST CSF, ISO 27001, PCI-DSS)

About

This repository was created to demonstrate professional Security Operations Center capabilities including:

  • Incident response procedures
  • Detection engineering
  • SOC operations management
  • Security metrics and reporting
  • Documentation best practices
  • Security automation

The content represents the type of operational documentation and tooling used in enterprise SOC environments and can serve as a reference for building or improving SOC operations programs.


License

This repository is provided for educational and professional development purposes.

Playbooks, templates, and scripts may be used and adapted for organizational security operations with attribution.


Contact

For questions about SOC operations best practices or this repository, please open an issue in the repository.


Version: 1.0
Last Updated: February 2026
Maintained By: Security Operations Center Team
