Civitas EPI Rail
Civitas Analytica — Engineered truth
trust_audit / dfir / acme / eng42

Trust Audit

Executive Summary

Severity-weighted score: 0.0%
Total controls: 84
Met: 0
Partial: 0
Gap: 84

All 84 controls are recorded as gap with no evidence attached (evidence_count is 0 on every row), so the severity-weighted score is 0.0% by construction.

Key Gaps

Full Controls Table

control_id | title | objective | evidence expectations | status | severity | evidence_count

All 84 rows follow one template per incident-response phase: the objective and evidence-expectation text is identical for every control within a phase, so it is shown once per phase below, followed by the per-control columns.

Preparation (DFIR-001 to DFIR-014)
objective: Ensure Preparation procedures are documented, exercised, and reproducible for incident response readiness.
evidence expectations: Policy/procedure artifact showing ownership and cadence for Preparation.; Operational records (logs, tickets, reports, or runbooks) demonstrating Preparation execution.; Review evidence with remediation tracking for Preparation exceptions.
control_id | title | status | severity | evidence_count
DFIR-001 | Preparation readiness control 01 | gap | 1 | 0
DFIR-002 | Preparation readiness control 02 | gap | 2 | 0
DFIR-003 | Preparation readiness control 03 | gap | 3 | 0
DFIR-004 | Preparation readiness control 04 | gap | 4 | 0
DFIR-005 | Preparation readiness control 05 | gap | 5 | 0
DFIR-006 | Preparation readiness control 06 | gap | 1 | 0
DFIR-007 | Preparation readiness control 07 | gap | 2 | 0
DFIR-008 | Preparation readiness control 08 | gap | 3 | 0
DFIR-009 | Preparation readiness control 09 | gap | 4 | 0
DFIR-010 | Preparation readiness control 10 | gap | 5 | 0
DFIR-011 | Preparation readiness control 11 | gap | 1 | 0
DFIR-012 | Preparation readiness control 12 | gap | 2 | 0
DFIR-013 | Preparation readiness control 13 | gap | 3 | 0
DFIR-014 | Preparation readiness control 14 | gap | 4 | 0

DetectionAnalysis (DFIR-015 to DFIR-028)
objective: Ensure DetectionAnalysis procedures are documented, exercised, and reproducible for incident response readiness.
evidence expectations: Policy/procedure artifact showing ownership and cadence for DetectionAnalysis.; Operational records (logs, tickets, reports, or runbooks) demonstrating DetectionAnalysis execution.; Review evidence with remediation tracking for DetectionAnalysis exceptions.
control_id | title | status | severity | evidence_count
DFIR-015 | DetectionAnalysis readiness control 01 | gap | 1 | 0
DFIR-016 | DetectionAnalysis readiness control 02 | gap | 2 | 0
DFIR-017 | DetectionAnalysis readiness control 03 | gap | 3 | 0
DFIR-018 | DetectionAnalysis readiness control 04 | gap | 4 | 0
DFIR-019 | DetectionAnalysis readiness control 05 | gap | 5 | 0
DFIR-020 | DetectionAnalysis readiness control 06 | gap | 1 | 0
DFIR-021 | DetectionAnalysis readiness control 07 | gap | 2 | 0
DFIR-022 | DetectionAnalysis readiness control 08 | gap | 3 | 0
DFIR-023 | DetectionAnalysis readiness control 09 | gap | 4 | 0
DFIR-024 | DetectionAnalysis readiness control 10 | gap | 5 | 0
DFIR-025 | DetectionAnalysis readiness control 11 | gap | 1 | 0
DFIR-026 | DetectionAnalysis readiness control 12 | gap | 2 | 0
DFIR-027 | DetectionAnalysis readiness control 13 | gap | 3 | 0
DFIR-028 | DetectionAnalysis readiness control 14 | gap | 4 | 0

Containment (DFIR-029 to DFIR-042)
objective: Ensure Containment procedures are documented, exercised, and reproducible for incident response readiness.
evidence expectations: Policy/procedure artifact showing ownership and cadence for Containment.; Operational records (logs, tickets, reports, or runbooks) demonstrating Containment execution.; Review evidence with remediation tracking for Containment exceptions.
control_id | title | status | severity | evidence_count
DFIR-029 | Containment readiness control 01 | gap | 1 | 0
DFIR-030 | Containment readiness control 02 | gap | 2 | 0
DFIR-031 | Containment readiness control 03 | gap | 3 | 0
DFIR-032 | Containment readiness control 04 | gap | 4 | 0
DFIR-033 | Containment readiness control 05 | gap | 5 | 0
DFIR-034 | Containment readiness control 06 | gap | 1 | 0
DFIR-035 | Containment readiness control 07 | gap | 2 | 0
DFIR-036 | Containment readiness control 08 | gap | 3 | 0
DFIR-037 | Containment readiness control 09 | gap | 4 | 0
DFIR-038 | Containment readiness control 10 | gap | 5 | 0
DFIR-039 | Containment readiness control 11 | gap | 1 | 0
DFIR-040 | Containment readiness control 12 | gap | 2 | 0
DFIR-041 | Containment readiness control 13 | gap | 3 | 0
DFIR-042 | Containment readiness control 14 | gap | 4 | 0

Eradication (DFIR-043 to DFIR-056)
objective: Ensure Eradication procedures are documented, exercised, and reproducible for incident response readiness.
evidence expectations: Policy/procedure artifact showing ownership and cadence for Eradication.; Operational records (logs, tickets, reports, or runbooks) demonstrating Eradication execution.; Review evidence with remediation tracking for Eradication exceptions.
control_id | title | status | severity | evidence_count
DFIR-043 | Eradication readiness control 01 | gap | 1 | 0
DFIR-044 | Eradication readiness control 02 | gap | 2 | 0
DFIR-045 | Eradication readiness control 03 | gap | 3 | 0
DFIR-046 | Eradication readiness control 04 | gap | 4 | 0
DFIR-047 | Eradication readiness control 05 | gap | 5 | 0
DFIR-048 | Eradication readiness control 06 | gap | 1 | 0
DFIR-049 | Eradication readiness control 07 | gap | 2 | 0
DFIR-050 | Eradication readiness control 08 | gap | 3 | 0
DFIR-051 | Eradication readiness control 09 | gap | 4 | 0
DFIR-052 | Eradication readiness control 10 | gap | 5 | 0
DFIR-053 | Eradication readiness control 11 | gap | 1 | 0
DFIR-054 | Eradication readiness control 12 | gap | 2 | 0
DFIR-055 | Eradication readiness control 13 | gap | 3 | 0
DFIR-056 | Eradication readiness control 14 | gap | 4 | 0

Recovery (DFIR-057 to DFIR-070)
objective: Ensure Recovery procedures are documented, exercised, and reproducible for incident response readiness.
evidence expectations: Policy/procedure artifact showing ownership and cadence for Recovery.; Operational records (logs, tickets, reports, or runbooks) demonstrating Recovery execution.; Review evidence with remediation tracking for Recovery exceptions.
control_id | title | status | severity | evidence_count
DFIR-057 | Recovery readiness control 01 | gap | 1 | 0
DFIR-058 | Recovery readiness control 02 | gap | 2 | 0
DFIR-059 | Recovery readiness control 03 | gap | 3 | 0
DFIR-060 | Recovery readiness control 04 | gap | 4 | 0
DFIR-061 | Recovery readiness control 05 | gap | 5 | 0
DFIR-062 | Recovery readiness control 06 | gap | 1 | 0
DFIR-063 | Recovery readiness control 07 | gap | 2 | 0
DFIR-064 | Recovery readiness control 08 | gap | 3 | 0
DFIR-065 | Recovery readiness control 09 | gap | 4 | 0
DFIR-066 | Recovery readiness control 10 | gap | 5 | 0
DFIR-067 | Recovery readiness control 11 | gap | 1 | 0
DFIR-068 | Recovery readiness control 12 | gap | 2 | 0
DFIR-069 | Recovery readiness control 13 | gap | 3 | 0
DFIR-070 | Recovery readiness control 14 | gap | 4 | 0

PostIncident (DFIR-071 to DFIR-084)
objective: Ensure PostIncident procedures are documented, exercised, and reproducible for incident response readiness.
evidence expectations: Policy/procedure artifact showing ownership and cadence for PostIncident.; Operational records (logs, tickets, reports, or runbooks) demonstrating PostIncident execution.; Review evidence with remediation tracking for PostIncident exceptions.
control_id | title | status | severity | evidence_count
DFIR-071 | PostIncident readiness control 01 | gap | 1 | 0
DFIR-072 | PostIncident readiness control 02 | gap | 2 | 0
DFIR-073 | PostIncident readiness control 03 | gap | 3 | 0
DFIR-074 | PostIncident readiness control 04 | gap | 4 | 0
DFIR-075 | PostIncident readiness control 05 | gap | 5 | 0
DFIR-076 | PostIncident readiness control 06 | gap | 1 | 0
DFIR-077 | PostIncident readiness control 07 | gap | 2 | 0
DFIR-078 | PostIncident readiness control 08 | gap | 3 | 0
DFIR-079 | PostIncident readiness control 09 | gap | 4 | 0
DFIR-080 | PostIncident readiness control 10 | gap | 5 | 0
DFIR-081 | PostIncident readiness control 11 | gap | 1 | 0
DFIR-082 | PostIncident readiness control 12 | gap | 2 | 0
DFIR-083 | PostIncident readiness control 13 | gap | 3 | 0
DFIR-084 | PostIncident readiness control 14 | gap | 4 | 0

