Incident Response SOP Template

Action:

• Identify the potential incident through one of these channels:
  • SIEM/monitoring alerts
  • EDR/antivirus detection
  • User-reported suspicious activity
  • Third-party notification (vendor, CERT, law enforcement)
• Perform initial triage:
  • Is this a true positive or a false alarm?
  • What systems, data, or users are affected?
  • Is the incident still active or has it been contained?
• Assign a severity level:
  • Critical: Active data breach, ransomware, or compromise of production systems
  • High: Confirmed malware, unauthorized access, or potential data exposure
  • Medium: Suspicious activity requiring investigation (phishing, policy violation)
  • Low: Minor policy violation, informational alert
• Create an incident ticket with all known details

⚠️ Important: For Critical and High severity incidents, immediately activate the incident response team and begin containment. Do not wait for a complete investigation before acting.

Expected Outcome: Incident detected, triaged, severity assigned, and incident ticket created

Action:

• Notify the incident response team based on severity:
  • Critical/High: IR Lead, Security Engineer, System Admin, Legal, Communications, Management
  • Medium: IR Lead, Security Engineer
  • Low: Assigned security analyst
• Open a dedicated communication channel (Slack channel, Teams room, or bridge call)
• Assign roles:
  • Incident Commander: Coordinates the response, makes decisions
  • Technical Lead: Directs investigation and containment
  • Scribe: Documents all actions, findings, and decisions with timestamps
  • Communications Lead: Manages internal and external communication
• Begin an incident timeline log — every action and finding must be timestamped

Expected Outcome: IR team assembled, roles assigned, communication channel open, and timeline logging started

Action:

• Implement short-term containment to stop the spread:
  • Isolate affected systems from the network (disable network ports, quarantine VMs)
  • Disable compromised user accounts
  • Block malicious IPs, domains, or email addresses at the firewall/proxy
  • Revoke compromised API keys or tokens
• Preserve evidence before making changes:
  • Take memory dumps and disk images of affected systems
  • Export relevant SIEM logs and firewall logs
  • Screenshot any active indicators of compromise
  • Store evidence in a secure, access-controlled location
• Implement long-term containment:
  • Patch the exploited vulnerability
  • Strengthen firewall rules
  • Force password resets for affected accounts

⚠️ Note: Document every containment action taken — what, when, who, and why. This is critical for the post-incident report and potential legal proceedings.

Expected Outcome: Incident contained, evidence preserved, and affected systems isolated

Action:

• Identify and remove all traces of the threat:
  • Remove malware, backdoors, and unauthorized accounts
  • Clean or reimage affected systems
  • Patch all systems with the exploited vulnerability
  • Scan the environment for additional indicators of compromise (IOCs)
• Verify eradication:
  • Run EDR scans on all potentially affected systems
  • Review logs for any remaining suspicious activity
  • Confirm all compromised credentials have been reset
  • Validate that the attack vector has been closed

Expected Outcome: All traces of the threat removed and verified, attack vector closed

Action:

• Restore affected systems to normal operations:
  • Restore from verified clean backups if systems were reimaged
  • Reconnect isolated systems to the network in a controlled manner
  • Re-enable disabled user accounts with new credentials
  • Verify all services and applications are functioning correctly
• Implement enhanced monitoring:
  • Increase logging on previously affected systems
  • Add detection rules for the specific IOCs observed
  • Monitor for any signs of re-compromise for at least 30 days
• Communicate recovery status to stakeholders

Expected Outcome: All systems restored, enhanced monitoring in place, and stakeholders informed

Action:

• Conduct a post-incident review meeting within 5 business days:
  • What happened? (timeline of events)
  • How was it detected? (and could we detect it faster?)
  • What was the impact? (systems, data, users, business)
  • What went well in the response?
  • What could be improved?
• Complete the incident report:
  • Executive summary
  • Detailed timeline
  • Root cause analysis
  • Impact assessment
  • Remediation actions taken and planned
  • Recommendations to prevent recurrence
• Handle compliance notifications if required (GDPR 72-hour notification, HIPAA breach notification, etc.)
• Update detection rules, playbooks, and this SOP based on lessons learned

Expected Outcome: Post-incident review complete, report filed, compliance notifications sent, and processes improved