Incident Response Playbooks

Step-by-step procedures for common security incidents

Playbook Overview

Incident response playbooks provide detailed, prescriptive guidance for responding to specific types of security incidents. These playbooks ensure consistent, rapid response and reduce decision-making burden during high-stress situations.

Using These Playbooks: Adapt these templates to your organization's specific environment, tools, and procedures. Regularly test and update playbooks through tabletop exercises and lessons learned from real incidents.

Playbook 1: Ransomware Response

Initial Detection

Indicators:

  • Mass file encryption or file extension changes
  • Ransom notes appearing on systems (.txt, .html files)
  • Shadow copy deletion events
  • Unusual process execution (PowerShell, wmic, vssadmin)
  • Alerts from Microsoft Defender for Endpoint or other EDR
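The indicators above can be turned into a first-pass triage rule set. The following is an added example (not part of the original playbook) that scores constructed endpoint telemetry for three of the listed signals: shadow copy deletion commands (vssadmin, wmic), a burst of extension-changing renames, and a ransom-note-like file drop. The thresholds, file-name keywords and sample hosts are assumptions chosen for the example.

```python
"""Behaviour-based ransomware triage over endpoint telemetry (constructed sample data)."""
import os
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Tunable thresholds; these values are assumptions for the example, not vendor defaults.
RENAME_THRESHOLD = 30                   # extension-changing renames ...
RENAME_WINDOW = timedelta(seconds=60)   # ... within this sliding window
NOTE_KEYWORDS = ("readme", "restore", "decrypt", "how_to", "recover")
NOTE_EXTENSIONS = {".txt", ".html", ".hta"}


def _basename(path):
    """Last path component, accepting both Windows and POSIX separators."""
    return re.split(r"[\\/]", path)[-1]


def shadow_copy_deletion(cmd):
    """Matches the shadow copy deletion commands named in the playbook (vssadmin, wmic)."""
    c = " ".join(cmd.lower().split())
    return ("vssadmin" in c and "delete shadows" in c) or ("wmic" in c and "shadowcopy delete" in c)


def looks_like_ransom_note(path):
    stem, ext = os.path.splitext(_basename(path).lower())
    return ext in NOTE_EXTENSIONS and any(k in stem for k in NOTE_KEYWORDS)


def extension_changed(old, new):
    return os.path.splitext(_basename(old))[1].lower() != os.path.splitext(_basename(new))[1].lower()


def mass_rename(timestamps):
    """True if at least RENAME_THRESHOLD renames fall inside any RENAME_WINDOW."""
    ts = sorted(timestamps)
    start = 0
    for end in range(len(ts)):
        while ts[end] - ts[start] > RENAME_WINDOW:
            start += 1
        if end - start + 1 >= RENAME_THRESHOLD:
            return True
    return False


def triage(events):
    """Per-host indicator flags plus a score (number of indicators that fired)."""
    flags = defaultdict(lambda: {"shadow_copy_deletion": False, "ransom_note": False, "mass_rename": False})
    rename_times = defaultdict(list)
    for e in events:
        host = flags[e["host"]]  # touching the entry ensures every host appears in the output
        if e["type"] == "process" and shadow_copy_deletion(e["cmd"]):
            host["shadow_copy_deletion"] = True
        elif e["type"] == "file_create" and looks_like_ransom_note(e["path"]):
            host["ransom_note"] = True
        elif e["type"] == "file_rename" and extension_changed(e["old"], e["new"]):
            rename_times[e["host"]].append(e["ts"])
    for host, stamps in rename_times.items():
        flags[host]["mass_rename"] = mass_rename(stamps)
    return {h: dict(f, score=sum(f.values())) for h, f in flags.items()}


def build_sample_events():
    """Constructed telemetry: WS-042 shows all three signals, WS-007 shows only benign activity."""
    base = datetime(2024, 5, 1, 2, 14, 0)
    events = [
        {"ts": base, "host": "WS-042", "type": "process", "cmd": "vssadmin.exe delete shadows /all /quiet"},
        {"ts": base + timedelta(seconds=5), "host": "WS-042", "type": "process", "cmd": "wmic.exe shadowcopy delete"},
        {"ts": base + timedelta(seconds=10), "host": "WS-007", "type": "process", "cmd": "powershell.exe -Command Get-Date"},
    ]
    for i in range(40):  # 40 documents renamed to a new extension within 40 seconds
        events.append({"ts": base + timedelta(seconds=60 + i), "host": "WS-042", "type": "file_rename",
                       "old": f"C:\\Users\\alice\\Documents\\report{i}.docx",
                       "new": f"C:\\Users\\alice\\Documents\\report{i}.docx.locked"})
    events.append({"ts": base + timedelta(seconds=120), "host": "WS-042", "type": "file_create",
                   "path": "C:\\Users\\alice\\Documents\\README_TO_RESTORE.txt"})
    for i in range(3):  # a user converting three notes by hand, far below the threshold
        events.append({"ts": base + timedelta(minutes=5, seconds=i), "host": "WS-007", "type": "file_rename",
                       "old": f"C:\\Users\\bob\\draft{i}.txt", "new": f"C:\\Users\\bob\\draft{i}.md"})
    return events


if __name__ == "__main__":
    for host, result in triage(build_sample_events()).items():
        print(host, result)
```

A score of 2 or more on one host is a reasonable trigger for the isolation step in the next section; a single extension-change burst on its own is common during bulk file conversions and archive extraction, so it should raise an alert rather than an automatic quarantine.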

Immediate Actions (First 15 Minutes)

  1. Activate Incident Response Team - Notify incident commander and key stakeholders immediately
  2. Document - Begin incident timeline, take screenshots of ransom notes and encryption alerts
  3. Isolate Affected Systems - Use Microsoft Defender to quarantine devices, or physically disconnect from network
  4. Identify Patient Zero - Determine initial infection point through EDR telemetry
  5. Disable Compromised Accounts - Reset passwords and revoke sessions in Azure AD/Active Directory

Containment (First Hour)

  • Identify all infected systems using Microsoft Sentinel or SIEM queries
  • Check backup integrity and offline backup availability
  • Segment network to prevent lateral spread
  • Block C2 domains and IPs at firewall and DNS levels
  • Identify ransomware variant (check ransom note, file extensions, encryption patterns)
  • Search ID Ransomware or No More Ransom for identification and potential decryptors
  • Preserve forensic evidence from affected systems

Eradication and Recovery

  • Remove ransomware from all infected systems
  • Search entire environment for indicators of compromise
  • Patch vulnerabilities used for initial access
  • Reset all privileged account credentials
  • Rebuild severely impacted systems from clean images
  • Restore data from backups after validating backup cleanliness
  • Test decryption tools if available (consult with ransomware experts)
  • Gradually restore systems with enhanced monitoring

Communication

  • Do NOT pay ransom without executive approval and legal consultation
  • Notify law enforcement (FBI Internet Crime Complaint Center)
  • Report to cyber insurance carrier
  • Consider engaging specialized ransomware response firm
  • Assess data breach notification requirements if data was exfiltrated

Critical Warning: Modern ransomware often includes data exfiltration before encryption. Investigate for data theft and assess notification obligations even if data is successfully restored.

Playbook 2: Data Breach Response

Initial Detection

Indicators:

  • Unusual data access or large data transfers
  • Alerts from Microsoft Defender for Cloud Apps or DLP systems
  • Reports from third parties about exposed data
  • Notification from compromised service provider
  • Discovery of publicly posted company data

Immediate Actions (First 30 Minutes)

  1. Validate Breach - Confirm data exposure and identify what data was accessed
  2. Assemble Response Team - Include legal counsel, privacy officer, communications
  3. Preserve Evidence - Collect logs, access records, and system snapshots
  4. Determine Scope - Identify affected individuals, data types, and timeframe
  5. Begin Documentation - Create detailed timeline and impact assessment

Investigation and Containment

  • Identify attack vector (phishing, credential compromise, application vulnerability, misconfiguration)
  • Determine what data was accessed, copied, or exfiltrated
  • Revoke access to compromised accounts and systems
  • Close vulnerabilities or misconfigurations that enabled breach
  • Review access logs to identify all affected records
  • Assess whether data was encrypted in transit and at rest
  • Determine if data has appeared on dark web or been publicly disclosed
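Scoping a breach ("Determine Scope" above, and "Review access logs to identify all affected records" here) is mostly a filtering and aggregation exercise over access logs. The following is an added example, not from the original playbook, that takes a constructed CSV access log, the set of compromised actors and the compromise window, and returns the affected records, data classes, timeframe and action counts. The log format and the list of high-risk data classes are assumptions for the example.

```python
"""Scope a data breach from application access logs (constructed sample data)."""
import csv
import io
from collections import Counter
from datetime import datetime

# Constructed sample access log, not real data. data_classes is a ';'-separated list per record.
SAMPLE_ACCESS_LOG = """timestamp,actor,action,record_id,data_classes
2024-03-10T08:00:00,jsmith,view,CUST-1001,name;email
2024-03-10T08:01:00,jsmith,view,CUST-1002,name;email
2024-03-11T23:40:00,jsmith,export,CUST-1001,name;email;ssn
2024-03-11T23:41:00,jsmith,export,CUST-1003,name;email;ssn
2024-03-11T23:42:00,jsmith,export,CUST-1004,name;dob
2024-03-12T09:00:00,mlee,view,CUST-2001,name
2024-03-13T10:00:00,jsmith,view,CUST-1005,name
"""

# Data classes that raise the risk of harm to individuals; an assumption for the example.
HIGH_RISK_CLASSES = {"ssn", "dob", "card", "health"}


def scope_breach(log_text, compromised_actors, window_start, window_end):
    """Affected records, data classes and timeframe for the given actors inside the window."""
    affected = {}              # record_id -> set of data classes touched
    actions = Counter()
    first_seen = last_seen = None
    for row in csv.DictReader(io.StringIO(log_text)):
        ts = datetime.fromisoformat(row["timestamp"])
        if row["actor"] not in compromised_actors or not (window_start <= ts <= window_end):
            continue
        affected.setdefault(row["record_id"], set()).update(row["data_classes"].split(";"))
        actions[row["action"]] += 1
        first_seen = ts if first_seen is None else min(first_seen, ts)
        last_seen = ts if last_seen is None else max(last_seen, ts)
    all_classes = set().union(*affected.values()) if affected else set()
    return {
        "records": sorted(affected),
        "data_classes": sorted(all_classes),
        "high_risk_records": sorted(r for r, c in affected.items() if c & HIGH_RISK_CLASSES),
        "actions": dict(actions),
        "first_seen": first_seen,
        "last_seen": last_seen,
    }


if __name__ == "__main__":
    # The compromise window comes from the sign-in investigation; these bounds are constructed.
    report = scope_breach(SAMPLE_ACCESS_LOG, {"jsmith"},
                          datetime(2024, 3, 11), datetime(2024, 3, 12, 23, 59, 59))
    for key, value in report.items():
        print(f"{key}: {value}")
```

The window bounds matter as much as the actor list: the same account's legitimate activity before the compromise must not inflate the affected population, and anything after the account was reset should be reviewed separately. Records that carry a high-risk class are the ones that usually drive individual notification decisions, which is why they are reported apart from the full list.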

Regulatory and Legal Actions

  • Assess notification requirements under applicable laws (GDPR, CCPA, HIPAA, etc.)
  • Calculate regulatory notification deadlines
  • Notify data protection authorities as required
  • Prepare breach notification letters for affected individuals
  • Consider offering credit monitoring or identity protection services
  • Work with legal counsel on potential litigation and liability
  • Document all breach response activities for regulatory inquiries

Communication Plan

Audience             | Timing                 | Key Messages
---------------------|------------------------|------------------------------------------------------------
Executive Leadership | Within 2 hours         | Breach scope, business impact, response plan
Legal & Compliance   | Within 2 hours         | Data types, affected individuals, regulatory obligations
Regulators           | Per legal requirements | Breach details, affected data subjects, remediation
Affected Individuals | Per legal requirements | What happened, data involved, protective actions
Media/Public         | As needed              | Transparent facts, remediation, customer protection

Playbook 3: Phishing Attack Response

Initial Detection

Indicators:

  • User reports of suspicious emails
  • Multiple failed login attempts after email campaign
  • Email security gateway alerts
  • Discovery of credential harvesting websites
  • Alerts from Microsoft Defender for Office 365

Immediate Actions (First 30 Minutes)

  1. Analyze Phishing Email - Review headers, links, attachments in isolated environment
  2. Identify Recipients - Query mail logs to find all recipients of phishing email
  3. Quarantine Emails - Use Microsoft Defender to remove phishing emails from all mailboxes
  4. Block Indicators - Add malicious URLs, domains, and sender addresses to block lists
  5. Alert Users - Notify organization about phishing campaign

Investigation

  • Identify users who clicked links or opened attachments
  • Check for credential submission on phishing sites
  • Review authentication logs for compromised accounts
  • Scan endpoints of users who interacted with phishing email
  • Search for similar emails that bypassed initial detection
  • Analyze malware if attachments were opened
  • Check for signs of account compromise or lateral movement
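The "Identify Recipients" step and the first three investigation bullets are a correlation between the mail gateway log and the web proxy log. The following is an added example, not part of the original playbook, that performs that correlation over constructed logs (reserved .example domains) and tiers each user by the strongest action seen: a POST to the phishing host (credential submission), a GET (clicked), or receipt only. The log field names are assumptions; real gateways and proxies differ.

```python
"""Correlate mail-gateway and web-proxy logs for a phishing campaign (constructed sample data)."""
from urllib.parse import urlparse

# Constructed sample logs using reserved .example domains; not real data.
MAIL_LOG = [
    {"msg_id": "m1", "sender": "it-support@contoso-helpdesk.example", "recipient": "alice@corp.example",
     "url": "https://login-contoso.example/auth"},
    {"msg_id": "m2", "sender": "it-support@contoso-helpdesk.example", "recipient": "bob@corp.example",
     "url": "https://login-contoso.example/auth?u=bob"},
    {"msg_id": "m3", "sender": "it-support@contoso-helpdesk.example", "recipient": "carol@corp.example",
     "url": "https://login-contoso.example/auth"},
    {"msg_id": "m4", "sender": "newsletter@vendor.example", "recipient": "dave@corp.example",
     "url": "https://vendor.example/news"},
]
PROXY_LOG = [
    {"ts": "2024-04-02T09:02:00", "user": "alice", "method": "GET", "url": "https://login-contoso.example/auth"},
    {"ts": "2024-04-02T09:02:30", "user": "alice", "method": "POST", "url": "https://login-contoso.example/auth"},
    {"ts": "2024-04-02T09:10:00", "user": "bob", "method": "GET", "url": "https://login-contoso.example/auth?u=bob"},
    {"ts": "2024-04-02T09:15:00", "user": "dave", "method": "GET", "url": "https://intranet.corp.example/"},
]


def _host(url):
    return (urlparse(url).hostname or "").lower()


def triage_phishing(mail_log, proxy_log, campaign_sender):
    """Tier users by exposure and return the indicators to add to block lists."""
    # 1. recipients of the campaign and the phishing hosts linked from it
    recipients, phishing_hosts = set(), set()
    for m in mail_log:
        if m["sender"].lower() == campaign_sender.lower():
            recipients.add(m["recipient"].split("@")[0].lower())
            phishing_hosts.add(_host(m["url"]))
    # 2. who reached a phishing host (clicked) and who submitted a form (POST)
    clicked, submitted = set(), set()
    for p in proxy_log:
        if _host(p["url"]) in phishing_hosts:
            clicked.add(p["user"].lower())
            if p["method"].upper() == "POST":
                submitted.add(p["user"].lower())
    # 3. tier the response; users who clicked without a logged mail (a copy that
    #    bypassed the gateway) are still included because they appear in `clicked`
    tiers = {}
    for user in sorted(recipients | clicked):
        if user in submitted:
            tiers[user] = "reset_password"
        elif user in clicked:
            tiers[user] = "scan_endpoint"
        else:
            tiers[user] = "notify"
    return {"tiers": tiers,
            "block_indicators": {"senders": [campaign_sender], "hosts": sorted(phishing_hosts)}}


if __name__ == "__main__":
    result = triage_phishing(MAIL_LOG, PROXY_LOG, "it-support@contoso-helpdesk.example")
    print(result["tiers"])
    print(result["block_indicators"])
```

Matching on the hostname rather than the full URL is deliberate: phishing kits commonly append per-recipient query strings, so an exact-URL match would miss most clicks. The "reset_password" tier maps directly to the first two Remediation bullets below.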

Remediation

  • Force password resets for users who submitted credentials
  • Revoke active sessions for compromised accounts
  • Enable MFA for affected accounts if not already active
  • Remove malware from infected systems
  • Update email security rules to block similar attacks
  • Report phishing infrastructure to hosting providers and domain registrars
  • Submit samples to Microsoft, Google Safe Browsing, PhishTank

User Education

  • Send organization-wide awareness message about the attack
  • Provide examples of the phishing email for training
  • Remind users how to report suspicious emails
  • Conduct targeted training for users who fell for phishing
  • Consider simulation exercises to improve awareness

Playbook 4: Compromised Account

Initial Detection

Indicators:

  • Impossible travel alerts (Azure AD Identity Protection)
  • Login from suspicious locations or devices
  • Unusual user activity or data access patterns
  • User reports they cannot access their account
  • Automated password reset or MFA changes

Immediate Containment (First 15 Minutes)

  1. Disable Account - Immediately disable the compromised account in Azure AD
  2. Revoke Sessions - Terminate all active sessions and refresh tokens
  3. Reset Credentials - Force password reset and review security questions
  4. Contact User - Verify suspicious activity with legitimate user through alternative channel
  5. Begin Investigation - Review account activity logs and access patterns

Investigation

  • Review Azure AD sign-in logs for unauthorized access
  • Check email rules, forwarding, and mailbox delegates
  • Examine sent items for phishing or spam from compromised account
  • Review file access logs in SharePoint and OneDrive
  • Check for data exfiltration to external accounts
  • Identify how account was compromised (phishing, password spray, breach)
  • Look for lateral movement using compromised credentials
  • Review privilege escalation attempts
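Two of the investigation steps above lend themselves to simple, explainable checks: the impossible travel indicator (sign-in logs) and the review of email rules and forwarding (mailbox configuration). The following is an added example, not from the original playbook, that runs both over constructed data. The 900 km/h plausibility limit, the organization domain and the suspicious subject keywords are assumptions for the example.

```python
"""Impossible-travel and inbox-rule checks for a suspected compromised account (constructed data)."""
import math
from datetime import datetime

# Constructed sign-in records (user, time, geolocation); not real data.
SIGN_INS = [
    {"user": "alice", "ts": "2024-06-03T09:00:00", "place": "Seattle", "lat": 47.61, "lon": -122.33},
    {"user": "alice", "ts": "2024-06-03T10:30:00", "place": "Berlin", "lat": 52.52, "lon": 13.40},
    {"user": "bob", "ts": "2024-06-03T09:00:00", "place": "Seattle", "lat": 47.61, "lon": -122.33},
    {"user": "bob", "ts": "2024-06-03T17:00:00", "place": "Portland", "lat": 45.52, "lon": -122.68},
]
# Constructed mailbox rules. A rule named "." that forwards externally and deletes
# security-related mail is a common post-compromise pattern.
INBOX_RULES = [
    {"user": "alice", "name": ".", "forward_to": "alice.backup@webmail.example", "delete": True,
     "subject_contains": ["password", "invoice"]},
    {"user": "bob", "name": "Newsletters", "forward_to": None, "delete": False,
     "subject_contains": ["newsletter"]},
]
ORG_DOMAINS = {"corp.example"}
MAX_PLAUSIBLE_KMH = 900   # assumption: faster than a scheduled flight is not plausible travel
SUSPICIOUS_SUBJECTS = {"password", "invoice", "payment", "security", "hacked"}


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def impossible_travel(sign_ins, max_kmh=MAX_PLAUSIBLE_KMH):
    """Flag consecutive sign-ins per user whose implied speed exceeds max_kmh."""
    by_user = {}
    for s in sorted(sign_ins, key=lambda s: (s["user"], s["ts"])):
        by_user.setdefault(s["user"], []).append(s)
    flags = []
    for user, rows in by_user.items():
        for prev, cur in zip(rows, rows[1:]):
            hours = (datetime.fromisoformat(cur["ts"]) - datetime.fromisoformat(prev["ts"])).total_seconds() / 3600
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            speed = km / hours if hours > 0 else float("inf")
            if speed > max_kmh:
                flags.append({"user": user, "from": prev["place"], "to": cur["place"], "kmh": round(speed)})
    return flags


def suspicious_rules(rules, org_domains):
    """Return rules that forward externally, delete security mail, or hide behind a blank name."""
    findings = []
    for rule in rules:
        reasons = []
        fwd = rule.get("forward_to")
        if fwd and fwd.split("@")[-1].lower() not in org_domains:
            reasons.append("external_forward")
        if rule.get("delete") and {k.lower() for k in rule.get("subject_contains", [])} & SUSPICIOUS_SUBJECTS:
            reasons.append("deletes_security_mail")
        if not rule["name"].strip(". "):
            reasons.append("hidden_rule_name")
        if reasons:
            findings.append({"user": rule["user"], "rule": rule["name"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    print(impossible_travel(SIGN_INS))
    print(suspicious_rules(INBOX_RULES, ORG_DOMAINS))
```

Treat impossible travel as a trigger for the "Contact User" step rather than proof on its own: VPN egress and mobile carrier geolocation produce false positives, which is why the second check on mailbox rules is the stronger confirmation of an actual takeover.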

Recovery

  • Remove unauthorized email rules and delegates
  • Delete phishing or spam emails sent from account
  • Re-enable account with new strong password
  • Enforce MFA registration if not already enabled
  • Register trusted devices and locations
  • Review and adjust account permissions
  • Monitor account closely for several weeks

Preventive Measures

  • Implement Azure AD Conditional Access policies
  • Enable Azure AD Identity Protection risk-based policies
  • Require MFA for all users, especially privileged accounts
  • Deploy passwordless authentication where possible
  • Implement suspicious activity alerts
  • Conduct regular access reviews
  • Train users on password hygiene and phishing awareness

Playbook 5: Insider Threat Response

Initial Detection

Indicators:

  • Unusual data access or downloads by privileged user
  • Access to resources outside normal job function
  • After-hours access patterns
  • Large file transfers to personal accounts or external storage
  • Reports of policy violations or suspicious behavior
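The first four indicators are what a UEBA baseline scores: today's activity compared with the user's own history, time of day, destination of transfers, and resources outside the user's role. The following is an added example, not from the original playbook and not Microsoft Sentinel's UEBA logic, that builds a per-user baseline from constructed history and scores one constructed day. Business hours, role-to-resource mapping and the volume threshold (the larger of mean plus three standard deviations and twice the mean) are assumptions for the example.

```python
"""UEBA-style scoring of one day's activity against a per-user baseline (constructed data)."""
import statistics
from datetime import datetime, timedelta

ORG_DOMAIN = "corp.example"
BUSINESS_HOURS = range(7, 20)   # 07:00-19:59, an assumption
ROLE_RESOURCES = {"finance": {"erp", "sharepoint-finance"}, "engineering": {"git", "wiki"}}
USER_ROLES = {"carol": "finance", "dan": "engineering"}


def build_history(days=20):
    """Constructed baseline: one business-hours download per user per day for `days` days."""
    start = datetime(2024, 8, 1, 10, 0)
    events = []
    for d in range(days):
        day = start + timedelta(days=d)
        events.append({"user": "carol", "ts": day, "action": "download", "resource": "sharepoint-finance",
                       "bytes": 60_000_000 + d * 1_000_000, "destination": None})
        events.append({"user": "dan", "ts": day, "action": "download", "resource": "git",
                       "bytes": 80_000_000 + d * 2_000_000, "destination": None})
    return events


def build_day_events():
    """Constructed day under review: carol pulls 4 GB late at night, uploads it to personal cloud storage,
    and browses a repository outside her role; dan has an ordinary day."""
    day = datetime(2024, 8, 21)
    return [
        {"user": "carol", "ts": day.replace(hour=23, minute=15), "action": "download",
         "resource": "sharepoint-finance", "bytes": 4_000_000_000, "destination": None},
        {"user": "carol", "ts": day.replace(hour=23, minute=40), "action": "upload",
         "resource": "sharepoint-finance", "bytes": 3_500_000_000, "destination": "personal-cloud.example"},
        {"user": "carol", "ts": day.replace(hour=23, minute=50), "action": "view",
         "resource": "git", "bytes": 0, "destination": None},
        {"user": "dan", "ts": day.replace(hour=11), "action": "download", "resource": "git",
         "bytes": 90_000_000, "destination": None},
    ]


def daily_download_bytes(events):
    """(user, date) -> total bytes downloaded."""
    totals = {}
    for e in events:
        if e["action"] == "download":
            key = (e["user"], e["ts"].date())
            totals[key] = totals.get(key, 0) + e["bytes"]
    return totals


def baselines(history):
    """Per-user (mean, population stdev) of daily download volume."""
    per_user = {}
    for (user, _day), total in daily_download_bytes(history).items():
        per_user.setdefault(user, []).append(total)
    return {u: (statistics.mean(v), statistics.pstdev(v)) for u, v in per_user.items()}


def score_day(day_events, history):
    """Score each user seen today; the reasons list explains every point of the score."""
    base = baselines(history)
    today = daily_download_bytes(day_events)
    results = {}
    for user in sorted({e["user"] for e in day_events}):
        mine = [e for e in day_events if e["user"] == user]
        reasons = []
        volume = sum(v for (u, _d), v in today.items() if u == user)
        mean, sd = base.get(user, (0.0, 0.0))
        if volume > max(mean + 3 * sd, 2 * mean):
            reasons.append("download_volume_anomaly")
        if any(e["ts"].hour not in BUSINESS_HOURS for e in mine):
            reasons.append("after_hours_activity")
        if any(e["action"] == "upload" and e["destination"] and not e["destination"].endswith(ORG_DOMAIN)
               for e in mine):
            reasons.append("transfer_to_personal_storage")
        allowed = ROLE_RESOURCES.get(USER_ROLES.get(user), set())
        if any(e["resource"] not in allowed for e in mine):
            reasons.append("access_outside_role")
        results[user] = {"score": len(reasons), "reasons": reasons}
    return results


if __name__ == "__main__":
    for user, verdict in score_day(build_day_events(), build_history()).items():
        print(user, verdict)
```

Keeping the reasons alongside the score is what makes the output usable in the HR and legal coordination this playbook requires: each reason maps to a specific log entry that can be preserved as evidence, and a reviewer can discount a reason (for example, an approved after-hours project) without discarding the whole alert.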

Initial Response (First Hour)

  1. Notify Management - Alert HR, legal, and executive leadership immediately
  2. Preserve Evidence - Collect logs, emails, file access records before alerting subject
  3. Assess Risk - Determine potential damage and ongoing threat
  4. Legal Consultation - Involve legal counsel before taking action against employee
  5. Secure Environment - Prepare to disable access if threat is confirmed

Investigation (Coordinated with HR and Legal)

  • Review comprehensive activity logs for suspicious user
  • Examine file access, downloads, and uploads
  • Check email for data transmission to personal accounts
  • Review removable media usage and print logs
  • Analyze network traffic for data exfiltration
  • Interview colleagues and managers
  • Review recent performance issues or disciplinary actions
  • Check for access to systems beyond job requirements

Containment (If Threat Confirmed)

  • Coordinate with HR and legal on timing of access removal
  • Disable network accounts and revoke VPN access
  • Disable badge access to facilities
  • Retrieve company devices, credentials, and access tokens
  • Change passwords for shared accounts they accessed
  • Document all actions taken for potential legal proceedings

Legal Considerations: Insider threat investigations involve significant legal and privacy concerns. Always coordinate with HR and legal counsel before surveillance, evidence collection, or employment actions.

Prevention

  • Implement User and Entity Behavior Analytics (UEBA) in Microsoft Sentinel
  • Deploy Microsoft Purview Data Loss Prevention policies
  • Enforce principle of least privilege for all accounts
  • Conduct regular access reviews and privilege recertification
  • Monitor privileged account activity
  • Implement separation of duties for critical functions
  • Provide employee awareness training on acceptable use policies

Playbook 6: Malware Outbreak

Initial Detection

Indicators:

  • Antivirus or EDR alerts across multiple systems
  • Unusual process execution or system behavior
  • Network traffic to suspicious destinations
  • System performance degradation
  • Microsoft Defender for Endpoint outbreak detection

Immediate Actions (First 30 Minutes)

  1. Identify Malware Type - Determine if it's ransomware, wiper, trojan, or other malware
  2. Assess Spread - Query Microsoft Sentinel or SIEM to identify all infected systems
  3. Isolate Infections - Quarantine infected devices using Microsoft Defender
  4. Block IOCs - Add malware hashes, C2 IPs, and domains to block lists
  5. Preserve Samples - Collect malware samples for analysis
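Steps 2 and 4 above (assess spread, block IOCs) both start from the same operation: normalising an IOC set and sweeping telemetry for hits. The following is an added example, not from the original playbook, that refangs IOCs as threat-intel feeds commonly deliver them (hxxp, [.]), matches them case-insensitively against constructed process and network telemetry, and reports the first hit per host in time order so the spread can be read as a timeline. The hash is an obvious placeholder, the IP is from the TEST-NET-2 documentation range, and the domains use the reserved .example TLD.

```python
"""IOC matching and spread assessment over endpoint telemetry (constructed data)."""

# Constructed IOC set, written defanged as threat-intel feeds often deliver them.
IOCS = {
    "sha256": ["AB12" * 16],             # placeholder hash, not a real sample
    "ip": ["198.51.100[.]7"],            # TEST-NET-2 documentation range
    "domain": ["c2.evil[.]example"],
}
# Constructed telemetry: process creations (with file hash) and outbound connections.
TELEMETRY = [
    {"ts": "2024-07-01T08:00:00", "host": "WS-01", "type": "process", "sha256": "ab12" * 16},
    {"ts": "2024-07-01T08:05:00", "host": "WS-01", "type": "network", "dest": "198.51.100.7"},
    {"ts": "2024-07-01T08:20:00", "host": "WS-02", "type": "network", "dest": "C2.evil.example"},
    {"ts": "2024-07-01T09:00:00", "host": "WS-03", "type": "process", "sha256": "cd34" * 16},
    {"ts": "2024-07-01T09:30:00", "host": "WS-04", "type": "process", "sha256": "AB12" * 16},
    {"ts": "2024-07-01T09:45:00", "host": "WS-03", "type": "network", "dest": "intranet.corp.example"},
]


def refang(indicator):
    """Undo common defanging: hxxp -> http, [.] and (.) -> ., [:] -> :"""
    return (indicator.strip().lower()
            .replace("hxxp", "http").replace("[.]", ".").replace("(.)", ".").replace("[:]", ":"))


def normalise_iocs(iocs):
    """Lower-cased, refanged sets per IOC kind so lookups are O(1) and case-insensitive."""
    return {kind: {refang(v) for v in values} for kind, values in iocs.items()}


def matches(event, iocs):
    """Return the IOC kind the event matched, or None."""
    if event["type"] == "process" and event.get("sha256", "").lower() in iocs["sha256"]:
        return "sha256"
    if event["type"] == "network":
        dest = event["dest"].lower()
        if dest in iocs["ip"]:
            return "ip"
        if dest in iocs["domain"]:
            return "domain"
    return None


def assess_spread(telemetry, iocs):
    """First IOC hit per host in time order, plus hit counts per IOC kind."""
    iocs = normalise_iocs(iocs)
    first_hit, kind_counts = {}, {}
    for e in sorted(telemetry, key=lambda e: e["ts"]):
        kind = matches(e, iocs)
        if kind is None:
            continue
        kind_counts[kind] = kind_counts.get(kind, 0) + 1
        first_hit.setdefault(e["host"], {"first_seen": e["ts"], "via": kind})
    order = sorted(first_hit, key=lambda h: first_hit[h]["first_seen"])
    return {"infected_hosts": first_hit, "spread_order": order, "hits_by_kind": kind_counts}


if __name__ == "__main__":
    result = assess_spread(TELEMETRY, IOCS)
    for host in result["spread_order"]:
        print(host, result["infected_hosts"][host])
    print(result["hits_by_kind"])
```

The earliest host in `spread_order` is the candidate for the "patient zero" investigation, and the set of infected hosts is the isolation list for step 3. Hash matches only cover the exact sample collected, so once the analysis phase identifies the family, the behavioural rules from the ransomware playbook should be run alongside this IOC sweep.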

Analysis

  • Analyze malware behavior in isolated sandbox
  • Identify capabilities (data theft, encryption, backdoor, etc.)
  • Determine infection vector (email, drive-by download, removable media)
  • Identify persistence mechanisms
  • Check threat intelligence for known malware family
  • Review network connections and exfiltration attempts

Containment and Eradication

  • Deploy updated antimalware signatures across environment
  • Run full scans on all potentially affected systems
  • Remove malware and associated artifacts
  • Close infection vector (patch vulnerability, block malicious sites)
  • Search for additional compromised systems using IOCs
  • Reset credentials if credential theft suspected
  • Rebuild heavily infected systems

Recovery and Prevention

  • Restore systems to normal operation with monitoring
  • Update Microsoft Defender detection rules
  • Implement additional endpoint protections
  • Review and strengthen email security controls
  • Deploy attack surface reduction rules
  • Provide user awareness training on malware risks