As you are working through the incident response process, restoring a computer to a known good state, or reimaging, is a common remediation step. The diagram below highlights a workflow concept that allows the security team to send a simple chat ops message to start the process.
The single action of sending a message through a chat platform such as Microsoft Teams or Slack, containing the username and hostname impacted by a security incident, kicks off an orchestrated workflow that performs the following:
- Send a notification to the impacted associate that a ticket request to reimage their device has been created
- Create and assign a ticket to your helpdesk team requesting the asset be reimaged
- Notify the user the ticket was successfully (or unsuccessfully) created
- Add hostname and user info to a global artifact for record keeping
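The orchestration described above, written out as an added Python example (it is not the original page's code, and the page does not name a specific platform or tool). It assumes a command shape of `reimage user=<name> host=<hostname>`, stands in for the ticketing system and the chat notifier with small in-memory classes, and treats the "global artifact" as a list of records. One point worth seeing in code that the list of steps does not show: the username and hostname arrive from a chat message, so they are validated against a strict allow-list before they are placed into a ticket, and a ticketing failure is reported to the user and recorded rather than silently dropped.

```python
"""Chat-ops reimage workflow (constructed example, not the original page's code).

Assumptions: command text is `reimage user=<name> host=<hostname>`; the
ticketing and chat systems are in-memory stand-ins to be replaced by real
API clients; the "global artifact" is a plain list of records.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Strict allow-lists: chat text is operator-typed (and possibly relayed)
# input, so only identifiers that are safe to paste into a ticket pass.
USERNAME_RE = re.compile(r"^[a-z][a-z0-9._-]{0,63}$")
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9-]{0,62}$")
COMMAND_RE = re.compile(r"^reimage\s+user=(\S+)\s+host=(\S+)\s*$", re.IGNORECASE)


def parse_reimage_command(text: str) -> Optional[dict]:
    """Return {'user': ..., 'host': ...} for a well-formed command, else None."""
    m = COMMAND_RE.match(text.strip())
    if not m:
        return None
    user, host = m.group(1).lower(), m.group(2).upper()
    if not USERNAME_RE.match(user) or not HOSTNAME_RE.match(host):
        return None
    return {"user": user, "host": host}


class TicketingError(Exception):
    """Raised by the ticketing stand-in when ticket creation fails."""


class InMemoryTicketing:
    """Hypothetical stand-in for a helpdesk ticketing API."""

    def __init__(self, fail: bool = False):
        self.fail = fail            # set True to simulate an outage
        self.tickets: list[dict] = []

    def create(self, summary: str, assignee_group: str) -> str:
        if self.fail:
            raise TicketingError("ticketing API unavailable")
        ticket_id = f"INC-{len(self.tickets) + 1:05d}"   # constructed id format
        self.tickets.append({"id": ticket_id, "summary": summary,
                             "group": assignee_group})
        return ticket_id


@dataclass
class InMemoryNotifier:
    """Hypothetical stand-in for a Teams/Slack direct-message sender."""
    sent: list = field(default_factory=list)

    def send(self, recipient: str, text: str) -> None:
        self.sent.append((recipient, text))


def run_reimage_workflow(message: str, ticketing, notifier, artifact: list,
                         helpdesk_group: str = "helpdesk") -> dict:
    """Run the four steps from the text and return the record that was stored."""
    parsed = parse_reimage_command(message)
    if parsed is None:
        return {"status": "rejected", "reason": "malformed or unsafe command"}
    user, host = parsed["user"], parsed["host"]

    # 1. Tell the impacted associate a reimage request is being raised.
    notifier.send(user, f"A reimage request for {host} is being created by Security.")

    # 2. Create and assign the helpdesk ticket; an API failure is caught so
    #    the remaining steps still run and the outcome is reported.
    try:
        ticket_id = ticketing.create(
            summary=f"Security incident: reimage {host} (user {user})",
            assignee_group=helpdesk_group)
        status = "created"
    except TicketingError as exc:
        ticket_id, status = None, f"failed: {exc}"

    # 3. Notify the user whether the ticket was created.
    if ticket_id:
        notifier.send(user, f"Ticket {ticket_id} created to reimage {host}.")
    else:
        notifier.send(user, f"Ticket creation for {host} failed.")

    # 4. Record hostname and user in the global artifact regardless of outcome.
    record = {"timestamp": datetime.now(timezone.utc).isoformat(),
              "user": user, "host": host, "ticket": ticket_id, "status": status}
    artifact.append(record)
    return record


if __name__ == "__main__":
    artifact: list = []
    tk, nt = InMemoryTicketing(), InMemoryNotifier()
    print(run_reimage_workflow("reimage user=jdoe host=LAPTOP-0042", tk, nt, artifact))
    print(run_reimage_workflow("reimage user=jdoe host=LAP$TOP", tk, nt, artifact))
```

Because every step is reported back through the same chat channel, the analyst who typed the command sees the result without leaving the conversation, and the artifact list gives the incident record a single place to look up which hosts were queued for reimaging and whether the ticket actually exists.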