Understanding Run Books

This guide explains what Run Books are and why they're so useful.

Written by Matthew Elliott
Updated over a week ago

Mainly used with our Managed Log Monitoring (SIEM) service, a Run Book is a set of instructions for how our SOC team and you should respond to different types of Security Events. They were created to help our SOC analysts handle security incidents, and to help end clients understand the process behind mitigating a security event.

Our Run Books are written with as little technical detail as possible, so they can be understood by anyone, regardless of their technical knowledge.

Our Run Books are created using the SANS 6 Steps for Incident Response. Using a well-established and globally recognised process such as the SANS process allows all users to understand the processes followed by our analysts. The SANS 6 steps are as follows:

  • Preparation: Ensuring that all the users involved in the incident response process are suitably prepared. This includes having appropriate documentation and toolsets.

  • Identification: This is the first stage of an incident, where it becomes apparent that an attack of some form has occurred.

  • Containment: Containment involves ensuring that further damage does not occur from the incident. If the incident is a malware outbreak, this could include removing the infected host from the network.

  • Eradication: This step involves removing the threat from the environment.

  • Recovery: Recovery involves making sure all business functions are running as usual with as little impact as possible, such as bringing compromised hosts back online.

  • Lessons Learned: The final step in incident response is learning from the incident. This typically involves asking how the incident could have been dealt with better, and what could be done next time to shorten the time between identification and recovery.

Of the SANS 6 steps, it is the responsibility of our SOC team to ensure that they are well prepared for any security incident they may face, and that incidents are identified as early as possible.

It’s typically the responsibility of the client to conduct the steps of Containment, Eradication, and Recovery, although we'll advise on these steps where necessary.

Lessons Learned is important to both the SOC team and the client. Ensuring that both teams work together smoothly is the key to dealing with an incident quickly and effectively.
