mkdocs.yml
site_name: RE&CT
site_dir: site/
docs_dir: docs/
theme:
  name: null
  custom_dir: 'docs/readthedocs/'
  navigation_depth: 4
  search_index_only: true
  titles_only: true
repo_url: https://github.com/atc-project/atc-react
edit_uri: blob/master/docs/
google_analytics: ['UA-165240552-2', 'https://atc-project.github.io/atc-react/']
plugins:
  - awesome-pages
  - exclude:
      glob:
        - "*DS_Store"
        - "*.git"
        - "*.idea"
        - "thehive_templates"
nav:
  - Introduction:
    - RE&CT Framework (EN): index.md
    - RE&CT Framework (RU): index_RU.md
  - Response Stages: responsestages.md
  - Response Actions:
    - Preparation:
      - "RA1001: Practice": ./Response_Actions/RA_1001_practice.md
      - "RA1002: Take trainings": ./Response_Actions/RA_1002_take_trainings.md
      - "RA1003: Raise personnel awareness": ./Response_Actions/RA_1003_raise_personnel_awareness.md
      - "RA1004: Make personnel report suspicious activity": ./Response_Actions/RA_1004_make_personnel_report_suspicious_activity.md
      - "RA1005: Set up relevant data collection": ./Response_Actions/RA_1005_set_up_relevant_data_collection.md
      - "RA1006: Set up a centralized long-term log storage": ./Response_Actions/RA_1006_set_up_a_centralized_long-term_log_storage.md
      - "RA1007: Develop communication map": ./Response_Actions/RA_1007_develop_communication_map.md
      - "RA1008: Make sure there are backups": ./Response_Actions/RA_1008_make_sure_there_are_backups.md
      - "RA1009: Get network architecture map": ./Response_Actions/RA_1009_get_network_architecture_map.md
      - "RA1010: Get access control matrix": ./Response_Actions/RA_1010_get_access_control_matrix.md
      - "RA1011: Develop assets knowledge base": ./Response_Actions/RA_1011_develop_assets_knowledge_base.md
      - "RA1012: Check analysis toolset": ./Response_Actions/RA_1012_check_analysis_toolset.md
      - "RA1013: Access vulnerability management system logs": ./Response_Actions/RA_1013_access_vulnerability_management_system_logs.md
      - "RA1014: Connect with trusted communities": ./Response_Actions/RA_1014_connect_with_trusted_communities.md
      - "RA1101: Access external network flow logs": ./Response_Actions/RA_1101_access_external_network_flow_logs.md
      - "RA1102: Access internal network flow logs": ./Response_Actions/RA_1102_access_internal_network_flow_logs.md
      - "RA1103: Access internal HTTP logs": ./Response_Actions/RA_1103_access_internal_http_logs.md
      - "RA1104: Access external HTTP logs": ./Response_Actions/RA_1104_access_external_http_logs.md
      - "RA1105: Access internal DNS logs": ./Response_Actions/RA_1105_access_internal_dns_logs.md
      - "RA1106: Access external DNS logs": ./Response_Actions/RA_1106_access_external_dns_logs.md
      - "RA1107: Access VPN logs": ./Response_Actions/RA_1107_access_vpn_logs.md
      - "RA1108: Access DHCP logs": ./Response_Actions/RA_1108_access_dhcp_logs.md
      - "RA1109: Access internal packet capture data": ./Response_Actions/RA_1109_access_internal_packet_capture_data.md
      - "RA1110: Access external packet capture data": ./Response_Actions/RA_1110_access_external_packet_capture_data.md
      - "RA1111: Get ability to block external IP address": ./Response_Actions/RA_1111_get_ability_to_block_external_ip_address.md
      - "RA1112: Get ability to block internal IP address": ./Response_Actions/RA_1112_get_ability_to_block_internal_ip_address.md
      - "RA1113: Get ability to block external domain": ./Response_Actions/RA_1113_get_ability_to_block_external_domain.md
      - "RA1114: Get ability to block internal domain": ./Response_Actions/RA_1114_get_ability_to_block_internal_domain.md
      - "RA1115: Get ability to block external URL": ./Response_Actions/RA_1115_get_ability_to_block_external_url.md
      - "RA1116: Get ability to block internal URL": ./Response_Actions/RA_1116_get_ability_to_block_internal_url.md
      - "RA1117: Get ability to block port external communication": ./Response_Actions/RA_1117_get_ability_to_block_port_external_communication.md
      - "RA1118: Get ability to block port internal communication": ./Response_Actions/RA_1118_get_ability_to_block_port_internal_communication.md