Gap Register

control_id | title | status | severity | evidence_count | missing_evidence | evidence expectations
DFIR-001 | Preparation readiness control 01 | gap | 1 | 0 | 3 | Policy/procedure artifact showing ownership and cadence for Preparation.; Operational records (logs, tickets, reports, or runbooks) demonstrating Preparation execution.; Review evidence with remediation tracking for Preparation exceptions.
DFIR-002 | Preparation readiness control 02 | gap | 2 | 0 | 3 | Policy/procedure artifact showing ownership and cadence for Preparation.; Operational records (logs, tickets, reports, or runbooks) demonstrating Preparation execution.; Review evidence with remediation tracking for Preparation exceptions.
DFIR-003 | Preparation readiness control 03 | gap | 3 | 0 | 3 | Policy/procedure artifact showing ownership and cadence for Preparation.; Operational records (logs, tickets, reports, or runbooks) demonstrating Preparation execution.; Review evidence with remediation tracking for Preparation exceptions.
DFIR-004 | Preparation readiness control 04 | gap | 4 | 0 | 3 | Policy/procedure artifact showing ownership and cadence for Preparation.; Operational records (logs, tickets, reports, or runbooks) demonstrating Preparation execution.; Review evidence with remediation tracking for Preparation exceptions.
DFIR-005 | Preparation readiness control 05 | gap | 5 | 0 | 3 | Policy/procedure artifact showing ownership and cadence for Preparation.; Operational records (logs, tickets, reports, or runbooks) demonstrating Preparation execution.; Review evidence with remediation tracking for Preparation exceptions.
DFIR-006 | Preparation readiness control 06 | gap | 1 | 0 | 3 | Policy/procedure artifact showing ownership and cadence for Preparation.; Operational records (logs, tickets, reports, or runbooks) demonstrating Preparation execution.; Review evidence with remediation tracking for Preparation exceptions.
DFIR-007 | Preparation readiness control 07 | gap | 2 | 0 | 3 | Policy/procedure artifact showing ownership and cadence for Preparation.; Operational records (logs, tickets, reports, or runbooks) demonstrating Preparation execution.; Review evidence with remediation tracking for Preparation exceptions.
DFIR-008 | Preparation readiness control 08 | gap | 3 | 0 | 3 | Policy/procedure artifact showing ownership and cadence for Preparation.; Operational records (logs, tickets, reports, or runbooks) demonstrating Preparation execution.; Review evidence with remediation tracking for Preparation exceptions.
DFIR-009 | Preparation readiness control 09 | gap | 4 | 0 | 3 | Policy/procedure artifact showing ownership and cadence for Preparation.; Operational records (logs, tickets, reports, or runbooks) demonstrating Preparation execution.; Review evidence with remediation tracking for Preparation exceptions.
DFIR-010 | Preparation readiness control 10 | gap | 5 | 0 | 3 | Policy/procedure artifact showing ownership and cadence for Preparation.; Operational records (logs, tickets, reports, or runbooks) demonstrating Preparation execution.; Review evidence with remediation tracking for Preparation exceptions.
DFIR-011 | Preparation readiness control 11 | gap | 1 | 0 | 3 | Policy/procedure artifact showing ownership and cadence for Preparation.; Operational records (logs, tickets, reports, or runbooks) demonstrating Preparation execution.; Review evidence with remediation tracking for Preparation exceptions.
DFIR-012 | Preparation readiness control 12 | gap | 2 | 0 | 3 | Policy/procedure artifact showing ownership and cadence for Preparation.; Operational records (logs, tickets, reports, or runbooks) demonstrating Preparation execution.; Review evidence with remediation tracking for Preparation exceptions.
DFIR-013 | Preparation readiness control 13 | gap | 3 | 0 | 3 | Policy/procedure artifact showing ownership and cadence for Preparation.; Operational records (logs, tickets, reports, or runbooks) demonstrating Preparation execution.; Review evidence with remediation tracking for Preparation exceptions.
DFIR-014 | Preparation readiness control 14 | gap | 4 | 0 | 3 | Policy/procedure artifact showing ownership and cadence for Preparation.; Operational records (logs, tickets, reports, or runbooks) demonstrating Preparation execution.; Review evidence with remediation tracking for Preparation exceptions.
DFIR-015 | DetectionAnalysis readiness control 01 | gap | 1 | 0 | 3 | Policy/procedure artifact showing ownership and cadence for DetectionAnalysis.; Operational records (logs, tickets, reports, or runbooks) demonstrating DetectionAnalysis execution.; Review evidence with remediation tracking for DetectionAnalysis exceptions.
DFIR-016 | DetectionAnalysis readiness control 02 | gap | 2 | 0 | 3 | Policy/procedure artifact showing ownership and cadence for DetectionAnalysis.; Operational records (logs, tickets, reports, or runbooks) demonstrating DetectionAnalysis execution.; Review evidence with remediation tracking for DetectionAnalysis exceptions.
DFIR-017 | DetectionAnalysis readiness control 03 | gap | 3 | 0 | 3 | Policy/procedure artifact showing ownership and cadence for DetectionAnalysis.; Operational records (logs, tickets, reports, or runbooks) demonstrating DetectionAnalysis execution.; Review evidence with remediation tracking for DetectionAnalysis exceptions.
DFIR-018 | DetectionAnalysis readiness control 04 | gap | 4 | 0 | 3 | Policy/procedure artifact showing ownership and cadence for DetectionAnalysis.; Operational records (logs, tickets, reports, or runbooks) demonstrating DetectionAnalysis execution.; Review evidence with remediation tracking for DetectionAnalysis exceptions.
DFIR-019 | DetectionAnalysis readiness control 05 | gap | 5 | 0 | 3 | Policy/procedure artifact showing ownership and cadence for DetectionAnalysis.; Operational records (logs, tickets, reports, or runbooks) demonstrating DetectionAnalysis execution.; Review evidence with remediation tracking for DetectionAnalysis exceptions.
DFIR-020 | DetectionAnalysis readiness control 06 | gap | 1 | 0 | 3 | Policy/procedure artifact showing ownership and cadence for DetectionAnalysis.; Operational records (logs, tickets, reports, or runbooks) demonstrating DetectionAnalysis execution.; Review evidence with remediation tracking for DetectionAnalysis exceptions.
DFIR-021 | DetectionAnalysis readiness control 07 | gap | 2 | 0 | 3 | Policy/procedure artifact showing ownership and cadence for DetectionAnalysis.; Operational records (logs, tickets, reports, or runbooks) demonstrating DetectionAnalysis execution.; Review evidence with remediation tracking for DetectionAnalysis exceptions.
DFIR-022 | DetectionAnalysis readiness control 08 | gap | 3 | 0 | 3 | Policy/procedure artifact showing ownership and cadence for DetectionAnalysis.; Operational records (logs, tickets, reports, or runbooks) demonstrating DetectionAnalysis execution.; Review evidence with remediation tracking for DetectionAnalysis exceptions.
DFIR-023 | DetectionAnalysis readiness control 09 | gap | 4 | 0 | 3 | Policy/procedure artifact showing ownership and cadence for DetectionAnalysis.; Operational records (logs, tickets, reports, or runbooks) demonstrating DetectionAnalysis execution.; Review evidence with remediation tracking for DetectionAnalysis exceptions.
DFIR-024 | DetectionAnalysis readiness control 10 | gap | 5 | 0 | 3 | Policy/procedure artifact showing ownership and cadence for DetectionAnalysis.; Operational records (logs, tickets, reports, or runbooks) demonstrating DetectionAnalysis execution.; Review evidence with remediation tracking for DetectionAnalysis exceptions.
DFIR-025 | DetectionAnalysis readiness control 11 | gap | 1 | 0 | 3 | Policy/procedure artifact showing ownership and cadence for DetectionAnalysis.; Operational records (logs, tickets, reports, or runbooks) demonstrating DetectionAnalysis execution.; Review evidence with remediation tracking for DetectionAnalysis exceptions.
DFIR-026 | DetectionAnalysis readiness control 12 | gap | 2 | 0 | 3 | Policy/procedure artifact showing ownership and cadence for DetectionAnalysis.; Operational records (logs, tickets, reports, or runbooks) demonstrating DetectionAnalysis execution.; Review evidence with remediation tracking for DetectionAnalysis exceptions.
DFIR-027 | DetectionAnalysis readiness control 13 | gap | 3 | 0 | 3 | Policy/procedure artifact showing ownership and cadence for DetectionAnalysis.; Operational records (logs, tickets, reports, or runbooks) demonstrating DetectionAnalysis execution.; Review evidence with remediation tracking for DetectionAnalysis exceptions.
DFIR-028 | DetectionAnalysis readiness control 14 | gap | 4 | 0 | 3 | Policy/procedure artifact showing ownership and cadence for DetectionAnalysis.; Operational records (logs, tickets, reports, or runbooks) demonstrating DetectionAnalysis execution.; Review evidence with remediation tracking for DetectionAnalysis exceptions.
DFIR-029 | Containment readiness control 01 | gap | 1 | 0 | 3 | Policy/procedure artifact showing ownership and cadence for Containment.; Operational records (logs, tickets, reports, or runbooks) demonstrating Containment execution.; Review evidence with remediation tracking for Containment exceptions.
DFIR-030 | Containment readiness control 02 | gap | 2 | 0 | 3 | Policy/procedure artifact showing ownership and cadence for Containment.; Operational records (logs, tickets, reports, or runbooks) demonstrating Containment execution.; Review evidence with remediation tracking for Containment exceptions.
DFIR-031 | Containment readiness control 03 | gap | 3 | 0 | 3 | Policy/procedure artifact showing ownership and cadence for Containment.; Operational records (logs, tickets, reports, or runbooks) demonstrating Containment execution.; Review evidence with remediation tracking for Containment exceptions.
DFIR-032 | Containment readiness control 04 | gap | 4 | 0 | 3 | Policy/procedure artifact showing ownership and cadence for Containment.; Operational records (logs, tickets, reports, or runbooks) demonstrating Containment execution.; Review evidence with remediation tracking for Containment exceptions.
DFIR-033 | Containment readiness control 05 | gap | 5 | 0 | 3 | Policy/procedure artifact showing ownership and cadence for Containment.; Operational records (logs, tickets, reports, or runbooks) demonstrating Containment execution.; Review evidence with remediation tracking for Containment exceptions.
DFIR-034 | Containment readiness control 06 | gap | 1 | 0 | 3 | Policy/procedure artifact showing ownership and cadence for Containment.; Operational records (logs, tickets, reports, or runbooks) demonstrating Containment execution.; Review evidence with remediation tracking for Containment exceptions.
DFIR-035 | Containment readiness control 07 | gap | 2 | 0 | 3 | Policy/procedure artifact showing ownership and cadence for Containment.; Operational records (logs, tickets, reports, or runbooks) demonstrating Containment execution.; Review evidence with remediation tracking for Containment exceptions.
DFIR-036 | Containment readiness control 08 | gap | 3 | 0 | 3 | Policy/procedure artifact showing ownership and cadence for Containment.; Operational records (logs, tickets, reports, or runbooks) demonstrating Containment execution.; Review evidence with remediation tracking for Containment exceptions.
DFIR-037 | Containment readiness control 09 | gap | 4 | 0 | 3 | Policy/procedure artifact showing ownership and cadence for Containment.; Operational records (logs, tickets, reports, or runbooks) demonstrating Containment execution.; Review evidence with remediation tracking for Containment exceptions.
DFIR-038 | Containment readiness control 10 | gap | 5 | 0 | 3 | Policy/procedure artifact showing ownership and cadence for Containment.; Operational records (logs, tickets, reports, or runbooks) demonstrating Containment execution.; Review evidence with remediation tracking for Containment exceptions.
DFIR-039 | Containment readiness control 11 | gap | 1 | 0 | 3 | Policy/procedure artifact showing ownership and cadence for Containment.; Operational records (logs, tickets, reports, or runbooks) demonstrating Containment execution.; Review evidence with remediation tracking for Containment exceptions.
DFIR-040 | Containment readiness control 12 | gap | 2 | 0 | 3 | Policy/procedure artifact showing ownership and cadence for Containment.; Operational records (logs, tickets, reports, or runbooks) demonstrating Containment execution.; Review evidence with remediation tracking for Containment exceptions.
DFIR-041 | Containment readiness control 13 | gap | 3 | 0 | 3 | Policy/procedure artifact showing ownership and cadence for Containment.; Operational records (logs, tickets, reports, or runbooks) demonstrating Containment execution.; Review evidence with remediation tracking for Containment exceptions.
DFIR-042 | Containment readiness control 14 | gap | 4 | 0 | 3 | Policy/procedure artifact showing ownership and cadence for Containment.; Operational records (logs, tickets, reports, or runbooks) demonstrating Containment execution.; Review evidence with remediation tracking for Containment exceptions.
DFIR-043 | Eradication readiness control 01 | gap | 1 | 0 | 3 | Policy/procedure artifact showing ownership and cadence for Eradication.; Operational records (logs, tickets, reports, or runbooks) demonstrating Eradication execution.; Review evidence with remediation tracking for Eradication exceptions.
DFIR-044 | Eradication readiness control 02 | gap | 2 | 0 | 3 | Policy/procedure artifact showing ownership and cadence for Eradication.; Operational records (logs, tickets, reports, or runbooks) demonstrating Eradication execution.; Review evidence with remediation tracking for Eradication exceptions.
DFIR-045 | Eradication readiness control 03 | gap | 3 | 0 | 3 | Policy/procedure artifact showing ownership and cadence for Eradication.; Operational records (logs, tickets, reports, or runbooks) demonstrating Eradication execution.; Review evidence with remediation tracking for Eradication exceptions.
DFIR-046 | Eradication readiness control 04 | gap | 4 | 0 | 3 | Policy/procedure artifact showing ownership and cadence for Eradication.; Operational records (logs, tickets, reports, or runbooks) demonstrating Eradication execution.; Review evidence with remediation tracking for Eradication exceptions.
DFIR-047 | Eradication readiness control 05 | gap | 5 | 0 | 3 | Policy/procedure artifact showing ownership and cadence for Eradication.; Operational records (logs, tickets, reports, or runbooks) demonstrating Eradication execution.; Review evidence with remediation tracking for Eradication exceptions.
DFIR-048 | Eradication readiness control 06 | gap | 1 | 0 | 3 | Policy/procedure artifact showing ownership and cadence for Eradication.; Operational records (logs, tickets, reports, or runbooks) demonstrating Eradication execution.; Review evidence with remediation tracking for Eradication exceptions.
DFIR-049 | Eradication readiness control 07 | gap | 2 | 0 | 3 | Policy/procedure artifact showing ownership and cadence for Eradication.; Operational records (logs, tickets, reports, or runbooks) demonstrating Eradication execution.; Review evidence with remediation tracking for Eradication exceptions.
DFIR-050 | Eradication readiness control 08 | gap | 3 | 0 | 3 | Policy/procedure artifact showing ownership and cadence for Eradication.; Operational records (logs, tickets, reports, or runbooks) demonstrating Eradication execution.; Review evidence with remediation tracking for Eradication exceptions.
DFIR-051 | Eradication readiness control 09 | gap | 4 | 0 | 3 | Policy/procedure artifact showing ownership and cadence for Eradication.; Operational records (logs, tickets, reports, or runbooks) demonstrating Eradication execution.; Review evidence with remediation tracking for Eradication exceptions.
DFIR-052 | Eradication readiness control 10 | gap | 5 | 0 | 3 | Policy/procedure artifact showing ownership and cadence for Eradication.; Operational records (logs, tickets, reports, or runbooks) demonstrating Eradication execution.; Review evidence with remediation tracking for Eradication exceptions.
DFIR-053 | Eradication readiness control 11 | gap | 1 | 0 | 3 | Policy/procedure artifact showing ownership and cadence for Eradication.; Operational records (logs, tickets, reports, or runbooks) demonstrating Eradication execution.; Review evidence with remediation tracking for Eradication exceptions.
DFIR-054 | Eradication readiness control 12 | gap | 2 | 0 | 3 | Policy/procedure artifact showing ownership and cadence for Eradication.; Operational records (logs, tickets, reports, or runbooks) demonstrating Eradication execution.; Review evidence with remediation tracking for Eradication exceptions.
DFIR-055 | Eradication readiness control 13 | gap | 3 | 0 | 3 | Policy/procedure artifact showing ownership and cadence for Eradication.; Operational records (logs, tickets, reports, or runbooks) demonstrating Eradication execution.; Review evidence with remediation tracking for Eradication exceptions.
DFIR-056 | Eradication readiness control 14 | gap | 4 | 0 | 3 | Policy/procedure artifact showing ownership and cadence for Eradication.; Operational records (logs, tickets, reports, or runbooks) demonstrating Eradication execution.; Review evidence with remediation tracking for Eradication exceptions.
DFIR-057 | Recovery readiness control 01 | gap | 1 | 0 | 3 | Policy/procedure artifact showing ownership and cadence for Recovery.; Operational records (logs, tickets, reports, or runbooks) demonstrating Recovery execution.; Review evidence with remediation tracking for Recovery exceptions.
DFIR-058 | Recovery readiness control 02 | gap | 2 | 0 | 3 | Policy/procedure artifact showing ownership and cadence for Recovery.; Operational records (logs, tickets, reports, or runbooks) demonstrating Recovery execution.; Review evidence with remediation tracking for Recovery exceptions.
DFIR-059 | Recovery readiness control 03 | gap | 3 | 0 | 3 | Policy/procedure artifact showing ownership and cadence for Recovery.; Operational records (logs, tickets, reports, or runbooks) demonstrating Recovery execution.; Review evidence with remediation tracking for Recovery exceptions.
DFIR-060 | Recovery readiness control 04 | gap | 4 | 0 | 3 | Policy/procedure artifact showing ownership and cadence for Recovery.; Operational records (logs, tickets, reports, or runbooks) demonstrating Recovery execution.; Review evidence with remediation tracking for Recovery exceptions.
DFIR-061 | Recovery readiness control 05 | gap | 5 | 0 | 3 | Policy/procedure artifact showing ownership and cadence for Recovery.; Operational records (logs, tickets, reports, or runbooks) demonstrating Recovery execution.; Review evidence with remediation tracking for Recovery exceptions.
DFIR-062 | Recovery readiness control 06 | gap | 1 | 0 | 3 | Policy/procedure artifact showing ownership and cadence for Recovery.; Operational records (logs, tickets, reports, or runbooks) demonstrating Recovery execution.; Review evidence with remediation tracking for Recovery exceptions.
DFIR-063 | Recovery readiness control 07 | gap | 2 | 0 | 3 | Policy/procedure artifact showing ownership and cadence for Recovery.; Operational records (logs, tickets, reports, or runbooks) demonstrating Recovery execution.; Review evidence with remediation tracking for Recovery exceptions.
DFIR-064 | Recovery readiness control 08 | gap | 3 | 0 | 3 | Policy/procedure artifact showing ownership and cadence for Recovery.; Operational records (logs, tickets, reports, or runbooks) demonstrating Recovery execution.; Review evidence with remediation tracking for Recovery exceptions.
DFIR-065 | Recovery readiness control 09 | gap | 4 | 0 | 3 | Policy/procedure artifact showing ownership and cadence for Recovery.; Operational records (logs, tickets, reports, or runbooks) demonstrating Recovery execution.; Review evidence with remediation tracking for Recovery exceptions.
DFIR-066 | Recovery readiness control 10 | gap | 5 | 0 | 3 | Policy/procedure artifact showing ownership and cadence for Recovery.; Operational records (logs, tickets, reports, or runbooks) demonstrating Recovery execution.; Review evidence with remediation tracking for Recovery exceptions.
DFIR-067 | Recovery readiness control 11 | gap | 1 | 0 | 3 | Policy/procedure artifact showing ownership and cadence for Recovery.; Operational records (logs, tickets, reports, or runbooks) demonstrating Recovery execution.; Review evidence with remediation tracking for Recovery exceptions.
DFIR-068 | Recovery readiness control 12 | gap | 2 | 0 | 3 | Policy/procedure artifact showing ownership and cadence for Recovery.; Operational records (logs, tickets, reports, or runbooks) demonstrating Recovery execution.; Review evidence with remediation tracking for Recovery exceptions.
DFIR-069 | Recovery readiness control 13 | gap | 3 | 0 | 3 | Policy/procedure artifact showing ownership and cadence for Recovery.; Operational records (logs, tickets, reports, or runbooks) demonstrating Recovery execution.; Review evidence with remediation tracking for Recovery exceptions.
DFIR-070 | Recovery readiness control 14 | gap | 4 | 0 | 3 | Policy/procedure artifact showing ownership and cadence for Recovery.; Operational records (logs, tickets, reports, or runbooks) demonstrating Recovery execution.; Review evidence with remediation tracking for Recovery exceptions.
DFIR-071 | PostIncident readiness control 01 | gap | 1 | 0 | 3 | Policy/procedure artifact showing ownership and cadence for PostIncident.; Operational records (logs, tickets, reports, or runbooks) demonstrating PostIncident execution.; Review evidence with remediation tracking for PostIncident exceptions.
DFIR-072 | PostIncident readiness control 02 | gap | 2 | 0 | 3 | Policy/procedure artifact showing ownership and cadence for PostIncident.; Operational records (logs, tickets, reports, or runbooks) demonstrating PostIncident execution.; Review evidence with remediation tracking for PostIncident exceptions.
DFIR-073 | PostIncident readiness control 03 | gap | 3 | 0 | 3 | Policy/procedure artifact showing ownership and cadence for PostIncident.; Operational records (logs, tickets, reports, or runbooks) demonstrating PostIncident execution.; Review evidence with remediation tracking for PostIncident exceptions.
DFIR-074 | PostIncident readiness control 04 | gap | 4 | 0 | 3 | Policy/procedure artifact showing ownership and cadence for PostIncident.; Operational records (logs, tickets, reports, or runbooks) demonstrating PostIncident execution.; Review evidence with remediation tracking for PostIncident exceptions.
DFIR-075 | PostIncident readiness control 05 | gap | 5 | 0 | 3 | Policy/procedure artifact showing ownership and cadence for PostIncident.; Operational records (logs, tickets, reports, or runbooks) demonstrating PostIncident execution.; Review evidence with remediation tracking for PostIncident exceptions.
DFIR-076 | PostIncident readiness control 06 | gap | 1 | 0 | 3 | Policy/procedure artifact showing ownership and cadence for PostIncident.; Operational records (logs, tickets, reports, or runbooks) demonstrating PostIncident execution.; Review evidence with remediation tracking for PostIncident exceptions.
DFIR-077 | PostIncident readiness control 07 | gap | 2 | 0 | 3 | Policy/procedure artifact showing ownership and cadence for PostIncident.; Operational records (logs, tickets, reports, or runbooks) demonstrating PostIncident execution.; Review evidence with remediation tracking for PostIncident exceptions.
DFIR-078 | PostIncident readiness control 08 | gap | 3 | 0 | 3 | Policy/procedure artifact showing ownership and cadence for PostIncident.; Operational records (logs, tickets, reports, or runbooks) demonstrating PostIncident execution.; Review evidence with remediation tracking for PostIncident exceptions.
DFIR-079 | PostIncident readiness control 09 | gap | 4 | 0 | 3 | Policy/procedure artifact showing ownership and cadence for PostIncident.; Operational records (logs, tickets, reports, or runbooks) demonstrating PostIncident execution.; Review evidence with remediation tracking for PostIncident exceptions.
DFIR-080 | PostIncident readiness control 10 | gap | 5 | 0 | 3 | Policy/procedure artifact showing ownership and cadence for PostIncident.; Operational records (logs, tickets, reports, or runbooks) demonstrating PostIncident execution.; Review evidence with remediation tracking for PostIncident exceptions.
DFIR-081 | PostIncident readiness control 11 | gap | 1 | 0 | 3 | Policy/procedure artifact showing ownership and cadence for PostIncident.; Operational records (logs, tickets, reports, or runbooks) demonstrating PostIncident execution.; Review evidence with remediation tracking for PostIncident exceptions.
DFIR-082 | PostIncident readiness control 12 | gap | 2 | 0 | 3 | Policy/procedure artifact showing ownership and cadence for PostIncident.; Operational records (logs, tickets, reports, or runbooks) demonstrating PostIncident execution.; Review evidence with remediation tracking for PostIncident exceptions.
DFIR-083 | PostIncident readiness control 13 | gap | 3 | 0 | 3 | Policy/procedure artifact showing ownership and cadence for PostIncident.; Operational records (logs, tickets, reports, or runbooks) demonstrating PostIncident execution.; Review evidence with remediation tracking for PostIncident exceptions.
DFIR-084 | PostIncident readiness control 14 | gap | 4 | 0 | 3 | Policy/procedure artifact showing ownership and cadence for PostIncident.; Operational records (logs, tickets, reports, or runbooks) demonstrating PostIncident execution.; Review evidence with remediation tracking for PostIncident exceptions.

Evidence Appendix

DFIR-001 - Preparation readiness control 01

gap | severity 1 | evidence_count 0

Ensure Preparation procedures are documented, exercised, and reproducible for incident response readiness.

Expected evidence: Policy/procedure artifact showing ownership and cadence for Preparation.; Operational records (logs, tickets, reports, or runbooks) demonstrating Preparation execution.; Review evidence with remediation tracking for Preparation exceptions.

DFIR-Q-001 - incident response plan evidence owner review log ticket runbook timeline

tags: preparation, planning, governance, readiness, incident_response, dfir | hits: 0

No direct evidence hits for this query.

DFIR-Q-005 - chain-of-custody template evidence owner review log ticket runbook timeline

tags: preparation, planning, governance, readiness, incident_response, dfir, evidence, forensics | hits: 0

No direct evidence hits for this query.

DFIR-Q-006 - escalation matrix evidence owner review log ticket runbook timeline

tags: preparation, planning, governance, readiness, incident_response, dfir | hits: 0

No direct evidence hits for this query.

DFIR-Q-007 - training exercise records evidence owner review log ticket runbook timeline

tags: preparation, planning, governance, readiness, incident_response, dfir | hits: 0

No direct evidence hits for this query.

DFIR-Q-008 - tabletop outcomes evidence owner review log ticket runbook timeline

tags: preparation, planning, governance, readiness, incident_response, dfir | hits: 0

No direct evidence hits for this query.

DFIR-Q-041 - post-incident review minutes evidence owner review log ticket runbook timeline

tags: postincident, lessons_learned, improvement, governance, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-002 - Preparation readiness control 02

gap | severity 2 | evidence_count 0

Ensure Preparation procedures are documented, exercised, and reproducible for incident response readiness.

Expected evidence: Policy/procedure artifact showing ownership and cadence for Preparation.; Operational records (logs, tickets, reports, or runbooks) demonstrating Preparation execution.; Review evidence with remediation tracking for Preparation exceptions.

DFIR-Q-001 - incident response plan evidence owner review log ticket runbook timeline

tags: preparation, planning, governance, readiness, incident_response, dfir | hits: 0

No direct evidence hits for this query.

DFIR-Q-006 - escalation matrix evidence owner review log ticket runbook timeline

tags: preparation, planning, governance, readiness, incident_response, dfir | hits: 0

No direct evidence hits for this query.

DFIR-Q-007 - training exercise records evidence owner review log ticket runbook timeline

tags: preparation, planning, governance, readiness, incident_response, dfir | hits: 0

No direct evidence hits for this query.

