Incident Response Runbooks with AI

Lesson 3 of 10

The Scenario

Ransomware is detected on a workstation in VLAN 30. The clock is ticking. Your team needs to isolate the threat, contain the spread, and preserve evidence — and not everyone knows the exact steps. You need an IR runbook generated for your specific environment.
The Prompt

Generate an incident response runbook for ransomware detection in my network. Specific to my environment:

- Network: Cisco switches (Catalyst 9300), Palo Alto firewall, Active Directory
- Affected segment: VLAN 30 (Engineering, 10.1.30.0/24)
- The infected host is 10.1.30.45
- Monitoring: Graylog for syslog, CrowdStrike for endpoint

Include these phases:
1. IDENTIFICATION: How to confirm it is ransomware
2. CONTAINMENT: Exact commands to isolate the host and VLAN
3. ERADICATION: Steps to remove the threat
4. RECOVERY: How to bring systems back safely
5. LESSONS LEARNED: What to document

For the containment section, give me exact CLI commands for the Cisco switch and Palo Alto firewall.

What AI Gives You

A complete, actionable runbook with:

  • Switch commands to shut the port or move to a quarantine VLAN
  • Firewall rules to block lateral movement from the subnet
  • Evidence preservation steps before reimaging
  • Communication templates for management notification

Review and Validate

  • Test the isolation commands in a lab — shutting the wrong port in production is worse than the ransomware
  • Customize for your org — AI does not know your escalation chain or backup procedures
  • Keep the runbook updated — review quarterly
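One way to act on the first bullet before an AI-generated command touches production, as an added example that is not part of this lesson: a small Python helper that locates the infected host's switch port from constructed `show ip arp` and `show mac address-table` output and only emits the Cisco IOS isolation commands when the port belongs to that single host. The MAC addresses, port names, uplink list and quarantine VLAN 999 are assumptions for the example.

```python
import re

# Constructed `show ip arp` excerpt (not from a real device); the infected host
# 10.1.30.45 is the one named in the lesson, its MAC is assumed.
ARP_OUTPUT = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.1.30.45              3   0050.56aa.1234  ARPA   Vlan30
Internet  10.1.30.77              5   0050.56aa.9abc  ARPA   Vlan30
"""

# Constructed `show mac address-table` excerpt. Te1/1/1 carries several MACs,
# which is what an uplink to another switch looks like.
MAC_OUTPUT = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  30    0050.56aa.1234    DYNAMIC     Gi1/0/12
  30    0050.56aa.5678    DYNAMIC     Gi1/0/13
  30    0050.56aa.9abc    DYNAMIC     Te1/1/1
  30    0050.56aa.def0    DYNAMIC     Te1/1/1
"""

PROTECTED_PORTS = {"Te1/1/1", "Te1/1/2"}  # assumed uplink names, never isolated
QUARANTINE_VLAN = 999                      # assumed quarantine VLAN id
MAC_RE = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"

def mac_for_ip(arp_output, ip):
    """Return the MAC the switch resolved for `ip`, or None if absent."""
    for line in arp_output.splitlines():
        m = re.match(r"Internet\s+(\S+)\s+\S+\s+(" + MAC_RE + ")", line)
        if m and m.group(1) == ip:
            return m.group(2)
    return None

def mac_table_rows(mac_output):
    """Yield (vlan, mac, port) for each learned entry, skipping headers."""
    for line in mac_output.splitlines():
        f = line.split()
        if len(f) == 4 and re.fullmatch(MAC_RE, f[1]):
            yield f[0], f[1], f[3]

def containment_commands(ip, quarantine=True, arp=ARP_OUTPUT, table=MAC_OUTPUT):
    """IOS commands to isolate `ip`; refuses ports that are not a single host's."""
    mac = mac_for_ip(arp, ip)
    if mac is None:
        raise ValueError(f"{ip} has no ARP entry; cannot locate its port")
    ports = {p for _, m, p in mac_table_rows(table) if m == mac}
    if len(ports) != 1:
        raise ValueError(f"{mac} seen on {sorted(ports)}; expected exactly one port")
    port = ports.pop()
    others = [m for _, m, p in mac_table_rows(table) if p == port and m != mac]
    if port in PROTECTED_PORTS or others:
        raise ValueError(f"{port} is an uplink or shared port; refusing to isolate")
    action = f"switchport access vlan {QUARANTINE_VLAN}" if quarantine else "shutdown"
    return ["configure terminal", f"interface {port}", action, "end"]
```

Feed it the real `show` output from the lab switch first; the refusal paths are the point, since they catch the case where the host sits behind another switch and the AI-generated `shutdown` would take down everyone on that uplink.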

Try It Yourself

Generate runbooks for your top 3 scenarios: ransomware, data exfiltration, DDoS. Customize with your actual device IPs and commands.
