Acknowledge and preserve
Open the incident, record ID/time/severity/status, capture initial properties and alerts, preserve volatile evidence, start SLA and notification clocks, tag the case, and prevent premature closure or destructive cleanup.
Assign accountable ownership
Assign primary analyst and incident commander where required. Identify endpoint, identity, email, cloud app, data, Sentinel, business, legal/privacy, communications, vendor, and recovery owners. Confirm availability and escalation.
Validate active threat and severity
Review attack story, automation/disruption markers, newest alerts, high-value entities, sensitive data, privileged activity, lateral movement, persistence, exfiltration, and business impact. Update severity only with evidence.
Build the incident timeline
Normalize timestamps and document initial access, execution, persistence, credential access, discovery, movement, collection, exfiltration, impact, detections, automated actions, analyst actions, and communications.
Map affected entities and telemetry
Inventory impacted and related users, devices, mailboxes, apps, IPs, URLs, domains, files, cloud resources, messages, and data. Check onboarding, sensor, connector, audit, and service-health gaps that limit confidence.
Expand with hunting
Run approved entity and hypothesis queries over a time window before and after the known activity. Save KQL, results, exports, indicators, false matches, and linked records. Search for the same actor, technique, infrastructure, file, token, account, or behavior.
Authorize containment
Choose proportionate actions: isolate device, disable user, revoke sessions, reset credentials, suspend app, remove messages, block indicators, restrict cloud access, or segment systems. Obtain business/legal approval for high-impact actions and define rollback.
Review automation and Action Center
Inspect automated investigation verdicts, automatic attack disruption, pending remediation, completed/failed actions, approvals, rejections, and scope. Validate what changed on each entity; do not treat “completed” as proof that the incident is contained.
Eradicate and remediate root causes
Remove persistence, malicious artifacts, forwarding/rules, apps/consent, tokens, vulnerabilities, exposed credentials, misconfigurations, policy gaps, and compromised infrastructure. Track each task, owner, evidence, due time, exception, and verification.
Recover and monitor
Restore clean service, accounts, devices, mailboxes, apps, data, and configurations. Re-enable access in controlled stages. Validate security, business functionality, backup/restore evidence, user communications, and enhanced monitoring for recurrence.
Classify and close accurately
Set true alert/benign positive/false positive and determination using evidence. Resolve only after alerts/actions are reconciled, containment and remediation are validated, owners accept recovery, and every follow-up has a named owner/date.
Review and improve
Complete lessons learned, root cause, detection/tuning changes, control remediation, queue/process findings, evidence package, notifications, insurer/regulator/customer commitments, metrics, ownership, and leadership review.