DFIR-Q-008 - tabletop outcomes evidence owner review log ticket runbook timeline

tags: preparation, planning, governance, readiness, incident_response, dfir | hits: 0

No direct evidence hits for this query.

DFIR-Q-041 - post-incident review minutes evidence owner review log ticket runbook timeline

tags: postincident, lessons_learned, improvement, governance, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-042 - lessons learned register evidence owner review log ticket runbook timeline

tags: postincident, lessons_learned, improvement, governance, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-003 - Preparation readiness control 03

gap | severity 3 | evidence_count 0

Ensure Preparation procedures are documented, exercised, and reproducible for incident response readiness.

Expected evidence: Policy/procedure artifact showing ownership and cadence for Preparation.; Operational records (logs, tickets, reports, or runbooks) demonstrating Preparation execution.; Review evidence with remediation tracking for Preparation exceptions.

DFIR-Q-001 - incident response plan evidence owner review log ticket runbook timeline

tags: preparation, planning, governance, readiness, incident_response, dfir | hits: 0

No direct evidence hits for this query.

DFIR-Q-002 - communications playbook evidence owner review log ticket runbook timeline

tags: preparation, planning, governance, readiness, incident_response, dfir, communications | hits: 0

No direct evidence hits for this query.

DFIR-Q-006 - escalation matrix evidence owner review log ticket runbook timeline

tags: preparation, planning, governance, readiness, incident_response, dfir | hits: 0

No direct evidence hits for this query.

DFIR-Q-007 - training exercise records evidence owner review log ticket runbook timeline

tags: preparation, planning, governance, readiness, incident_response, dfir | hits: 0

No direct evidence hits for this query.

DFIR-Q-008 - tabletop outcomes evidence owner review log ticket runbook timeline

tags: preparation, planning, governance, readiness, incident_response, dfir | hits: 0

No direct evidence hits for this query.

DFIR-Q-042 - lessons learned register evidence owner review log ticket runbook timeline

tags: postincident, lessons_learned, improvement, governance, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-043 - corrective action tracker evidence owner review log ticket runbook timeline

tags: postincident, lessons_learned, improvement, governance, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-004 - Preparation readiness control 04

gap | severity 4 | evidence_count 0

Ensure Preparation procedures are documented, exercised, and reproducible for incident response readiness.

Expected evidence: Policy/procedure artifact showing ownership and cadence for Preparation.; Operational records (logs, tickets, reports, or runbooks) demonstrating Preparation execution.; Review evidence with remediation tracking for Preparation exceptions.

DFIR-Q-001 - incident response plan evidence owner review log ticket runbook timeline

tags: preparation, planning, governance, readiness, incident_response, dfir | hits: 0

No direct evidence hits for this query.

DFIR-Q-002 - communications playbook evidence owner review log ticket runbook timeline

tags: preparation, planning, governance, readiness, incident_response, dfir, communications | hits: 0

No direct evidence hits for this query.

DFIR-Q-007 - training exercise records evidence owner review log ticket runbook timeline

tags: preparation, planning, governance, readiness, incident_response, dfir | hits: 0

No direct evidence hits for this query.

DFIR-Q-008 - tabletop outcomes evidence owner review log ticket runbook timeline

tags: preparation, planning, governance, readiness, incident_response, dfir | hits: 0

No direct evidence hits for this query.

DFIR-Q-043 - corrective action tracker evidence owner review log ticket runbook timeline

tags: postincident, lessons_learned, improvement, governance, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-044 - policy update changelog evidence owner review log ticket runbook timeline

tags: postincident, lessons_learned, improvement, governance, incident_response, dfir, readiness, change_management | hits: 0

No direct evidence hits for this query.

DFIR-005 - Preparation readiness control 05

gap | severity 5 | evidence_count 0

Ensure Preparation procedures are documented, exercised, and reproducible for incident response readiness.

Expected evidence: Policy/procedure artifact showing ownership and cadence for Preparation; Operational records (logs, tickets, reports, or runbooks) demonstrating Preparation execution; Review evidence with remediation tracking for Preparation exceptions.

DFIR-Q-001 - incident response plan evidence owner review log ticket runbook timeline

tags: preparation, planning, governance, readiness, incident_response, dfir | hits: 0

No direct evidence hits for this query.

DFIR-Q-002 - communications playbook evidence owner review log ticket runbook timeline

tags: preparation, planning, governance, readiness, incident_response, dfir, communications | hits: 0

No direct evidence hits for this query.

DFIR-Q-003 - stakeholder contact list evidence owner review log ticket runbook timeline

tags: preparation, planning, governance, readiness, incident_response, dfir | hits: 0

No direct evidence hits for this query.

DFIR-Q-007 - training exercise records evidence owner review log ticket runbook timeline

tags: preparation, planning, governance, readiness, incident_response, dfir | hits: 0

No direct evidence hits for this query.

DFIR-Q-008 - tabletop outcomes evidence owner review log ticket runbook timeline

tags: preparation, planning, governance, readiness, incident_response, dfir | hits: 0

No direct evidence hits for this query.

DFIR-Q-044 - policy update changelog evidence owner review log ticket runbook timeline

tags: postincident, lessons_learned, improvement, governance, incident_response, dfir, readiness, change_management | hits: 0

No direct evidence hits for this query.

DFIR-Q-045 - control improvement backlog evidence owner review log ticket runbook timeline

tags: postincident, lessons_learned, improvement, governance, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-006 - Preparation readiness control 06

gap | severity 1 | evidence_count 0

Ensure Preparation procedures are documented, exercised, and reproducible for incident response readiness.

Expected evidence: Policy/procedure artifact showing ownership and cadence for Preparation; Operational records (logs, tickets, reports, or runbooks) demonstrating Preparation execution; Review evidence with remediation tracking for Preparation exceptions.

DFIR-Q-001 - incident response plan evidence owner review log ticket runbook timeline

tags: preparation, planning, governance, readiness, incident_response, dfir | hits: 0

No direct evidence hits for this query.

DFIR-Q-002 - communications playbook evidence owner review log ticket runbook timeline

tags: preparation, planning, governance, readiness, incident_response, dfir, communications | hits: 0

No direct evidence hits for this query.

DFIR-Q-003 - stakeholder contact list evidence owner review log ticket runbook timeline

tags: preparation, planning, governance, readiness, incident_response, dfir | hits: 0

No direct evidence hits for this query.

DFIR-Q-008 - tabletop outcomes evidence owner review log ticket runbook timeline

tags: preparation, planning, governance, readiness, incident_response, dfir | hits: 0

No direct evidence hits for this query.

DFIR-Q-045 - control improvement backlog evidence owner review log ticket runbook timeline

tags: postincident, lessons_learned, improvement, governance, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-046 - executive briefing records evidence owner review log ticket runbook timeline

tags: postincident, lessons_learned, improvement, governance, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-007 - Preparation readiness control 07

gap | severity 2 | evidence_count 0

Ensure Preparation procedures are documented, exercised, and reproducible for incident response readiness.

Expected evidence: Policy/procedure artifact showing ownership and cadence for Preparation; Operational records (logs, tickets, reports, or runbooks) demonstrating Preparation execution; Review evidence with remediation tracking for Preparation exceptions.

DFIR-Q-001 - incident response plan evidence owner review log ticket runbook timeline

tags: preparation, planning, governance, readiness, incident_response, dfir | hits: 0

No direct evidence hits for this query.

DFIR-Q-002 - communications playbook evidence owner review log ticket runbook timeline

tags: preparation, planning, governance, readiness, incident_response, dfir, communications | hits: 0

No direct evidence hits for this query.

DFIR-Q-003 - stakeholder contact list evidence owner review log ticket runbook timeline

tags: preparation, planning, governance, readiness, incident_response, dfir | hits: 0

No direct evidence hits for this query.

DFIR-Q-004 - evidence handling standards evidence owner review log ticket runbook timeline

tags: preparation, planning, governance, readiness, incident_response, dfir, evidence, forensics | hits: 0

No direct evidence hits for this query.

DFIR-Q-008 - tabletop outcomes evidence owner review log ticket runbook timeline

tags: preparation, planning, governance, readiness, incident_response, dfir | hits: 0

No direct evidence hits for this query.

DFIR-Q-046 - executive briefing records evidence owner review log ticket runbook timeline

tags: postincident, lessons_learned, improvement, governance, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-047 - regulator/customer comms log evidence owner review log ticket runbook timeline

tags: postincident, lessons_learned, improvement, governance, incident_response, dfir, readiness, communications | hits: 0

No direct evidence hits for this query.

DFIR-008 - Preparation readiness control 08

gap | severity 3 | evidence_count 0

Ensure Preparation procedures are documented, exercised, and reproducible for incident response readiness.

Expected evidence: Policy/procedure artifact showing ownership and cadence for Preparation; Operational records (logs, tickets, reports, or runbooks) demonstrating Preparation execution; Review evidence with remediation tracking for Preparation exceptions.

DFIR-Q-002 - communications playbook evidence owner review log ticket runbook timeline

tags: preparation, planning, governance, readiness, incident_response, dfir, communications | hits: 0

No direct evidence hits for this query.

DFIR-Q-003 - stakeholder contact list evidence owner review log ticket runbook timeline

tags: preparation, planning, governance, readiness, incident_response, dfir | hits: 0

No direct evidence hits for this query.

DFIR-Q-004 - evidence handling standards evidence owner review log ticket runbook timeline

tags: preparation, planning, governance, readiness, incident_response, dfir, evidence, forensics | hits: 0

No direct evidence hits for this query.

DFIR-Q-047 - regulator/customer comms log evidence owner review log ticket runbook timeline

tags: postincident, lessons_learned, improvement, governance, incident_response, dfir, readiness, communications | hits: 0

No direct evidence hits for this query.

DFIR-Q-048 - evidence retention decisions evidence owner review log ticket runbook timeline

tags: postincident, lessons_learned, improvement, governance, incident_response, dfir, readiness, evidence, forensics | hits: 0

No direct evidence hits for this query.

DFIR-009 - Preparation readiness control 09

gap | severity 4 | evidence_count 0

Ensure Preparation procedures are documented, exercised, and reproducible for incident response readiness.

Expected evidence: Policy/procedure artifact showing ownership and cadence for Preparation; Operational records (logs, tickets, reports, or runbooks) demonstrating Preparation execution; Review evidence with remediation tracking for Preparation exceptions.

DFIR-Q-002 - communications playbook evidence owner review log ticket runbook timeline

tags: preparation, planning, governance, readiness, incident_response, dfir, communications | hits: 0

No direct evidence hits for this query.

DFIR-Q-003 - stakeholder contact list evidence owner review log ticket runbook timeline

tags: preparation, planning, governance, readiness, incident_response, dfir | hits: 0

No direct evidence hits for this query.

DFIR-Q-004 - evidence handling standards evidence owner review log ticket runbook timeline

tags: preparation, planning, governance, readiness, incident_response, dfir, evidence, forensics | hits: 0

No direct evidence hits for this query.

DFIR-Q-005 - chain-of-custody template evidence owner review log ticket runbook timeline

tags: preparation, planning, governance, readiness, incident_response, dfir, evidence, forensics | hits: 0

No direct evidence hits for this query.

DFIR-Q-048 - evidence retention decisions evidence owner review log ticket runbook timeline

tags: postincident, lessons_learned, improvement, governance, incident_response, dfir, readiness, evidence, forensics | hits: 0

No direct evidence hits for this query.

DFIR-010 - Preparation readiness control 10

gap | severity 5 | evidence_count 0

Ensure Preparation procedures are documented, exercised, and reproducible for incident response readiness.

Expected evidence: Policy/procedure artifact showing ownership and cadence for Preparation; Operational records (logs, tickets, reports, or runbooks) demonstrating Preparation execution; Review evidence with remediation tracking for Preparation exceptions.

DFIR-Q-003 - stakeholder contact list evidence owner review log ticket runbook timeline

tags: preparation, planning, governance, readiness, incident_response, dfir | hits: 0

No direct evidence hits for this query.

DFIR-Q-004 - evidence handling standards evidence owner review log ticket runbook timeline

tags: preparation, planning, governance, readiness, incident_response, dfir, evidence, forensics | hits: 0

No direct evidence hits for this query.

DFIR-Q-005 - chain-of-custody template evidence owner review log ticket runbook timeline

tags: preparation, planning, governance, readiness, incident_response, dfir, evidence, forensics | hits: 0

No direct evidence hits for this query.

DFIR-011 - Preparation readiness control 11

gap | severity 1 | evidence_count 0

Ensure Preparation procedures are documented, exercised, and reproducible for incident response readiness.

Expected evidence: Policy/procedure artifact showing ownership and cadence for Preparation; Operational records (logs, tickets, reports, or runbooks) demonstrating Preparation execution; Review evidence with remediation tracking for Preparation exceptions.

DFIR-Q-003 - stakeholder contact list evidence owner review log ticket runbook timeline

tags: preparation, planning, governance, readiness, incident_response, dfir | hits: 0

No direct evidence hits for this query.

DFIR-Q-004 - evidence handling standards evidence owner review log ticket runbook timeline

tags: preparation, planning, governance, readiness, incident_response, dfir, evidence, forensics | hits: 0

No direct evidence hits for this query.

DFIR-Q-005 - chain-of-custody template evidence owner review log ticket runbook timeline

tags: preparation, planning, governance, readiness, incident_response, dfir, evidence, forensics | hits: 0

No direct evidence hits for this query.

DFIR-Q-006 - escalation matrix evidence owner review log ticket runbook timeline

tags: preparation, planning, governance, readiness, incident_response, dfir | hits: 0

No direct evidence hits for this query.

DFIR-012 - Preparation readiness control 12

gap | severity 2 | evidence_count 0

Ensure Preparation procedures are documented, exercised, and reproducible for incident response readiness.

Expected evidence: Policy/procedure artifact showing ownership and cadence for Preparation; Operational records (logs, tickets, reports, or runbooks) demonstrating Preparation execution; Review evidence with remediation tracking for Preparation exceptions.

DFIR-Q-004 - evidence handling standards evidence owner review log ticket runbook timeline

tags: preparation, planning, governance, readiness, incident_response, dfir, evidence, forensics | hits: 0

No direct evidence hits for this query.

DFIR-Q-005 - chain-of-custody template evidence owner review log ticket runbook timeline

tags: preparation, planning, governance, readiness, incident_response, dfir, evidence, forensics | hits: 0

No direct evidence hits for this query.

DFIR-Q-006 - escalation matrix evidence owner review log ticket runbook timeline

tags: preparation, planning, governance, readiness, incident_response, dfir | hits: 0

No direct evidence hits for this query.

DFIR-013 - Preparation readiness control 13

gap | severity 3 | evidence_count 0

Ensure Preparation procedures are documented, exercised, and reproducible for incident response readiness.

Expected evidence: Policy/procedure artifact showing ownership and cadence for Preparation; Operational records (logs, tickets, reports, or runbooks) demonstrating Preparation execution; Review evidence with remediation tracking for Preparation exceptions.

DFIR-Q-004 - evidence handling standards evidence owner review log ticket runbook timeline

tags: preparation, planning, governance, readiness, incident_response, dfir, evidence, forensics | hits: 0

No direct evidence hits for this query.

DFIR-Q-005 - chain-of-custody template evidence owner review log ticket runbook timeline

tags: preparation, planning, governance, readiness, incident_response, dfir, evidence, forensics | hits: 0

No direct evidence hits for this query.

DFIR-Q-006 - escalation matrix evidence owner review log ticket runbook timeline

tags: preparation, planning, governance, readiness, incident_response, dfir | hits: 0

No direct evidence hits for this query.

DFIR-Q-007 - training exercise records evidence owner review log ticket runbook timeline

tags: preparation, planning, governance, readiness, incident_response, dfir | hits: 0

No direct evidence hits for this query.

DFIR-014 - Preparation readiness control 14

gap | severity 4 | evidence_count 0

Ensure Preparation procedures are documented, exercised, and reproducible for incident response readiness.

Expected evidence: Policy/procedure artifact showing ownership and cadence for Preparation; Operational records (logs, tickets, reports, or runbooks) demonstrating Preparation execution; Review evidence with remediation tracking for Preparation exceptions.

DFIR-Q-005 - chain-of-custody template evidence owner review log ticket runbook timeline

tags: preparation, planning, governance, readiness, incident_response, dfir, evidence, forensics | hits: 0

No direct evidence hits for this query.

DFIR-Q-006 - escalation matrix evidence owner review log ticket runbook timeline

tags: preparation, planning, governance, readiness, incident_response, dfir | hits: 0

No direct evidence hits for this query.

DFIR-Q-007 - training exercise records evidence owner review log ticket runbook timeline

tags: preparation, planning, governance, readiness, incident_response, dfir | hits: 0

No direct evidence hits for this query.

DFIR-015 - DetectionAnalysis readiness control 01

gap | severity 1 | evidence_count 0

Ensure DetectionAnalysis procedures are documented, exercised, and reproducible for incident response readiness.

Expected evidence: Policy/procedure artifact showing ownership and cadence for DetectionAnalysis; Operational records (logs, tickets, reports, or runbooks) demonstrating DetectionAnalysis execution; Review evidence with remediation tracking for DetectionAnalysis exceptions.

DFIR-Q-001 - incident response plan evidence owner review log ticket runbook timeline

tags: preparation, planning, governance, readiness, incident_response, dfir | hits: 0

No direct evidence hits for this query.

DFIR-Q-009 - edr telemetry evidence evidence owner review log ticket runbook timeline

tags: detection, analysis, triage, telemetry, incident_response, dfir, readiness, logging, monitoring, evidence, forensics | hits: 0

No direct evidence hits for this query.

DFIR-Q-013 - ioc tracking artifacts evidence owner review log ticket runbook timeline

tags: detection, analysis, triage, telemetry, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-014 - time sync ntp evidence evidence owner review log ticket runbook timeline

tags: detection, analysis, triage, telemetry, incident_response, dfir, readiness, evidence, forensics, time_sync | hits: 0

No direct evidence hits for this query.

DFIR-Q-015 - logging retention policy evidence owner review log ticket runbook timeline

tags: detection, analysis, triage, telemetry, incident_response, dfir, readiness, logging, monitoring | hits: 0

No direct evidence hits for this query.

DFIR-Q-016 - admin account monitoring records evidence owner review log ticket runbook timeline

tags: detection, analysis, triage, telemetry, incident_response, dfir, readiness, privileged_access | hits: 0

No direct evidence hits for this query.

DFIR-016 - DetectionAnalysis readiness control 02

gap | severity 2 | evidence_count 0

Ensure DetectionAnalysis procedures are documented, exercised, and reproducible for incident response readiness.