      - "RA1119: Get ability to block user external communication": ./Response_Actions/RA_1119_get_ability_to_block_user_external_communication.md
      - "RA1120: Get ability to block user internal communication": ./Response_Actions/RA_1120_get_ability_to_block_user_internal_communication.md
      - "RA1121: Get ability to find data transferred by content pattern": ./Response_Actions/RA_1121_get_ability_to_find_data_transferred_by_content_pattern.md
      - "RA1122: Get ability to block data transferring by content pattern": ./Response_Actions/RA_1122_get_ability_to_block_data_transferring_by_content_pattern.md
      - "RA1123: Get ability to list data transferred": ./Response_Actions/RA_1123_get_ability_to_list_data_transferred.md
      - "RA1124: Get ability to collect transferred data": ./Response_Actions/RA_1124_get_ability_to_collect_transferred_data.md
      - "RA1125: Get ability to identify transferred data": ./Response_Actions/RA_1125_get_ability_to_identify_transferred_data.md
      - "RA1126: Find data transferred by content pattern": ./Response_Actions/RA_1126_find_data_transferred_by_content_pattern.md
      - "RA1127: Get ability to analyse user-agent": ./Response_Actions/RA_1127_get_ability_to_analyse_user-agent.md
      - "RA1128: Get ability to list Firewall rules": ./Response_Actions/RA_1128_get_ability_to_list_firewall_rules.md
      - "RA1201: Get ability to list users opened email message": ./Response_Actions/RA_1201_get_ability_to_list_users_opened_email_message.md
      - "RA1202: Get ability to list email message receivers": ./Response_Actions/RA_1202_get_ability_to_list_email_message_receivers.md
      - "RA1203: Get ability to block email domain": ./Response_Actions/RA_1203_get_ability_to_block_email_domain.md
      - "RA1204: Get ability to block email sender": ./Response_Actions/RA_1204_get_ability_to_block_email_sender.md
      - "RA1205: Get ability to delete email message": ./Response_Actions/RA_1205_get_ability_to_delete_email_message.md
      - "RA1206: Get ability to quarantine email message": ./Response_Actions/RA_1206_get_ability_to_quarantine_email_message.md
      - "RA1207: Get ability to collect email message": ./Response_Actions/RA_1207_get_ability_to_collect_email_message.md
      - "RA1208: Get ability to analyse email address": ./Response_Actions/RA_1208_get_ability_to_analyse_email_address.md
      - "RA1301: Get ability to list files created": ./Response_Actions/RA_1301_get_ability_to_list_files_created.md
      - "RA1302: Get ability to list files modified": ./Response_Actions/RA_1302_get_ability_to_list_files_modified.md
      - "RA1303: Get ability to list files deleted": ./Response_Actions/RA_1303_get_ability_to_list_files_deleted.md
      - "RA1304: Get ability to list files downloaded": ./Response_Actions/RA_1304_get_ability_to_list_files_downloaded.md
      - "RA1305: Get ability to list files with tampered timestamps": ./Response_Actions/RA_1305_get_ability_to_list_files_with_tampered_timestamps.md
      - "RA1306: Get ability to find file by path": ./Response_Actions/RA_1306_get_ability_to_find_file_by_path.md
      - "RA1307: Get ability to find file by metadata": ./Response_Actions/RA_1307_get_ability_to_find_file_by_metadata.md
      - "RA1308: Get ability to find file by hash": ./Response_Actions/RA_1308_get_ability_to_find_file_by_hash.md
      - "RA1309: Get ability to find file by format": ./Response_Actions/RA_1309_get_ability_to_find_file_by_format.md
      - "RA1310: Get ability to find file by content pattern": ./Response_Actions/RA_1310_get_ability_to_find_file_by_content_pattern.md
      - "RA1311: Get ability to collect file": ./Response_Actions/RA_1311_get_ability_to_collect_file.md
      - "RA1312: Get ability to quarantine file by path": ./Response_Actions/RA_1312_get_ability_to_quarantine_file_by_path.md
      - "RA1313: Get ability to quarantine file by hash": ./Response_Actions/RA_1313_get_ability_to_quarantine_file_by_hash.md
      - "RA1314: Get ability to quarantine file by format": ./Response_Actions/RA_1314_get_ability_to_quarantine_file_by_format.md
