NIST 800-53 REV 5 • INCIDENT RESPONSE

IR-4(1) Automated Incident Handling Processes

Support the incident handling process using {{ insert: param, ir-04.01_odp }}.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

No related controls listed

Supplemental Guidance

Automated mechanisms that support incident handling processes include online incident management systems and tools that support the collection of live response data, full network packet capture, and forensic analysis.

Practitioner Notes

This enhancement requires automated tools to support your incident handling process. Manual-only processes are too slow for modern threats, so you need automation to help with triage, correlation, and initial response actions.

Example 1: Deploy a SOAR (Security Orchestration, Automation, and Response) platform like Microsoft Sentinel with automated playbooks, Splunk SOAR, or Palo Alto XSOAR. Create playbooks that automatically enrich alerts with threat intelligence, check IOCs against VirusTotal, and assign severity levels.

Example 2: Use Microsoft Defender for Endpoint's automated investigation and remediation (AIR) capabilities. When Defender detects malware, it can automatically isolate the device, collect forensic artifacts, and remediate the threat — all without analyst intervention for known threat types.