Expected evidence: Policy/procedure artifact showing ownership and cadence for DetectionAnalysis; Operational records (logs, tickets, reports, or runbooks) demonstrating DetectionAnalysis execution; Review evidence with remediation tracking for DetectionAnalysis exceptions.

DFIR-Q-001 - incident response plan evidence owner review log ticket runbook timeline

tags: preparation, planning, governance, readiness, incident_response, dfir | hits: 0

No direct evidence hits for this query.

DFIR-Q-002 - communications playbook evidence owner review log ticket runbook timeline

tags: preparation, planning, governance, readiness, incident_response, dfir, communications | hits: 0

No direct evidence hits for this query.

DFIR-Q-009 - edr telemetry evidence evidence owner review log ticket runbook timeline

tags: detection, analysis, triage, telemetry, incident_response, dfir, readiness, logging, monitoring, evidence, forensics | hits: 0

No direct evidence hits for this query.

DFIR-Q-014 - time sync ntp evidence evidence owner review log ticket runbook timeline

tags: detection, analysis, triage, telemetry, incident_response, dfir, readiness, evidence, forensics, time_sync | hits: 0

No direct evidence hits for this query.

DFIR-Q-015 - logging retention policy evidence owner review log ticket runbook timeline

tags: detection, analysis, triage, telemetry, incident_response, dfir, readiness, logging, monitoring | hits: 0

No direct evidence hits for this query.

DFIR-Q-016 - admin account monitoring records evidence owner review log ticket runbook timeline

tags: detection, analysis, triage, telemetry, incident_response, dfir, readiness, privileged_access | hits: 0

No direct evidence hits for this query.

DFIR-017 - DetectionAnalysis readiness control 03

gap | severity 3 | evidence_count 0

Ensure DetectionAnalysis procedures are documented, exercised, and reproducible for incident response readiness.

Expected evidence: Policy/procedure artifact showing ownership and cadence for DetectionAnalysis; Operational records (logs, tickets, reports, or runbooks) demonstrating DetectionAnalysis execution; Review evidence with remediation tracking for DetectionAnalysis exceptions.

DFIR-Q-002 - communications playbook evidence owner review log ticket runbook timeline

tags: preparation, planning, governance, readiness, incident_response, dfir, communications | hits: 0

No direct evidence hits for this query.

DFIR-Q-003 - stakeholder contact list evidence owner review log ticket runbook timeline

tags: preparation, planning, governance, readiness, incident_response, dfir | hits: 0

No direct evidence hits for this query.

DFIR-Q-009 - edr telemetry evidence evidence owner review log ticket runbook timeline

tags: detection, analysis, triage, telemetry, incident_response, dfir, readiness, logging, monitoring, evidence, forensics | hits: 0

No direct evidence hits for this query.

DFIR-Q-010 - siem alert triage logs evidence owner review log ticket runbook timeline

tags: detection, analysis, triage, telemetry, incident_response, dfir, readiness, logging, monitoring | hits: 0

No direct evidence hits for this query.

DFIR-Q-014 - time sync ntp evidence evidence owner review log ticket runbook timeline

tags: detection, analysis, triage, telemetry, incident_response, dfir, readiness, evidence, forensics, time_sync | hits: 0

No direct evidence hits for this query.

DFIR-Q-015 - logging retention policy evidence owner review log ticket runbook timeline

tags: detection, analysis, triage, telemetry, incident_response, dfir, readiness, logging, monitoring | hits: 0

No direct evidence hits for this query.

DFIR-Q-016 - admin account monitoring records evidence owner review log ticket runbook timeline

tags: detection, analysis, triage, telemetry, incident_response, dfir, readiness, privileged_access | hits: 0

No direct evidence hits for this query.

DFIR-018 - DetectionAnalysis readiness control 04

gap | severity 4 | evidence_count 0

Ensure DetectionAnalysis procedures are documented, exercised, and reproducible for incident response readiness.

Expected evidence: Policy/procedure artifact showing ownership and cadence for DetectionAnalysis; Operational records (logs, tickets, reports, or runbooks) demonstrating DetectionAnalysis execution; Review evidence with remediation tracking for DetectionAnalysis exceptions.

DFIR-Q-003 - stakeholder contact list evidence owner review log ticket runbook timeline

tags: preparation, planning, governance, readiness, incident_response, dfir | hits: 0

No direct evidence hits for this query.

DFIR-Q-004 - evidence handling standards evidence owner review log ticket runbook timeline

tags: preparation, planning, governance, readiness, incident_response, dfir, evidence, forensics | hits: 0

No direct evidence hits for this query.

DFIR-Q-009 - edr telemetry evidence evidence owner review log ticket runbook timeline

tags: detection, analysis, triage, telemetry, incident_response, dfir, readiness, logging, monitoring, evidence, forensics | hits: 0

No direct evidence hits for this query.

DFIR-Q-010 - siem alert triage logs evidence owner review log ticket runbook timeline

tags: detection, analysis, triage, telemetry, incident_response, dfir, readiness, logging, monitoring | hits: 0

No direct evidence hits for this query.

DFIR-Q-015 - logging retention policy evidence owner review log ticket runbook timeline

tags: detection, analysis, triage, telemetry, incident_response, dfir, readiness, logging, monitoring | hits: 0

No direct evidence hits for this query.

DFIR-Q-016 - admin account monitoring records evidence owner review log ticket runbook timeline

tags: detection, analysis, triage, telemetry, incident_response, dfir, readiness, privileged_access | hits: 0

No direct evidence hits for this query.

DFIR-019 - DetectionAnalysis readiness control 05

gap | severity 5 | evidence_count 0

Ensure DetectionAnalysis procedures are documented, exercised, and reproducible for incident response readiness.

Expected evidence: Policy/procedure artifact showing ownership and cadence for DetectionAnalysis; Operational records (logs, tickets, reports, or runbooks) demonstrating DetectionAnalysis execution; Review evidence with remediation tracking for DetectionAnalysis exceptions.

DFIR-Q-004 - evidence handling standards evidence owner review log ticket runbook timeline

tags: preparation, planning, governance, readiness, incident_response, dfir, evidence, forensics | hits: 0

No direct evidence hits for this query.

DFIR-Q-005 - chain-of-custody template evidence owner review log ticket runbook timeline

tags: preparation, planning, governance, readiness, incident_response, dfir, evidence, forensics | hits: 0

No direct evidence hits for this query.

DFIR-Q-009 - edr telemetry evidence evidence owner review log ticket runbook timeline

tags: detection, analysis, triage, telemetry, incident_response, dfir, readiness, logging, monitoring, evidence, forensics | hits: 0

No direct evidence hits for this query.

DFIR-Q-010 - siem alert triage logs evidence owner review log ticket runbook timeline

tags: detection, analysis, triage, telemetry, incident_response, dfir, readiness, logging, monitoring | hits: 0

No direct evidence hits for this query.

DFIR-Q-011 - incident classification records evidence owner review log ticket runbook timeline

tags: detection, analysis, triage, telemetry, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-015 - logging retention policy evidence owner review log ticket runbook timeline

tags: detection, analysis, triage, telemetry, incident_response, dfir, readiness, logging, monitoring | hits: 0

No direct evidence hits for this query.

DFIR-Q-016 - admin account monitoring records evidence owner review log ticket runbook timeline

tags: detection, analysis, triage, telemetry, incident_response, dfir, readiness, privileged_access | hits: 0

No direct evidence hits for this query.

DFIR-020 - DetectionAnalysis readiness control 06

gap | severity 1 | evidence_count 0

Ensure DetectionAnalysis procedures are documented, exercised, and reproducible for incident response readiness.

Expected evidence: Policy/procedure artifact showing ownership and cadence for DetectionAnalysis; Operational records (logs, tickets, reports, or runbooks) demonstrating DetectionAnalysis execution; Review evidence with remediation tracking for DetectionAnalysis exceptions.

DFIR-Q-005 - chain-of-custody template evidence owner review log ticket runbook timeline

tags: preparation, planning, governance, readiness, incident_response, dfir, evidence, forensics | hits: 0

No direct evidence hits for this query.

DFIR-Q-006 - escalation matrix evidence owner review log ticket runbook timeline

tags: preparation, planning, governance, readiness, incident_response, dfir | hits: 0

No direct evidence hits for this query.

DFIR-Q-009 - edr telemetry evidence evidence owner review log ticket runbook timeline

tags: detection, analysis, triage, telemetry, incident_response, dfir, readiness, logging, monitoring, evidence, forensics | hits: 0

No direct evidence hits for this query.

DFIR-Q-010 - siem alert triage logs evidence owner review log ticket runbook timeline

tags: detection, analysis, triage, telemetry, incident_response, dfir, readiness, logging, monitoring | hits: 0

No direct evidence hits for this query.

DFIR-Q-011 - incident classification records evidence owner review log ticket runbook timeline

tags: detection, analysis, triage, telemetry, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-016 - admin account monitoring records evidence owner review log ticket runbook timeline

tags: detection, analysis, triage, telemetry, incident_response, dfir, readiness, privileged_access | hits: 0

No direct evidence hits for this query.

DFIR-021 - DetectionAnalysis readiness control 07

gap | severity 2 | evidence_count 0

Ensure DetectionAnalysis procedures are documented, exercised, and reproducible for incident response readiness.

Expected evidence: Policy/procedure artifact showing ownership and cadence for DetectionAnalysis; Operational records (logs, tickets, reports, or runbooks) demonstrating DetectionAnalysis execution; Review evidence with remediation tracking for DetectionAnalysis exceptions.

DFIR-Q-006 - escalation matrix evidence owner review log ticket runbook timeline

tags: preparation, planning, governance, readiness, incident_response, dfir | hits: 0

No direct evidence hits for this query.

DFIR-Q-007 - training exercise records evidence owner review log ticket runbook timeline

tags: preparation, planning, governance, readiness, incident_response, dfir | hits: 0

No direct evidence hits for this query.

DFIR-Q-009 - edr telemetry evidence evidence owner review log ticket runbook timeline

tags: detection, analysis, triage, telemetry, incident_response, dfir, readiness, logging, monitoring, evidence, forensics | hits: 0

No direct evidence hits for this query.

DFIR-Q-010 - siem alert triage logs evidence owner review log ticket runbook timeline

tags: detection, analysis, triage, telemetry, incident_response, dfir, readiness, logging, monitoring | hits: 0

No direct evidence hits for this query.

DFIR-Q-011 - incident classification records evidence owner review log ticket runbook timeline

tags: detection, analysis, triage, telemetry, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-012 - forensic timeline notes evidence owner review log ticket runbook timeline

tags: detection, analysis, triage, telemetry, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-016 - admin account monitoring records evidence owner review log ticket runbook timeline

tags: detection, analysis, triage, telemetry, incident_response, dfir, readiness, privileged_access | hits: 0

No direct evidence hits for this query.

DFIR-022 - DetectionAnalysis readiness control 08

gap | severity 3 | evidence_count 0

Ensure DetectionAnalysis procedures are documented, exercised, and reproducible for incident response readiness.

Expected evidence: Policy/procedure artifact showing ownership and cadence for DetectionAnalysis; Operational records (logs, tickets, reports, or runbooks) demonstrating DetectionAnalysis execution; Review evidence with remediation tracking for DetectionAnalysis exceptions.

DFIR-Q-007 - training exercise records evidence owner review log ticket runbook timeline

tags: preparation, planning, governance, readiness, incident_response, dfir | hits: 0

No direct evidence hits for this query.

DFIR-Q-008 - tabletop outcomes evidence owner review log ticket runbook timeline

tags: preparation, planning, governance, readiness, incident_response, dfir | hits: 0

No direct evidence hits for this query.

DFIR-Q-010 - siem alert triage logs evidence owner review log ticket runbook timeline

tags: detection, analysis, triage, telemetry, incident_response, dfir, readiness, logging, monitoring | hits: 0

No direct evidence hits for this query.

DFIR-Q-011 - incident classification records evidence owner review log ticket runbook timeline

tags: detection, analysis, triage, telemetry, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-012 - forensic timeline notes evidence owner review log ticket runbook timeline

tags: detection, analysis, triage, telemetry, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-023 - DetectionAnalysis readiness control 09

gap | severity 4 | evidence_count 0

Ensure DetectionAnalysis procedures are documented, exercised, and reproducible for incident response readiness.

Expected evidence: Policy/procedure artifact showing ownership and cadence for DetectionAnalysis; Operational records (logs, tickets, reports, or runbooks) demonstrating DetectionAnalysis execution; Review evidence with remediation tracking for DetectionAnalysis exceptions.

DFIR-Q-008 - tabletop outcomes evidence owner review log ticket runbook timeline

tags: preparation, planning, governance, readiness, incident_response, dfir | hits: 0

No direct evidence hits for this query.

DFIR-Q-010 - siem alert triage logs evidence owner review log ticket runbook timeline

tags: detection, analysis, triage, telemetry, incident_response, dfir, readiness, logging, monitoring | hits: 0

No direct evidence hits for this query.

DFIR-Q-011 - incident classification records evidence owner review log ticket runbook timeline

tags: detection, analysis, triage, telemetry, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-012 - forensic timeline notes evidence owner review log ticket runbook timeline

tags: detection, analysis, triage, telemetry, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-013 - ioc tracking artifacts evidence owner review log ticket runbook timeline

tags: detection, analysis, triage, telemetry, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-024 - DetectionAnalysis readiness control 10

gap | severity 5 | evidence_count 0

Ensure DetectionAnalysis procedures are documented, exercised, and reproducible for incident response readiness.

Expected evidence: Policy/procedure artifact showing ownership and cadence for DetectionAnalysis; Operational records (logs, tickets, reports, or runbooks) demonstrating DetectionAnalysis execution; Review evidence with remediation tracking for DetectionAnalysis exceptions.

DFIR-Q-011 - incident classification records evidence owner review log ticket runbook timeline

tags: detection, analysis, triage, telemetry, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-012 - forensic timeline notes evidence owner review log ticket runbook timeline

tags: detection, analysis, triage, telemetry, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-013 - ioc tracking artifacts evidence owner review log ticket runbook timeline

tags: detection, analysis, triage, telemetry, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-025 - DetectionAnalysis readiness control 11

gap | severity 1 | evidence_count 0

Ensure DetectionAnalysis procedures are documented, exercised, and reproducible for incident response readiness.

Expected evidence: Policy/procedure artifact showing ownership and cadence for DetectionAnalysis; Operational records (logs, tickets, reports, or runbooks) demonstrating DetectionAnalysis execution; Review evidence with remediation tracking for DetectionAnalysis exceptions.

DFIR-Q-011 - incident classification records evidence owner review log ticket runbook timeline

tags: detection, analysis, triage, telemetry, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-012 - forensic timeline notes evidence owner review log ticket runbook timeline

tags: detection, analysis, triage, telemetry, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-013 - ioc tracking artifacts evidence owner review log ticket runbook timeline

tags: detection, analysis, triage, telemetry, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-014 - time sync ntp evidence evidence owner review log ticket runbook timeline

tags: detection, analysis, triage, telemetry, incident_response, dfir, readiness, evidence, forensics, time_sync | hits: 0

No direct evidence hits for this query.

DFIR-026 - DetectionAnalysis readiness control 12

gap | severity 2 | evidence_count 0

Ensure DetectionAnalysis procedures are documented, exercised, and reproducible for incident response readiness.

Expected evidence: Policy/procedure artifact showing ownership and cadence for DetectionAnalysis; Operational records (logs, tickets, reports, or runbooks) demonstrating DetectionAnalysis execution; Review evidence with remediation tracking for DetectionAnalysis exceptions.

DFIR-Q-012 - forensic timeline notes evidence owner review log ticket runbook timeline

tags: detection, analysis, triage, telemetry, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-013 - ioc tracking artifacts evidence owner review log ticket runbook timeline

tags: detection, analysis, triage, telemetry, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-014 - time sync ntp evidence evidence owner review log ticket runbook timeline

tags: detection, analysis, triage, telemetry, incident_response, dfir, readiness, evidence, forensics, time_sync | hits: 0

No direct evidence hits for this query.

DFIR-027 - DetectionAnalysis readiness control 13

gap | severity 3 | evidence_count 0

Ensure DetectionAnalysis procedures are documented, exercised, and reproducible for incident response readiness.

Expected evidence: Policy/procedure artifact showing ownership and cadence for DetectionAnalysis; Operational records (logs, tickets, reports, or runbooks) demonstrating DetectionAnalysis execution; Review evidence with remediation tracking for DetectionAnalysis exceptions.

DFIR-Q-012 - forensic timeline notes evidence owner review log ticket runbook timeline

tags: detection, analysis, triage, telemetry, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-013 - ioc tracking artifacts evidence owner review log ticket runbook timeline

tags: detection, analysis, triage, telemetry, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-014 - time sync ntp evidence evidence owner review log ticket runbook timeline

tags: detection, analysis, triage, telemetry, incident_response, dfir, readiness, evidence, forensics, time_sync | hits: 0

No direct evidence hits for this query.

DFIR-Q-015 - logging retention policy evidence owner review log ticket runbook timeline

tags: detection, analysis, triage, telemetry, incident_response, dfir, readiness, logging, monitoring | hits: 0

No direct evidence hits for this query.

DFIR-028 - DetectionAnalysis readiness control 14

gap | severity 4 | evidence_count 0

Ensure DetectionAnalysis procedures are documented, exercised, and reproducible for incident response readiness.

Expected evidence: Policy/procedure artifact showing ownership and cadence for DetectionAnalysis; Operational records (logs, tickets, reports, or runbooks) demonstrating DetectionAnalysis execution; Review evidence with remediation tracking for DetectionAnalysis exceptions.

DFIR-Q-013 - ioc tracking artifacts evidence owner review log ticket runbook timeline

tags: detection, analysis, triage, telemetry, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-014 - time sync ntp evidence evidence owner review log ticket runbook timeline

tags: detection, analysis, triage, telemetry, incident_response, dfir, readiness, evidence, forensics, time_sync | hits: 0

No direct evidence hits for this query.

DFIR-Q-015 - logging retention policy evidence owner review log ticket runbook timeline

tags: detection, analysis, triage, telemetry, incident_response, dfir, readiness, logging, monitoring | hits: 0

No direct evidence hits for this query.

DFIR-029 - Containment readiness control 01

gap | severity 1 | evidence_count 0

Ensure Containment procedures are documented, exercised, and reproducible for incident response readiness.