      - "RA1315: Get ability to quarantine file by content pattern": ./Response_Actions/RA_1315_get_ability_to_quarantine_file_by_content_pattern.md
      - "RA1316: Get ability to remove file": ./Response_Actions/RA_1316_get_ability_to_remove_file.md
      - "RA1317: Get ability to analyse file hash": ./Response_Actions/RA_1317_get_ability_to_analyse_file_hash.md
      - "RA1318: Get ability to analyse Windows PE": ./Response_Actions/RA_1318_get_ability_to_analyse_windows_pe.md
      - "RA1319: Get ability to analyse macos macho": ./Response_Actions/RA_1319_get_ability_to_analyse_macos_macho.md
      - "RA1320: Get ability to analyse Unix ELF": ./Response_Actions/RA_1320_get_ability_to_analyse_unix_elf.md
      - "RA1321: Get ability to analyse MS office file": ./Response_Actions/RA_1321_get_ability_to_analyse_ms_office_file.md
      - "RA1322: Get ability to analyse PDF file": ./Response_Actions/RA_1322_get_ability_to_analyse_pdf_file.md
      - "RA1323: Get ability to analyse script": ./Response_Actions/RA_1323_get_ability_to_analyse_script.md
      - "RA1324: Get ability to analyse jar": ./Response_Actions/RA_1324_get_ability_to_analyse_jar.md
      - "RA1325: Get ability to analyse filename": ./Response_Actions/RA_1325_get_ability_to_analyse_filename.md
      - "RA1401: Get ability to list processes executed": ./Response_Actions/RA_1401_get_ability_to_list_processes_executed.md
      - "RA1402: Get ability to find process by executable path": ./Response_Actions/RA_1402_get_ability_to_find_process_by_executable_path.md
      - "RA1403: Get ability to find process by executable metadata": ./Response_Actions/RA_1403_get_ability_to_find_process_by_executable_metadata.md
      - "RA1404: Get ability to find process by executable hash": ./Response_Actions/RA_1404_get_ability_to_find_process_by_executable_hash.md
      - "RA1405: Get ability to find process by executable format": ./Response_Actions/RA_1405_get_ability_to_find_process_by_executable_format.md
      - "RA1406: Get ability to find process by executable content pattern": ./Response_Actions/RA_1406_get_ability_to_find_process_by_executable_content_pattern.md
      - "RA1407: Get ability to block process by executable path": ./Response_Actions/RA_1407_get_ability_to_block_process_by_executable_path.md
      - "RA1408: Get ability to block process by executable metadata": ./Response_Actions/RA_1408_get_ability_to_block_process_by_executable_metadata.md
      - "RA1409: Get ability to block process by executable hash": ./Response_Actions/RA_1409_get_ability_to_block_process_by_executable_hash.md
      - "RA1410: Get ability to block process by executable format": ./Response_Actions/RA_1410_get_ability_to_block_process_by_executable_format.md
      - "RA1411: Get ability to block process by executable content pattern": ./Response_Actions/RA_1411_get_ability_to_block_process_by_executable_content_pattern.md
      - "RA1501: Manage remote computer management system policies": ./Response_Actions/RA_1501_manage_remote_computer_management_system_policies.md
      - "RA1502: Get ability to list registry keys modified": ./Response_Actions/RA_1502_get_ability_to_list_registry_keys_modified.md
      - "RA1503: Get ability to list registry keys deleted": ./Response_Actions/RA_1503_get_ability_to_list_registry_keys_deleted.md
      - "RA1504: Get ability to list registry keys accessed": ./Response_Actions/RA_1504_get_ability_to_list_registry_keys_accessed.md
      - "RA1505: Get ability to list registry keys created": ./Response_Actions/RA_1505_get_ability_to_list_registry_keys_created.md
      - "RA1506: Get ability to list services created": ./Response_Actions/RA_1506_get_ability_to_list_services_created.md
      - "RA1507: Get ability to list services modified": ./Response_Actions/RA_1507_get_ability_to_list_services_modified.md
      - "RA1508: Get ability to list services deleted": ./Response_Actions/RA_1508_get_ability_to_list_services_deleted.md
      - "RA1509: Get ability to remove registry key": ./Response_Actions/RA_1509_get_ability_to_remove_registry_key.md
      - "RA1510: Get ability to remove service": ./Response_Actions/RA_1510_get_ability_to_remove_service.md
