Playbook Overview
Incident response playbooks provide detailed, prescriptive guidance for responding to specific types of security incidents. These playbooks ensure consistent, rapid response and reduce decision-making burden during high-stress situations.
Using These Playbooks: Adapt these templates to your organization's specific environment, tools, and procedures. Regularly test and update playbooks through tabletop exercises and lessons learned from real incidents.
Playbook 1: Ransomware Response
Initial Detection
Indicators:
- Mass file encryption or file extension changes
- Ransom notes appearing on systems (.txt, .html files)
- Shadow copy deletion events
- Unusual process execution (PowerShell, wmic, vssadmin)
- Alerts from Microsoft Defender for Endpoint or other EDR
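The indicators above can be checked against endpoint telemetry before an analyst commits to isolating a host. The following Python is an added example, not code from the original playbook or from Microsoft; the event schema, the rename threshold, the 60-second window, the ransom-note name pattern and every log row are constructed assumptions. It scores each host on three of the listed indicators (mass extension changes, a ransom-note-style file creation, and a shadow copy deletion command) and returns the hosts that satisfy at least two, which is the list the isolation step would act on.

```python
"""Ransomware triage over constructed endpoint telemetry (added example).

Event shapes, thresholds, regexes and the sample rows below are assumptions
chosen for illustration; map them onto your EDR's real export fields.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import os
import re

# Constructed sample telemetry (not real data): host, UTC timestamp, payload.
EVENTS = [
    # 25 renames on WS01 inside 25 seconds, all to a new .locked extension
    *[{"host": "WS01", "ts": f"2024-05-01T10:00:{i:02d}", "type": "rename",
       "old": f"C:/Users/a/Docs/report{i}.docx",
       "new": f"C:/Users/a/Docs/report{i}.docx.locked"} for i in range(25)],
    {"host": "WS01", "ts": "2024-05-01T10:00:41", "type": "create",
     "path": "C:/Users/a/Docs/README_TO_RESTORE.txt"},
    {"host": "WS01", "ts": "2024-05-01T09:59:50", "type": "process",
     "cmd": "vssadmin.exe delete shadows"},
    # benign: a user renaming three photos on WS02, then an ordinary PowerShell run
    *[{"host": "WS02", "ts": f"2024-05-01T11:00:{i:02d}", "type": "rename",
       "old": f"C:/Users/b/Pics/img{i}.jpeg",
       "new": f"C:/Users/b/Pics/img{i}.jpg"} for i in range(3)],
    {"host": "WS02", "ts": "2024-05-01T11:05:00", "type": "process",
     "cmd": "powershell.exe Get-Process"},
]

MASS_RENAME_THRESHOLD = 20   # assumption: renames to one new extension per host per window
WINDOW = timedelta(seconds=60)
# Assumed patterns: shadow-copy deletion via vssadmin/wmic, and ransom-note style file names
SHADOW_DELETE = re.compile(r"(vssadmin\S*\s+delete\s+shadows|wmic\S*\s+shadowcopy\s+delete)", re.I)
RANSOM_NOTE = re.compile(r"(readme|decrypt|restore|recover)[^/\\]*\.(txt|html?)$", re.I)


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def mass_extension_changes(events):
    """Return {host: new_extension} for hosts that renamed >= MASS_RENAME_THRESHOLD
    files to the same new extension inside one sliding WINDOW."""
    per_key = defaultdict(list)
    for e in events:
        if e["type"] != "rename":
            continue
        old_ext = os.path.splitext(e["old"])[1].lower()
        new_ext = os.path.splitext(e["new"])[1].lower()
        if old_ext != new_ext:
            per_key[(e["host"], new_ext)].append(_ts(e))
    hits = {}
    for (host, ext), times in per_key.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > WINDOW:   # slide the window forward
                start += 1
            if end - start + 1 >= MASS_RENAME_THRESHOLD:
                hits[host] = ext
                break
    return hits


def ransom_notes(events):
    """(host, path) for created files whose name looks like a ransom note."""
    return [(e["host"], e["path"]) for e in events
            if e["type"] == "create" and RANSOM_NOTE.search(e["path"])]


def shadow_copy_deletions(events):
    """(host, command line) for process events that delete volume shadow copies."""
    return [(e["host"], e["cmd"]) for e in events
            if e["type"] == "process" and SHADOW_DELETE.search(e["cmd"])]


def triage(events):
    """Per-host sorted list of the indicators that fired."""
    score = defaultdict(set)
    for host in mass_extension_changes(events):
        score[host].add("mass_rename")
    for host, _ in ransom_notes(events):
        score[host].add("ransom_note")
    for host, _ in shadow_copy_deletions(events):
        score[host].add("shadow_delete")
    return {h: sorted(s) for h, s in score.items()}


def hosts_to_isolate(events, min_indicators=2):
    """Hosts with at least min_indicators independent indicators: quarantine these first."""
    return sorted(h for h, inds in triage(events).items() if len(inds) >= min_indicators)


if __name__ == "__main__":
    for host, inds in triage(EVENTS).items():
        print(host, inds)
    print("isolate:", hosts_to_isolate(EVENTS))
```

Requiring two independent indicators keeps a single bulk rename by a legitimate user (the WS02 rows) from triggering isolation, while a host that renames files en masse and also drops a note or deletes shadow copies is quarantined immediately.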
Immediate Actions (First 15 Minutes)
- Activate Incident Response Team - Notify incident commander and key stakeholders immediately
- Document - Begin incident timeline, take screenshots of ransom notes and encryption alerts
- Isolate Affected Systems - Use Microsoft Defender to quarantine devices, or physically disconnect from network
- Identify Patient Zero - Determine initial infection point through EDR telemetry
- Disable Compromised Accounts - Reset passwords and revoke sessions in Azure AD/Active Directory
Containment (First Hour)
- Identify all infected systems using Microsoft Sentinel or SIEM queries
- Check backup integrity and offline backup availability
- Segment network to prevent lateral spread
- Block C2 domains and IPs at firewall and DNS levels
- Identify ransomware variant (check ransom note, file extensions, encryption patterns)
- Search ID Ransomware or No More Ransom for identification and potential decryptors
- Preserve forensic evidence from affected systems
Eradication and Recovery
- Remove ransomware from all infected systems
- Search entire environment for indicators of compromise
- Patch vulnerabilities used for initial access
- Reset all privileged account credentials
- Rebuild severely impacted systems from clean images
- Restore data from backups after validating backup cleanliness
- Test decryption tools if available (consult with ransomware experts)
- Gradually restore systems with enhanced monitoring
Communication
- Do NOT pay ransom without executive approval and legal consultation
- Notify law enforcement (FBI Internet Crime Complaint Center)
- Report to cyber insurance carrier
- Consider engaging specialized ransomware response firm
- Assess data breach notification requirements if data was exfiltrated
Critical Warning: Modern ransomware often includes data exfiltration before encryption. Investigate for data theft and assess notification obligations even if data is successfully restored.
Playbook 2: Data Breach Response
Initial Detection
Indicators:
- Unusual data access or large data transfers
- Alerts from Microsoft Defender for Cloud Apps or DLP systems
- Reports from third parties about exposed data
- Notification from compromised service provider
- Discovery of publicly posted company data
Immediate Actions (First 30 Minutes)
- Validate Breach - Confirm data exposure and identify what data was accessed
- Assemble Response Team - Include legal counsel, privacy officer, communications
- Preserve Evidence - Collect logs, access records, and system snapshots
- Determine Scope - Identify affected individuals, data types, and timeframe
- Begin Documentation - Create detailed timeline and impact assessment
Investigation and Containment
- Identify attack vector (phishing, credential compromise, application vulnerability, misconfiguration)
- Determine what data was accessed, copied, or exfiltrated
- Revoke access to compromised accounts and systems
- Close vulnerabilities or misconfigurations that enabled breach
- Review access logs to identify all affected records
- Assess whether data was encrypted in transit and at rest
- Determine if data has appeared on dark web or been publicly disclosed
Regulatory and Legal Actions
- Assess notification requirements under applicable laws (GDPR, CCPA, HIPAA, etc.)
- Calculate regulatory notification deadlines
- Notify data protection authorities as required
- Prepare breach notification letters for affected individuals
- Consider offering credit monitoring or identity protection services
- Work with legal counsel on potential litigation and liability
- Document all breach response activities for regulatory inquiries
Communication Plan
| Audience | Timing | Key Messages |
|---|---|---|
| Executive Leadership | Within 2 hours | Breach scope, business impact, response plan |
| Legal & Compliance | Within 2 hours | Data types, affected individuals, regulatory obligations |
| Regulators | Per legal requirements | Breach details, affected data subjects, remediation |
| Affected Individuals | Per legal requirements | What happened, data involved, protective actions |
| Media/Public | As needed | Transparent facts, remediation, customer protection |
Playbook 3: Phishing Attack Response
Initial Detection
Indicators:
- User reports of suspicious emails
- Multiple failed login attempts after email campaign
- Email security gateway alerts
- Discovery of credential harvesting websites
- Alerts from Microsoft Defender for Office 365
Immediate Actions (First 30 Minutes)
- Analyze Phishing Email - Review headers, links, attachments in isolated environment
- Identify Recipients - Query mail logs to find all recipients of phishing email
- Quarantine Emails - Use Microsoft Defender to remove phishing emails from all mailboxes
- Block Indicators - Add malicious URLs, domains, and sender addresses to block lists
- Alert Users - Notify organization about phishing campaign
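The first two steps, analysing the message headers and finding every recipient, can be scripted so they are repeatable under time pressure. The Python below is an added example and not code from the original playbook or from Microsoft; the raw message, the message-trace rows, the field names and the domain checks are constructed assumptions (a real Exchange message trace has a different schema). It uses the standard library `email` parser to pull the sender identities, the SPF/DKIM/DMARC verdicts and the embedded URLs, records the findings that justify quarantine, and then resolves the Message-ID against the trace log to list every mailbox the message reached.

```python
"""Phishing triage helpers: header analysis and recipient lookup (added example).

The sample message, trace rows and schema are constructed for illustration.
"""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Constructed phishing sample (not a real message; .invalid domains are reserved).
RAW_MESSAGE = b"""Return-Path: <bounce@mail-example-lookalike.invalid>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mail-example-lookalike.invalid; dkim=none; dmarc=fail header.from=example.com
From: "IT Helpdesk" <helpdesk@example.com>
To: alice@example.com
Subject: Action required: password expires today
Message-ID: <20240501.1234@mail-example-lookalike.invalid>
Content-Type: text/plain

Your password expires today. Sign in at https://login-example.invalid/reset to keep access.
"""

# Constructed message-trace log: one row per recipient delivery attempt.
MESSAGE_TRACE = [
    {"message_id": "<20240501.1234@mail-example-lookalike.invalid>", "recipient": "alice@example.com", "status": "Delivered"},
    {"message_id": "<20240501.1234@mail-example-lookalike.invalid>", "recipient": "bob@example.com", "status": "Delivered"},
    {"message_id": "<20240501.1234@mail-example-lookalike.invalid>", "recipient": "carol@example.com", "status": "Quarantined"},
    {"message_id": "<99@newsletter.example.net>", "recipient": "bob@example.com", "status": "Delivered"},
]

URL_RE = re.compile(r"https?://[^\s<>\"']+")
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.I)


def _domain(address):
    return address.rsplit("@", 1)[-1].lower()


def analyze(raw: bytes) -> dict:
    """Extract sender identities, authentication verdicts and URLs, and list
    the findings that justify quarantining the message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    _, from_addr = parseaddr(str(msg.get("From", "")))
    _, return_path = parseaddr(str(msg.get("Return-Path", "")))
    auth = {k.lower(): v.lower()
            for k, v in AUTH_RE.findall(str(msg.get("Authentication-Results", "")))}
    body = msg.get_body(preferencelist=("plain", "html"))
    urls = URL_RE.findall(body.get_content() if body else "")

    findings = []
    from_domain, rp_domain = _domain(from_addr), _domain(return_path)
    if rp_domain and rp_domain != from_domain:
        findings.append(f"envelope sender domain {rp_domain} != header From domain {from_domain}")
    for check in ("spf", "dkim", "dmarc"):
        if auth.get(check) != "pass":
            findings.append(f"{check}={auth.get(check, 'missing')}")
    for url in urls:
        host = re.sub(r"^https?://", "", url).split("/")[0].lower()
        if host != from_domain and not host.endswith("." + from_domain):
            findings.append(f"link host {host} outside From domain {from_domain}")
    return {"message_id": str(msg.get("Message-ID", "")), "from": from_addr,
            "return_path": return_path, "auth": auth, "urls": urls, "findings": findings}


def recipients(trace, message_id):
    """Every mailbox the message was addressed to, quarantined or not, so that
    removal and user notification cover everyone."""
    return sorted({row["recipient"] for row in trace if row["message_id"] == message_id})


def delivered_recipients(trace, message_id):
    """Subset that actually received the message: these users may have clicked."""
    return sorted({row["recipient"] for row in trace
                   if row["message_id"] == message_id and row["status"] == "Delivered"})


if __name__ == "__main__":
    report = analyze(RAW_MESSAGE)
    for finding in report["findings"]:
        print("finding:", finding)
    print("delivered to:", delivered_recipients(MESSAGE_TRACE, report["message_id"]))
```

The distinction between `recipients` and `delivered_recipients` matters for the investigation step: the first list drives mailbox purge and the awareness message, the second is the population whose endpoints and authentication logs need review.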
Investigation
- Identify users who clicked links or opened attachments
- Check for credential submission on phishing sites
- Review authentication logs for compromised accounts
- Scan endpoints of users who interacted with phishing email
- Search for similar emails that bypassed initial detection
- Analyze malware if attachments were opened
- Check for signs of account compromise or lateral movement
Remediation
- Force password resets for users who submitted credentials
- Revoke active sessions for compromised accounts
- Enable MFA for affected accounts if not already active
- Remove malware from infected systems
- Update email security rules to block similar attacks
- Report phishing infrastructure to hosting providers and domain registrars
- Submit samples to Microsoft, Google Safe Browsing, PhishTank
User Education
- Send organization-wide awareness message about the attack
- Provide examples of the phishing email for training
- Remind users how to report suspicious emails
- Conduct targeted training for users who fell for phishing
- Consider simulation exercises to improve awareness
Playbook 4: Compromised Account
Initial Detection
Indicators:
- Impossible travel alerts (Azure AD Identity Protection)
- Login from suspicious locations or devices
- Unusual user activity or data access patterns
- User reports they cannot access their account
- Automated password reset or MFA changes
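Azure AD Identity Protection raises the impossible-travel and unfamiliar-location alerts itself; the Python below is an added example, not Microsoft's code or part of the original playbook, showing the underlying logic so an analyst can reproduce or tune it over exported sign-in logs. The log schema, the IP geolocation coordinates, the 900 km/h plausibility limit, the per-user known-IP baseline and all sample rows are constructed assumptions. It flags consecutive successful sign-ins whose implied speed is impossible, and successful sign-ins from a never-seen IP where MFA was not satisfied, then merges both into a per-user risk report.

```python
"""Impossible-travel and new-IP-without-MFA detection over constructed sign-in logs
(added example; schema, coordinates, thresholds and rows are assumptions)."""
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_PLAUSIBLE_KMH = 900.0   # assumption: faster than an airliner is treated as impossible

# Constructed sign-in log (not real data); lat/lon would come from IP geolocation.
SIGNINS = [
    {"user": "alice", "ts": "2024-05-01T08:00:00", "ip": "203.0.113.10", "lat": 51.5074, "lon": -0.1278, "result": "success", "mfa": True},
    {"user": "alice", "ts": "2024-05-01T09:30:00", "ip": "198.51.100.7", "lat": 40.7128, "lon": -74.0060, "result": "success", "mfa": False},
    {"user": "bob",   "ts": "2024-05-01T08:00:00", "ip": "203.0.113.20", "lat": 48.8566, "lon": 2.3522, "result": "success", "mfa": True},
    {"user": "bob",   "ts": "2024-05-01T20:00:00", "ip": "198.51.100.9", "lat": 40.7128, "lon": -74.0060, "result": "success", "mfa": True},
    {"user": "carol", "ts": "2024-05-01T03:00:00", "ip": "192.0.2.5", "lat": 35.6762, "lon": 139.6503, "result": "failure", "mfa": False},
    {"user": "carol", "ts": "2024-05-01T03:00:10", "ip": "192.0.2.5", "lat": 35.6762, "lon": 139.6503, "result": "failure", "mfa": False},
    {"user": "carol", "ts": "2024-05-01T03:00:20", "ip": "192.0.2.5", "lat": 35.6762, "lon": 139.6503, "result": "success", "mfa": False},
]

# Constructed baseline of IPs previously seen per user (carol has no history).
KNOWN_IPS = {"alice": {"203.0.113.10"}, "bob": {"203.0.113.20", "198.51.100.9"}}


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km using a mean Earth radius of 6371 km."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlmb = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def _by_user(signins):
    users = {}
    for row in sorted(signins, key=lambda r: r["ts"]):   # ISO timestamps sort lexically
        users.setdefault(row["user"], []).append(row)
    return users


def impossible_travel(signins, max_kmh=MAX_PLAUSIBLE_KMH):
    """(user, from_ip, to_ip, km, km/h) for consecutive successful sign-ins
    whose implied travel speed exceeds max_kmh."""
    flagged = []
    for user, rows in _by_user(signins).items():
        successes = [r for r in rows if r["result"] == "success"]
        for prev, cur in zip(successes, successes[1:]):
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            if km == 0:
                continue   # same place: no travel to judge
            hours = (datetime.fromisoformat(cur["ts"]) - datetime.fromisoformat(prev["ts"])).total_seconds() / 3600
            speed = km / hours if hours > 0 else float("inf")
            if speed > max_kmh:
                flagged.append((user, prev["ip"], cur["ip"], round(km), round(speed)))
    return flagged


def new_ip_without_mfa(signins, known_ips):
    """(user, ip) for successful sign-ins from an IP never seen for that user
    where MFA was not satisfied."""
    return [(r["user"], r["ip"]) for r in signins
            if r["result"] == "success" and not r["mfa"]
            and r["ip"] not in known_ips.get(r["user"], set())]


def risk_report(signins, known_ips):
    """Per-user sorted list of the indicators that fired; drives the containment step."""
    report = {}
    for user, *_ in impossible_travel(signins):
        report.setdefault(user, set()).add("impossible_travel")
    for user, _ in new_ip_without_mfa(signins, known_ips):
        report.setdefault(user, set()).add("new_ip_no_mfa")
    return {u: sorted(v) for u, v in report.items()}


if __name__ == "__main__":
    print(risk_report(SIGNINS, KNOWN_IPS))
```

In the constructed data, bob's Paris-to-New-York pair is twelve hours apart and stays under the limit, while alice's London-to-New-York pair ninety minutes apart is flagged; carol's two failures followed by a non-MFA success from an unknown IP surface through the second check, which is the pattern a password-spray success leaves.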
Immediate Containment (First 15 Minutes)
- Disable Account - Immediately disable the compromised account in Azure AD
- Revoke Sessions - Terminate all active sessions and refresh tokens
- Reset Credentials - Force password reset and review security questions
- Contact User - Verify suspicious activity with legitimate user through alternative channel
- Begin Investigation - Review account activity logs and access patterns
Investigation
- Review Azure AD sign-in logs for unauthorized access
- Check email rules, forwarding, and mailbox delegates
- Examine sent items for phishing or spam from compromised account
- Review file access logs in SharePoint and OneDrive
- Check for data exfiltration to external accounts
- Identify how account was compromised (phishing, password spray, breach)
- Look for lateral movement using compromised credentials
- Review privilege escalation attempts
Recovery
- Remove unauthorized email rules and delegates
- Delete phishing or spam emails sent from account
- Re-enable account with new strong password
- Enforce MFA registration if not already enabled
- Register trusted devices and locations
- Review and adjust account permissions
- Monitor account closely for several weeks
Preventive Measures
- Implement Azure AD Conditional Access policies
- Enable Azure AD Identity Protection risk-based policies
- Require MFA for all users, especially privileged accounts
- Deploy passwordless authentication where possible
- Implement suspicious activity alerts
- Conduct regular access reviews
- Train users on password hygiene and phishing awareness
Playbook 5: Insider Threat Response
Initial Detection
Indicators:
- Unusual data access or downloads by privileged user
- Access to resources outside normal job function
- After-hours access patterns
- Large file transfers to personal accounts or external storage
- Reports of policy violations or suspicious behavior
Initial Response (First Hour)
- Notify Management - Alert HR, legal, and executive leadership immediately
- Preserve Evidence - Collect logs, emails, file access records before alerting subject
- Assess Risk - Determine potential damage and ongoing threat
- Legal Consultation - Involve legal counsel before taking action against employee
- Secure Environment - Prepare to disable access if threat is confirmed
Investigation (Coordinated with HR and Legal)
- Review comprehensive activity logs for suspicious user
- Examine file access, downloads, and uploads
- Check email for data transmission to personal accounts
- Review removable media usage and print logs
- Analyze network traffic for data exfiltration
- Interview colleagues and managers
- Review recent performance issues or disciplinary actions
- Check for access to systems beyond job requirements
Containment (If Threat Confirmed)
- Coordinate with HR and legal on timing of access removal
- Disable network accounts and revoke VPN access
- Disable badge access to facilities
- Retrieve company devices, credentials, and access tokens
- Change passwords for shared accounts they accessed
- Document all actions taken for potential legal proceedings
Legal Considerations: Insider threat investigations involve significant legal and privacy concerns. Always coordinate with HR and legal counsel before surveillance, evidence collection, or employment actions.
Prevention
- Implement User and Entity Behavior Analytics (UEBA) in Microsoft Sentinel
- Deploy Microsoft Purview Data Loss Prevention policies
- Enforce principle of least privilege for all accounts
- Conduct regular access reviews and privilege recertification
- Monitor privileged account activity
- Implement separation of duties for critical functions
- Provide employee awareness training on acceptable use policies
Playbook 6: Malware Outbreak
Initial Detection
Indicators:
- Antivirus or EDR alerts across multiple systems
- Unusual process execution or system behavior
- Network traffic to suspicious destinations
- System performance degradation
- Microsoft Defender for Endpoint outbreak detection
Immediate Actions (First 30 Minutes)
- Identify Malware Type - Determine if it's ransomware, wiper, trojan, or other malware
- Assess Spread - Query Microsoft Sentinel or SIEM to identify all infected systems
- Isolate Infections - Quarantine infected devices using Microsoft Defender
- Block IOCs - Add malware hashes, C2 IPs, and domains to block lists
- Preserve Samples - Collect malware samples for analysis
Analysis
- Analyze malware behavior in isolated sandbox
- Identify capabilities (data theft, encryption, backdoor, etc.)
- Determine infection vector (email, drive-by download, removable media)
- Identify persistence mechanisms
- Check threat intelligence for known malware family
- Review network connections and exfiltration attempts
Containment and Eradication
- Deploy updated antimalware signatures across environment
- Run full scans on all potentially affected systems
- Remove malware and associated artifacts
- Close infection vector (patch vulnerability, block malicious sites)
- Search for additional compromised systems using IOCs
- Reset credentials if credential theft suspected
- Rebuild heavily infected systems
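Both the "Block IOCs" step in the immediate actions and the "Search for additional compromised systems using IOCs" step above depend on a clean, normalized indicator set. The Python below is an added example, not code from the original playbook or from Microsoft; every IOC value, log row and field name is a constructed placeholder (the hash is arbitrary and the domains and addresses are from reserved ranges). It normalizes hashes, domains and IP/CIDR indicators, sweeps constructed process, DNS and network-connection telemetry for matches (including subdomains of a blocked domain and addresses inside a blocked range), and emits a deduplicated blocklist for the firewall and DNS steps.

```python
"""IOC normalization, telemetry sweep and blocklist export (added example).

IOCs, log rows and schema below are constructed placeholders, not real indicators.
"""
import ipaddress
import re

# Constructed IOC set: mixed case, trailing dot and a CIDR range on purpose.
IOCS = {
    "sha256": {"3A7BD3E2360A3D29EEA436FCFB7E44C735D117C42D1C1835420B6B9942DD4F1B", "not-a-hash"},
    "domains": {"update.c2-example.invalid.", "Cdn-Example.invalid"},
    "ips": {"198.51.100.77", "203.0.113.0/28"},
}

# Constructed telemetry rows (not real data).
LOGS = [
    {"host": "WS01", "type": "process", "sha256": "3a7bd3e2360a3d29eea436fcfb7e44c735d117c42d1c1835420b6b9942dd4f1b", "image": "C:/Users/a/AppData/Local/Temp/inv.exe"},
    {"host": "WS01", "type": "dns", "query": "update.c2-example.invalid"},
    {"host": "WS02", "type": "dns", "query": "beacon.cdn-example.invalid"},          # subdomain of an IOC
    {"host": "WS03", "type": "netconn", "dst_ip": "203.0.113.9", "dst_port": 443},     # inside the /28
    {"host": "WS04", "type": "netconn", "dst_ip": "203.0.113.40", "dst_port": 443},    # outside the /28
    {"host": "WS04", "type": "dns", "query": "cdn-example.invalid.example.org"},      # looks similar, not a match
    {"host": "SRV01", "type": "process", "sha256": "0" * 64, "image": "C:/Windows/System32/svchost.exe"},
]


def normalize_iocs(raw):
    """Lower-case hashes (dropping malformed ones), lower-case domains without a
    trailing dot, and ip_network objects (single IPs become /32)."""
    hashes = {h.lower() for h in raw.get("sha256", ()) if re.fullmatch(r"[0-9a-fA-F]{64}", h)}
    domains = {d.lower().rstrip(".") for d in raw.get("domains", ())}
    nets = [ipaddress.ip_network(v, strict=False) for v in raw.get("ips", ())]
    return {"sha256": hashes, "domains": domains, "nets": nets}


def domain_matches(query, domains):
    """The IOC domain that query equals or is a subdomain of, else None."""
    q = query.lower().rstrip(".")
    return next((d for d in domains if q == d or q.endswith("." + d)), None)


def ip_matches(ip, nets):
    """The IOC network containing ip (as a string), else None."""
    addr = ipaddress.ip_address(ip)
    return next((str(n) for n in nets if addr in n), None)


def sweep(logs, raw_iocs):
    """{host: [(ioc_type, matched_value), ...]} for every host touching an IOC."""
    iocs = normalize_iocs(raw_iocs)
    hits = {}
    for row in logs:
        match = None
        if row["type"] == "process" and row.get("sha256", "").lower() in iocs["sha256"]:
            match = ("sha256", row["sha256"].lower())
        elif row["type"] == "dns":
            d = domain_matches(row["query"], iocs["domains"])
            if d:
                match = ("domain", d)
        elif row["type"] == "netconn":
            n = ip_matches(row["dst_ip"], iocs["nets"])
            if n:
                match = ("ip", n)
        if match:
            hits.setdefault(row["host"], []).append(match)
    return hits


def blocklist(raw_iocs):
    """Sorted, deduplicated domain and network entries for DNS and firewall import."""
    iocs = normalize_iocs(raw_iocs)
    return sorted(iocs["domains"]) + sorted(str(n) for n in iocs["nets"])


if __name__ == "__main__":
    for host, matches in sweep(LOGS, IOCS).items():
        print(host, matches)
    print("\n".join(blocklist(IOCS)))
```

Normalizing before matching is what makes the sweep reliable: an upper-case hash from a vendor report, a domain copied with a trailing dot, or a C2 range expressed as CIDR all match the telemetry as intended, and the near-miss domain on WS04 is correctly left out.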
Recovery and Prevention
- Restore systems to normal operation with monitoring
- Update Microsoft Defender detection rules
- Implement additional endpoint protections
- Review and strengthen email security controls
- Deploy attack surface reduction rules
- Deliver user awareness training on malware risks