Expected evidence: Policy/procedure artifact showing ownership and cadence for Containment; Operational records (logs, tickets, reports, or runbooks) demonstrating Containment execution; Review evidence with remediation tracking for Containment exceptions.

DFIR-Q-009 - edr telemetry evidence evidence owner review log ticket runbook timeline

tags: detection, analysis, triage, telemetry, incident_response, dfir, readiness, logging, monitoring, evidence, forensics | hits: 0

No direct evidence hits for this query.

DFIR-Q-017 - host isolation records evidence owner review log ticket runbook timeline

tags: containment, isolation, segmentation, response, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-021 - privileged account disablement evidence owner review log ticket runbook timeline

tags: containment, isolation, segmentation, response, incident_response, dfir, readiness, privileged_access | hits: 0

No direct evidence hits for this query.

DFIR-Q-022 - endpoint quarantine actions evidence owner review log ticket runbook timeline

tags: containment, isolation, segmentation, response, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-023 - containment approval trail evidence owner review log ticket runbook timeline

tags: containment, isolation, segmentation, response, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-024 - containment verification checks evidence owner review log ticket runbook timeline

tags: containment, isolation, segmentation, response, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-030 - Containment readiness control 02

gap | severity 2 | evidence_count 0

Ensure Containment procedures are documented, exercised, and reproducible for incident response readiness.

Expected evidence: Policy/procedure artifact showing ownership and cadence for Containment; Operational records (logs, tickets, reports, or runbooks) demonstrating Containment execution; Review evidence with remediation tracking for Containment exceptions.

DFIR-Q-009 - edr telemetry evidence evidence owner review log ticket runbook timeline

tags: detection, analysis, triage, telemetry, incident_response, dfir, readiness, logging, monitoring, evidence, forensics | hits: 0

No direct evidence hits for this query.

DFIR-Q-010 - siem alert triage logs evidence owner review log ticket runbook timeline

tags: detection, analysis, triage, telemetry, incident_response, dfir, readiness, logging, monitoring | hits: 0

No direct evidence hits for this query.

DFIR-Q-017 - host isolation records evidence owner review log ticket runbook timeline

tags: containment, isolation, segmentation, response, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-022 - endpoint quarantine actions evidence owner review log ticket runbook timeline

tags: containment, isolation, segmentation, response, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-023 - containment approval trail evidence owner review log ticket runbook timeline

tags: containment, isolation, segmentation, response, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-024 - containment verification checks evidence owner review log ticket runbook timeline

tags: containment, isolation, segmentation, response, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-031 - Containment readiness control 03

gap | severity 3 | evidence_count 0

Ensure Containment procedures are documented, exercised, and reproducible for incident response readiness.

Expected evidence: Policy/procedure artifact showing ownership and cadence for Containment; Operational records (logs, tickets, reports, or runbooks) demonstrating Containment execution; Review evidence with remediation tracking for Containment exceptions.

DFIR-Q-010 - siem alert triage logs evidence owner review log ticket runbook timeline

tags: detection, analysis, triage, telemetry, incident_response, dfir, readiness, logging, monitoring | hits: 0

No direct evidence hits for this query.

DFIR-Q-011 - incident classification records evidence owner review log ticket runbook timeline

tags: detection, analysis, triage, telemetry, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-017 - host isolation records evidence owner review log ticket runbook timeline

tags: containment, isolation, segmentation, response, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-018 - network segmentation indicators evidence owner review log ticket runbook timeline

tags: containment, isolation, segmentation, response, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-022 - endpoint quarantine actions evidence owner review log ticket runbook timeline

tags: containment, isolation, segmentation, response, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-023 - containment approval trail evidence owner review log ticket runbook timeline

tags: containment, isolation, segmentation, response, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-024 - containment verification checks evidence owner review log ticket runbook timeline

tags: containment, isolation, segmentation, response, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-032 - Containment readiness control 04

gap | severity 4 | evidence_count 0

Ensure Containment procedures are documented, exercised, and reproducible for incident response readiness.

Expected evidence: Policy/procedure artifact showing ownership and cadence for Containment; Operational records (logs, tickets, reports, or runbooks) demonstrating Containment execution; Review evidence with remediation tracking for Containment exceptions.

DFIR-Q-011 - incident classification records evidence owner review log ticket runbook timeline

tags: detection, analysis, triage, telemetry, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-012 - forensic timeline notes evidence owner review log ticket runbook timeline

tags: detection, analysis, triage, telemetry, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-017 - host isolation records evidence owner review log ticket runbook timeline

tags: containment, isolation, segmentation, response, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-018 - network segmentation indicators evidence owner review log ticket runbook timeline

tags: containment, isolation, segmentation, response, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-023 - containment approval trail evidence owner review log ticket runbook timeline

tags: containment, isolation, segmentation, response, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-024 - containment verification checks evidence owner review log ticket runbook timeline

tags: containment, isolation, segmentation, response, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-033 - Containment readiness control 05

gap | severity 5 | evidence_count 0

Ensure Containment procedures are documented, exercised, and reproducible for incident response readiness.

Expected evidence: Policy/procedure artifact showing ownership and cadence for Containment; Operational records (logs, tickets, reports, or runbooks) demonstrating Containment execution; Review evidence with remediation tracking for Containment exceptions.

DFIR-Q-012 - forensic timeline notes evidence owner review log ticket runbook timeline

tags: detection, analysis, triage, telemetry, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-013 - ioc tracking artifacts evidence owner review log ticket runbook timeline

tags: detection, analysis, triage, telemetry, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-017 - host isolation records evidence owner review log ticket runbook timeline

tags: containment, isolation, segmentation, response, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-018 - network segmentation indicators evidence owner review log ticket runbook timeline

tags: containment, isolation, segmentation, response, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-019 - access revocation logs evidence owner review log ticket runbook timeline

tags: containment, isolation, segmentation, response, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-023 - containment approval trail evidence owner review log ticket runbook timeline

tags: containment, isolation, segmentation, response, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-024 - containment verification checks evidence owner review log ticket runbook timeline

tags: containment, isolation, segmentation, response, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-034 - Containment readiness control 06

gap | severity 1 | evidence_count 0

Ensure Containment procedures are documented, exercised, and reproducible for incident response readiness.

Expected evidence: Policy/procedure artifact showing ownership and cadence for Containment; Operational records (logs, tickets, reports, or runbooks) demonstrating Containment execution; Review evidence with remediation tracking for Containment exceptions.

DFIR-Q-013 - ioc tracking artifacts evidence owner review log ticket runbook timeline

tags: detection, analysis, triage, telemetry, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-014 - time sync ntp evidence evidence owner review log ticket runbook timeline

tags: detection, analysis, triage, telemetry, incident_response, dfir, readiness, evidence, forensics, time_sync | hits: 0

No direct evidence hits for this query.

DFIR-Q-017 - host isolation records evidence owner review log ticket runbook timeline

tags: containment, isolation, segmentation, response, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-018 - network segmentation indicators evidence owner review log ticket runbook timeline

tags: containment, isolation, segmentation, response, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-019 - access revocation logs evidence owner review log ticket runbook timeline

tags: containment, isolation, segmentation, response, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-024 - containment verification checks evidence owner review log ticket runbook timeline

tags: containment, isolation, segmentation, response, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-035 - Containment readiness control 07

gap | severity 2 | evidence_count 0

Ensure Containment procedures are documented, exercised, and reproducible for incident response readiness.

Expected evidence: Policy/procedure artifact showing ownership and cadence for Containment; Operational records (logs, tickets, reports, or runbooks) demonstrating Containment execution; Review evidence with remediation tracking for Containment exceptions.

DFIR-Q-014 - time sync ntp evidence evidence owner review log ticket runbook timeline

tags: detection, analysis, triage, telemetry, incident_response, dfir, readiness, evidence, forensics, time_sync | hits: 0

No direct evidence hits for this query.

DFIR-Q-015 - logging retention policy evidence owner review log ticket runbook timeline

tags: detection, analysis, triage, telemetry, incident_response, dfir, readiness, logging, monitoring | hits: 0

No direct evidence hits for this query.

DFIR-Q-017 - host isolation records evidence owner review log ticket runbook timeline

tags: containment, isolation, segmentation, response, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-018 - network segmentation indicators evidence owner review log ticket runbook timeline

tags: containment, isolation, segmentation, response, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-019 - access revocation logs evidence owner review log ticket runbook timeline

tags: containment, isolation, segmentation, response, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-020 - temporary firewall changes evidence owner review log ticket runbook timeline

tags: containment, isolation, segmentation, response, incident_response, dfir, readiness, change_management | hits: 0

No direct evidence hits for this query.

DFIR-Q-024 - containment verification checks evidence owner review log ticket runbook timeline

tags: containment, isolation, segmentation, response, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-036 - Containment readiness control 08

gap | severity 3 | evidence_count 0

Ensure Containment procedures are documented, exercised, and reproducible for incident response readiness.

Expected evidence: Policy/procedure artifact showing ownership and cadence for Containment; Operational records (logs, tickets, reports, or runbooks) demonstrating Containment execution; Review evidence with remediation tracking for Containment exceptions.

DFIR-Q-015 - logging retention policy evidence owner review log ticket runbook timeline

tags: detection, analysis, triage, telemetry, incident_response, dfir, readiness, logging, monitoring | hits: 0

No direct evidence hits for this query.

DFIR-Q-016 - admin account monitoring records evidence owner review log ticket runbook timeline

tags: detection, analysis, triage, telemetry, incident_response, dfir, readiness, privileged_access | hits: 0

No direct evidence hits for this query.

DFIR-Q-018 - network segmentation indicators evidence owner review log ticket runbook timeline

tags: containment, isolation, segmentation, response, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-019 - access revocation logs evidence owner review log ticket runbook timeline

tags: containment, isolation, segmentation, response, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-020 - temporary firewall changes evidence owner review log ticket runbook timeline

tags: containment, isolation, segmentation, response, incident_response, dfir, readiness, change_management | hits: 0

No direct evidence hits for this query.

DFIR-037 - Containment readiness control 09

gap | severity 4 | evidence_count 0

Ensure Containment procedures are documented, exercised, and reproducible for incident response readiness.

Expected evidence: Policy/procedure artifact showing ownership and cadence for Containment; Operational records (logs, tickets, reports, or runbooks) demonstrating Containment execution; Review evidence with remediation tracking for Containment exceptions.

DFIR-Q-016 - admin account monitoring records evidence owner review log ticket runbook timeline

tags: detection, analysis, triage, telemetry, incident_response, dfir, readiness, privileged_access | hits: 0

No direct evidence hits for this query.

DFIR-Q-018 - network segmentation indicators evidence owner review log ticket runbook timeline

tags: containment, isolation, segmentation, response, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-019 - access revocation logs evidence owner review log ticket runbook timeline

tags: containment, isolation, segmentation, response, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-020 - temporary firewall changes evidence owner review log ticket runbook timeline

tags: containment, isolation, segmentation, response, incident_response, dfir, readiness, change_management | hits: 0

No direct evidence hits for this query.

DFIR-Q-021 - privileged account disablement evidence owner review log ticket runbook timeline

tags: containment, isolation, segmentation, response, incident_response, dfir, readiness, privileged_access | hits: 0

No direct evidence hits for this query.

DFIR-038 - Containment readiness control 10

gap | severity 5 | evidence_count 0

Ensure Containment procedures are documented, exercised, and reproducible for incident response readiness.

Expected evidence: Policy/procedure artifact showing ownership and cadence for Containment; Operational records (logs, tickets, reports, or runbooks) demonstrating Containment execution; Review evidence with remediation tracking for Containment exceptions.

DFIR-Q-019 - access revocation logs evidence owner review log ticket runbook timeline

tags: containment, isolation, segmentation, response, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-020 - temporary firewall changes evidence owner review log ticket runbook timeline

tags: containment, isolation, segmentation, response, incident_response, dfir, readiness, change_management | hits: 0

No direct evidence hits for this query.

DFIR-Q-021 - privileged account disablement evidence owner review log ticket runbook timeline

tags: containment, isolation, segmentation, response, incident_response, dfir, readiness, privileged_access | hits: 0

No direct evidence hits for this query.

DFIR-039 - Containment readiness control 11

gap | severity 1 | evidence_count 0

Ensure Containment procedures are documented, exercised, and reproducible for incident response readiness.

Expected evidence: Policy/procedure artifact showing ownership and cadence for Containment; Operational records (logs, tickets, reports, or runbooks) demonstrating Containment execution; Review evidence with remediation tracking for Containment exceptions.

DFIR-Q-019 - access revocation logs evidence owner review log ticket runbook timeline

tags: containment, isolation, segmentation, response, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-020 - temporary firewall changes evidence owner review log ticket runbook timeline

tags: containment, isolation, segmentation, response, incident_response, dfir, readiness, change_management | hits: 0

No direct evidence hits for this query.

DFIR-Q-021 - privileged account disablement evidence owner review log ticket runbook timeline

tags: containment, isolation, segmentation, response, incident_response, dfir, readiness, privileged_access | hits: 0

No direct evidence hits for this query.

DFIR-Q-022 - endpoint quarantine actions evidence owner review log ticket runbook timeline

tags: containment, isolation, segmentation, response, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-040 - Containment readiness control 12

gap | severity 2 | evidence_count 0

Ensure Containment procedures are documented, exercised, and reproducible for incident response readiness.

Expected evidence: Policy/procedure artifact showing ownership and cadence for Containment; Operational records (logs, tickets, reports, or runbooks) demonstrating Containment execution; Review evidence with remediation tracking for Containment exceptions.

DFIR-Q-020 - temporary firewall changes evidence owner review log ticket runbook timeline

tags: containment, isolation, segmentation, response, incident_response, dfir, readiness, change_management | hits: 0

No direct evidence hits for this query.

DFIR-Q-021 - privileged account disablement evidence owner review log ticket runbook timeline

tags: containment, isolation, segmentation, response, incident_response, dfir, readiness, privileged_access | hits: 0

No direct evidence hits for this query.

DFIR-Q-022 - endpoint quarantine actions evidence owner review log ticket runbook timeline

tags: containment, isolation, segmentation, response, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-041 - Containment readiness control 13

gap | severity 3 | evidence_count 0

Ensure Containment procedures are documented, exercised, and reproducible for incident response readiness.

Expected evidence: Policy/procedure artifact showing ownership and cadence for Containment; Operational records (logs, tickets, reports, or runbooks) demonstrating Containment execution; Review evidence with remediation tracking for Containment exceptions.

DFIR-Q-020 - temporary firewall changes evidence owner review log ticket runbook timeline

tags: containment, isolation, segmentation, response, incident_response, dfir, readiness, change_management | hits: 0

No direct evidence hits for this query.

DFIR-Q-021 - privileged account disablement evidence owner review log ticket runbook timeline

tags: containment, isolation, segmentation, response, incident_response, dfir, readiness, privileged_access | hits: 0

No direct evidence hits for this query.

DFIR-Q-022 - endpoint quarantine actions evidence owner review log ticket runbook timeline

tags: containment, isolation, segmentation, response, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-023 - containment approval trail evidence owner review log ticket runbook timeline

tags: containment, isolation, segmentation, response, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-042 - Containment readiness control 14

gap | severity 4 | evidence_count 0

Ensure Containment procedures are documented, exercised, and reproducible for incident response readiness.

Expected evidence: Policy/procedure artifact showing ownership and cadence for Containment; Operational records (logs, tickets, reports, or runbooks) demonstrating Containment execution; Review evidence with remediation tracking for Containment exceptions.

DFIR-Q-021 - privileged account disablement evidence owner review log ticket runbook timeline

tags: containment, isolation, segmentation, response, incident_response, dfir, readiness, privileged_access | hits: 0

No direct evidence hits for this query.

DFIR-Q-022 - endpoint quarantine actions evidence owner review log ticket runbook timeline

tags: containment, isolation, segmentation, response, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-023 - containment approval trail evidence owner review log ticket runbook timeline

tags: containment, isolation, segmentation, response, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-043 - Eradication readiness control 01

gap | severity 1 | evidence_count 0

Ensure Eradication procedures are documented, exercised, and reproducible for incident response readiness.

Expected evidence: Policy/procedure artifact showing ownership and cadence for Eradication; Operational records (logs, tickets, reports, or runbooks) demonstrating Eradication execution; Review evidence with remediation tracking for Eradication exceptions.

DFIR-Q-017 - host isolation records evidence owner review log ticket runbook timeline

tags: containment, isolation, segmentation, response, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-025 - malware removal evidence evidence owner review log ticket runbook timeline

tags: eradication, remediation, patching, hardening, incident_response, dfir, readiness, evidence, forensics | hits: 0

No direct evidence hits for this query.

DFIR-Q-029 - vulnerability closure notes evidence owner review log ticket runbook timeline

tags: eradication, remediation, patching, hardening, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-030 - persistence hunting artifacts evidence owner review log ticket runbook timeline

tags: eradication, remediation, patching, hardening, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-031 - root cause remediation tickets evidence owner review log ticket runbook timeline

tags: eradication, remediation, patching, hardening, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-032 - change management records evidence owner review log ticket runbook timeline

tags: eradication, remediation, patching, hardening, incident_response, dfir, readiness, change_management | hits: 0

No direct evidence hits for this query.

DFIR-044 - Eradication readiness control 02

gap | severity 2 | evidence_count 0

Ensure Eradication procedures are documented, exercised, and reproducible for incident response readiness.

Expected evidence: Policy/procedure artifact showing ownership and cadence for Eradication; Operational records (logs, tickets, reports, or runbooks) demonstrating Eradication execution; Review evidence with remediation tracking for Eradication exceptions.

DFIR-Q-017 - host isolation records evidence owner review log ticket runbook timeline

tags: containment, isolation, segmentation, response, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-018 - network segmentation indicators evidence owner review log ticket runbook timeline

tags: containment, isolation, segmentation, response, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-025 - malware removal evidence evidence owner review log ticket runbook timeline

tags: eradication, remediation, patching, hardening, incident_response, dfir, readiness, evidence, forensics | hits: 0

No direct evidence hits for this query.

DFIR-Q-030 - persistence hunting artifacts evidence owner review log ticket runbook timeline

tags: eradication, remediation, patching, hardening, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-031 - root cause remediation tickets evidence owner review log ticket runbook timeline

tags: eradication, remediation, patching, hardening, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-032 - change management records evidence owner review log ticket runbook timeline

tags: eradication, remediation, patching, hardening, incident_response, dfir, readiness, change_management | hits: 0

No direct evidence hits for this query.

