Expert Investigation Guides

Investigation Playbook Specification

These investigation guides adhere to the structure and conventions published here:

• Investigation Playbook Markdown Specification

That specification shows how to use Markdown to capture investigation specific semantics.

The main goal of these extensions is to provide some structure to the investigation questions such that they can be reused, tagged and managed. Sample playbooks or guides are included in the repository to ilustrate the format and style writing.

This project was presented by Francisco Matias Acuna-Cuenca and Ismael Valenzuela at the SANS SOC Summit 2017. The presentation is available here:

• "The Need for Investigation Playbooks at the SOC" by Francisco Matias Cuenca-Acuna & Ismael Valenzuela, SANS SOC Summit 2017

On this repository you will also find a few examples of investigation guides that use this spec.

Published Investigation Guides

• Threat Hunting