Overview
When an alert fires at 2 AM, your SOC analysts need to know exactly what to do without second-guessing the process. This playbook provides step-by-step procedures for the most common incident types, from initial detection through containment, eradication, and recovery. It is designed to be pulled up on a screen during an active incident and followed in real time, not read like a textbook.
Incident Categories Covered
- Ransomware and encryption-based attacks
- Business email compromise (BEC) and account takeover
- Data exfiltration and insider threat
- Distributed denial-of-service (DDoS) attacks
- Malware infection and lateral movement
- Unauthorized access and privilege escalation
- Phishing with credential harvesting
- Supply chain compromise
- Cloud infrastructure compromise
Incident Severity Matrix
| Severity | Criteria | Initial response time | Escalation |
|---|---|---|---|
| P1 Critical | Active data exfiltration, ransomware in execution, production outage | 15 minutes | CISO, Legal, Executive team |
| P2 High | Confirmed compromise, no active exfiltration, contained scope | 1 hour | SOC Manager, IR Lead |
| P3 Medium | Suspicious activity requiring investigation, potential indicator of compromise | 4 hours | SOC Lead, on-call analyst |
| P4 Low | Policy violation, informational alert, false positive requiring documentation | Next business day | SOC analyst |
Initial Triage Procedure
The first 15 minutes set the trajectory of the entire incident. Work through these steps in order:
- Validate the alert: correlate it with at least one independent log source (EDR, authentication, DNS, proxy, cloud audit) before treating it as real.
- Scope it: identify the affected systems, users, and data, and pivot on every new host, account, or external address you find.
- Classify: assign an initial severity from the matrix based on what you know now; raise or lower it as evidence arrives.
- Escalate: engage the incident commander for P1 and P2.
- Record: open the incident ticket and start the timeline log immediately, with UTC timestamps and the source of each observation.
Resist the urge to remediate before you understand the scope. Premature action can tip off the attacker and destroy forensic evidence, and isolating one host while the attacker still holds another only pushes them onto their fallback access.
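A triage helper for the procedure above, added here as an example and not part of the Hunto AI playbook. It correlates a single EDR alert with constructed authentication, DNS and proxy log lines, pivots on every host, user and external address it finds, maps the evidence onto the severity matrix, and emits a timeline. It is read-only by design: nothing in it isolates, blocks or resets anything. The hostnames, user names, addresses, the 15-minute correlation window, the 500 MB exfiltration threshold and the internal address ranges are all assumptions.

```python
from __future__ import annotations

import ipaddress
import json
from datetime import datetime, timedelta

# Response SLA (minutes) and escalation list per severity, from the matrix above.
SEVERITY = {
    "P1": (15, ["CISO", "Legal", "Executive team"]),
    "P2": (60, ["SOC Manager", "IR Lead"]),
    "P3": (240, ["SOC Lead", "on-call analyst"]),
}
# Assumptions for this example: our address space, the byte threshold that counts as
# active exfiltration, and the correlation window either side of the alert.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
EXFIL_BYTES = 500 * 1024 * 1024
WINDOW = timedelta(minutes=15)

# Constructed alert and log lines (hypothetical hosts, users and addresses).
ALERT = {"ts": "2024-05-03T02:04:11Z", "source": "edr", "host": "ws-0412", "user": "j.doe",
         "rule": "suspicious_rundll32_child", "dst_ip": "203.0.113.45"}
LOGS = """\
{"ts":"2024-05-03T01:58:40Z","source":"auth","host":"ws-0412","user":"j.doe","event":"logon","src_ip":"10.20.1.33"}
{"ts":"2024-05-03T02:03:50Z","source":"dns","host":"ws-0412","query":"update.example-cdn.invalid","answer":"203.0.113.45"}
{"ts":"2024-05-03T02:05:02Z","source":"proxy","host":"ws-0412","user":"j.doe","dst_ip":"203.0.113.45","bytes_out":734003200}
{"ts":"2024-05-03T02:06:15Z","source":"auth","host":"fs-01","user":"j.doe","event":"logon","src_ip":"10.20.1.41"}
{"ts":"2024-05-02T22:10:00Z","source":"auth","host":"ws-0999","user":"a.smith","event":"logon","src_ip":"10.20.1.50"}
"""


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def is_external(ip: str | None) -> bool:
    """True for any address outside our assumed internal ranges."""
    if not ip:
        return False
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def summarize(e: dict) -> str:
    keys = ("host", "user", "event", "query", "answer", "dst_ip", "bytes_out", "src_ip")
    return " ".join(f"{k}={e[k]}" for k in keys if k in e)


def triage(alert: dict, log_text: str) -> dict:
    """Correlate one alert with other sources, scope it, classify it, start the timeline."""
    t0 = parse_ts(alert["ts"])
    events = [json.loads(line) for line in log_text.splitlines() if line.strip()]
    in_window = [e for e in events if abs(parse_ts(e["ts"]) - t0) <= WINDOW]

    hosts, users, ext_ips = {alert["host"]}, {alert["user"]}, set()
    if is_external(alert.get("dst_ip")):
        ext_ips.add(alert["dst_ip"])

    # Pivot until the scope stops growing: an in-window event that touches a known
    # host, user or external IP joins the incident and may contribute new pivots.
    related: list[dict] = []
    grew = True
    while grew:
        grew = False
        for e in in_window:
            if e in related:
                continue
            touches = (e.get("host") in hosts or e.get("user") in users
                       or e.get("dst_ip") in ext_ips or e.get("answer") in ext_ips)
            if not touches:
                continue
            related.append(e)
            grew = True
            for key, bucket in (("host", hosts), ("user", users)):
                if e.get(key):
                    bucket.add(e[key])
            for key in ("dst_ip", "answer"):
                if is_external(e.get(key)):
                    ext_ips.add(e[key])

    exfil = [e for e in related if e.get("source") == "proxy"
             and e.get("bytes_out", 0) >= EXFIL_BYTES and e.get("dst_ip") in ext_ips]
    sources = {e["source"] for e in related} | {alert["source"]}
    if exfil or alert.get("rule", "").startswith("ransomware"):
        sev = "P1"            # active exfiltration or ransomware in execution
    elif len(sources) > 1:
        sev = "P2"            # compromise corroborated by a second log source
    else:
        sev = "P3"            # single-source suspicion, needs investigation

    timeline = [{"ts": alert["ts"], "source": alert["source"],
                 "note": f"alert {alert['rule']} host={alert['host']} user={alert['user']}"}]
    timeline += [{"ts": e["ts"], "source": e["source"], "note": summarize(e)} for e in related]
    timeline.sort(key=lambda x: x["ts"])   # fixed-width UTC ISO strings sort chronologically

    sla, escalate = SEVERITY[sev]
    return {"severity": sev, "respond_within_minutes": sla, "escalate_to": escalate,
            "hosts": sorted(hosts), "users": sorted(users), "external_ips": sorted(ext_ips),
            "exfil_events": len(exfil), "timeline": timeline}


if __name__ == "__main__":
    print(json.dumps(triage(ALERT, LOGS), indent=2))
```

With the constructed data the alert is upgraded to P1 because the proxy log shows a large outbound transfer to the same external address the EDR flagged, and the later logon by the same user on fs-01 pulls that host into scope as probable lateral movement. Drop the proxy line and the same alert lands at P2: corroborated by DNS and authentication logs, but with no evidence of exfiltration.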
Containment Strategies
- Network isolation: disconnect affected systems from the network while preserving forensic state. Capture volatile memory and the current process and connection lists first, and do not power the machine off, because that destroys memory-resident evidence.
- Account lockout: disable compromised accounts and force password resets across affected services. A reset alone does not end existing sessions, so also revoke active sessions, refresh tokens, and app passwords, and review MFA registrations for devices the attacker may have added.
- Endpoint quarantine: use EDR to isolate endpoints while maintaining remote investigation access
- DNS sinkholing: redirect malicious domains to prevent command-and-control communication. Never sinkhole your own domains or a shared service, and log every sinkhole hit, because each client that resolves the domain is a newly discovered victim.
- Firewall blocking: block attacker IP addresses and malicious network indicators. Check each address before it goes in: internal ranges, your own egress addresses, and shared hosting or CDN ranges will take down legitimate traffic along with the attacker.
- Cloud workload isolation: restrict IAM permissions and network security groups around compromised resources; snapshot disks and preserve logs before rotating credentials or terminating instances.
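A containment helper for the firewall-blocking and DNS-sinkholing items above, added here as an example and not code from the original playbook. It screens analyst-supplied indicators before they become rules: internal and egress ranges, over-broad CIDRs, reserved addresses, protected domains and malformed input are refused with a reason, and the rest are merged into CIDRs and rendered as iptables commands and RPZ records. INTERNAL_NETS, PROTECTED_DOMAINS, the sinkhole name, the iptables rendering and the indicator list are all assumptions; the RPZ lines need the zone's SOA and NS header in front of them.

```python
from __future__ import annotations

import ipaddress
import re

# Assumed organisational context (constructed for this example, not from the playbook):
# address space we must never block (RFC1918 plus our own public egress), domains we
# must never sinkhole, and the RPZ target the resolver redirects to.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "198.51.100.0/24")]
PROTECTED_DOMAINS = ("corp.example", "example.com")
SINKHOLE = "sinkhole.soc.example."          # trailing dot: absolute name in the RPZ zone
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def check_ip(raw: str) -> tuple[ipaddress.IPv4Network | ipaddress.IPv6Network | None, str | None]:
    """Return (network, None) if safe to block, else (None, reason)."""
    try:
        net = ipaddress.ip_network(raw.strip(), strict=False)
    except ValueError:
        return None, f"not an IP or CIDR: {raw!r}"
    if net.prefixlen < (24 if net.version == 4 else 64):
        return None, f"{net} is too wide to block on an analyst's authority"
    if net.is_loopback or net.is_multicast or net.is_unspecified:
        return None, f"{net} is a reserved range"
    for internal in INTERNAL_NETS:
        if net.version == internal.version and net.overlaps(internal):
            return None, f"{net} overlaps our own range {internal}"
    return net, None


def check_domain(raw: str) -> tuple[str | None, str | None]:
    """Normalise a domain and refuse anything under a protected zone."""
    name = raw.strip().lower().rstrip(".")
    labels = name.split(".")
    if len(labels) < 2 or not all(LABEL_RE.match(lb) for lb in labels):
        return None, f"malformed domain: {raw!r}"
    for prot in PROTECTED_DOMAINS:
        if name == prot or name.endswith("." + prot):
            return None, f"{name} is under protected domain {prot}"
    return name, None


def build_containment(ips: list[str], domains: list[str]) -> dict:
    """Turn raw indicators into block rules, keeping every rejection with its reason."""
    nets, names, rejected = [], set(), []
    for raw in ips:
        net, why = check_ip(raw)
        if net is not None:
            nets.append(net)
        else:
            rejected.append(why)
    for raw in domains:
        name, why = check_domain(raw)
        if name is not None:
            names.add(name)
        else:
            rejected.append(why)

    # Merge duplicates and adjacent prefixes; collapse_addresses takes one IP version at a time.
    blocks = []
    for version in (4, 6):
        blocks += ipaddress.collapse_addresses([n for n in nets if n.version == version])
    firewall = [f"{'iptables' if b.version == 4 else 'ip6tables'} -I FORWARD -d {b.with_prefixlen} -j DROP"
                for b in blocks]
    # RPZ records relative to the zone origin; the wildcard catches every subdomain.
    rpz = []
    for name in sorted(names):
        rpz += [f"{name} CNAME {SINKHOLE}", f"*.{name} CNAME {SINKHOLE}"]
    return {"blocks": [str(b) for b in blocks], "firewall": firewall, "rpz": rpz, "rejected": rejected}


# Constructed indicators as they might arrive from triage: duplicates, mixed case,
# an internal pivot host, our own egress address, an over-broad CIDR and a typo.
IPS = ["203.0.113.44", "203.0.113.45", "203.0.113.45", "10.20.1.41", "198.51.100.7",
       "203.0.113.0/16", "2001:db8::1", "not-an-ip"]
DOMAINS = ["update.example-cdn.invalid", "Update.Example-CDN.invalid.", "mail.corp.example", "bad_host.invalid"]

if __name__ == "__main__":
    for key, val in build_containment(IPS, DOMAINS).items():
        print(key, *val, sep="\n  ")
```

The rejected list is as important as the rules: it is what the analyst pastes into the timeline to show why an indicator was not blocked, and the internal pivot host it catches (10.20.1.41 above) belongs in the endpoint-quarantine step, not on the perimeter firewall.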
Post-Incident Activities
After the incident is contained and systems are restored, conduct a structured post-mortem within two weeks. Document the full timeline, root cause analysis, and corrective actions. Update detection rules based on the indicators and techniques observed. Revise the playbook if any procedures were found lacking during the response. Share anonymized findings with the broader team so everyone learns from each incident. Track corrective action completion and report status to leadership.
Frequently Asked Questions
How detailed should playbook procedures be?
Detailed enough that a junior analyst can follow them at 2 AM without calling for help. Include specific tool commands, screenshots where helpful, and decision trees for common branching scenarios.
How often should playbooks be updated?
After every significant incident and at least quarterly. Playbooks that do not reflect your current tools, processes, and threat landscape become dangerous because analysts follow outdated procedures.
Should we have separate playbooks for each incident type?
Yes. While a master playbook provides the overall framework, incident-specific playbooks for ransomware, BEC, DDoS, and other categories give analysts the specific steps and decision criteria they need.
How do we test playbooks without a real incident?
Run tabletop exercises quarterly using realistic scenarios. Conduct purple team exercises where the red team executes attack patterns and the SOC follows the playbook in response. Measure effectiveness and update based on gaps identified.
Who owns the incident response playbook?
The SOC Manager or IR Lead typically owns the playbook, with input from all SOC tiers, the CISO, and legal. Establish a formal review and approval process so changes are tracked and communicated to the whole team.
Ready to use this resource?
Download it now or schedule a demo to see how Hunto AI can automate your security workflows.
