soc_runbook.txt

Keensafe SOC Runbook (LAB DOC, FAKE)

L1 -> L2 escalation criteria
  * any auth event from outside EU/Türkiye for an admin account
  * any AWS metadata access from a workload with no business need
  * any SQL error spike on online.keensafeglobalbank.com
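Added illustration, not part of the runbook: a small Python triage routine that applies the three L1 -> L2 criteria above to one batch of normalized events. The event field names, the use of 169.254.169.254 as the marker for AWS instance metadata access, and the threshold of 5 SQL errors per window are assumptions made for the example; the sample events are constructed, not Keensafe telemetry.

```python
"""Apply the three L1 -> L2 escalation criteria to a batch of events.

Example code added to the runbook page, not Keensafe's own tooling.
Field names, the IMDS address check and the SQL spike threshold are
assumptions for the illustration.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Optional

# ISO 3166-1 alpha-2 codes for the 27 EU member states plus Türkiye.
EU_TR_COUNTRIES = frozenset(
    "AT BE BG HR CY CZ DK EE FI FR DE GR HU IE IT LV LT LU MT NL PL PT "
    "RO SK SI ES SE TR".split()
)

AWS_IMDS = "169.254.169.254"            # AWS instance metadata service address
BANK_HOST = "online.keensafeglobalbank.com"
SQL_SPIKE_THRESHOLD = 5                 # assumed: >= 5 SQL errors per window is a spike


@dataclass(frozen=True)
class Event:
    kind: str                    # "auth", "http" or "sql_error"
    source: str                  # account name or workload name
    country: str = ""            # auth: geo-resolved country of the source IP
    role: str = ""               # auth: account role, e.g. "admin"
    dest: str = ""               # http: destination host/IP; sql_error: serving host
    business_need: bool = False  # http: workload is approved to read AWS metadata


def auth_reason(ev: Event) -> Optional[str]:
    """Criterion 1: any auth event from outside EU/Türkiye for an admin account."""
    if ev.kind == "auth" and ev.role == "admin" and ev.country not in EU_TR_COUNTRIES:
        return f"admin auth for {ev.source} from {ev.country or 'unknown'}"
    return None


def imds_reason(ev: Event) -> Optional[str]:
    """Criterion 2: AWS metadata access from a workload with no business need."""
    if ev.kind == "http" and ev.dest == AWS_IMDS and not ev.business_need:
        return f"AWS metadata access from {ev.source} without business need"
    return None


def sql_spike_reasons(events: Iterable[Event],
                      threshold: int = SQL_SPIKE_THRESHOLD) -> List[str]:
    """Criterion 3: SQL error spike on the online banking host (batch-wide count)."""
    per_host = Counter(ev.dest for ev in events if ev.kind == "sql_error")
    n = per_host.get(BANK_HOST, 0)
    if n >= threshold:
        return [f"{n} SQL errors on {BANK_HOST} (threshold {threshold})"]
    return []


def triage(events: List[Event]) -> List[str]:
    """Return every L2-escalation reason found in one batch of events."""
    reasons: List[str] = []
    for ev in events:
        for check in (auth_reason, imds_reason):
            reason = check(ev)
            if reason:
                reasons.append(reason)
    reasons.extend(sql_spike_reasons(events))
    return reasons


# Constructed sample batch for the illustration (not real telemetry).
SAMPLE_EVENTS = (
    [
        Event("auth", "alice.admin", country="US", role="admin"),   # escalate
        Event("auth", "bob.admin", country="DE", role="admin"),     # EU: fine
        Event("auth", "carol", country="US", role="user"),          # not admin: fine
        Event("http", "billing-api", dest=AWS_IMDS),                # escalate
        Event("http", "ci-runner", dest=AWS_IMDS, business_need=True),
    ]
    + [Event("sql_error", "web-app", dest=BANK_HOST)] * 6           # spike: escalate
    + [Event("sql_error", "web-app", dest="intranet.internal")] * 2  # other host
)

if __name__ == "__main__":
    for reason in triage(SAMPLE_EVENTS):
        print("ESCALATE:", reason)
```

The SQL check counts per batch, so the window size is whatever slice of events the caller hands in; in a real pipeline that would be the SIEM's aggregation window, and the threshold would be tuned against the host's normal error rate rather than the fixed number assumed here.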

Hot tools
  * SIEM: https://elastic.internal.keensafeglobalbank.com
  * EDR : https://crowdstrike.cloud (lab N/A)
  * IRP : Slack #soc-irp