A Standard for Human-Centered Investigation Playbooks

An investigation playbook contains a collection of repeatable investigation steps for specific scenarios. While some playbook standards exist, none are explicitly focused on interpretation by human analysts while also supporting integration into analyst-focused tools. That changes today with the release of the Human-Centered Investigation Playbook (HCIP) standard. In this post, I’ll describe some of the research behind the standard, how it manifests in practice, and an exciting new Security Onion feature that’ll leverage these playbooks.

Review the Human-Centered Investigation Playbook Standard Here

Background

I’ve spent most of my career performing research into the cognitive skills leveraged by expert analysts. Among other things, this research tells us that:

  1. In any given investigation, analysts ask investigative questions that they answer with data (evidence) to determine what happened and if malicious activity occurred.
  2. Analysts encounter common scenarios (cues) across diverse investigations based on the evidence they encounter and their forecasting of potentially related events.
  3. Many of the initial investigative questions analysts will ask in response to these cues can be predicted.
  4. If you can predict the questions analysts will ask in an investigation, providing the analyst with a list of those questions when they encounter the cue has significant performance benefits.

In many investigation scenarios, analysts’ initial investigative questions are predictable.

While playbooks should never be used to replace or restrict human analysts completely, they can augment analysts by helping them overcome the limitations of their memory, generate new ideas for specific investigation scenarios, minimize the limitations of their intuition, and consolidate individual knowledge. Furthermore, the development of investigation playbooks provides a mechanism for deliberately practicing and developing analysis skills. 

I originally developed this standard a couple of years ago as part of my ongoing research into analyst cognition. Since then, it’s gone through multiple revisions, shaped by feedback from thousands of analysts who’ve encountered it in my Investigation Theory online course and leveraged elements of it in their own practice. The goal from the beginning has been simple: provide a structure for documenting investigative playbooks that is flexible, intuitive, and genuinely helpful to human analysts. That includes:

  • Expression of playbooks that are easily interpreted by human analysts
  • Providing meaningful investigative steps while allowing cognitive flexibility
  • Allowing for the expression of investigation steps as questions to be answered
  • Ability to point analysts toward evidence sources that could answer investigative questions
  • Structured in a manner reasonably parseable by software for integration into investigation tools
  • Linkability to related playbooks
  • Linkability to publicly available detection signatures without replicating signature content
  • Linkability to privately created detection signatures without exposing the signature content
  • Playbooks that are easily created, modified, and shared

The Playbooks

Each playbook starts from a cue – an alert, artifact, malware family, or suspected technique – and guides the analyst toward the next step by predicting what they’ll want to know next. The standard supports five types of playbooks:

Playbook Type | Investigation Input
Artifact | Input: Encountering a suspicious artifact. Examples: IP Address, Domain Name, File Name, File Hash
Attack Technique | Input: Suspicion of the use of an attack technique. Examples: Credential Theft, Web Shell, SQL Injection
Attack Phase | Input: Suspicion of an attacker at an attack phase. Examples: Persistence, Recon, Lateral Movement, Exfiltration
Malware Family | Input: Encountering an indicator of malware family use. Examples: Emotet, Rig EK, Cobalt Strike, Qbot, Bazar, Ryuk
Detection Signature Linked | Input: An alert from a detection mechanism. Examples: Suricata SID 4029184, YARA Rule ID 4821

At the heart of every good investigation is a set of questions that are relevant, specific, and answerable. This standard helps document and deliver those questions to analysts in a structured way that includes:

  • Plain-language investigative questions describing the analyst’s goal
    • Was Psexec executed on the system?
    • Is this a location and user agent this user normally makes API calls from?
  • Context explaining why the question matters
    • Attackers often use psexec to execute code remotely on systems to facilitate lateral movement, since it works well and is often used for legitimate purposes.
    • If the location and useragent are different from baseline, it may indicate a malicious disposition.
  • Relevant data sources for answering the question
    • windows_security
    • windows_registry
    • edr
    • cloudtrail
    • more
  • Relative time ranges for evidence collection
    • +1hr
    • -1mo
    • +/-5min
  • Optional search queries tailored to the analyst’s tools
    • seconion_hunt: winlog.channel:"Security" AND event.code:"4688" AND process.name:"psexec.exe"
    • splunk: sourcetype=aws:cloudtrail eventType=AwsApiCall userIdentity.username={username} | stats count by sourceIPAddress, useragent

All of these investigation-critical details are included in a playbook, along with additional metadata. The result is an easily human-readable YAML-formatted playbook, like this one: 

name: Process Reconnaissance Via Wmic.EXE
id: 1200006
description: Investigative Playbook for detections that focus on the execution of "wmic" with the "process" flag, which adversaries might use to list processes running on the compromised host or list installed software hotfixes and patches.
type: detection
detection_id: '221b251a-357a-49a9-920a-271802777cc0'
detection_category: ''
detection_type: 'sigma'
contributors:
  - 'SecurityOnionSolutions, Chris Sanders'
date: 2025-03-12
modified: 2025-03-13
questions:
  - question: 'What was the full WMIC command used on the host?'
    context: 'The full command line can provide insight into what specific activity was being performed.'
    answer_sources:
        - process_creation
    query: |
        aggregation: false
        logsource:
          category: process_creation
          product: windows
        detection:
            selection:
                ProcessGuid|expand: '%ProcessGuid%'
            condition: selection
        fields:
            - User
            - Image
            - CurrentDirectory
            - CommandLine
  - question: 'Did WMIC execute any sub processes?'
    context: 'WMIC can spawn additional processes which may further indicate malicious activity.'
    range: +5m
    answer_sources:
        - process_creation
    query: |
        aggregation: false
        logsource:
          category: process_creation
          product: windows
        detection:
            selection:
                ParentProcessGuid|expand: '%ProcessGuid%'
            condition: selection
        fields:
            - Image
            - CommandLine
  - question: 'What other WMIC commands were used on the host +/- 10 minutes around the time of the alert?'
    context: 'Knowing what else has been queried on the host via WMIC gives further context to the activity.'
    range: +/-10m
    answer_sources:
        - process_creation
    query: |
        aggregation: false
        logsource:
          category: process_creation
          product: windows
        detection:
            selection:
                - Image|endswith: 'WMIC.exe'
                - OriginalFileName: 'wmic.exe'
            filter:
                hostname|expand: '%hostname%'
            condition: selection and filter
        fields:
            - User
            - ParentImage
            - CurrentDirectory
            - CommandLine
  - question: 'What other processes executed on the host +/- 10 minutes around the time of the alert?'
    context: 'Understanding the broader process execution context can help identify related suspicious activity or normal system behavior'
    range: +/-10m
    answer_sources:
        - process_creation
    query: |
        aggregation: true
        logsource:
          category: process_creation
          product: windows
        detection:
            selection:
                hostname|expand: '%hostname%'
            condition: selection
        fields:
            - User
            - ParentImage
            - Image
            - CommandLine
  - question: 'What is the functional role of the host and is this behavior consistent with that role?'
    context: 'Understanding the host''s expected behavior based on its role helps identify if the wmic queries are anomalous.'
    range: ''
    answer_sources:
        - asset_inventory
    query: ''
  - question: 'With what frequency has this host run WMIC previously?'
    context: 'Historical WMIC usage patterns can help establish baseline behavior and identify unusual activity'
    range: -90d
    answer_sources:
        - process_creation
    query: |
        aggregation: false
        logsource:
          category: process_creation
          product: windows
        detection:
            selection:
                - Image|endswith: 'WMIC.exe'
                - OriginalFileName: 'wmic.exe'
            filter:
                hostname|expand: '%hostname%'
            condition: selection and filter
        fields:
            - User
            - ParentImage
            - Image
            - CurrentDirectory
  - question: 'What other hosts on the network have run WMIC in the past 24 hours?'
    context: 'Network-wide WMIC usage can indicate normal usage or potential broader malicious activity.'
    range: -24h
    answer_sources:
        - process_creation
    query: |
        aggregation: true
        logsource:
          category: process_creation
          product: windows
        detection:
            selection:
                - Image|endswith: 'WMIC.exe'
                - OriginalFileName: 'wmic.exe'
            filter:
                hostname|expand: '%hostname%'
            condition: selection and not filter
        fields:
            - hostname
            - User
            - ParentImage
  - question: 'What other hosts on the network have run WMIC in the past 90 days?'
    context: 'Long-term analysis of WMIC usage across the network helps establish normal patterns and identify anomalous behavior.'
    range: -90d
    answer_sources:
        - process_creation
    query: |
        aggregation: true
        logsource:
          category: process_creation
          product: windows
        detection:
            selection:
                - Image|endswith: 'WMIC.exe'
                - OriginalFileName: 'wmic.exe'
            filter:
                hostname|expand: '%hostname%'
            condition: selection and not filter
        fields:
            - hostname
            - User
            - ParentImage
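To make the playbook fields above concrete, here is an added example (my own code, not part of the standard or of Security Onion) of what a tool must do with a question before an analyst can run it: turn the relative `range` into a time window around the alert and fill the `%field%` placeholders that pair with Sigma's `|expand` modifier from the triggering alert. The range semantics ('-' before the alert, '+' after, '+/-' both sides, 'mo' as 30 days), the alert field names and the sample alert are assumptions, and the placeholder regex deliberately tolerates stray spaces like '% ProcessGuid %' so that a playbook typo fails safe.

```python
import re
from datetime import datetime, timedelta

# Relative ranges as used on this page ('+5m', '-90d', '+/-10m', '-1mo', '+1hr'). Reading
# '-' as before the alert, '+' as after, '+/-' as both is my assumption; 'mo' ~ 30 days.
RANGE_RE = re.compile(r'^(\+/-|\+|-)(\d+)(mo|min|hr|s|m|h|d)$')
UNIT_SECONDS = {'s': 1, 'm': 60, 'min': 60, 'h': 3600, 'hr': 3600,
                'd': 86400, 'mo': 30 * 86400}

def parse_range(spec, anchor):
    """Return the (start, end) window around the alert time, or None for an empty range."""
    if not spec:
        return None
    m = RANGE_RE.match(spec.strip())
    if not m:
        raise ValueError(f'unrecognised range: {spec!r}')
    sign, count, unit = m.groups()
    delta = timedelta(seconds=int(count) * UNIT_SECONDS[unit])
    start = anchor if sign == '+' else anchor - delta
    end = anchor if sign == '-' else anchor + delta
    return start, end

# '%field%' placeholders for Sigma's |expand; stray spaces ('% ProcessGuid %') are tolerated.
PLACEHOLDER_RE = re.compile(r"'%\s*(\w+)\s*%'")

def expand_query(query, alert):
    """Fill each placeholder from the alert's fields; fail loudly if one is missing."""
    missing = set()
    def repl(m):
        field = m.group(1)
        if field not in alert:
            missing.add(field)
            return m.group(0)
        return "'" + str(alert[field]).replace("'", "''") + "'"  # YAML single-quote escaping
    rendered = PLACEHOLDER_RE.sub(repl, query)
    if missing:
        raise KeyError(f'alert lacks fields required by the playbook: {sorted(missing)}')
    return rendered

def render_question(q, alert, alert_time):
    # Concrete time window and query an analyst tool would run for one playbook question.
    return {'question': q['question'], 'sources': q.get('answer_sources', []),
            'window': parse_range(q.get('range', ''), alert_time),
            'query': expand_query(q.get('query', ''), alert)}

# Constructed sample: the page's "sub processes" question and a made-up triggering alert.
SAMPLE_QUESTION = {'question': 'Did WMIC execute any sub processes?', 'range': '+5m',
                   'answer_sources': ['process_creation'],
                   'query': "selection:\n  ParentProcessGuid|expand: '%ProcessGuid%'\n"}
SAMPLE_ALERT = {'hostname': 'ws-042', 'ProcessGuid': '{0000-CONSTRUCTED-0000}'}
SAMPLE_ALERT_TIME = datetime(2025, 3, 12, 10, 0, 0)
```

An empty `range` (as in the asset-inventory question above) yields no window, and a placeholder with no matching alert field raises rather than silently leaving the query unfilled.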

You can see more examples of these playbooks here

From Theory to Practice: Security Onion Integration

This standard isn’t just theory—it’s being put into practice at scale.

In conjunction with this announcement, Security Onion is releasing their new guided investigation playbooks feature today, which was built using this standard. 

Reviewing investigative questions from playbooks in the Security Onion alerts console
Digging further into a playbook

Their release includes 20 initial hand-written playbooks that function at the detection engine and category level. The Security Onion team has also used AI to generate individual detection-linked playbooks. The initial release includes 58,000 playbooks for the Suricata ETOpen ruleset. Complete coverage for the Sigma ruleset will be forthcoming in a future release. Using this strategy, every alert in Security Onion will always be accompanied by an investigative playbook. While AI-generated playbooks are inherently limited due to the nature of current generation engines, they do provide some helpful initial pathways for investigation. As this feature develops and analysts can create and share their own playbooks, I suspect these will get refined for more value.

Overall, these efforts make Human-Centered Investigation Playbooks immediately actionable for anyone using Security Onion in their SOC.

Learn more about Security Onion Playbooks here:

Security Onion Detection-Linked Playbooks

Security Onion Playbooks in Github

A Tool for Investigations and Learning

These playbooks aren’t just helpful during active investigations—they’re also a powerful tool for training and knowledge transfer. They make tacit expertise explicit, helping junior analysts grow, and seasoned analysts scale their knowledge across teams.

Analysts who use human-centric playbooks during investigations benefit from structured prompts that guide their thinking, helping them spot gaps, consider alternate angles, and avoid the trap of premature conclusions. Rather than relying solely on intuition or institutional knowledge, they gain access to the kinds of questions experienced investigators would ask – right when they need them. This provides a form of cognitive scaffolding that helps less experienced analysts punch above their weight and learn faster through doing.

Analysts derive playbooks through inductive reasoning processes. The process is often as valuable as the result.

Just as powerful is what happens when analysts create their own playbooks. Whether they’re building them for production use or crafting them as an exercise to compare against expert-authored examples, this act forces deliberate reflection on investigative reasoning. Creating a playbook compels analysts to consider why each question matters, what evidence would answer it, and how it fits into the broader investigative picture. That reflective practice fosters both divergent thinking, the ability to consider multiple investigative paths and possibilities, and convergent thinking, the ability to synthesize evidence and draw conclusions. These are the mental muscles of a strong investigator. Encouraging analysts to both use and author playbooks creates a shared investigative vocabulary and a scalable way to capture institutional expertise.

This standard isn’t just a framework for guiding analysis; it’s a tool for building better analysts.

Summary

The Human-Centered Investigation Playbook Standard is a structured format for documenting investigation workflows in a way that supports how analysts think—through questions, not just actions. Developed over several years with input from practicing analysts and taught in the Investigation Theory course, the standard helps investigators respond to cues by presenting them with meaningful questions, context, evidence sources, and queries. This human-centered approach is designed to be flexible and easy to interpret by humans, while still allowing integration into security operation tools. It’s already being adopted by platforms like Security Onion to power guided investigations based on real-world detection signatures.

If you’re building tools, running a SOC, or mentoring new investigators, I invite you to give the standard a look. It’s free to use, easy to implement, and designed with real human analysts in mind. When you use the standard in your workplace or tool, drop me a line and let me know how it’s going.

You Can Find the Full Standard Here

You Can Find the Security Onion Playbook Examples Here