      - "RA1511: Get ability to analyse registry key": ./Response_Actions/RA_1511_get_ability_to_analyse_registry_key.md
      - "RA1601: Manage identity management system": ./Response_Actions/RA_1601_manage_identity_management_system.md
      - "RA1602: Get ability to lock user account": ./Response_Actions/RA_1602_get_ability_to_lock_user_account.md
      - "RA1603: Get ability to list users authenticated": ./Response_Actions/RA_1603_get_ability_to_list_users_authenticated.md
      - "RA1604: Get ability to revoke authentication credentials": ./Response_Actions/RA_1604_get_ability_to_revoke_authentication_credentials.md
      - "RA1605: Get ability to remove user account": ./Response_Actions/RA_1605_get_ability_to_remove_user_account.md
      - "RA1606: Get ability to list user accounts": ./Response_Actions/RA_1606_get_ability_to_list_user_accounts.md
    - Identification:
      - "RA2001: List victims of security alert": ./Response_Actions/RA_2001_list_victims_of_security_alert.md
      - "RA2002: List host vulnerabilities": ./Response_Actions/RA_2002_list_host_vulnerabilities.md
      - "RA2003: Put compromised accounts on monitoring": ./Response_Actions/RA_2003_put_compromised_accounts_on_monitoring.md
      - "RA2101: List hosts communicated with internal domain": ./Response_Actions/RA_2101_list_hosts_communicated_with_internal_domain.md
      - "RA2102: List hosts communicated with internal IP": ./Response_Actions/RA_2102_list_hosts_communicated_with_internal_ip.md
      - "RA2103: List hosts communicated with internal URL": ./Response_Actions/RA_2103_list_hosts_communicated_with_internal_url.md
      - "RA2104: Analyse domain name": ./Response_Actions/RA_2104_analyse_domain_name.md
      - "RA2105: Analyse IP": ./Response_Actions/RA_2105_analyse_ip.md
      - "RA2106: Analyse uri": ./Response_Actions/RA_2106_analyse_uri.md
      - "RA2107: List hosts communicated by port": ./Response_Actions/RA_2107_list_hosts_communicated_by_port.md
      - "RA2108: List hosts connected to VPN": ./Response_Actions/RA_2108_list_hosts_connected_to_vpn.md
      - "RA2109: List hosts connected to intranet": ./Response_Actions/RA_2109_list_hosts_connected_to_intranet.md
      - "RA2110: List data transferred": ./Response_Actions/RA_2110_list_data_transferred.md
      - "RA2111: Collect transferred data": ./Response_Actions/RA_2111_collect_transferred_data.md
      - "RA2112: Identify transferred data": ./Response_Actions/RA_2112_identify_transferred_data.md
      - "RA2113: List hosts communicated with external domain": ./Response_Actions/RA_2113_list_hosts_communicated_with_external_domain.md
      - "RA2114: List hosts communicated with external IP": ./Response_Actions/RA_2114_list_hosts_communicated_with_external_ip.md
      - "RA2115: List hosts communicated with external URL": ./Response_Actions/RA_2115_list_hosts_communicated_with_external_url.md
      - "RA2116: Find data transferred by content pattern": ./Response_Actions/RA_2116_find_data_transferred_by_content_pattern.md
      - "RA2117: Analyse user-agent": ./Response_Actions/RA_2117_analyse_user-agent.md
      - "RA2118: List Firewall rules": ./Response_Actions/RA_2118_list_firewall_rules.md
      - "RA2201: List users opened email message": ./Response_Actions/RA_2201_list_users_opened_email_message.md
      - "RA2202: Collect email message": ./Response_Actions/RA_2202_collect_email_message.md
      - "RA2203: List email message receivers": ./Response_Actions/RA_2203_list_email_message_receivers.md
      - "RA2204: Make sure email message is phishing": ./Response_Actions/RA_2204_make_sure_email_message_is_phishing.md
      - "RA2205: Extract observables from email message": ./Response_Actions/RA_2205_extract_observables_from_email_message.md
      - "RA2206: Analyse email address": ./Response_Actions/RA_2206_analyse_email_address.md
      - "RA2301: List files created": ./Response_Actions/RA_2301_list_files_created.md
      - "RA2302: List files modified": ./Response_Actions/RA_2302_list_files_modified.md
      - "RA2303: List files deleted": ./Response_Actions/RA_2303_list_files_deleted.md
      - "RA2304: List files downloaded": ./Response_Actions/RA_2304_list_files_downloaded.md
