Manual Test Runbook — K1: IR Runbook Library

Owner: Sagar  |  Time: ~2 min (offline)  |  Sandbox: None (offline doc)

Overview

K1 provides the Baseline-tier Incident Response (IR) runbook library. It consists of 5 standard markdown templates covering core incident scenarios.

The catalog test criterion: confirm that the 5 scenario files exist and that each contains the expected response phases (Identification, Containment, Eradication, Recovery, Lessons Learned).

Part A — Offline Documentation Review (~2 min)

A1. File Existence

ls -l docs/runbooks/incident/

Confirm the following files exist:
  • compromise.md
  • ransomware.md
  • data-leak.md
  • ddos.md
  • vendor-breach.md

A2. Format Validation

Open each file and confirm it includes the following sections (or appropriate structural equivalents):
  1. Identification
  2. Containment
  3. Eradication & Investigation
  4. Recovery
  5. Lessons Learned
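Added example, not part of the SnowOps project or of this runbook: a POSIX shell script that automates steps A1 and A2 against a runbook directory, so the offline review can be repeated on every revision of the library. It assumes a phase counts as present only when it appears in a markdown heading line; the five-file sample library it builds is constructed for the demo.

```shell
#!/bin/sh
# Added example (not SnowOps project code): automates steps A1 and A2 of this
# runbook. check_runbooks DIR returns 0 only if all five scenario files exist
# in DIR and each contains a markdown heading for every IR phase.
RUNBOOKS="compromise.md ransomware.md data-leak.md ddos.md vendor-breach.md"
# Pipe-separated so the two-word phase survives word splitting below.
PHASES="Identification|Containment|Eradication|Recovery|Lessons Learned"

check_runbooks() {
  dir="$1"; rc=0
  for f in $RUNBOOKS; do
    path="$dir/$f"
    if [ ! -f "$path" ]; then
      echo "FAIL: missing $path"; rc=1; continue
    fi
    old_ifs=$IFS; IFS='|'
    for phase in $PHASES; do
      # A phase counts only as a heading line, e.g. "## 3. Eradication & Investigation"
      if ! grep -Eq "^#+ .*$phase" "$path"; then
        echo "FAIL: $f has no '$phase' heading"; rc=1
      fi
    done
    IFS=$old_ifs
  done
  [ "$rc" -eq 0 ] && echo "PASS: 5 runbooks, 5 phases each, in $dir"
  return "$rc"
}

# Constructed sample library so the check can be exercised offline.
make_sample_library() {
  mkdir -p "$1"
  for f in $RUNBOOKS; do
    printf '# %s runbook\n## 1. Identification\n## 2. Containment\n## 3. Eradication & Investigation\n## 4. Recovery\n## 5. Lessons Learned\n' \
      "${f%.md}" > "$1/$f"
  done
}

# Remove one phase heading from a file (used to demonstrate a failing check).
drop_phase() {
  grep -v "$2" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

demo_dir=$(mktemp -d)
make_sample_library "$demo_dir"
check_runbooks "$demo_dir"                       # expected: PASS
drop_phase "$demo_dir/ddos.md" "Recovery"
check_runbooks "$demo_dir" || echo "library rejected as expected"
rm -rf "$demo_dir"
```

Point check_runbooks at docs/runbooks/incident/ to run the real A1/A2 check; a non-zero exit with the printed FAIL lines is the evidence to record under Notes.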

Pass criteria

  • All 5 .md files exist in docs/runbooks/incident/
  • Each file follows the defined 5-phase IR structure
  • Content references relevant SnowOps capabilities (e.g., Log Analytics, Defender, F6 immutability)

Teardown

  • None (read-only verification).

Sign-off

  • Tester: _  |  Date: _  |  Result: PASS / FAIL / N/A
  • Notes: