A procedure is a predefined set of steps and actions that must be followed to accomplish a specific security-related task or address a particular issue. Procedures are often documented and provide a systematic approach to incident response, patch management, access control, and vulnerability assessment. They help ensure that tasks are executed consistently and comply with security policies.
Step 1: Click the Procedures tab of the RunbooksDB module.
Step 2: Click New Procedure.
Step 3: Fill out the provided fields.
Procedure Title (required): The procedure title should include MITRE technique numbers when applicable (e.g., T1027), with an additional local indicator to distinguish it from the official MITRE technique, such as "Obfuscated Files or Information AE-T1027."
Procedure ID (required): The procedure ID should combine the MITRE technique number (e.g., T1027) with an organization-specific identifier and a sequential number, such as "AE-T1027-001" or "T1027-AE-001". This maintains consistency, links to MITRE techniques, and supports standardization within an organization.
RunbooksDB Repository (required): Every procedure must be associated with a RunbooksDB repository. Only repositories that the user can edit appear in the pulldown menu.
Procedure Description (required): A rich-text field to enter any content, images, or tables needed to describe the procedure. A procedure description should be detailed and actionable, including clear objectives, step-by-step instructions, and mapping to relevant MITRE ATT&CK techniques. It should be based on real-world adversary behaviors and include technical details, expected outcomes, and potential variations. Additionally, it should provide safety precautions and guidance on detection and mitigation strategies.
Tags: Enter any tags that will help with future searching and filtering.
Execution Steps (required): A set of steps to achieve specific security-related goals and address potential threats or vulnerabilities. A procedure must have at least one step.
Add Step Success Criteria: Click this to open a rich-text field for the success criteria of the previously entered step. Good step success criteria include measurable outcomes that align with the exercise's objectives and are based on observable indicators that reflect real-world adversary behaviors. For example, success might be defined as achieving unauthorized access within a certain timeframe using specific tactics.
Add Another Execution Step: Click this button to add more steps.
Step 4: Click Save at the top of the page.
The procedure is now available from the Procedures tab and can be viewed, edited, or deleted from this location.
Techniques: Click Add Techniques to add existing techniques in RunbooksDB to the procedure. They will then appear on the "New Procedure" page.
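The title and ID conventions above are easy to drift from once several people author procedures. The following is an added example, not part of RunbooksDB, that lints a batch of draft procedures before they are entered. The record field names, the 2-6 letter organization identifier, the three-digit sequence and the title check for an "ORG-Txxxx" indicator are assumptions drawn from the examples on this page.

```python
import re

# Both orderings shown on the page: "AE-T1027-001" and "T1027-AE-001".
# Assumed: org identifier is 2-6 uppercase letters, sequence is 3 digits.
ID_PATTERNS = (
    re.compile(r"^(?P<org>[A-Z]{2,6})-(?P<tech>T\d{4})-(?P<seq>\d{3})$"),
    re.compile(r"^(?P<tech>T\d{4})-(?P<org>[A-Z]{2,6})-(?P<seq>\d{3})$"),
)
# Hypothetical field names standing in for the form's required fields.
REQUIRED = ("title", "procedure_id", "repository", "description", "steps")

def parse_procedure_id(pid):
    """Return (org, technique, seq), or None if the ID fits neither ordering."""
    for pat in ID_PATTERNS:
        m = pat.match(pid)
        if m:
            return m["org"], m["tech"], int(m["seq"])
    return None

def lint_procedures(records):
    """Return a sorted list of (procedure_id, problem) for a batch of drafts."""
    problems, seen = [], set()
    for rec in records:
        pid = rec.get("procedure_id", "")
        for field in REQUIRED:
            if not rec.get(field):  # an empty steps list also counts as missing
                problems.append((pid, f"missing required field: {field}"))
        parsed = parse_procedure_id(pid) if pid else None
        if pid and parsed is None:
            problems.append((pid, "ID does not follow the technique/org/sequence convention"))
        if parsed:
            org, tech, _ = parsed
            # Same org, technique and sequence in either ordering is a collision.
            if parsed in seen:
                problems.append((pid, "duplicate of an existing ID"))
            seen.add(parsed)
            # Title should carry the local indicator, e.g. "... AE-T1027".
            if f"{org}-{tech}" not in rec.get("title", ""):
                problems.append((pid, f"title lacks local indicator {org}-{tech}"))
    return sorted(problems)

# Constructed sample drafts (not real RunbooksDB data).
_BASE = {"repository": "Demo Repo", "description": "Constructed text.", "steps": ["Constructed step."]}
DRAFTS = [
    {**_BASE, "title": "Obfuscated Files or Information AE-T1027", "procedure_id": "AE-T1027-001"},
    {**_BASE, "title": "Obfuscated Files or Information AE-T1027", "procedure_id": "T1027-AE-001"},
    {**_BASE, "title": "Obfuscated Files or Information", "procedure_id": "T1027-001", "steps": []},
]
```

Calling lint_procedures(DRAFTS) flags the second draft as a duplicate of the first written in the other ordering, and the third for a malformed ID and an empty step list.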