      - "RA2305: List files with tampered timestamps": ./Response_Actions/RA_2305_list_files_with_tampered_timestamps.md
      - "RA2306: Find file by path": ./Response_Actions/RA_2306_find_file_by_path.md
      - "RA2307: Find file by metadata": ./Response_Actions/RA_2307_find_file_by_metadata.md
      - "RA2308: Find file by hash": ./Response_Actions/RA_2308_find_file_by_hash.md
      - "RA2309: Find file by format": ./Response_Actions/RA_2309_find_file_by_format.md
      - "RA2310: Find file by content pattern": ./Response_Actions/RA_2310_find_file_by_content_pattern.md
      - "RA2311: Collect file": ./Response_Actions/RA_2311_collect_file.md
      - "RA2312: Analyse file hash": ./Response_Actions/RA_2312_analyse_file_hash.md
      - "RA2313: Analyse Windows PE": ./Response_Actions/RA_2313_analyse_windows_pe.md
      - "RA2314: Analyse macos macho": ./Response_Actions/RA_2314_analyse_macos_macho.md
      - "RA2315: Analyse Unix ELF": ./Response_Actions/RA_2315_analyse_unix_elf.md
      - "RA2316: Analyse MS office file": ./Response_Actions/RA_2316_analyse_ms_office_file.md
      - "RA2317: Analyse PDF file": ./Response_Actions/RA_2317_analyse_pdf_file.md
      - "RA2318: Analyse script": ./Response_Actions/RA_2318_analyse_script.md
      - "RA2319: Analyse jar": ./Response_Actions/RA_2319_analyse_jar.md
      - "RA2320: Analyse filename": ./Response_Actions/RA_2320_analyse_filename.md
      - "RA2401: List processes executed": ./Response_Actions/RA_2401_list_processes_executed.md
      - "RA2402: Find process by executable path": ./Response_Actions/RA_2402_find_process_by_executable_path.md
      - "RA2403: Find process by executable metadata": ./Response_Actions/RA_2403_find_process_by_executable_metadata.md
      - "RA2404: Find process by executable hash": ./Response_Actions/RA_2404_find_process_by_executable_hash.md
      - "RA2405: Find process by executable format": ./Response_Actions/RA_2405_find_process_by_executable_format.md
      - "RA2406: Find process by executable content pattern": ./Response_Actions/RA_2406_find_process_by_executable_content_pattern.md
      - "RA2501: List registry keys modified": ./Response_Actions/RA_2501_list_registry_keys_modified.md
      - "RA2502: List registry keys deleted": ./Response_Actions/RA_2502_list_registry_keys_deleted.md
      - "RA2503: List registry keys accessed": ./Response_Actions/RA_2503_list_registry_keys_accessed.md
      - "RA2504: List registry keys created": ./Response_Actions/RA_2504_list_registry_keys_created.md
      - "RA2505: List services created": ./Response_Actions/RA_2505_list_services_created.md
      - "RA2506: List services modified": ./Response_Actions/RA_2506_list_services_modified.md
      - "RA2507: List services deleted": ./Response_Actions/RA_2507_list_services_deleted.md
      - "RA2508: Analyse registry key": ./Response_Actions/RA_2508_analyse_registry_key.md
      - "RA2601: List users authenticated": ./Response_Actions/RA_2601_list_users_authenticated.md
      - "RA2602: List user accounts": ./Response_Actions/RA_2602_list_user_accounts.md
    - Containment:
      - "RA3001: Patch vulnerability": ./Response_Actions/RA_3001_patch_vulnerability.md
      - "RA3101: Block external IP address": ./Response_Actions/RA_3101_block_external_ip_address.md
      - "RA3102: Block internal IP address": ./Response_Actions/RA_3102_block_internal_ip_address.md
      - "RA3103: Block external domain": ./Response_Actions/RA_3103_block_external_domain.md
      - "RA3104: Block internal domain": ./Response_Actions/RA_3104_block_internal_domain.md
      - "RA3105: Block external URL": ./Response_Actions/RA_3105_block_external_url.md
      - "RA3106: Block internal URL": ./Response_Actions/RA_3106_block_internal_url.md
      - "RA3107: Block port external communication": ./Response_Actions/RA_3107_block_port_external_communication.md
      - "RA3108: Block port internal communication": ./Response_Actions/RA_3108_block_port_internal_communication.md
      - "RA3109: Block user external communication": ./Response_Actions/RA_3109_block_user_external_communication.md
      - "RA3110: Block user internal communication": ./Response_Actions/RA_3110_block_user_internal_communication.md
