Access Investigation - Generic - NIST

Investigates an access incident by gathering user and IP address information, and handling the incident based on the stages in "Handling an incident - Computer Security Incident Handling Guide" by NIST.


This playbook uses the following sub-playbooks, integrations, and scripts.

Sub-playbooks:

  • IP Enrichment - Generic v2
  • NIST - Lessons Learned
  • Block IP - Generic v2
  • Account Enrichment - Generic v2.1

Integrations:

  • Active Directory Query v2
  • Builtin

Scripts:

  • ADGetUser
  • GenerateInvestigationSummaryReport

Commands:

  • closeInvestigation
  • send-mail
  • ad-expire-password
  • setIncident
  • ad-disable-account

Playbook Inputs

| Name | Description | Required |
| --- | --- | --- |
| SrcIP | The source IP address from which the incident originated. | Optional |
| DstIP | The target IP address that was accessed. | Optional |
| Username | The email address of the account that was used to access the DstIP. | Optional |
| NotifyEmail | The email addresses to notify about the incident. | Optional |
| RemediationSLA | The remediation SLA for the "Containment, Eradication, and Recovery" stage (in minutes). | Optional |
| IPBlacklistMiner | The name of the IP address blacklist miner in MineMeld. | Optional |
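The page lists the inputs the playbook consumes and the commands it can run, but not the branching that links them. The following Python snippet is an added, hypothetical model of that containment stage, not code from the playbook or from Cortex XSOAR: it takes the SrcIP, Username, NotifyEmail and RemediationSLA inputs plus the DBotScore.Score values that the IP and Account enrichment sub-playbooks produce, and decides which of the listed commands and sub-playbooks to queue. The score thresholds (2 = suspicious, 3 = bad on the XSOAR DBotScore scale) and the rule "expire the password on suspicious, disable the account on bad" are assumptions chosen for illustration; the real playbook's conditions are not stated on this page.

```python
"""Hypothetical model of the containment stage of 'Access Investigation - Generic - NIST'.

Added example; not the playbook's own logic. Thresholds and action mapping are assumptions.
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# DBotScore.Score scale used by Cortex XSOAR: 0 unknown, 1 good, 2 suspicious, 3 bad.
SUSPICIOUS = 2
BAD = 3


def plan_containment(
    src_ip: Optional[str],
    username: Optional[str],
    dbot_scores: Dict[str, int],
    notify_email: Optional[str] = None,
) -> List[str]:
    """Return, in order, the commands/sub-playbooks the containment stage would run.

    dbot_scores maps an indicator value (the SrcIP or the account name) to its
    DBotScore.Score as returned by the enrichment sub-playbooks.
    Every playbook input is optional, so each branch tolerates a missing value.
    """
    actions: List[str] = []

    # Malicious source address: hand off to the Block IP sub-playbook.
    if src_ip and dbot_scores.get(src_ip, 0) >= BAD:
        actions.append("Block IP - Generic v2")

    # Compromised or suspicious account: force re-authentication first,
    # and cut off access entirely when the verdict is bad (assumed rule).
    if username:
        score = dbot_scores.get(username, 0)
        if score >= SUSPICIOUS:
            actions.append("ad-expire-password")
        if score >= BAD:
            actions.append("ad-disable-account")

    # Notify the SOC only when something was actually done.
    if notify_email and actions:
        actions.append("send-mail")
    return actions


def sla_breached(stage_started: datetime, now: datetime, remediation_sla_minutes: int) -> bool:
    """True once the containment stage has run longer than the RemediationSLA input (minutes)."""
    return now - stage_started > timedelta(minutes=remediation_sla_minutes)


if __name__ == "__main__":
    # Constructed sample: documentation-range IP and a placeholder account name.
    scores = {"203.0.113.10": BAD, "jdoe": SUSPICIOUS}
    print(plan_containment("203.0.113.10", "jdoe", scores, "soc@example.com"))

    started = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    print(sla_breached(started, started + timedelta(minutes=61), 60))
```

The two functions map directly onto the playbook vocabulary above: the return value of plan_containment names only items from the Commands and Sub-playbooks lists, and sla_breached is the check an orchestrator would run against the RemediationSLA input before escalating the "Containment, Eradication, and Recovery" stage.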

Playbook Outputs

| Path | Description | Type |
| --- | --- | --- |
| Account.Email.Address | The email address object associated with the account. | string |
| DBotScore | The Indicator, Score, Type, and Vendor. | unknown |
| Account.ID | The unique account DN (Distinguished Name). | string |
| Account.Username | The account username. | string |
| Account.Email | The email address associated with the account. | unknown |
| Account.Type | The type of the account entity. | string |
| Account.Groups | The groups the account is part of. | unknown |
| Account | The account object. | unknown |
| Account.DisplayName | The account display name. | string |
| Account.Manager | The account's manager. | string |
| DBotScore.Indicator | The indicator value. | string |
| DBotScore.Type | The indicator's type. | string |
| DBotScore.Vendor | The indicator's vendor. | string |
| DBotScore.Score | The indicator's score. | number |
| IP | The IP address objects. | unknown |
| Endpoint | The Endpoint object. | unknown |
| Endpoint.Hostname | The hostname to enrich. | string |
| Endpoint.OS | The Endpoint OS. | string |
| Endpoint.IP | The list of Endpoint IP addresses. | unknown |
| Endpoint.MAC | The list of Endpoint MAC addresses. | unknown |
| Endpoint.Domain | The Endpoint domain name. | string |