DFIR-045 - Eradication readiness control 03

gap | severity 3 | evidence_count 0

Ensure Eradication procedures are documented, exercised, and reproducible for incident response readiness.

Expected evidence: Policy/procedure artifact showing ownership and cadence for Eradication; Operational records (logs, tickets, reports, or runbooks) demonstrating Eradication execution; Review evidence with remediation tracking for Eradication exceptions.

DFIR-Q-018 - network segmentation indicators evidence owner review log ticket runbook timeline

tags: containment, isolation, segmentation, response, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-019 - access revocation logs evidence owner review log ticket runbook timeline

tags: containment, isolation, segmentation, response, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-025 - malware removal evidence evidence owner review log ticket runbook timeline

tags: eradication, remediation, patching, hardening, incident_response, dfir, readiness, evidence, forensics | hits: 0

No direct evidence hits for this query.

DFIR-Q-026 - credential reset evidence evidence owner review log ticket runbook timeline

tags: eradication, remediation, patching, hardening, incident_response, dfir, readiness, evidence, forensics | hits: 0

No direct evidence hits for this query.

DFIR-Q-030 - persistence hunting artifacts evidence owner review log ticket runbook timeline

tags: eradication, remediation, patching, hardening, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-031 - root cause remediation tickets evidence owner review log ticket runbook timeline

tags: eradication, remediation, patching, hardening, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-032 - change management records evidence owner review log ticket runbook timeline

tags: eradication, remediation, patching, hardening, incident_response, dfir, readiness, change_management | hits: 0

No direct evidence hits for this query.

DFIR-046 - Eradication readiness control 04

gap | severity 4 | evidence_count 0

Ensure Eradication procedures are documented, exercised, and reproducible for incident response readiness.

Expected evidence: Policy/procedure artifact showing ownership and cadence for Eradication; Operational records (logs, tickets, reports, or runbooks) demonstrating Eradication execution; Review evidence with remediation tracking for Eradication exceptions.

DFIR-Q-019 - access revocation logs evidence owner review log ticket runbook timeline

tags: containment, isolation, segmentation, response, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-020 - temporary firewall changes evidence owner review log ticket runbook timeline

tags: containment, isolation, segmentation, response, incident_response, dfir, readiness, change_management | hits: 0

No direct evidence hits for this query.

DFIR-Q-025 - malware removal evidence evidence owner review log ticket runbook timeline

tags: eradication, remediation, patching, hardening, incident_response, dfir, readiness, evidence, forensics | hits: 0

No direct evidence hits for this query.

DFIR-Q-026 - credential reset evidence evidence owner review log ticket runbook timeline

tags: eradication, remediation, patching, hardening, incident_response, dfir, readiness, evidence, forensics | hits: 0

No direct evidence hits for this query.

DFIR-Q-031 - root cause remediation tickets evidence owner review log ticket runbook timeline

tags: eradication, remediation, patching, hardening, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-032 - change management records evidence owner review log ticket runbook timeline

tags: eradication, remediation, patching, hardening, incident_response, dfir, readiness, change_management | hits: 0

No direct evidence hits for this query.

DFIR-047 - Eradication readiness control 05

gap | severity 5 | evidence_count 0

Ensure Eradication procedures are documented, exercised, and reproducible for incident response readiness.

Expected evidence: Policy/procedure artifact showing ownership and cadence for Eradication; Operational records (logs, tickets, reports, or runbooks) demonstrating Eradication execution; Review evidence with remediation tracking for Eradication exceptions.

DFIR-Q-020 - temporary firewall changes evidence owner review log ticket runbook timeline

tags: containment, isolation, segmentation, response, incident_response, dfir, readiness, change_management | hits: 0

No direct evidence hits for this query.

DFIR-Q-021 - privileged account disablement evidence owner review log ticket runbook timeline

tags: containment, isolation, segmentation, response, incident_response, dfir, readiness, privileged_access | hits: 0

No direct evidence hits for this query.

DFIR-Q-025 - malware removal evidence evidence owner review log ticket runbook timeline

tags: eradication, remediation, patching, hardening, incident_response, dfir, readiness, evidence, forensics | hits: 0

No direct evidence hits for this query.

DFIR-Q-026 - credential reset evidence evidence owner review log ticket runbook timeline

tags: eradication, remediation, patching, hardening, incident_response, dfir, readiness, evidence, forensics | hits: 0

No direct evidence hits for this query.

DFIR-Q-027 - patch deployment logs evidence owner review log ticket runbook timeline

tags: eradication, remediation, patching, hardening, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-031 - root cause remediation tickets evidence owner review log ticket runbook timeline

tags: eradication, remediation, patching, hardening, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-032 - change management records evidence owner review log ticket runbook timeline

tags: eradication, remediation, patching, hardening, incident_response, dfir, readiness, change_management | hits: 0

No direct evidence hits for this query.

DFIR-048 - Eradication readiness control 06

gap | severity 1 | evidence_count 0

Ensure Eradication procedures are documented, exercised, and reproducible for incident response readiness.

Expected evidence: Policy/procedure artifact showing ownership and cadence for Eradication; Operational records (logs, tickets, reports, or runbooks) demonstrating Eradication execution; Review evidence with remediation tracking for Eradication exceptions.

DFIR-Q-021 - privileged account disablement evidence owner review log ticket runbook timeline

tags: containment, isolation, segmentation, response, incident_response, dfir, readiness, privileged_access | hits: 0

No direct evidence hits for this query.

DFIR-Q-022 - endpoint quarantine actions evidence owner review log ticket runbook timeline

tags: containment, isolation, segmentation, response, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-025 - malware removal evidence evidence owner review log ticket runbook timeline

tags: eradication, remediation, patching, hardening, incident_response, dfir, readiness, evidence, forensics | hits: 0

No direct evidence hits for this query.

DFIR-Q-026 - credential reset evidence evidence owner review log ticket runbook timeline

tags: eradication, remediation, patching, hardening, incident_response, dfir, readiness, evidence, forensics | hits: 0

No direct evidence hits for this query.

DFIR-Q-027 - patch deployment logs evidence owner review log ticket runbook timeline

tags: eradication, remediation, patching, hardening, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-032 - change management records evidence owner review log ticket runbook timeline

tags: eradication, remediation, patching, hardening, incident_response, dfir, readiness, change_management | hits: 0

No direct evidence hits for this query.

DFIR-049 - Eradication readiness control 07

gap | severity 2 | evidence_count 0

Ensure Eradication procedures are documented, exercised, and reproducible for incident response readiness.

Expected evidence: Policy/procedure artifact showing ownership and cadence for Eradication; Operational records (logs, tickets, reports, or runbooks) demonstrating Eradication execution; Review evidence with remediation tracking for Eradication exceptions.

DFIR-Q-022 - endpoint quarantine actions evidence owner review log ticket runbook timeline

tags: containment, isolation, segmentation, response, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-023 - containment approval trail evidence owner review log ticket runbook timeline

tags: containment, isolation, segmentation, response, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-025 - malware removal evidence evidence owner review log ticket runbook timeline

tags: eradication, remediation, patching, hardening, incident_response, dfir, readiness, evidence, forensics | hits: 0

No direct evidence hits for this query.

DFIR-Q-026 - credential reset evidence evidence owner review log ticket runbook timeline

tags: eradication, remediation, patching, hardening, incident_response, dfir, readiness, evidence, forensics | hits: 0

No direct evidence hits for this query.

DFIR-Q-027 - patch deployment logs evidence owner review log ticket runbook timeline

tags: eradication, remediation, patching, hardening, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-028 - hardening checklist outputs evidence owner review log ticket runbook timeline

tags: eradication, remediation, patching, hardening, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-032 - change management records evidence owner review log ticket runbook timeline

tags: eradication, remediation, patching, hardening, incident_response, dfir, readiness, change_management | hits: 0

No direct evidence hits for this query.

DFIR-050 - Eradication readiness control 08

gap | severity 3 | evidence_count 0

Ensure Eradication procedures are documented, exercised, and reproducible for incident response readiness.

Expected evidence: Policy/procedure artifact showing ownership and cadence for Eradication; Operational records (logs, tickets, reports, or runbooks) demonstrating Eradication execution; Review evidence with remediation tracking for Eradication exceptions.

DFIR-Q-023 - containment approval trail evidence owner review log ticket runbook timeline

tags: containment, isolation, segmentation, response, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-024 - containment verification checks evidence owner review log ticket runbook timeline

tags: containment, isolation, segmentation, response, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-026 - credential reset evidence evidence owner review log ticket runbook timeline

tags: eradication, remediation, patching, hardening, incident_response, dfir, readiness, evidence, forensics | hits: 0

No direct evidence hits for this query.

DFIR-Q-027 - patch deployment logs evidence owner review log ticket runbook timeline

tags: eradication, remediation, patching, hardening, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-028 - hardening checklist outputs evidence owner review log ticket runbook timeline

tags: eradication, remediation, patching, hardening, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-051 - Eradication readiness control 09

gap | severity 4 | evidence_count 0

Ensure Eradication procedures are documented, exercised, and reproducible for incident response readiness.

Expected evidence: Policy/procedure artifact showing ownership and cadence for Eradication; Operational records (logs, tickets, reports, or runbooks) demonstrating Eradication execution; Review evidence with remediation tracking for Eradication exceptions.

DFIR-Q-024 - containment verification checks evidence owner review log ticket runbook timeline

tags: containment, isolation, segmentation, response, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-026 - credential reset evidence evidence owner review log ticket runbook timeline

tags: eradication, remediation, patching, hardening, incident_response, dfir, readiness, evidence, forensics | hits: 0

No direct evidence hits for this query.

DFIR-Q-027 - patch deployment logs evidence owner review log ticket runbook timeline

tags: eradication, remediation, patching, hardening, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-028 - hardening checklist outputs evidence owner review log ticket runbook timeline

tags: eradication, remediation, patching, hardening, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-029 - vulnerability closure notes evidence owner review log ticket runbook timeline

tags: eradication, remediation, patching, hardening, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-052 - Eradication readiness control 10

gap | severity 5 | evidence_count 0

Ensure Eradication procedures are documented, exercised, and reproducible for incident response readiness.

Expected evidence: Policy/procedure artifact showing ownership and cadence for Eradication; Operational records (logs, tickets, reports, or runbooks) demonstrating Eradication execution; Review evidence with remediation tracking for Eradication exceptions.

DFIR-Q-027 - patch deployment logs evidence owner review log ticket runbook timeline

tags: eradication, remediation, patching, hardening, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-028 - hardening checklist outputs evidence owner review log ticket runbook timeline

tags: eradication, remediation, patching, hardening, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-029 - vulnerability closure notes evidence owner review log ticket runbook timeline

tags: eradication, remediation, patching, hardening, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-053 - Eradication readiness control 11

gap | severity 1 | evidence_count 0

Ensure Eradication procedures are documented, exercised, and reproducible for incident response readiness.

Expected evidence: Policy/procedure artifact showing ownership and cadence for Eradication; Operational records (logs, tickets, reports, or runbooks) demonstrating Eradication execution; Review evidence with remediation tracking for Eradication exceptions.

DFIR-Q-027 - patch deployment logs evidence owner review log ticket runbook timeline

tags: eradication, remediation, patching, hardening, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-028 - hardening checklist outputs evidence owner review log ticket runbook timeline

tags: eradication, remediation, patching, hardening, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-029 - vulnerability closure notes evidence owner review log ticket runbook timeline

tags: eradication, remediation, patching, hardening, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-030 - persistence hunting artifacts evidence owner review log ticket runbook timeline

tags: eradication, remediation, patching, hardening, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-054 - Eradication readiness control 12

gap | severity 2 | evidence_count 0

Ensure Eradication procedures are documented, exercised, and reproducible for incident response readiness.

Expected evidence: Policy/procedure artifact showing ownership and cadence for Eradication; Operational records (logs, tickets, reports, or runbooks) demonstrating Eradication execution; Review evidence with remediation tracking for Eradication exceptions.

DFIR-Q-028 - hardening checklist outputs evidence owner review log ticket runbook timeline

tags: eradication, remediation, patching, hardening, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-029 - vulnerability closure notes evidence owner review log ticket runbook timeline

tags: eradication, remediation, patching, hardening, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-030 - persistence hunting artifacts evidence owner review log ticket runbook timeline

tags: eradication, remediation, patching, hardening, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-055 - Eradication readiness control 13

gap | severity 3 | evidence_count 0

Ensure Eradication procedures are documented, exercised, and reproducible for incident response readiness.

Expected evidence: Policy/procedure artifact showing ownership and cadence for Eradication; Operational records (logs, tickets, reports, or runbooks) demonstrating Eradication execution; Review evidence with remediation tracking for Eradication exceptions.

DFIR-Q-028 - hardening checklist outputs evidence owner review log ticket runbook timeline

tags: eradication, remediation, patching, hardening, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-029 - vulnerability closure notes evidence owner review log ticket runbook timeline

tags: eradication, remediation, patching, hardening, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-030 - persistence hunting artifacts evidence owner review log ticket runbook timeline

tags: eradication, remediation, patching, hardening, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-031 - root cause remediation tickets evidence owner review log ticket runbook timeline

tags: eradication, remediation, patching, hardening, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-056 - Eradication readiness control 14

gap | severity 4 | evidence_count 0

Ensure Eradication procedures are documented, exercised, and reproducible for incident response readiness.

Expected evidence: Policy/procedure artifact showing ownership and cadence for Eradication; Operational records (logs, tickets, reports, or runbooks) demonstrating Eradication execution; Review evidence with remediation tracking for Eradication exceptions.

DFIR-Q-029 - vulnerability closure notes evidence owner review log ticket runbook timeline

tags: eradication, remediation, patching, hardening, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-030 - persistence hunting artifacts evidence owner review log ticket runbook timeline

tags: eradication, remediation, patching, hardening, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-031 - root cause remediation tickets evidence owner review log ticket runbook timeline

tags: eradication, remediation, patching, hardening, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-057 - Recovery readiness control 01

gap | severity 1 | evidence_count 0

Ensure Recovery procedures are documented, exercised, and reproducible for incident response readiness.

Expected evidence: Policy/procedure artifact showing ownership and cadence for Recovery; Operational records (logs, tickets, reports, or runbooks) demonstrating Recovery execution; Review evidence with remediation tracking for Recovery exceptions.

DFIR-Q-025 - malware removal evidence evidence owner review log ticket runbook timeline

tags: eradication, remediation, patching, hardening, incident_response, dfir, readiness, evidence, forensics | hits: 0

No direct evidence hits for this query.

DFIR-Q-033 - backup status evidence evidence owner review log ticket runbook timeline

tags: recovery, backup, restore, continuity, incident_response, dfir, readiness, evidence, forensics | hits: 0

No direct evidence hits for this query.

DFIR-Q-037 - recovery communications evidence owner review log ticket runbook timeline

tags: recovery, backup, restore, continuity, incident_response, dfir, readiness, communications | hits: 0

No direct evidence hits for this query.

DFIR-Q-038 - recovery validation metrics evidence owner review log ticket runbook timeline

tags: recovery, backup, restore, continuity, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-039 - post-recovery monitoring evidence owner review log ticket runbook timeline

tags: recovery, backup, restore, continuity, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-040 - customer impact closure notes evidence owner review log ticket runbook timeline

tags: recovery, backup, restore, continuity, incident_response, dfir, readiness, communications | hits: 0

No direct evidence hits for this query.

DFIR-058 - Recovery readiness control 02

gap | severity 2 | evidence_count 0

Ensure Recovery procedures are documented, exercised, and reproducible for incident response readiness.

Expected evidence: Policy/procedure artifact showing ownership and cadence for Recovery; Operational records (logs, tickets, reports, or runbooks) demonstrating Recovery execution; Review evidence with remediation tracking for Recovery exceptions.

DFIR-Q-025 - malware removal evidence evidence owner review log ticket runbook timeline

tags: eradication, remediation, patching, hardening, incident_response, dfir, readiness, evidence, forensics | hits: 0

No direct evidence hits for this query.

DFIR-Q-026 - credential reset evidence evidence owner review log ticket runbook timeline

tags: eradication, remediation, patching, hardening, incident_response, dfir, readiness, evidence, forensics | hits: 0

No direct evidence hits for this query.

DFIR-Q-033 - backup status evidence evidence owner review log ticket runbook timeline

tags: recovery, backup, restore, continuity, incident_response, dfir, readiness, evidence, forensics | hits: 0

No direct evidence hits for this query.

DFIR-Q-038 - recovery validation metrics evidence owner review log ticket runbook timeline

tags: recovery, backup, restore, continuity, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-039 - post-recovery monitoring evidence owner review log ticket runbook timeline

tags: recovery, backup, restore, continuity, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-040 - customer impact closure notes evidence owner review log ticket runbook timeline

tags: recovery, backup, restore, continuity, incident_response, dfir, readiness, communications | hits: 0

No direct evidence hits for this query.

DFIR-059 - Recovery readiness control 03

gap | severity 3 | evidence_count 0

Ensure Recovery procedures are documented, exercised, and reproducible for incident response readiness.

Expected evidence: Policy/procedure artifact showing ownership and cadence for Recovery; Operational records (logs, tickets, reports, or runbooks) demonstrating Recovery execution; Review evidence with remediation tracking for Recovery exceptions.

DFIR-Q-026 - credential reset evidence evidence owner review log ticket runbook timeline

tags: eradication, remediation, patching, hardening, incident_response, dfir, readiness, evidence, forensics | hits: 0

No direct evidence hits for this query.

DFIR-Q-027 - patch deployment logs evidence owner review log ticket runbook timeline

tags: eradication, remediation, patching, hardening, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-033 - backup status evidence evidence owner review log ticket runbook timeline

tags: recovery, backup, restore, continuity, incident_response, dfir, readiness, evidence, forensics | hits: 0

No direct evidence hits for this query.

DFIR-Q-034 - restore test reports evidence owner review log ticket runbook timeline

tags: recovery, backup, restore, continuity, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-038 - recovery validation metrics evidence owner review log ticket runbook timeline

tags: recovery, backup, restore, continuity, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-039 - post-recovery monitoring evidence owner review log ticket runbook timeline

tags: recovery, backup, restore, continuity, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-040 - customer impact closure notes evidence owner review log ticket runbook timeline

tags: recovery, backup, restore, continuity, incident_response, dfir, readiness, communications | hits: 0

No direct evidence hits for this query.

DFIR-060 - Recovery readiness control 04

gap | severity 4 | evidence_count 0

Ensure Recovery procedures are documented, exercised, and reproducible for incident response readiness.