      - "RA3111: Block data transferring by content pattern": ./Response_Actions/RA_3111_block_data_transferring_by_content_pattern.md
      - "RA3201: Block domain on email": ./Response_Actions/RA_3201_block_domain_on_email.md
      - "RA3202: Block sender on email": ./Response_Actions/RA_3202_block_sender_on_email.md
      - "RA3203: Quarantine email message": ./Response_Actions/RA_3203_quarantine_email_message.md
      - "RA3301: Quarantine file by format": ./Response_Actions/RA_3301_quarantine_file_by_format.md
      - "RA3302: Quarantine file by hash": ./Response_Actions/RA_3302_quarantine_file_by_hash.md
      - "RA3303: Quarantine file by path": ./Response_Actions/RA_3303_quarantine_file_by_path.md
      - "RA3304: Quarantine file by content pattern": ./Response_Actions/RA_3304_quarantine_file_by_content_pattern.md
      - "RA3401: Block process by executable path": ./Response_Actions/RA_3401_block_process_by_executable_path.md
      - "RA3402: Block process by executable metadata": ./Response_Actions/RA_3402_block_process_by_executable_metadata.md
      - "RA3403: Block process by executable hash": ./Response_Actions/RA_3403_block_process_by_executable_hash.md
      - "RA3404: Block process by executable format": ./Response_Actions/RA_3404_block_process_by_executable_format.md
      - "RA3405: Block process by executable content pattern": ./Response_Actions/RA_3405_block_process_by_executable_content_pattern.md
      - "RA3501: Disable system service": ./Response_Actions/RA_3501_disable_system_service.md
      - "RA3601: Lock user account": ./Response_Actions/RA_3601_lock_user_account.md
    - Eradication:
      - "RA4001: Report incident to external companies": ./Response_Actions/RA_4001_report_incident_to_external_companies.md
      - "RA4101: Remove rogue network device": ./Response_Actions/RA_4101_remove_rogue_network_device.md
      - "RA4201: Delete email message": ./Response_Actions/RA_4201_delete_email_message.md
      - "RA4301: Remove file": ./Response_Actions/RA_4301_remove_file.md
      - "RA4501: Remove registry key": ./Response_Actions/RA_4501_remove_registry_key.md
      - "RA4502: Remove service": ./Response_Actions/RA_4502_remove_service.md
      - "RA4601: Revoke authentication credentials": ./Response_Actions/RA_4601_revoke_authentication_credentials.md
      - "RA4602: Remove user account": ./Response_Actions/RA_4602_remove_user_account.md
    - Recovery:
      - "RA5001: Reinstall host from golden image": ./Response_Actions/RA_5001_reinstall_host_from_golden_image.md
      - "RA5002: Restore data from backup": ./Response_Actions/RA_5002_restore_data_from_backup.md
      - "RA5101: Unblock blocked IP": ./Response_Actions/RA_5101_unblock_blocked_ip.md
      - "RA5102: Unblock blocked domain": ./Response_Actions/RA_5102_unblock_blocked_domain.md
      - "RA5103: Unblock blocked URL": ./Response_Actions/RA_5103_unblock_blocked_url.md
      - "RA5104: Unblock blocked port": ./Response_Actions/RA_5104_unblock_blocked_port.md
      - "RA5105: Unblock blocked user": ./Response_Actions/RA_5105_unblock_blocked_user.md
      - "RA5201: Unblock domain on email": ./Response_Actions/RA_5201_unblock_domain_on_email.md
      - "RA5202: Unblock sender on email": ./Response_Actions/RA_5202_unblock_sender_on_email.md
      - "RA5203: Restore quarantined email message": ./Response_Actions/RA_5203_restore_quarantined_email_message.md
      - "RA5301: Restore quarantined file": ./Response_Actions/RA_5301_restore_quarantined_file.md
      - "RA5401: Unblock blocked process": ./Response_Actions/RA_5401_unblock_blocked_process.md
      - "RA5501: Enable disabled service": ./Response_Actions/RA_5501_enable_disabled_service.md
      - "RA5601: Unlock locked user account": ./Response_Actions/RA_5601_unlock_locked_user_account.md
    - Lessons learned:
      - "RA6001: Develop incident report": ./Response_Actions/RA_6001_develop_incident_report.md
      - "RA6002: Conduct lessons learned exercise": ./Response_Actions/RA_6002_conduct_lessons_learned_exercise.md
  - Response Playbooks:
    - "RP0001: Phishing email": ./Response_Playbooks/RP_0001_phishing_email.md