Expected evidence: Policy/procedure artifact showing ownership and cadence for Recovery; Operational records (logs, tickets, reports, or runbooks) demonstrating Recovery execution; Review evidence with remediation tracking for Recovery exceptions.

DFIR-Q-027 - patch deployment logs evidence owner review log ticket runbook timeline

tags: eradication, remediation, patching, hardening, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-028 - hardening checklist outputs evidence owner review log ticket runbook timeline

tags: eradication, remediation, patching, hardening, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-033 - backup status evidence evidence owner review log ticket runbook timeline

tags: recovery, backup, restore, continuity, incident_response, dfir, readiness, evidence, forensics | hits: 0

No direct evidence hits for this query.

DFIR-Q-034 - restore test reports evidence owner review log ticket runbook timeline

tags: recovery, backup, restore, continuity, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-039 - post-recovery monitoring evidence owner review log ticket runbook timeline

tags: recovery, backup, restore, continuity, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-040 - customer impact closure notes evidence owner review log ticket runbook timeline

tags: recovery, backup, restore, continuity, incident_response, dfir, readiness, communications | hits: 0

No direct evidence hits for this query.

DFIR-061 - Recovery readiness control 05

gap | severity 5 | evidence_count 0

Ensure Recovery procedures are documented, exercised, and reproducible for incident response readiness.

Expected evidence: Policy/procedure artifact showing ownership and cadence for Recovery; Operational records (logs, tickets, reports, or runbooks) demonstrating Recovery execution; Review evidence with remediation tracking for Recovery exceptions.

DFIR-Q-028 - hardening checklist outputs evidence owner review log ticket runbook timeline

tags: eradication, remediation, patching, hardening, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-029 - vulnerability closure notes evidence owner review log ticket runbook timeline

tags: eradication, remediation, patching, hardening, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-033 - backup status evidence evidence owner review log ticket runbook timeline

tags: recovery, backup, restore, continuity, incident_response, dfir, readiness, evidence, forensics | hits: 0

No direct evidence hits for this query.

DFIR-Q-034 - restore test reports evidence owner review log ticket runbook timeline

tags: recovery, backup, restore, continuity, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-035 - service restoration runbooks evidence owner review log ticket runbook timeline

tags: recovery, backup, restore, continuity, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-039 - post-recovery monitoring evidence owner review log ticket runbook timeline

tags: recovery, backup, restore, continuity, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-040 - customer impact closure notes evidence owner review log ticket runbook timeline

tags: recovery, backup, restore, continuity, incident_response, dfir, readiness, communications | hits: 0

No direct evidence hits for this query.

DFIR-062 - Recovery readiness control 06

gap | severity 1 | evidence_count 0

Ensure Recovery procedures are documented, exercised, and reproducible for incident response readiness.

Expected evidence: Policy/procedure artifact showing ownership and cadence for Recovery; Operational records (logs, tickets, reports, or runbooks) demonstrating Recovery execution; Review evidence with remediation tracking for Recovery exceptions.

DFIR-Q-029 - vulnerability closure notes evidence owner review log ticket runbook timeline

tags: eradication, remediation, patching, hardening, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-030 - persistence hunting artifacts evidence owner review log ticket runbook timeline

tags: eradication, remediation, patching, hardening, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-033 - backup status evidence evidence owner review log ticket runbook timeline

tags: recovery, backup, restore, continuity, incident_response, dfir, readiness, evidence, forensics | hits: 0

No direct evidence hits for this query.

DFIR-Q-034 - restore test reports evidence owner review log ticket runbook timeline

tags: recovery, backup, restore, continuity, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-035 - service restoration runbooks evidence owner review log ticket runbook timeline

tags: recovery, backup, restore, continuity, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-040 - customer impact closure notes evidence owner review log ticket runbook timeline

tags: recovery, backup, restore, continuity, incident_response, dfir, readiness, communications | hits: 0

No direct evidence hits for this query.

DFIR-063 - Recovery readiness control 07

gap | severity 2 | evidence_count 0

Ensure Recovery procedures are documented, exercised, and reproducible for incident response readiness.

Expected evidence: Policy/procedure artifact showing ownership and cadence for Recovery; Operational records (logs, tickets, reports, or runbooks) demonstrating Recovery execution; Review evidence with remediation tracking for Recovery exceptions.

DFIR-Q-030 - persistence hunting artifacts evidence owner review log ticket runbook timeline

tags: eradication, remediation, patching, hardening, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-031 - root cause remediation tickets evidence owner review log ticket runbook timeline

tags: eradication, remediation, patching, hardening, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-033 - backup status evidence evidence owner review log ticket runbook timeline

tags: recovery, backup, restore, continuity, incident_response, dfir, readiness, evidence, forensics | hits: 0

No direct evidence hits for this query.

DFIR-Q-034 - restore test reports evidence owner review log ticket runbook timeline

tags: recovery, backup, restore, continuity, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-035 - service restoration runbooks evidence owner review log ticket runbook timeline

tags: recovery, backup, restore, continuity, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-036 - business continuity checkpoints evidence owner review log ticket runbook timeline

tags: recovery, backup, restore, continuity, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-040 - customer impact closure notes evidence owner review log ticket runbook timeline

tags: recovery, backup, restore, continuity, incident_response, dfir, readiness, communications | hits: 0

No direct evidence hits for this query.

DFIR-064 - Recovery readiness control 08

gap | severity 3 | evidence_count 0

Ensure Recovery procedures are documented, exercised, and reproducible for incident response readiness.

Expected evidence: Policy/procedure artifact showing ownership and cadence for Recovery; Operational records (logs, tickets, reports, or runbooks) demonstrating Recovery execution; Review evidence with remediation tracking for Recovery exceptions.

DFIR-Q-031 - root cause remediation tickets evidence owner review log ticket runbook timeline

tags: eradication, remediation, patching, hardening, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-032 - change management records evidence owner review log ticket runbook timeline

tags: eradication, remediation, patching, hardening, incident_response, dfir, readiness, change_management | hits: 0

No direct evidence hits for this query.

DFIR-Q-034 - restore test reports evidence owner review log ticket runbook timeline

tags: recovery, backup, restore, continuity, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-035 - service restoration runbooks evidence owner review log ticket runbook timeline

tags: recovery, backup, restore, continuity, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-036 - business continuity checkpoints evidence owner review log ticket runbook timeline

tags: recovery, backup, restore, continuity, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-065 - Recovery readiness control 09

gap | severity 4 | evidence_count 0

Ensure Recovery procedures are documented, exercised, and reproducible for incident response readiness.

Expected evidence: Policy/procedure artifact showing ownership and cadence for Recovery; Operational records (logs, tickets, reports, or runbooks) demonstrating Recovery execution; Review evidence with remediation tracking for Recovery exceptions.

DFIR-Q-032 - change management records evidence owner review log ticket runbook timeline

tags: eradication, remediation, patching, hardening, incident_response, dfir, readiness, change_management | hits: 0

No direct evidence hits for this query.

DFIR-Q-034 - restore test reports evidence owner review log ticket runbook timeline

tags: recovery, backup, restore, continuity, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-035 - service restoration runbooks evidence owner review log ticket runbook timeline

tags: recovery, backup, restore, continuity, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-036 - business continuity checkpoints evidence owner review log ticket runbook timeline

tags: recovery, backup, restore, continuity, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-037 - recovery communications evidence owner review log ticket runbook timeline

tags: recovery, backup, restore, continuity, incident_response, dfir, readiness, communications | hits: 0

No direct evidence hits for this query.

DFIR-066 - Recovery readiness control 10

gap | severity 5 | evidence_count 0

Ensure Recovery procedures are documented, exercised, and reproducible for incident response readiness.

Expected evidence: Policy/procedure artifact showing ownership and cadence for Recovery; Operational records (logs, tickets, reports, or runbooks) demonstrating Recovery execution; Review evidence with remediation tracking for Recovery exceptions.

DFIR-Q-035 - service restoration runbooks evidence owner review log ticket runbook timeline

tags: recovery, backup, restore, continuity, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-036 - business continuity checkpoints evidence owner review log ticket runbook timeline

tags: recovery, backup, restore, continuity, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-037 - recovery communications evidence owner review log ticket runbook timeline

tags: recovery, backup, restore, continuity, incident_response, dfir, readiness, communications | hits: 0

No direct evidence hits for this query.

DFIR-067 - Recovery readiness control 11

gap | severity 1 | evidence_count 0

Ensure Recovery procedures are documented, exercised, and reproducible for incident response readiness.

Expected evidence: Policy/procedure artifact showing ownership and cadence for Recovery; Operational records (logs, tickets, reports, or runbooks) demonstrating Recovery execution; Review evidence with remediation tracking for Recovery exceptions.

DFIR-Q-035 - service restoration runbooks evidence owner review log ticket runbook timeline

tags: recovery, backup, restore, continuity, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-036 - business continuity checkpoints evidence owner review log ticket runbook timeline

tags: recovery, backup, restore, continuity, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-037 - recovery communications evidence owner review log ticket runbook timeline

tags: recovery, backup, restore, continuity, incident_response, dfir, readiness, communications | hits: 0

No direct evidence hits for this query.

DFIR-Q-038 - recovery validation metrics evidence owner review log ticket runbook timeline

tags: recovery, backup, restore, continuity, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-068 - Recovery readiness control 12

gap | severity 2 | evidence_count 0

Ensure Recovery procedures are documented, exercised, and reproducible for incident response readiness.

Expected evidence: Policy/procedure artifact showing ownership and cadence for Recovery; Operational records (logs, tickets, reports, or runbooks) demonstrating Recovery execution; Review evidence with remediation tracking for Recovery exceptions.

DFIR-Q-036 - business continuity checkpoints evidence owner review log ticket runbook timeline

tags: recovery, backup, restore, continuity, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-037 - recovery communications evidence owner review log ticket runbook timeline

tags: recovery, backup, restore, continuity, incident_response, dfir, readiness, communications | hits: 0

No direct evidence hits for this query.

DFIR-Q-038 - recovery validation metrics evidence owner review log ticket runbook timeline

tags: recovery, backup, restore, continuity, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-069 - Recovery readiness control 13

gap | severity 3 | evidence_count 0

Ensure Recovery procedures are documented, exercised, and reproducible for incident response readiness.

Expected evidence: Policy/procedure artifact showing ownership and cadence for Recovery; Operational records (logs, tickets, reports, or runbooks) demonstrating Recovery execution; Review evidence with remediation tracking for Recovery exceptions.

DFIR-Q-036 - business continuity checkpoints evidence owner review log ticket runbook timeline

tags: recovery, backup, restore, continuity, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-037 - recovery communications evidence owner review log ticket runbook timeline

tags: recovery, backup, restore, continuity, incident_response, dfir, readiness, communications | hits: 0

No direct evidence hits for this query.

DFIR-Q-038 - recovery validation metrics evidence owner review log ticket runbook timeline

tags: recovery, backup, restore, continuity, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-039 - post-recovery monitoring evidence owner review log ticket runbook timeline

tags: recovery, backup, restore, continuity, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-070 - Recovery readiness control 14

gap | severity 4 | evidence_count 0

Ensure Recovery procedures are documented, exercised, and reproducible for incident response readiness.

Expected evidence: Policy/procedure artifact showing ownership and cadence for Recovery; Operational records (logs, tickets, reports, or runbooks) demonstrating Recovery execution; Review evidence with remediation tracking for Recovery exceptions.

DFIR-Q-037 - recovery communications evidence owner review log ticket runbook timeline

tags: recovery, backup, restore, continuity, incident_response, dfir, readiness, communications | hits: 0

No direct evidence hits for this query.

DFIR-Q-038 - recovery validation metrics evidence owner review log ticket runbook timeline

tags: recovery, backup, restore, continuity, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-039 - post-recovery monitoring evidence owner review log ticket runbook timeline

tags: recovery, backup, restore, continuity, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-071 - PostIncident readiness control 01

gap | severity 1 | evidence_count 0

Ensure PostIncident procedures are documented, exercised, and reproducible for incident response readiness.

Expected evidence: Policy/procedure artifact showing ownership and cadence for PostIncident; Operational records (logs, tickets, reports, or runbooks) demonstrating PostIncident execution; Review evidence with remediation tracking for PostIncident exceptions.

DFIR-Q-033 - backup status evidence evidence owner review log ticket runbook timeline

tags: recovery, backup, restore, continuity, incident_response, dfir, readiness, evidence, forensics | hits: 0

No direct evidence hits for this query.

DFIR-Q-041 - post-incident review minutes evidence owner review log ticket runbook timeline

tags: postincident, lessons_learned, improvement, governance, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-045 - control improvement backlog evidence owner review log ticket runbook timeline

tags: postincident, lessons_learned, improvement, governance, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-046 - executive briefing records evidence owner review log ticket runbook timeline

tags: postincident, lessons_learned, improvement, governance, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-047 - regulator/customer comms log evidence owner review log ticket runbook timeline

tags: postincident, lessons_learned, improvement, governance, incident_response, dfir, readiness, communications | hits: 0

No direct evidence hits for this query.

DFIR-Q-048 - evidence retention decisions evidence owner review log ticket runbook timeline

tags: postincident, lessons_learned, improvement, governance, incident_response, dfir, readiness, evidence, forensics | hits: 0

No direct evidence hits for this query.

DFIR-072 - PostIncident readiness control 02

gap | severity 2 | evidence_count 0

Ensure PostIncident procedures are documented, exercised, and reproducible for incident response readiness.

Expected evidence: Policy/procedure artifact showing ownership and cadence for PostIncident; Operational records (logs, tickets, reports, or runbooks) demonstrating PostIncident execution; Review evidence with remediation tracking for PostIncident exceptions.

DFIR-Q-033 - backup status evidence evidence owner review log ticket runbook timeline

tags: recovery, backup, restore, continuity, incident_response, dfir, readiness, evidence, forensics | hits: 0

No direct evidence hits for this query.

DFIR-Q-034 - restore test reports evidence owner review log ticket runbook timeline

tags: recovery, backup, restore, continuity, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-041 - post-incident review minutes evidence owner review log ticket runbook timeline

tags: postincident, lessons_learned, improvement, governance, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-046 - executive briefing records evidence owner review log ticket runbook timeline

tags: postincident, lessons_learned, improvement, governance, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-047 - regulator/customer comms log evidence owner review log ticket runbook timeline

tags: postincident, lessons_learned, improvement, governance, incident_response, dfir, readiness, communications | hits: 0

No direct evidence hits for this query.

DFIR-Q-048 - evidence retention decisions evidence owner review log ticket runbook timeline

tags: postincident, lessons_learned, improvement, governance, incident_response, dfir, readiness, evidence, forensics | hits: 0

No direct evidence hits for this query.

DFIR-073 - PostIncident readiness control 03

gap | severity 3 | evidence_count 0

Ensure PostIncident procedures are documented, exercised, and reproducible for incident response readiness.

Expected evidence: Policy/procedure artifact showing ownership and cadence for PostIncident; Operational records (logs, tickets, reports, or runbooks) demonstrating PostIncident execution; Review evidence with remediation tracking for PostIncident exceptions.

DFIR-Q-034 - restore test reports evidence owner review log ticket runbook timeline

tags: recovery, backup, restore, continuity, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-035 - service restoration runbooks evidence owner review log ticket runbook timeline

tags: recovery, backup, restore, continuity, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-041 - post-incident review minutes evidence owner review log ticket runbook timeline

tags: postincident, lessons_learned, improvement, governance, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-042 - lessons learned register evidence owner review log ticket runbook timeline

tags: postincident, lessons_learned, improvement, governance, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-046 - executive briefing records evidence owner review log ticket runbook timeline

tags: postincident, lessons_learned, improvement, governance, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-047 - regulator/customer comms log evidence owner review log ticket runbook timeline

tags: postincident, lessons_learned, improvement, governance, incident_response, dfir, readiness, communications | hits: 0

No direct evidence hits for this query.

DFIR-Q-048 - evidence retention decisions evidence owner review log ticket runbook timeline

tags: postincident, lessons_learned, improvement, governance, incident_response, dfir, readiness, evidence, forensics | hits: 0

No direct evidence hits for this query.

DFIR-074 - PostIncident readiness control 04

gap | severity 4 | evidence_count 0

Ensure PostIncident procedures are documented, exercised, and reproducible for incident response readiness.

Expected evidence: Policy/procedure artifact showing ownership and cadence for PostIncident; Operational records (logs, tickets, reports, or runbooks) demonstrating PostIncident execution; Review evidence with remediation tracking for PostIncident exceptions.

DFIR-Q-035 - service restoration runbooks evidence owner review log ticket runbook timeline

tags: recovery, backup, restore, continuity, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-036 - business continuity checkpoints evidence owner review log ticket runbook timeline

tags: recovery, backup, restore, continuity, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-041 - post-incident review minutes evidence owner review log ticket runbook timeline

tags: postincident, lessons_learned, improvement, governance, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-042 - lessons learned register evidence owner review log ticket runbook timeline

tags: postincident, lessons_learned, improvement, governance, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-047 - regulator/customer comms log evidence owner review log ticket runbook timeline

tags: postincident, lessons_learned, improvement, governance, incident_response, dfir, readiness, communications | hits: 0

No direct evidence hits for this query.

DFIR-Q-048 - evidence retention decisions evidence owner review log ticket runbook timeline

tags: postincident, lessons_learned, improvement, governance, incident_response, dfir, readiness, evidence, forensics | hits: 0

No direct evidence hits for this query.

DFIR-075 - PostIncident readiness control 05

gap | severity 5 | evidence_count 0

Ensure PostIncident procedures are documented, exercised, and reproducible for incident response readiness.

Expected evidence: Policy/procedure artifact showing ownership and cadence for PostIncident; Operational records (logs, tickets, reports, or runbooks) demonstrating PostIncident execution; Review evidence with remediation tracking for PostIncident exceptions.

DFIR-Q-036 - business continuity checkpoints evidence owner review log ticket runbook timeline

tags: recovery, backup, restore, continuity, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-037 - recovery communications evidence owner review log ticket runbook timeline

tags: recovery, backup, restore, continuity, incident_response, dfir, readiness, communications | hits: 0

No direct evidence hits for this query.

DFIR-Q-041 - post-incident review minutes evidence owner review log ticket runbook timeline

tags: postincident, lessons_learned, improvement, governance, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-042 - lessons learned register evidence owner review log ticket runbook timeline

tags: postincident, lessons_learned, improvement, governance, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-043 - corrective action tracker evidence owner review log ticket runbook timeline

tags: postincident, lessons_learned, improvement, governance, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-047 - regulator/customer comms log evidence owner review log ticket runbook timeline

tags: postincident, lessons_learned, improvement, governance, incident_response, dfir, readiness, communications | hits: 0

No direct evidence hits for this query.

DFIR-Q-048 - evidence retention decisions evidence owner review log ticket runbook timeline

tags: postincident, lessons_learned, improvement, governance, incident_response, dfir, readiness, evidence, forensics | hits: 0

No direct evidence hits for this query.

DFIR-076 - PostIncident readiness control 06

gap | severity 1 | evidence_count 0

Ensure PostIncident procedures are documented, exercised, and reproducible for incident response readiness.

Expected evidence: Policy/procedure artifact showing ownership and cadence for PostIncident; Operational records (logs, tickets, reports, or runbooks) demonstrating PostIncident execution; Review evidence with remediation tracking for PostIncident exceptions.

DFIR-Q-037 - recovery communications evidence owner review log ticket runbook timeline

tags: recovery, backup, restore, continuity, incident_response, dfir, readiness, communications | hits: 0

No direct evidence hits for this query.

DFIR-Q-038 - recovery validation metrics evidence owner review log ticket runbook timeline

tags: recovery, backup, restore, continuity, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-041 - post-incident review minutes evidence owner review log ticket runbook timeline

tags: postincident, lessons_learned, improvement, governance, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-042 - lessons learned register evidence owner review log ticket runbook timeline

tags: postincident, lessons_learned, improvement, governance, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-043 - corrective action tracker evidence owner review log ticket runbook timeline

tags: postincident, lessons_learned, improvement, governance, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-048 - evidence retention decisions evidence owner review log ticket runbook timeline

tags: postincident, lessons_learned, improvement, governance, incident_response, dfir, readiness, evidence, forensics | hits: 0

No direct evidence hits for this query.

DFIR-077 - PostIncident readiness control 07

gap | severity 2 | evidence_count 0

Ensure PostIncident procedures are documented, exercised, and reproducible for incident response readiness.

Expected evidence: Policy/procedure artifact showing ownership and cadence for PostIncident; Operational records (logs, tickets, reports, or runbooks) demonstrating PostIncident execution; Review evidence with remediation tracking for PostIncident exceptions.

DFIR-Q-038 - recovery validation metrics evidence owner review log ticket runbook timeline

tags: recovery, backup, restore, continuity, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-039 - post-recovery monitoring evidence owner review log ticket runbook timeline

tags: recovery, backup, restore, continuity, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-041 - post-incident review minutes evidence owner review log ticket runbook timeline

tags: postincident, lessons_learned, improvement, governance, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-042 - lessons learned register evidence owner review log ticket runbook timeline

tags: postincident, lessons_learned, improvement, governance, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-043 - corrective action tracker evidence owner review log ticket runbook timeline

tags: postincident, lessons_learned, improvement, governance, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-044 - policy update changelog evidence owner review log ticket runbook timeline

tags: postincident, lessons_learned, improvement, governance, incident_response, dfir, readiness, change_management | hits: 0

No direct evidence hits for this query.

DFIR-Q-048 - evidence retention decisions evidence owner review log ticket runbook timeline

tags: postincident, lessons_learned, improvement, governance, incident_response, dfir, readiness, evidence, forensics | hits: 0

No direct evidence hits for this query.

DFIR-078 - PostIncident readiness control 08

gap | severity 3 | evidence_count 0

Ensure PostIncident procedures are documented, exercised, and reproducible for incident response readiness.

Expected evidence: Policy/procedure artifact showing ownership and cadence for PostIncident; Operational records (logs, tickets, reports, or runbooks) demonstrating PostIncident execution; Review evidence with remediation tracking for PostIncident exceptions.

DFIR-Q-039 - post-recovery monitoring evidence owner review log ticket runbook timeline

tags: recovery, backup, restore, continuity, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-040 - customer impact closure notes evidence owner review log ticket runbook timeline

tags: recovery, backup, restore, continuity, incident_response, dfir, readiness, communications | hits: 0

No direct evidence hits for this query.

DFIR-Q-042 - lessons learned register evidence owner review log ticket runbook timeline

tags: postincident, lessons_learned, improvement, governance, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-043 - corrective action tracker evidence owner review log ticket runbook timeline

tags: postincident, lessons_learned, improvement, governance, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-044 - policy update changelog evidence owner review log ticket runbook timeline

tags: postincident, lessons_learned, improvement, governance, incident_response, dfir, readiness, change_management | hits: 0

No direct evidence hits for this query.

DFIR-079 - PostIncident readiness control 09

gap | severity 4 | evidence_count 0

Ensure PostIncident procedures are documented, exercised, and reproducible for incident response readiness.

Expected evidence: Policy/procedure artifact showing ownership and cadence for PostIncident; Operational records (logs, tickets, reports, or runbooks) demonstrating PostIncident execution; Review evidence with remediation tracking for PostIncident exceptions.

DFIR-Q-040 - customer impact closure notes evidence owner review log ticket runbook timeline

tags: recovery, backup, restore, continuity, incident_response, dfir, readiness, communications | hits: 0

No direct evidence hits for this query.

DFIR-Q-042 - lessons learned register evidence owner review log ticket runbook timeline

tags: postincident, lessons_learned, improvement, governance, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-043 - corrective action tracker evidence owner review log ticket runbook timeline

tags: postincident, lessons_learned, improvement, governance, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-044 - policy update changelog evidence owner review log ticket runbook timeline

tags: postincident, lessons_learned, improvement, governance, incident_response, dfir, readiness, change_management | hits: 0

No direct evidence hits for this query.

DFIR-Q-045 - control improvement backlog evidence owner review log ticket runbook timeline

tags: postincident, lessons_learned, improvement, governance, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-080 - PostIncident readiness control 10

gap | severity 5 | evidence_count 0

Ensure PostIncident procedures are documented, exercised, and reproducible for incident response readiness.

Expected evidence: Policy/procedure artifact showing ownership and cadence for PostIncident; Operational records (logs, tickets, reports, or runbooks) demonstrating PostIncident execution; Review evidence with remediation tracking for PostIncident exceptions.

DFIR-Q-043 - corrective action tracker evidence owner review log ticket runbook timeline

tags: postincident, lessons_learned, improvement, governance, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-044 - policy update changelog evidence owner review log ticket runbook timeline

tags: postincident, lessons_learned, improvement, governance, incident_response, dfir, readiness, change_management | hits: 0

No direct evidence hits for this query.

DFIR-Q-045 - control improvement backlog evidence owner review log ticket runbook timeline

tags: postincident, lessons_learned, improvement, governance, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-081 - PostIncident readiness control 11

gap | severity 1 | evidence_count 0

Ensure PostIncident procedures are documented, exercised, and reproducible for incident response readiness.

Expected evidence: Policy/procedure artifact showing ownership and cadence for PostIncident.; Operational records (logs, tickets, reports, or runbooks) demonstrating PostIncident execution.; Review evidence with remediation tracking for PostIncident exceptions.

DFIR-Q-043 - corrective action tracker evidence owner review log ticket runbook timeline

tags: postincident, lessons_learned, improvement, governance, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-044 - policy update changelog evidence owner review log ticket runbook timeline

tags: postincident, lessons_learned, improvement, governance, incident_response, dfir, readiness, change_management | hits: 0

No direct evidence hits for this query.

DFIR-Q-045 - control improvement backlog evidence owner review log ticket runbook timeline

tags: postincident, lessons_learned, improvement, governance, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-046 - executive briefing records evidence owner review log ticket runbook timeline

tags: postincident, lessons_learned, improvement, governance, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-082 - PostIncident readiness control 12

gap | severity 2 | evidence_count 0

Ensure PostIncident procedures are documented, exercised, and reproducible for incident response readiness.

Expected evidence: Policy/procedure artifact showing ownership and cadence for PostIncident.; Operational records (logs, tickets, reports, or runbooks) demonstrating PostIncident execution.; Review evidence with remediation tracking for PostIncident exceptions.

DFIR-Q-044 - policy update changelog evidence owner review log ticket runbook timeline

tags: postincident, lessons_learned, improvement, governance, incident_response, dfir, readiness, change_management | hits: 0

No direct evidence hits for this query.

DFIR-Q-045 - control improvement backlog evidence owner review log ticket runbook timeline

tags: postincident, lessons_learned, improvement, governance, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-046 - executive briefing records evidence owner review log ticket runbook timeline

tags: postincident, lessons_learned, improvement, governance, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-083 - PostIncident readiness control 13

gap | severity 3 | evidence_count 0

Ensure PostIncident procedures are documented, exercised, and reproducible for incident response readiness.

Expected evidence: Policy/procedure artifact showing ownership and cadence for PostIncident.; Operational records (logs, tickets, reports, or runbooks) demonstrating PostIncident execution.; Review evidence with remediation tracking for PostIncident exceptions.

DFIR-Q-044 - policy update changelog evidence owner review log ticket runbook timeline

tags: postincident, lessons_learned, improvement, governance, incident_response, dfir, readiness, change_management | hits: 0

No direct evidence hits for this query.

DFIR-Q-045 - control improvement backlog evidence owner review log ticket runbook timeline

tags: postincident, lessons_learned, improvement, governance, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-046 - executive briefing records evidence owner review log ticket runbook timeline

tags: postincident, lessons_learned, improvement, governance, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-047 - regulator/customer comms log evidence owner review log ticket runbook timeline

tags: postincident, lessons_learned, improvement, governance, incident_response, dfir, readiness, communications | hits: 0

No direct evidence hits for this query.

DFIR-084 - PostIncident readiness control 14

gap | severity 4 | evidence_count 0

Ensure PostIncident procedures are documented, exercised, and reproducible for incident response readiness.

Expected evidence: Policy/procedure artifact showing ownership and cadence for PostIncident.; Operational records (logs, tickets, reports, or runbooks) demonstrating PostIncident execution.; Review evidence with remediation tracking for PostIncident exceptions.

DFIR-Q-045 - control improvement backlog evidence owner review log ticket runbook timeline

tags: postincident, lessons_learned, improvement, governance, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-046 - executive briefing records evidence owner review log ticket runbook timeline

tags: postincident, lessons_learned, improvement, governance, incident_response, dfir, readiness | hits: 0

No direct evidence hits for this query.

DFIR-Q-047 - regulator/customer comms log evidence owner review log ticket runbook timeline

tags: postincident, lessons_learned, improvement, governance, incident_response, dfir, readiness, communications | hits: 0

No direct evidence hits for this query.

Query Log

query_id | query_text | tags | hits
DFIR-Q-001 | incident response plan evidence owner review log ticket runbook timeline | preparation, planning, governance, readiness, incident_response, dfir | 0
DFIR-Q-002 | communications playbook evidence owner review log ticket runbook timeline | preparation, planning, governance, readiness, incident_response, dfir, communications | 0
DFIR-Q-003 | stakeholder contact list evidence owner review log ticket runbook timeline | preparation, planning, governance, readiness, incident_response, dfir | 0
DFIR-Q-004 | evidence handling standards evidence owner review log ticket runbook timeline | preparation, planning, governance, readiness, incident_response, dfir, evidence, forensics | 0
DFIR-Q-005 | chain-of-custody template evidence owner review log ticket runbook timeline | preparation, planning, governance, readiness, incident_response, dfir, evidence, forensics | 0
DFIR-Q-006 | escalation matrix evidence owner review log ticket runbook timeline | preparation, planning, governance, readiness, incident_response, dfir | 0
DFIR-Q-007 | training exercise records evidence owner review log ticket runbook timeline | preparation, planning, governance, readiness, incident_response, dfir | 0
DFIR-Q-008 | tabletop outcomes evidence owner review log ticket runbook timeline | preparation, planning, governance, readiness, incident_response, dfir | 0
DFIR-Q-009 | edr telemetry evidence evidence owner review log ticket runbook timeline | detection, analysis, triage, telemetry, incident_response, dfir, readiness, logging, monitoring, evidence, forensics | 0
DFIR-Q-010 | siem alert triage logs evidence owner review log ticket runbook timeline | detection, analysis, triage, telemetry, incident_response, dfir, readiness, logging, monitoring | 0
DFIR-Q-011 | incident classification records evidence owner review log ticket runbook timeline | detection, analysis, triage, telemetry, incident_response, dfir, readiness | 0
DFIR-Q-012 | forensic timeline notes evidence owner review log ticket runbook timeline | detection, analysis, triage, telemetry, incident_response, dfir, readiness | 0
DFIR-Q-013 | ioc tracking artifacts evidence owner review log ticket runbook timeline | detection, analysis, triage, telemetry, incident_response, dfir, readiness | 0
DFIR-Q-014 | time sync ntp evidence evidence owner review log ticket runbook timeline | detection, analysis, triage, telemetry, incident_response, dfir, readiness, evidence, forensics, time_sync | 0
DFIR-Q-015 | logging retention policy evidence owner review log ticket runbook timeline | detection, analysis, triage, telemetry, incident_response, dfir, readiness, logging, monitoring | 0
DFIR-Q-016 | admin account monitoring records evidence owner review log ticket runbook timeline | detection, analysis, triage, telemetry, incident_response, dfir, readiness, privileged_access | 0
DFIR-Q-017 | host isolation records evidence owner review log ticket runbook timeline | containment, isolation, segmentation, response, incident_response, dfir, readiness | 0
DFIR-Q-018 | network segmentation indicators evidence owner review log ticket runbook timeline | containment, isolation, segmentation, response, incident_response, dfir, readiness | 0
DFIR-Q-019 | access revocation logs evidence owner review log ticket runbook timeline | containment, isolation, segmentation, response, incident_response, dfir, readiness | 0
DFIR-Q-020 | temporary firewall changes evidence owner review log ticket runbook timeline | containment, isolation, segmentation, response, incident_response, dfir, readiness, change_management | 0
DFIR-Q-021 | privileged account disablement evidence owner review log ticket runbook timeline | containment, isolation, segmentation, response, incident_response, dfir, readiness, privileged_access | 0
DFIR-Q-022 | endpoint quarantine actions evidence owner review log ticket runbook timeline | containment, isolation, segmentation, response, incident_response, dfir, readiness | 0
DFIR-Q-023 | containment approval trail evidence owner review log ticket runbook timeline | containment, isolation, segmentation, response, incident_response, dfir, readiness | 0
DFIR-Q-024 | containment verification checks evidence owner review log ticket runbook timeline | containment, isolation, segmentation, response, incident_response, dfir, readiness | 0
DFIR-Q-025 | malware removal evidence evidence owner review log ticket runbook timeline | eradication, remediation, patching, hardening, incident_response, dfir, readiness, evidence, forensics | 0
DFIR-Q-026 | credential reset evidence evidence owner review log ticket runbook timeline | eradication, remediation, patching, hardening, incident_response, dfir, readiness, evidence, forensics | 0
DFIR-Q-027 | patch deployment logs evidence owner review log ticket runbook timeline | eradication, remediation, patching, hardening, incident_response, dfir, readiness | 0
DFIR-Q-028 | hardening checklist outputs evidence owner review log ticket runbook timeline | eradication, remediation, patching, hardening, incident_response, dfir, readiness | 0
DFIR-Q-029 | vulnerability closure notes evidence owner review log ticket runbook timeline | eradication, remediation, patching, hardening, incident_response, dfir, readiness | 0
DFIR-Q-030 | persistence hunting artifacts evidence owner review log ticket runbook timeline | eradication, remediation, patching, hardening, incident_response, dfir, readiness | 0
DFIR-Q-031 | root cause remediation tickets evidence owner review log ticket runbook timeline | eradication, remediation, patching, hardening, incident_response, dfir, readiness | 0
DFIR-Q-032 | change management records evidence owner review log ticket runbook timeline | eradication, remediation, patching, hardening, incident_response, dfir, readiness, change_management | 0
DFIR-Q-033 | backup status evidence evidence owner review log ticket runbook timeline | recovery, backup, restore, continuity, incident_response, dfir, readiness, evidence, forensics | 0
DFIR-Q-034 | restore test reports evidence owner review log ticket runbook timeline | recovery, backup, restore, continuity, incident_response, dfir, readiness | 0
DFIR-Q-035 | service restoration runbooks evidence owner review log ticket runbook timeline | recovery, backup, restore, continuity, incident_response, dfir, readiness | 0
DFIR-Q-036 | business continuity checkpoints evidence owner review log ticket runbook timeline | recovery, backup, restore, continuity, incident_response, dfir, readiness | 0
DFIR-Q-037 | recovery communications evidence owner review log ticket runbook timeline | recovery, backup, restore, continuity, incident_response, dfir, readiness, communications | 0
DFIR-Q-038 | recovery validation metrics evidence owner review log ticket runbook timeline | recovery, backup, restore, continuity, incident_response, dfir, readiness | 0
DFIR-Q-039 | post-recovery monitoring evidence owner review log ticket runbook timeline | recovery, backup, restore, continuity, incident_response, dfir, readiness | 0
DFIR-Q-040 | customer impact closure notes evidence owner review log ticket runbook timeline | recovery, backup, restore, continuity, incident_response, dfir, readiness, communications | 0
DFIR-Q-041 | post-incident review minutes evidence owner review log ticket runbook timeline | postincident, lessons_learned, improvement, governance, incident_response, dfir, readiness | 0
DFIR-Q-042 | lessons learned register evidence owner review log ticket runbook timeline | postincident, lessons_learned, improvement, governance, incident_response, dfir, readiness | 0
DFIR-Q-043 | corrective action tracker evidence owner review log ticket runbook timeline | postincident, lessons_learned, improvement, governance, incident_response, dfir, readiness | 0
DFIR-Q-044 | policy update changelog evidence owner review log ticket runbook timeline | postincident, lessons_learned, improvement, governance, incident_response, dfir, readiness, change_management | 0
DFIR-Q-045 | control improvement backlog evidence owner review log ticket runbook timeline | postincident, lessons_learned, improvement, governance, incident_response, dfir, readiness | 0
DFIR-Q-046 | executive briefing records evidence owner review log ticket runbook timeline | postincident, lessons_learned, improvement, governance, incident_response, dfir, readiness | 0
DFIR-Q-047 | regulator/customer comms log evidence owner review log ticket runbook timeline | postincident, lessons_learned, improvement, governance, incident_response, dfir, readiness, communications | 0
DFIR-Q-048 | evidence retention decisions evidence owner review log ticket runbook timeline | postincident, lessons_learned, improvement, governance, incident_response, dfir, readiness, evidence, forensics | 0