Incident Response & Digital Forensics for Orange County Businesses
When a cybersecurity incident, ransomware alert, suspicious login, email compromise, firewall warning, or cloud security threat appears, your systems should alarm, notify the right IT administrators and managers, preserve evidence, and support a fast, organized response.
Suspicious process behavior isolated for investigation.
Risky sign-in, mailbox rule, and audit log review initiated.
Firewall, VPN, and outbound traffic indicators correlated.
Cyber incidents require speed, evidence, and experienced decision-making.
A security incident may begin with a phishing message, compromised Microsoft 365 account, unusual VPN login, malicious endpoint process, suspicious firewall event, cloud alert, or backup anomaly. OC Security Audit helps businesses organize the response, review the evidence, and reduce the chance of repeated disruption.
Our work supports organizations that need practical SMB IT security services, enterprise business network security, and network security in Orange County without overwhelming internal teams.
Systems should alarm, notify, correlate, and escalate when threats appear.
Modern MSP IT services and internal IT teams need security technologies that can identify abnormal behavior, prioritize alerts, notify managers, and help administrators respond before the incident grows.
EDR, MDR & XDR
Endpoint, managed, and extended detection technologies help identify malware, ransomware, suspicious scripts, lateral movement, and active compromise.
Machine Learning Analytics
AI-assisted analytics can reduce noise, detect abnormal patterns, and help prioritize alerts across endpoints, cloud systems, identity, and network devices.
Firewalls & Network Devices
Firewall, router, switch, VPN, DNS, and network monitoring logs help reveal blocked traffic, suspicious access, and possible data movement.
Microsoft 365 & Azure
Cloud alerts can reveal risky sign-ins, unauthorized inbox rules, privileged changes, suspicious OAuth consent, and abnormal cloud resource access.
Backups & Disaster Recovery
Backup platforms should be reviewed for failed jobs, deletion attempts, encryption activity, retention changes, and clean restore points.
SIEM, Logging & SOAR
Centralized logging and automation help open tickets, notify teams, disable risky access, isolate systems, and document response activities.
What should happen after an incident is reported?
After a reported incident, the priority is not only cleanup. The organization must preserve useful evidence, identify affected accounts and systems, contain active risk, investigate the root cause, and document what must change. OC Security Audit helps review logs, alerts, systems, and security controls so business leaders and IT teams can make informed decisions.
Confirm the incident and business impact
Review the first alert, affected users, critical systems, current availability, and whether the threat is still active.
Preserve evidence before destructive changes
Collect firewall logs, VPN records, endpoint telemetry, Microsoft 365 audit logs, Azure sign-in logs, email headers, backup logs, and administrator activity records.
Contain the threat carefully
Disable compromised accounts, revoke sessions, isolate endpoints, remove malicious forwarding rules, block suspicious traffic, and protect backup systems.
Investigate root cause and scope
Determine whether the incident involved phishing, stolen credentials, malware, exposed remote access, misconfiguration, privilege misuse, or cloud account compromise.
Recover, validate, and improve
Restore clean services, validate security controls, monitor for repeat activity, and document a prioritized remediation plan.
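The preserve, contain and investigate steps above keep returning to two Microsoft 365 artifacts: inbox rules and mailbox forwarding. As an added example, not code from OC Security Audit, the Python script below triages an exported set of Exchange Online inbox rules and mailbox-level forwarding settings and flags the patterns the steps call out (external forwarding or redirection, rules that delete or hide invoice and security mail, blank rule names). Field names follow the properties returned by Get-InboxRule and Get-Mailbox; the one-object-per-mailbox JSON layout, the accepted-domain list and every record in SAMPLE_EXPORT are assumptions constructed for illustration.

```python
"""Triage exported Exchange Online inbox rules and mailbox forwarding settings.

Added example, not OC Security Audit's own tooling. Field names follow the
properties returned by Get-InboxRule and Get-Mailbox (Name, SubjectContainsWords,
DeleteMessage, MoveToFolder, ForwardTo, RedirectTo, ForwardAsAttachmentTo,
ForwardingSmtpAddress); the one-JSON-object-per-mailbox export layout is an
assumption, and every record in SAMPLE_EXPORT is constructed for illustration.
"""
from __future__ import annotations

import json
import sys
from dataclasses import dataclass, field

ACCEPTED_DOMAINS = {"example.com"}  # constructed tenant domains; anything else is external
# Folders attackers use to hide mail that a rule moves out of the inbox.
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "conversation history",
                  "deleted items", "archive", "junk email"}
# Subject words that suppress security notices or target payment workflows.
SENSITIVE_WORDS = {"invoice", "payment", "wire", "password", "security",
                   "mfa", "suspicious", "hacked", "phish", "phishing"}

SAMPLE_EXPORT = [  # constructed records
    {"Mailbox": "cfo@example.com",
     "ForwardingSmtpAddress": "smtp:cfo.backup@mail-archive.example.net",
     "InboxRules": [
         {"Name": ".", "SubjectContainsWords": ["invoice", "payment"],
          "DeleteMessage": False, "MoveToFolder": "cfo@example.com:\\RSS Subscriptions"},
         {"Name": "Team travel", "SubjectContainsWords": ["itinerary"],
          "DeleteMessage": False, "MoveToFolder": "cfo@example.com:\\Travel"}]},
    {"Mailbox": "ap@example.com", "ForwardingSmtpAddress": None,
     "InboxRules": [
         {"Name": "Vendors", "ForwardTo": ["Finance Ops [SMTP:ap-collector@example-payments.co]"]},
         {"Name": "Clean security noise", "SubjectContainsWords": ["Security alert", "password"],
          "DeleteMessage": True}]},
]


@dataclass
class Finding:
    mailbox: str
    rule: str            # rule name, or "<mailbox forwarding>" for a mailbox-level setting
    severity: str
    reasons: list[str] = field(default_factory=list)


def external_recipients(addresses: list[str] | None) -> list[str]:
    """Return recipients whose domain is not an accepted tenant domain.

    Exchange renders recipients as 'Display Name [SMTP:user@domain]' or as a
    plain 'smtp:user@domain' string; both forms are normalised here.
    """
    found = []
    for addr in addresses or []:
        smtp = addr.lower().split("smtp:")[-1].rstrip("]").strip()
        if "@" in smtp and smtp.rsplit("@", 1)[1] not in ACCEPTED_DOMAINS:
            found.append(smtp)
    return found


def triage_rule(mailbox: str, rule: dict) -> Finding | None:
    """Score one inbox rule; None means nothing suspicious was seen."""
    reasons, high = [], False
    ext = external_recipients((rule.get("ForwardTo") or []) + (rule.get("RedirectTo") or [])
                              + (rule.get("ForwardAsAttachmentTo") or []))
    if ext:
        reasons.append("forwards or redirects to external recipient(s): " + ", ".join(ext))
        high = True
    words = {w for phrase in rule.get("SubjectContainsWords") or [] for w in phrase.lower().split()}
    hits = ", ".join(sorted(words & SENSITIVE_WORDS))
    folder = (rule.get("MoveToFolder") or "").split("\\")[-1].strip().lower()
    if rule.get("DeleteMessage"):
        reasons.append("deletes matching messages" + (f" (subject words: {hits})" if hits else ""))
        high = high or bool(hits)
    elif folder in HIDING_FOLDERS:
        reasons.append(f"moves matching messages to '{folder}'" + (f" (subject words: {hits})" if hits else ""))
        high = high or bool(hits)
    if len((rule.get("Name") or "").strip()) <= 2:
        reasons.append("rule name is blank or a single character")  # common with scripted persistence
    if not reasons:
        return None
    return Finding(mailbox, rule.get("Name") or "<unnamed>", "High" if high else "Medium", reasons)


def triage_export(export: list[dict]) -> list[Finding]:
    """Triage every mailbox and its rules, High findings first."""
    findings = []
    for entry in export:
        mailbox = entry["Mailbox"]
        fwd = external_recipients([entry["ForwardingSmtpAddress"]] if entry.get("ForwardingSmtpAddress") else [])
        if fwd:
            findings.append(Finding(mailbox, "<mailbox forwarding>", "High",
                                    [f"mailbox-level ForwardingSmtpAddress points to external address {fwd[0]}"]))
        findings.extend(f for f in (triage_rule(mailbox, r) for r in entry.get("InboxRules") or []) if f)
    return sorted(findings, key=lambda f: (f.severity != "High", f.mailbox, f.rule))


if __name__ == "__main__":
    export = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_EXPORT
    for f in triage_export(export):
        print(f"[{f.severity}] {f.mailbox} / {f.rule}")
        for reason in f.reasons:
            print(f"    - {reason}")
```

Run it against the export before any cleanup so the flagged rules are on record (the preserve-evidence step), then remove them during containment. Against the constructed sample it reports four High findings: the CFO's external mailbox forwarding, the single-character rule hiding invoice mail in RSS Subscriptions, the AP rule forwarding to an outside domain, and the rule deleting security and password notices.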
Organized investigation across the systems that run your business.
A strong incident response review categorizes the environment so no major evidence source is missed. This is especially important for MSP-supported businesses, healthcare offices, professional services, manufacturers, financial offices, and growing companies in Irvine and Orange County.
Perimeter & Network
- Firewalls, VPN, routers and switches
- Network segmentation and logical structure
- Internal Security Audit and External Security Audit
Cloud & Identity
- Microsoft 365, Office 365, Azure and Entra ID
- Risky users, sign-ins, permissions and audit logs
- Microsoft Office 365 Audit and Azure Cloud Security Audit
Endpoint & Email
- Servers, laptops, workstations, EDR and antivirus
- Email security, message trace and mailbox rules
- Account Control Audit
Recovery & Compliance
- Backups, disaster recovery, logs and reporting
- HIPAA, PCI-DSS, SOC 2, NIST, ISO and CMMC readiness
- Compliance Consulting
Incident response support with audit, compliance, cloud, and MSP IT service experience.
Incident Response Planning
Create practical response procedures, escalation paths, evidence checklists, and notification workflows for IT teams and leadership.
Forensic Investigation Review
Review logs, alerts, accounts, systems, cloud activity, endpoint indicators, and timelines to understand what happened.
Logging & Monitoring Strategy
Improve SIEM readiness, alert routing, log retention, firewall monitoring, Microsoft 365 logging, Azure visibility, and administrator reporting.
Cloud Security Review
Review Microsoft 365, Office 365, Azure, identity, conditional access, privileged access, and cloud audit logs.
Firewall & Network Review
Analyze firewall rules, VPN access, network segmentation, router and switch configuration, and suspicious traffic indicators.
Post-Incident Remediation
Document findings, improve controls, harden systems, validate backups, strengthen account security, and prioritize risk reduction.
Built for Irvine and Orange County organizations that need practical help now.
OC Security Audit supports businesses that rely on stable IT operations, secure email, protected cloud accounts, reliable backups, and clear executive guidance.
MSP IT services, incident response, and digital forensics support near Irvine, California.
OC Security Audit provides incident response guidance, forensic investigation review, security audits, Microsoft 365 and Azure security support, firewall review, and monitoring advisory services for businesses throughout Orange County.
Strengthen detection, response, audit readiness, and compliance.
Need incident response guidance for a cyber alert, email compromise, cloud warning, or suspicious network activity?
OC Security Audit helps organizations evaluate what happened, what evidence should be reviewed, what systems may be affected, and what steps are needed to contain, investigate, recover, and improve security.
A Practical Incident Checklist for IT Managers, Network Engineers, and Project Teams
Use this interactive incident response cheat sheet to quickly identify common IT and cybersecurity incidents, assign the right technician, preserve the right evidence, contain the issue, validate recovery, and document prevention improvements after the incident is closed.
What this cheat sheet helps your IT team do
This guide turns incident response planning into an operational worksheet. It helps administrators and managers move from “something is wrong” to a structured response: triage, assign, preserve evidence, contain risk, recover service, and improve controls.
- ✓ Clarify first-response actions for security, cloud, endpoint, network, backup, and outage events.
- ✓ Guide technician assignment for Microsoft 365, Azure, firewall, server, endpoint, and network teams.
- ✓ Protect forensic value by identifying logs and evidence to preserve before cleanup.
- ✓ Improve future readiness with lessons learned and prevention guidance for every incident.
Cheat sheet snapshot
| ID | Incident Name | Category | Subcategory | Severity | Priority | Impacted Area | Typical Trigger / Alert | Technician Assigned | Initial 5-10 Actions | Evidence / Logs to Preserve | Containment Steps | Recovery / Validation | Escalate / Notify | What We Learned | How to Prevent Recurrence | Target Response SLA | Service Reference URL | Status |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1 | Phishing email reported by user | Email & Phishing | Phishing | High | P2 – Urgent | Microsoft 365 / Email | User reports suspicious email or security gateway alert | Microsoft 365 Admin | 1 Preserve email and headers; 2 search tenant for similar messages; 3 block sender/domain/URL; 4 remove malicious mail; 5 reset affected passwords; 6 revoke sessions; 7 check mailbox rules; 8 alert users; 9 improve filters; 10 document indicators. | Message trace, email headers, mailbox audit logs, anti-phishing alerts, URLs/attachments, sender details. | Quarantine messages, block sender/domain/URL, disable forwarding, revoke sessions, reset credentials. | Confirm malicious messages removed, mailbox rules clean, passwords/MFA verified, no suspicious sends. | IT Manager, affected business owner, security lead; add legal/privacy/insurance if regulated data may be involved. | Users need a simple reporting path and rapid triage. | Implement phishing reporting, user awareness, DMARC/DKIM/SPF, stronger email filtering. | 30 minutes | Related service | New |
| 2 | Business email compromise suspected | Email & Phishing | BEC | Critical | P1 – Immediate | Executive mailbox / Finance | Unusual invoice request, forwarding rule, or suspicious sent items | Microsoft 365 Admin | 1 Preserve email and headers; 2 search tenant for similar messages; 3 block sender/domain/URL; 4 remove malicious mail; 5 reset affected passwords; 6 revoke sessions; 7 check mailbox rules; 8 alert users; 9 improve filters; 10 document indicators. | Message trace, email headers, mailbox audit logs, anti-phishing alerts, URLs/attachments, sender details. | Quarantine messages, block sender/domain/URL, disable forwarding, revoke sessions, reset credentials. | Confirm malicious messages removed, mailbox rules clean, passwords/MFA verified, no suspicious sends. | IT Manager, affected business owner, security lead; add legal/privacy/insurance if regulated data may be involved. | Payment workflows and mailbox controls need stronger verification. | Use MFA, conditional access, payment verification procedures, mailbox rule monitoring. | 15 minutes | Related service | New |
| 3 | Malicious attachment delivered | Email & Phishing | Malware email | High | P1 – Immediate | Email / Endpoints | Attachment sandbox alert or user opened file | SOC Analyst | 1 Preserve email and headers; 2 search tenant for similar messages; 3 block sender/domain/URL; 4 remove malicious mail; 5 reset affected passwords; 6 revoke sessions; 7 check mailbox rules; 8 alert users; 9 improve filters; 10 document indicators. | Message trace, email headers, mailbox audit logs, anti-phishing alerts, URLs/attachments, sender details. | Quarantine messages, block sender/domain/URL, disable forwarding, revoke sessions, reset credentials. | Confirm malicious messages removed, mailbox rules clean, passwords/MFA verified, no suspicious sends. | IT Manager, affected business owner, security lead; add legal/privacy/insurance if regulated data may be involved. | Attachment detonation and endpoint correlation are critical. | Block risky file types, sandbox attachments, improve EDR response and user training. | 15 minutes | Related service | New |
| 4 | Malicious link clicked | Email & Phishing | Credential phishing | High | P1 – Immediate | Email / Identity | URL click alert, suspicious login after click | SOC Analyst | 1 Preserve email and headers; 2 search tenant for similar messages; 3 block sender/domain/URL; 4 remove malicious mail; 5 reset affected passwords; 6 revoke sessions; 7 check mailbox rules; 8 alert users; 9 improve filters; 10 document indicators. | Message trace, email headers, mailbox audit logs, anti-phishing alerts, URLs/attachments, sender details. | Quarantine messages, block sender/domain/URL, disable forwarding, revoke sessions, reset credentials. | Confirm malicious messages removed, mailbox rules clean, passwords/MFA verified, no suspicious sends. | IT Manager, affected business owner, security lead; add legal/privacy/insurance if regulated data may be involved. | URL protection must be paired with identity review. | Enable safe links, MFA, conditional access, risky sign-in monitoring. | 15 minutes | Related service | New |
| 5 | External email forwarding detected | Email & Phishing | Mailbox rule | High | P1 – Immediate | Microsoft 365 mailbox | New forwarding rule or external forwarding alert | Microsoft 365 Admin | 1 Preserve email and headers; 2 search tenant for similar messages; 3 block sender/domain/URL; 4 remove malicious mail; 5 reset affected passwords; 6 revoke sessions; 7 check mailbox rules; 8 alert users; 9 improve filters; 10 document indicators. | Message trace, email headers, mailbox audit logs, anti-phishing alerts, URLs/attachments, sender details. | Quarantine messages, block sender/domain/URL, disable forwarding, revoke sessions, reset credentials. | Confirm malicious messages removed, mailbox rules clean, passwords/MFA verified, no suspicious sends. | IT Manager, affected business owner, security lead; add legal/privacy/insurance if regulated data may be involved. | Attackers often use forwarding rules for persistence. | Disable external forwarding by default, alert on new rules, review mailbox delegates. | 30 minutes | Related service | New |
| 6 | Suspicious inbox rule created | Email & Phishing | Mailbox rule | High | P2 – Urgent | Microsoft 365 mailbox | Rule hides security emails or moves invoices | Microsoft 365 Admin | 1 Preserve email and headers; 2 search tenant for similar messages; 3 block sender/domain/URL; 4 remove malicious mail; 5 reset affected passwords; 6 revoke sessions; 7 check mailbox rules; 8 alert users; 9 improve filters; 10 document indicators. | Message trace, email headers, mailbox audit logs, anti-phishing alerts, URLs/attachments, sender details. | Quarantine messages, block sender/domain/URL, disable forwarding, revoke sessions, reset credentials. | Confirm malicious messages removed, mailbox rules clean, passwords/MFA verified, no suspicious sends. | IT Manager, affected business owner, security lead; add legal/privacy/insurance if regulated data may be involved. | Mailbox rules can hide evidence of compromise. | Alert on hidden/delete rules, audit mailbox changes, enable MFA. | 30 minutes | Related service | New |
| 7 | Mass spam sent from internal account | Email & Phishing | Outbound spam | High | P1 – Immediate | Email reputation / User account | Outbound spam alert or bounce storm | Microsoft 365 Admin | 1 Preserve email and headers; 2 search tenant for similar messages; 3 block sender/domain/URL; 4 remove malicious mail; 5 reset affected passwords; 6 revoke sessions; 7 check mailbox rules; 8 alert users; 9 improve filters; 10 document indicators. | Message trace, email headers, mailbox audit logs, anti-phishing alerts, URLs/attachments, sender details. | Quarantine messages, block sender/domain/URL, disable forwarding, revoke sessions, reset credentials. | Confirm malicious messages removed, mailbox rules clean, passwords/MFA verified, no suspicious sends. | IT Manager, affected business owner, security lead; add legal/privacy/insurance if regulated data may be involved. | Compromised accounts can damage domain reputation quickly. | Implement outbound spam alerts, MFA, password reset automation, conditional access. | 15 minutes | Related service | New |
| 8 | Domain spoofing detected | Email & Phishing | Spoofing | Medium | P3 – Normal | Email domain | Customers report spoofed messages | Microsoft 365 Admin | 1 Preserve email and headers; 2 search tenant for similar messages; 3 block sender/domain/URL; 4 remove malicious mail; 5 reset affected passwords; 6 revoke sessions; 7 check mailbox rules; 8 alert users; 9 improve filters; 10 document indicators. | Message trace, email headers, mailbox audit logs, anti-phishing alerts, URLs/attachments, sender details. | Quarantine messages, block sender/domain/URL, disable forwarding, revoke sessions, reset credentials. | Confirm malicious messages removed, mailbox rules clean, passwords/MFA verified, no suspicious sends. | IT Manager, affected business owner, security lead; add legal/privacy/insurance if regulated data may be involved. | Brand/domain protection requires DNS and monitoring. | Enforce DMARC, DKIM, SPF, monitor spoofing, publish reporting policy. | 4 hours | Related service | New |
| 9 | Email quarantine release mistake | Email & Phishing | Email operations | Medium | P3 – Normal | Email security gateway | Malicious mail released from quarantine | SOC Analyst | 1 Preserve email and headers; 2 search tenant for similar messages; 3 block sender/domain/URL; 4 remove malicious mail; 5 reset affected passwords; 6 revoke sessions; 7 check mailbox rules; 8 alert users; 9 improve filters; 10 document indicators. | Message trace, email headers, mailbox audit logs, anti-phishing alerts, URLs/attachments, sender details. | Quarantine messages, block sender/domain/URL, disable forwarding, revoke sessions, reset credentials. | Confirm malicious messages removed, mailbox rules clean, passwords/MFA verified, no suspicious sends. | IT Manager, affected business owner, security lead; add legal/privacy/insurance if regulated data may be involved. | Quarantine release requires approval workflow. | Restrict quarantine release, require security review for high-risk messages. | 4 hours | Related service | New |
| 10 | Shared mailbox compromise | Email & Phishing | Shared mailbox | High | P1 – Immediate | Shared mailbox | Unusual access or mailbox activity | Microsoft 365 Admin | 1 Preserve email and headers; 2 search tenant for similar messages; 3 block sender/domain/URL; 4 remove malicious mail; 5 reset affected passwords; 6 revoke sessions; 7 check mailbox rules; 8 alert users; 9 improve filters; 10 document indicators. | Message trace, email headers, mailbox audit logs, anti-phishing alerts, URLs/attachments, sender details. | Quarantine messages, block sender/domain/URL, disable forwarding, revoke sessions, reset credentials. | Confirm malicious messages removed, mailbox rules clean, passwords/MFA verified, no suspicious sends. | IT Manager, affected business owner, security lead; add legal/privacy/insurance if regulated data may be involved. | Shared accounts/mailboxes need ownership and access review. | Audit delegates, enforce MFA on users, remove stale access, monitor shared mailbox rules. | 30 minutes | Related service | New |
| 11 | OAuth consent phishing | Email & Phishing | OAuth app | Critical | P1 – Immediate | Microsoft 365 / Cloud apps | Suspicious app consent or abnormal graph access | Cloud/IAM Admin | 1 Review Azure/M365 alerts; 2 identify affected identities/resources; 3 revoke sessions; 4 lock down access; 5 export audit/sign-in logs; 6 inspect permissions/apps; 7 remediate config; 8 validate service; 9 monitor; 10 document. | Azure activity logs, Entra ID sign-in/audit logs, M365 audit logs, resource changes, app consent records. | Disable risky identity/app, revoke consent/session, restrict public access, lock down permissions. | Validate access policies, resource integrity, audit trail, app permissions, and ongoing cloud alerts. | IT Manager, affected business owner, security lead; add legal/privacy/insurance if regulated data may be involved. | OAuth permissions can bypass password resets. | Restrict user consent, review app permissions, require admin approval, monitor consent grants. | 15 minutes | Related service | New |
| 12 | CEO impersonation attempt | Email & Phishing | Social engineering | Medium | P2 – Urgent | Email / Finance | Executive impersonation email reported | Microsoft 365 Admin | 1 Preserve email and headers; 2 search tenant for similar messages; 3 block sender/domain/URL; 4 remove malicious mail; 5 reset affected passwords; 6 revoke sessions; 7 check mailbox rules; 8 alert users; 9 improve filters; 10 document indicators. | Message trace, email headers, mailbox audit logs, anti-phishing alerts, URLs/attachments, sender details. | Quarantine messages, block sender/domain/URL, disable forwarding, revoke sessions, reset credentials. | Confirm malicious messages removed, mailbox rules clean, passwords/MFA verified, no suspicious sends. | IT Manager, affected business owner, security lead; add legal/privacy/insurance if regulated data may be involved. | Business process controls reduce financial fraud risk. | Use warning banners, domain impersonation protection, finance approval workflow. | 1 hour | Related service | New |
| 13 | Data exfiltration through email | Email & Phishing | Data loss | Critical | P1 – Immediate | Email / Sensitive data | Large outbound attachment or DLP alert | Compliance/Privacy Lead | 1 Identify data involved; 2 preserve access logs; 3 restrict access; 4 notify privacy/compliance lead; 5 determine exposure; 6 collect evidence; 7 remediate permissions; 8 prepare reporting if required; 9 monitor; 10 lessons learned. | File access logs, DLP alerts, audit trails, object permissions, data classification, affected records. | Remove excessive access, stop sharing links, quarantine exposed data set, apply legal hold if required. | Validate permissions, confirm exposure scope, complete reporting, monitor access, verify DLP controls. | IT Manager, affected business owner, security lead; add legal/privacy/insurance if regulated data may be involved. | Sensitive data movement must be monitored and classified. | Implement DLP, encryption, least privilege, outbound monitoring, approved sharing. | 15 minutes | Related service | New |
| 14 | Email outage | Email & Phishing | Service outage | High | P1 – Immediate | Email service | Users cannot send/receive mail | Microsoft 365 Admin | 1 Preserve email and headers; 2 search tenant for similar messages; 3 block sender/domain/URL; 4 remove malicious mail; 5 reset affected passwords; 6 revoke sessions; 7 check mailbox rules; 8 alert users; 9 improve filters; 10 document indicators. | Message trace, email headers, mailbox audit logs, anti-phishing alerts, URLs/attachments, sender details. | Quarantine messages, block sender/domain/URL, disable forwarding, revoke sessions, reset credentials. | Confirm malicious messages removed, mailbox rules clean, passwords/MFA verified, no suspicious sends. | IT Manager, affected business owner, security lead; add legal/privacy/insurance if regulated data may be involved. | Service dependencies and communication channels must be documented. | Monitor service health, maintain alternate communications, test mail flow. | 15 minutes | Related service | New |
| 15 | Mail flow connector failure | Email & Phishing | Mail routing | High | P2 – Urgent | Email security gateway | Delayed/bounced email or connector alert | Microsoft 365 Admin | 1 Preserve email and headers; 2 search tenant for similar messages; 3 block sender/domain/URL; 4 remove malicious mail; 5 reset affected passwords; 6 revoke sessions; 7 check mailbox rules; 8 alert users; 9 improve filters; 10 document indicators. | Message trace, email headers, mailbox audit logs, anti-phishing alerts, URLs/attachments, sender details. | Quarantine messages, block sender/domain/URL, disable forwarding, revoke sessions, reset credentials. | Confirm malicious messages removed, mailbox rules clean, passwords/MFA verified, no suspicious sends. | IT Manager, affected business owner, security lead; add legal/privacy/insurance if regulated data may be involved. | Mail routing changes require change control and monitoring. | Document connectors, monitor queues, create rollback plan, test changes. | 30 minutes | Related service | New |
| 16 | Password revealed or posted online | Identity & Access | Credential exposure | Critical | P1 – Immediate | User account / Identity | Dark web, paste, or user report | Cloud/IAM Admin | 1 Disable or restrict risky account; 2 revoke sessions/tokens; 3 reset password; 4 verify MFA; 5 review sign-ins and admin changes; 6 check mailbox/cloud activity; 7 remove unauthorized access; 8 notify owner; 9 monitor; 10 update access controls. | Sign-in logs, MFA logs, audit logs, session/token events, admin role changes, conditional access results. | Disable/restrict account, revoke tokens, reset password, remove unauthorized privileges, enforce MFA. | Validate sign-ins normalized, MFA enforced, privileges correct, risky sessions closed, monitoring active. | IT Manager, affected business owner, security lead; add legal/privacy/insurance if regulated data may be involved. | Credential exposure can quickly lead to lateral movement. | Use MFA, passwordless, breach monitoring, password reset procedures. | 15 minutes | Related service | New |
| 17 | Impossible travel sign-in | Identity & Access | Risky sign-in | High | P1 – Immediate | Microsoft Entra ID | Sign-in from unusual location | Cloud/IAM Admin | 1 Disable or restrict risky account; 2 revoke sessions/tokens; 3 reset password; 4 verify MFA; 5 review sign-ins and admin changes; 6 check mailbox/cloud activity; 7 remove unauthorized access; 8 notify owner; 9 monitor; 10 update access controls. | Sign-in logs, MFA logs, audit logs, session/token events, admin role changes, conditional access results. | Disable/restrict account, revoke tokens, reset password, remove unauthorized privileges, enforce MFA. | Validate sign-ins normalized, MFA enforced, privileges correct, risky sessions closed, monitoring active. | IT Manager, affected business owner, security lead; add legal/privacy/insurance if regulated data may be involved. | Location anomalies require rapid session review. | Conditional access, MFA, geo-risk policies, impossible travel alerting. | 15 minutes | Related service | New |
| 18 | MFA fatigue attack | Identity & Access | MFA abuse | High | P1 – Immediate | User identity | Repeated MFA prompts or denied approvals | Cloud/IAM Admin | 1 Disable or restrict risky account; 2 revoke sessions/tokens; 3 reset password; 4 verify MFA; 5 review sign-ins and admin changes; 6 check mailbox/cloud activity; 7 remove unauthorized access; 8 notify owner; 9 monitor; 10 update access controls. | Sign-in logs, MFA logs, audit logs, session/token events, admin role changes, conditional access results. | Disable/restrict account, revoke tokens, reset password, remove unauthorized privileges, enforce MFA. | Validate sign-ins normalized, MFA enforced, privileges correct, risky sessions closed, monitoring active. | IT Manager, affected business owner, security lead; add legal/privacy/insurance if regulated data may be involved. | Push MFA can be abused without number matching. | Enable number matching, phishing-resistant MFA, user reporting. | 15 minutes | Related service | New |
| 19 | Administrator account compromise | Identity & Access | Privileged access | Critical | P1 – Immediate | Admin identity | Admin sign-in anomaly or unauthorized changes | Incident Commander | 1 Disable or restrict risky account; 2 revoke sessions/tokens; 3 reset password; 4 verify MFA; 5 review sign-ins and admin changes; 6 check mailbox/cloud activity; 7 remove unauthorized access; 8 notify owner; 9 monitor; 10 update access controls. | Sign-in logs, MFA logs, audit logs, session/token events, admin role changes, conditional access results. | Disable/restrict account, revoke tokens, reset password, remove unauthorized privileges, enforce MFA. | Validate sign-ins normalized, MFA enforced, privileges correct, risky sessions closed, monitoring active. | IT Manager, affected business owner, security lead; add legal/privacy/insurance if regulated data may be involved. | Privileged accounts require extra controls and monitoring. | Use PIM, dedicated admin accounts, conditional access, hardware MFA. | Immediate | Related service | New |
| 20 | Unauthorized privilege escalation | Identity & Access | Privilege change | Critical | P1 – Immediate | Active Directory / Entra ID | Group membership or role assignment alert | Cloud/IAM Admin | 1 Disable or restrict risky account; 2 revoke sessions/tokens; 3 reset password; 4 verify MFA; 5 review sign-ins and admin changes; 6 check mailbox/cloud activity; 7 remove unauthorized access; 8 notify owner; 9 monitor; 10 update access controls. | Sign-in logs, MFA logs, audit logs, session/token events, admin role changes, conditional access results. | Disable/restrict account, revoke tokens, reset password, remove unauthorized privileges, enforce MFA. | Validate sign-ins normalized, MFA enforced, privileges correct, risky sessions closed, monitoring active. | IT Manager, affected business owner, security lead; add legal/privacy/insurance if regulated data may be involved. | Privilege changes must be logged and approved. | Alert on role/group changes, enforce least privilege, quarterly access reviews. | 15 minutes | Related service | New |
| 21 | Service account abuse | Identity & Access | Service account | High | P2 – Urgent | Servers / Applications | Abnormal login from service account | Server/Systems Admin | 1 Disable or restrict risky account; 2 revoke sessions/tokens; 3 reset password; 4 verify MFA; 5 review sign-ins and admin changes; 6 check mailbox/cloud activity; 7 remove unauthorized access; 8 notify owner; 9 monitor; 10 update access controls. | Sign-in logs, MFA logs, audit logs, session/token events, admin role changes, conditional access results. | Disable/restrict account, revoke tokens, reset password, remove unauthorized privileges, enforce MFA. | Validate sign-ins normalized, MFA enforced, privileges correct, risky sessions closed, monitoring active. | IT Manager, affected business owner, security lead; add legal/privacy/insurance if regulated data may be involved. | Service accounts need ownership and restrictions. | Use managed identities, rotate secrets, limit interactive login, monitor usage. | 30 minutes | Related service | New |
| 22 | Account lockout storm | Identity & Access | Authentication issue | Medium | P3 – Normal | Active Directory | Many repeated account lockouts | Server/Systems Admin | 1 Disable or restrict risky account; 2 revoke sessions/tokens; 3 reset password; 4 verify MFA; 5 review sign-ins and admin changes; 6 check mailbox/cloud activity; 7 remove unauthorized access; 8 notify owner; 9 monitor; 10 update access controls. | Sign-in logs, MFA logs, audit logs, session/token events, admin role changes, conditional access results. | Disable/restrict account, revoke tokens, reset password, remove unauthorized privileges, enforce MFA. | Validate sign-ins normalized, MFA enforced, privileges correct, risky sessions closed, monitoring active. | IT Manager, affected business owner, security lead; add legal/privacy/insurance if regulated data may be involved. | Lockouts may indicate attack or broken configuration. | Identify source, tune lockout policy, monitor brute force, update stored credentials. | 2 hours | Related service | New |
| 23 | Disabled employee account still active | Identity & Access | Joiner/mover/leaver | High | P2 – Urgent | Identity / HR process | Former employee account sign-in or access found | Cloud/IAM Admin | 1 Disable or restrict risky account; 2 revoke sessions/tokens; 3 reset password; 4 verify MFA; 5 review sign-ins and admin changes; 6 check mailbox/cloud activity; 7 remove unauthorized access; 8 notify owner; 9 monitor; 10 update access controls. | Sign-in logs, MFA logs, audit logs, session/token events, admin role changes, conditional access results. | Disable/restrict account, revoke tokens, reset password, remove unauthorized privileges, enforce MFA. | Validate sign-ins normalized, MFA enforced, privileges correct, risky sessions closed, monitoring active. | IT Manager, affected business owner, security lead; add legal/privacy/insurance if regulated data may be involved. | Offboarding gaps create avoidable risk. | Automate offboarding, disable accounts, revoke sessions, remove group membership. | 1 hour | Related service | New |
| 24 | Suspicious VPN login | Identity & Access | Remote access | High | P1 – Immediate | VPN / Identity | VPN login from unexpected country/time | Network Engineer | 1 Confirm scope and affected segments; 2 capture firewall/VPN/router logs; 3 block malicious traffic; 4 check device configs; 5 validate routing/DNS; 6 notify ISP/vendor if needed; 7 restore service; 8 monitor flows; 9 harden; 10 report. | Firewall logs, VPN logs, router/switch configs, NetFlow, DNS logs, IDS/IPS events, ISP tickets. | Block IP/domain/port, disable risky VPN account, roll back bad config, segment affected network. | Validate routing/VPN/firewall policies, test connectivity, review logs for repeat traffic, monitor bandwidth. | IT Manager, affected business owner, security lead; add legal/privacy/insurance if regulated data may be involved. | Remote access must be treated as high-risk. | Enforce MFA, geo-blocking, device compliance, VPN log monitoring. | 15 minutes | Related service | New |
| 25 | Password spray attack | Identity & Access | Credential attack | High | P1 – Immediate | Identity platform | Many failed sign-ins across users | Cloud/IAM Admin | 1 Disable or restrict risky account; 2 revoke sessions/tokens; 3 reset password; 4 verify MFA; 5 review sign-ins and admin changes; 6 check mailbox/cloud activity; 7 remove unauthorized access; 8 notify owner; 9 monitor; 10 update access controls. | Sign-in logs, MFA logs, audit logs, session/token events, admin role changes, conditional access results. | Disable/restrict account, revoke tokens, reset password, remove unauthorized privileges, enforce MFA. | Validate sign-ins normalized, MFA enforced, privileges correct, risky sessions closed, monitoring active. | IT Manager, affected business owner, security lead; add legal/privacy/insurance if regulated data may be involved. | Attackers test common passwords at scale. | MFA, smart lockout, conditional access, passwordless rollout, alert tuning. | 15 minutes | Related service | New |
| 26 | Conditional access policy disabled | Identity & Access | Security policy | Critical | P1 – Immediate | Microsoft Entra ID | Policy change or gap detected | Cloud/IAM Admin | 1 Disable or restrict risky account; 2 revoke sessions/tokens; 3 reset password; 4 verify MFA; 5 review sign-ins and admin changes; 6 check mailbox/cloud activity; 7 remove unauthorized access; 8 notify owner; 9 monitor; 10 update access controls. | Sign-in logs, MFA logs, audit logs, session/token events, admin role changes, conditional access results. | Disable/restrict account, revoke tokens, reset password, remove unauthorized privileges, enforce MFA. | Validate sign-ins normalized, MFA enforced, privileges correct, risky sessions closed, monitoring active. | IT Manager, affected business owner, security lead; add legal/privacy/insurance if regulated data may be involved. | Policy changes need approval and alerting. | Require change control, alert on policy changes, export policy backups. | 15 minutes | Related service | New |
| 27 | Break-glass account used | Identity & Access | Emergency access | Critical | P1 – Immediate | Identity platform | Emergency account sign-in alert | Incident Commander | 1 Disable or restrict risky account; 2 revoke sessions/tokens; 3 reset password; 4 verify MFA; 5 review sign-ins and admin changes; 6 check mailbox/cloud activity; 7 remove unauthorized access; 8 notify owner; 9 monitor; 10 update access controls. | Sign-in logs, MFA logs, audit logs, session/token events, admin role changes, conditional access results. | Disable/restrict account, revoke tokens, reset password, remove unauthorized privileges, enforce MFA. | Validate sign-ins normalized, MFA enforced, privileges correct, risky sessions closed, monitoring active. | IT Manager, affected business owner, security lead; add legal/privacy/insurance if regulated data may be involved. | Emergency accounts must be monitored and rare. | Monitor break-glass use, store credentials securely, enforce post-use review. | Immediate | Related service | New |
| 28 | Ransomware encryption detected | Endpoint & Malware | Ransomware | Critical | P1 – Immediate | Workstations / Servers | EDR ransomware behavior or file encryption alert | Security Engineer | 1 Isolate endpoint; 2 preserve EDR alert and hostname; 3 collect user/process details; 4 scan for malware; 5 check lateral movement; 6 validate backups; 7 clean or rebuild; 8 patch; 9 monitor; 10 update controls. | EDR timeline, antivirus alerts, process tree, file hashes, user logon events, disk/memory notes if needed. | Network-isolate endpoint, stop malicious process, quarantine malware, block IOC, remove persistence. | Reimage or clean endpoint, patch, restore files, validate EDR health, run full scan and user testing. | IT Manager, affected business owner, security lead; add legal/privacy/insurance if regulated data may be involved. | Fast isolation and backup validation reduce damage. | EDR isolation, immutable backups, least privilege, application control, user training. | Immediate | Related service | New |
| 29 | Virus/malware infection | Endpoint & Malware | Malware | High | P1 – Immediate | Endpoint | Antivirus/EDR malware alert | Endpoint/Desktop Support | 1 Isolate endpoint; 2 preserve EDR alert and hostname; 3 collect user/process details; 4 scan for malware; 5 check lateral movement; 6 validate backups; 7 clean or rebuild; 8 patch; 9 monitor; 10 update controls. | EDR timeline, antivirus alerts, process tree, file hashes, user logon events, disk/memory notes if needed. | Network-isolate endpoint, stop malicious process, quarantine malware, block IOC, remove persistence. | Reimage or clean endpoint, patch, restore files, validate EDR health, run full scan and user testing. | IT Manager, affected business owner, security lead; add legal/privacy/insurance if regulated data may be involved. | Malware events need scope review beyond one device. | Keep EDR/AV updated, patch endpoints, restrict local admin rights. | 15 minutes | Related service | New |
| 30 | Trojan detected | Endpoint & Malware | Malware | High | P1 – Immediate | Endpoint | Trojan detection or command-and-control beacon | SOC Analyst | 1 Isolate endpoint; 2 preserve EDR alert and hostname; 3 collect user/process details; 4 scan for malware; 5 check lateral movement; 6 validate backups; 7 clean or rebuild; 8 patch; 9 monitor; 10 update controls. | EDR timeline, antivirus alerts, process tree, file hashes, user logon events, disk/memory notes if needed. | Network-isolate endpoint, stop malicious process, quarantine malware, block IOC, remove persistence. | Reimage or clean endpoint, patch, restore files, validate EDR health, run full scan and user testing. | IT Manager, affected business owner, security lead; add legal/privacy/insurance if regulated data may be involved. | Trojan infections may indicate credential theft. | EDR, DNS filtering, least privilege, credential rotation after infection. | 15 minutes | Related service | New |
| 31 | Suspicious PowerShell activity | Endpoint & Malware | Script abuse | High | P1 – Immediate | Endpoint / Server | EDR detects encoded command or suspicious script | Security Engineer | 1 Isolate endpoint; 2 preserve EDR alert and hostname; 3 collect user/process details; 4 scan for malware; 5 check lateral movement; 6 validate backups; 7 clean or rebuild; 8 patch; 9 monitor; 10 update controls. | EDR timeline, antivirus alerts, process tree, file hashes, user logon events, disk/memory notes if needed. | Network-isolate endpoint, stop malicious process, quarantine malware, block IOC, remove persistence. | Reimage or clean endpoint, patch, restore files, validate EDR health, run full scan and user testing. | IT Manager, affected business owner, security lead; add legal/privacy/insurance if regulated data may be involved. | Administrative tools can be used maliciously. | Constrained language mode, script logging, PowerShell hardening, EDR rules. | 15 minutes | Related service | New |
| 32 | Unapproved remote access tool | Endpoint & Malware | Remote access | High | P1 – Immediate | Endpoint | AnyDesk/TeamViewer/RMM detected unexpectedly | Endpoint/Desktop Support | 1 Isolate endpoint; 2 preserve EDR alert and hostname; 3 collect user/process details; 4 scan for malware; 5 check lateral movement; 6 validate backups; 7 clean or rebuild; 8 patch; 9 monitor; 10 update controls. | EDR timeline, antivirus alerts, process tree, file hashes, user logon events, disk/memory notes if needed. | Network-isolate endpoint, stop malicious process, quarantine malware, block IOC, remove persistence. | Reimage or clean endpoint, patch, restore files, validate EDR health, run full scan and user testing. | IT Manager, affected business owner, security lead; add legal/privacy/insurance if regulated data may be involved. | Unauthorized remote tools create persistence. | Application control, approved software list, EDR alerting, vendor allowlist. | 30 minutes | Related service | New |
| 33 | Laptop stolen | Endpoint & Malware | Lost device | High | P2 – Urgent | Laptop / Data | User reports lost or stolen device | Endpoint/Desktop Support | 1 Isolate endpoint; 2 preserve EDR alert and hostname; 3 collect user/process details; 4 scan for malware; 5 check lateral movement; 6 validate backups; 7 clean or rebuild; 8 patch; 9 monitor; 10 update controls. | EDR timeline, antivirus alerts, process tree, file hashes, user logon events, disk/memory notes if needed. | Network-isolate endpoint, stop malicious process, quarantine malware, block IOC, remove persistence. | Reimage or clean endpoint, patch, restore files, validate EDR health, run full scan and user testing. | IT Manager, affected business owner, security lead; add legal/privacy/insurance if regulated data may be involved. | Device encryption and remote wipe readiness are essential. | Full disk encryption, MDM, remote wipe, asset inventory, user reporting process. | 1 hour | Related service | New |
| 34 | USB malware risk | Endpoint & Malware | Removable media | Medium | P3 – Normal | Endpoint | USB insertion and malware alert | Endpoint/Desktop Support | 1 Isolate endpoint; 2 preserve EDR alert and hostname; 3 collect user/process details; 4 scan for malware; 5 check lateral movement; 6 validate backups; 7 clean or rebuild; 8 patch; 9 monitor; 10 update controls. | EDR timeline, antivirus alerts, process tree, file hashes, user logon events, disk/memory notes if needed. | Network-isolate endpoint, stop malicious process, quarantine malware, block IOC, remove persistence. | Reimage or clean endpoint, patch, restore files, validate EDR health, run full scan and user testing. | IT Manager, affected business owner, security lead; add legal/privacy/insurance if regulated data may be involved. | Removable media controls reduce infection paths. | Disable autorun, restrict USB, scan removable media, user training. | 2 hours | Related service | New |
| 35 | Endpoint EDR agent offline | Endpoint & Malware | Monitoring gap | Medium | P3 – Normal | Endpoint security | EDR console shows offline agent | Endpoint/Desktop Support | 1 Isolate endpoint; 2 preserve EDR alert and hostname; 3 collect user/process details; 4 scan for malware; 5 check lateral movement; 6 validate backups; 7 clean or rebuild; 8 patch; 9 monitor; 10 update controls. | EDR timeline, antivirus alerts, process tree, file hashes, user logon events, disk/memory notes if needed. | Network-isolate endpoint, stop malicious process, quarantine malware, block IOC, remove persistence. | Reimage or clean endpoint, patch, restore files, validate EDR health, run full scan and user testing. | IT Manager, affected business owner, security lead; add legal/privacy/insurance if regulated data may be involved. | Unmonitored endpoints create blind spots. | Automated health checks, enforce agent install, alert on offline endpoints. | 4 hours | Related service | New |
| 36 | Unauthorized software installed | Endpoint & Malware | Policy violation | Medium | P3 – Normal | Endpoint | Software inventory or EDR alert | Endpoint/Desktop Support | 1 Isolate endpoint; 2 preserve EDR alert and hostname; 3 collect user/process details; 4 scan for malware; 5 check lateral movement; 6 validate backups; 7 clean or rebuild; 8 patch; 9 monitor; 10 update controls. | EDR timeline, antivirus alerts, process tree, file hashes, user logon events, disk/memory notes if needed. | Network-isolate endpoint, stop malicious process, quarantine malware, block IOC, remove persistence. | Reimage or clean endpoint, patch, restore files, validate EDR health, run full scan and user testing. | IT Manager, affected business owner, security lead; add legal/privacy/insurance if regulated data may be involved. | Software sprawl increases attack surface. | Application allowlisting, least privilege, asset inventory, software approval. | 4 hours | Related service | New |
| 37 | Local admin misuse | Endpoint & Malware | Privilege misuse | High | P2 – Urgent | Endpoint | Local admin action or unexpected tool install | Endpoint/Desktop Support | 1 Disable or restrict risky account; 2 revoke sessions/tokens; 3 reset password; 4 verify MFA; 5 review sign-ins and admin changes; 6 check mailbox/cloud activity; 7 remove unauthorized access; 8 notify owner; 9 monitor; 10 update access controls. | Sign-in logs, MFA logs, audit logs, session/token events, admin role changes, conditional access results. | Disable/restrict account, revoke tokens, reset password, remove unauthorized privileges, enforce MFA. | Validate sign-ins normalized, MFA enforced, privileges correct, risky sessions closed, monitoring active. | IT Manager, affected business owner, security lead; add legal/privacy/insurance if regulated data may be involved. | Local admin rights are high-risk. | Remove local admin, use PAM/LAPS, monitor privileged actions. | 1 hour | Related service | New |
| 38 | Suspicious browser extension | Endpoint & Malware | Browser threat | Medium | P3 – Normal | Endpoint / Browser | Extension requests excessive permissions | Endpoint/Desktop Support | 1 Isolate endpoint; 2 preserve EDR alert and hostname; 3 collect user/process details; 4 scan for malware; 5 check lateral movement; 6 validate backups; 7 clean or rebuild; 8 patch; 9 monitor; 10 update controls. | EDR timeline, antivirus alerts, process tree, file hashes, user logon events, disk/memory notes if needed. | Network-isolate endpoint, stop malicious process, quarantine malware, block IOC, remove persistence. | Reimage or clean endpoint, patch, restore files, validate EDR health, run full scan and user testing. | IT Manager, affected business owner, security lead; add legal/privacy/insurance if regulated data may be involved. | Browser extensions can exfiltrate data. | Managed browser policies, extension allowlist, user training. | 4 hours | Related service | New |
| 39 | Endpoint disk full outage | Endpoint & Malware | Endpoint outage | Low | P4 – Scheduled | Endpoint | User cannot work due to disk space | Endpoint/Desktop Support | 1 Isolate endpoint; 2 preserve EDR alert and hostname; 3 collect user/process details; 4 scan for malware; 5 check lateral movement; 6 validate backups; 7 clean or rebuild; 8 patch; 9 monitor; 10 update controls. | EDR timeline, antivirus alerts, process tree, file hashes, user logon events, disk/memory notes if needed. | Network-isolate endpoint, stop malicious process, quarantine malware, block IOC, remove persistence. | Reimage or clean endpoint, patch, restore files, validate EDR health, run full scan and user testing. | IT Manager, affected business owner, security lead; add legal/privacy/insurance if regulated data may be involved. | Capacity monitoring avoids avoidable outages. | Disk health monitoring, cleanup policies, OneDrive controls. | 1 business day | Related service | New |
| 40 | Lost mobile device with company email | Endpoint & Malware | Mobile device | High | P2 – Urgent | Mobile / Email | User reports phone lost | Microsoft 365 Admin | 1 Disable or restrict risky account; 2 revoke sessions/tokens; 3 reset password; 4 verify MFA; 5 review sign-ins and admin changes; 6 check mailbox/cloud activity; 7 remove unauthorized access; 8 notify owner; 9 monitor; 10 update access controls. | Sign-in logs, MFA logs, audit logs, session/token events, admin role changes, conditional access results. | Disable/restrict account, revoke tokens, reset password, remove unauthorized privileges, enforce MFA. | Validate sign-ins normalized, MFA enforced, privileges correct, risky sessions closed, monitoring active. | IT Manager, affected business owner, security lead; add legal/privacy/insurance if regulated data may be involved. | Mobile access needs MDM and wipe controls. | MDM enrollment, PIN/encryption, remote wipe, conditional access. | 1 hour | Related service | New |
| 41 | Fileless malware behavior | Endpoint & Malware | Advanced malware | Critical | P1 – Immediate | Endpoint | Memory/process anomaly without file artifact | Security Engineer | 1 Isolate endpoint; 2 preserve EDR alert and hostname; 3 collect user/process details; 4 scan for malware; 5 check lateral movement; 6 validate backups; 7 clean or rebuild; 8 patch; 9 monitor; 10 update controls. | EDR timeline, antivirus alerts, process tree, file hashes, user logon events, disk/memory notes if needed. | Network-isolate endpoint, stop malicious process, quarantine malware, block IOC, remove persistence. | Reimage or clean endpoint, patch, restore files, validate EDR health, run full scan and user testing. | IT Manager, affected business owner, security lead; add legal/privacy/insurance if regulated data may be involved. | Advanced attacks require EDR telemetry and skilled review. | Behavioral EDR, script controls, threat hunting, memory collection process. | Immediate | Related service | New |
| 42 | Endpoint patch failure on critical CVE | Endpoint & Malware | Patch management | High | P2 – Urgent | Endpoint fleet | Patch compliance report shows missed critical patch | Endpoint/Desktop Support | 1 Isolate endpoint; 2 preserve EDR alert and hostname; 3 collect user/process details; 4 scan for malware; 5 check lateral movement; 6 validate backups; 7 clean or rebuild; 8 patch; 9 monitor; 10 update controls. | EDR timeline, antivirus alerts, process tree, file hashes, user logon events, disk/memory notes if needed. | Network-isolate endpoint, stop malicious process, quarantine malware, block IOC, remove persistence. | Reimage or clean endpoint, patch, restore files, validate EDR health, run full scan and user testing. | IT Manager, affected business owner, security lead; add legal/privacy/insurance if regulated data may be involved. | Patch failures need exception tracking. | Patch management, maintenance windows, reboot enforcement, vulnerability scans. | 4 hours | Related service | New |
| 43 | DDoS attack | Network & Perimeter | DDoS | Critical | P1 – Immediate | Internet edge | Traffic spike, service unavailable, ISP alert | Network Engineer | 1 Confirm scope and affected segments; 2 capture firewall/VPN/router logs; 3 block malicious traffic; 4 check device configs; 5 validate routing/DNS; 6 notify ISP/vendor if needed; 7 restore service; 8 monitor flows; 9 harden; 10 report. | Firewall logs, VPN logs, router/switch configs, NetFlow, DNS logs, IDS/IPS events, ISP tickets. | Block IP/domain/port, disable risky VPN account, roll back bad config, segment affected network. | Validate routing/VPN/firewall policies, test connectivity, review logs for repeat traffic, monitor bandwidth. | IT Manager, affected business owner, security lead; add legal/privacy/insurance if regulated data may be involved. | DDoS response depends on upstream coordination. | DDoS protection, ISP escalation contacts, traffic baselines, WAF/CDN. | Immediate | Related service | New |
| 44 | Internet down | Network & Perimeter | Connectivity outage | High | P1 – Immediate | Internet WAN | Users report no internet or monitoring alert | Vendor/ISP Coordinator | 1 Confirm scope and affected segments; 2 capture firewall/VPN/router logs; 3 block malicious traffic; 4 check device configs; 5 validate routing/DNS; 6 notify ISP/vendor if needed; 7 restore service; 8 monitor flows; 9 harden; 10 report. | Firewall logs, VPN logs, router/switch configs, NetFlow, DNS logs, IDS/IPS events, ISP tickets. | Block IP/domain/port, disable risky VPN account, roll back bad config, segment affected network. | Validate routing/VPN/firewall policies, test connectivity, review logs for repeat traffic, monitor bandwidth. | IT Manager, affected business owner, security lead; add legal/privacy/insurance if regulated data may be involved. | Redundancy and ISP escalation reduce downtime. | Dual ISP, SD-WAN/failover, monitoring, documented ISP contacts. | 15 minutes | Related service | New |
| 45 | VPN down | Network & Perimeter | Remote access outage | High | P1 – Immediate | VPN / Firewall | Remote users cannot connect | Network Engineer | 1 Confirm scope and affected segments; 2 capture firewall/VPN/router logs; 3 block malicious traffic; 4 check device configs; 5 validate routing/DNS; 6 notify ISP/vendor if needed; 7 restore service; 8 monitor flows; 9 harden; 10 report. | Firewall logs, VPN logs, router/switch configs, NetFlow, DNS logs, IDS/IPS events, ISP tickets. | Block IP/domain/port, disable risky VPN account, roll back bad config, segment affected network. | Validate routing/VPN/firewall policies, test connectivity, review logs for repeat traffic, monitor bandwidth. | IT Manager, affected business owner, security lead; add legal/privacy/insurance if regulated data may be involved. | Remote access availability affects business continuity. | HA VPN, capacity monitoring, certificate tracking, tested failover. | 15 minutes | Related service | New |
| 46 | Firewall blocked critical application | Network & Perimeter | Firewall policy | Medium | P2 – Urgent | Firewall / Application | Application fails after firewall rule change | Network Engineer | 1 Confirm scope and affected segments; 2 capture firewall/VPN/router logs; 3 block malicious traffic; 4 check device configs; 5 validate routing/DNS; 6 notify ISP/vendor if needed; 7 restore service; 8 monitor flows; 9 harden; 10 report. | Firewall logs, VPN logs, router/switch configs, NetFlow, DNS logs, IDS/IPS events, ISP tickets. | Block IP/domain/port, disable risky VPN account, roll back bad config, segment affected network. | Validate routing/VPN/firewall policies, test connectivity, review logs for repeat traffic, monitor bandwidth. | IT Manager, affected business owner, security lead; add legal/privacy/insurance if regulated data may be involved. | Firewall changes need testing and rollback. | Change control, rule documentation, pre/post testing, application owner approval. | 1 hour | Related service | New |
| 47 | Firewall compromise suspected | Network & Perimeter | Firewall security | Critical | P1 – Immediate | Firewall | Unauthorized config change or admin login | Security Engineer | 1 Confirm scope and affected segments; 2 capture firewall/VPN/router logs; 3 block malicious traffic; 4 check device configs; 5 validate routing/DNS; 6 notify ISP/vendor if needed; 7 restore service; 8 monitor flows; 9 harden; 10 report. | Firewall logs, VPN logs, router/switch configs, NetFlow, DNS logs, IDS/IPS events, ISP tickets. | Block IP/domain/port, disable risky VPN account, roll back bad config, segment affected network. | Validate routing/VPN/firewall policies, test connectivity, review logs for repeat traffic, monitor bandwidth. | IT Manager, affected business owner, security lead; add legal/privacy/insurance if regulated data may be involved. | Security devices are high-value targets. | Admin MFA, restricted management, config backups, firmware updates, alerting. | Immediate | Related service | New |
| 48 | Router failure | Network & Perimeter | Network outage | High | P1 – Immediate | WAN/LAN routing | Monitoring alert or routing loss | Network Engineer | 1 Confirm scope and affected segments; 2 capture firewall/VPN/router logs; 3 block malicious traffic; 4 check device configs; 5 validate routing/DNS; 6 notify ISP/vendor if needed; 7 restore service; 8 monitor flows; 9 harden; 10 report. | Firewall logs, VPN logs, router/switch configs, NetFlow, DNS logs, IDS/IPS events, ISP tickets. | Block IP/domain/port, disable risky VPN account, roll back bad config, segment affected network. | Validate routing/VPN/firewall policies, test connectivity, review logs for repeat traffic, monitor bandwidth. | IT Manager, affected business owner, security lead; add legal/privacy/insurance if regulated data may be involved. | Routing devices need redundancy and config backups. | HA routers, tested config backups, monitoring, spare hardware. | 15 minutes | Related service | New |
| 49 | Core switch failure | Network & Perimeter | Network outage | Critical | P1 – Immediate | LAN core | Multiple VLANs/services offline | Network Engineer | 1 Confirm scope and affected segments; 2 capture firewall/VPN/router logs; 3 block malicious traffic; 4 check device configs; 5 validate routing/DNS; 6 notify ISP/vendor if needed; 7 restore service; 8 monitor flows; 9 harden; 10 report. | Firewall logs, VPN logs, router/switch configs, NetFlow, DNS logs, IDS/IPS events, ISP tickets. | Block IP/domain/port, disable risky VPN account, roll back bad config, segment affected network. | Validate routing/VPN/firewall policies, test connectivity, review logs for repeat traffic, monitor bandwidth. | IT Manager, affected business owner, security lead; add legal/privacy/insurance if regulated data may be involved. | Core network devices are critical infrastructure. | Redundant core, UPS, config backups, lifecycle management. | Immediate | Related service | New |
| 50 | Rogue DHCP server | Network & Perimeter | Network misconfiguration | High | P2 – Urgent | LAN | Users receive wrong gateway/DNS | Network Engineer | 1 Confirm scope and affected segments; 2 capture firewall/VPN/router logs; 3 block malicious traffic; 4 check device configs; 5 validate routing/DNS; 6 notify ISP/vendor if needed; 7 restore service; 8 monitor flows; 9 harden; 10 report. | Firewall logs, VPN logs, router/switch configs, NetFlow, DNS logs, IDS/IPS events, ISP tickets. | Block IP/domain/port, disable risky VPN account, roll back bad config, segment affected network. | Validate routing/VPN/firewall policies, test connectivity, review logs for repeat traffic, monitor bandwidth. | IT Manager, affected business owner, security lead; add legal/privacy/insurance if regulated data may be involved. | Rogue services can disrupt or intercept traffic. | DHCP snooping, network access control, switch port security. | 30 minutes | Related service | New |
| 51 | DNS outage | Network & Perimeter | Name resolution | High | P1 – Immediate | DNS / AD / Internet | Users cannot resolve names | Server/Systems Admin | 1 Confirm scope and affected segments; 2 capture firewall/VPN/router logs; 3 block malicious traffic; 4 check device configs; 5 validate routing/DNS; 6 notify ISP/vendor if needed; 7 restore service; 8 monitor flows; 9 harden; 10 report. | Firewall logs, VPN logs, router/switch configs, NetFlow, DNS logs, IDS/IPS events, ISP tickets. | Block IP/domain/port, disable risky VPN account, roll back bad config, segment affected network. | Validate routing/VPN/firewall policies, test connectivity, review logs for repeat traffic, monitor bandwidth. | IT Manager, affected business owner, security lead; add legal/privacy/insurance if regulated data may be involved. | DNS is a dependency for nearly everything. | Redundant DNS, monitoring, conditional forwarder documentation, change control. | 15 minutes | Related service | New |
| 52 | Network loop / broadcast storm | Network & Perimeter | LAN outage | High | P1 – Immediate | Switching | High broadcast traffic, slow LAN | Network Engineer | 1 Confirm scope and affected segments; 2 capture firewall/VPN/router logs; 3 block malicious traffic; 4 check device configs; 5 validate routing/DNS; 6 notify ISP/vendor if needed; 7 restore service; 8 monitor flows; 9 harden; 10 report. | Firewall logs, VPN logs, router/switch configs, NetFlow, DNS logs, IDS/IPS events, ISP tickets. | Block IP/domain/port, disable risky VPN account, roll back bad config, segment affected network. | Validate routing/VPN/firewall policies, test connectivity, review logs for repeat traffic, monitor bandwidth. | IT Manager, affected business owner, security lead; add legal/privacy/insurance if regulated data may be involved. | Layer 2 controls prevent widespread disruption. | STP, loop guard, BPDU guard, port documentation, monitoring. | 15 minutes | Related service | New |
| 53 | IDS/IPS detects exploit attempt | Network & Perimeter | Intrusion attempt | High | P2 – Urgent | Firewall / Servers | IPS alert against public service | SOC Analyst | 1 Confirm scope and affected segments; 2 capture firewall/VPN/router logs; 3 block malicious traffic; 4 check device configs; 5 validate routing/DNS; 6 notify ISP/vendor if needed; 7 restore service; 8 monitor flows; 9 harden; 10 report. | Firewall logs, VPN logs, router/switch configs, NetFlow, DNS logs, IDS/IPS events, ISP tickets. | Block IP/domain/port, disable risky VPN account, roll back bad config, segment affected network. | Validate routing/VPN/firewall policies, test connectivity, review logs for repeat traffic, monitor bandwidth. | IT Manager, affected business owner, security lead; add legal/privacy/insurance if regulated data may be involved. | Internet-facing services need active monitoring. | Patch exposed services, WAF/IPS, vulnerability scanning, minimize exposure. | 30 minutes | Related service | New |
| 54 | Wireless network compromise suspected | Network & Perimeter | Wi-Fi security | High | P2 – Urgent | Wireless LAN | Unknown AP/client or unusual traffic | Network Engineer | 1 Confirm scope (SSIDs, APs, VLANs and clients affected); 2 capture WLAN controller, RADIUS/NPS, DHCP and firewall logs; 3 locate and disable any rogue AP and isolate suspicious clients; 4 check AP/controller configs for unauthorized changes; 5 rotate the PSK or revoke exposed certificates/credentials; 6 validate guest/corporate segmentation and DNS; 7 restore service; 8 monitor wireless flows; 9 harden; 10 report. | WLAN controller/AP logs, RADIUS/NPS authentication logs, DHCP leases, firewall logs, NetFlow, DNS logs, rogue AP detection alerts, IDS/IPS events. | Disable rogue AP, block or deauthenticate the suspicious client MAC, rotate PSK, move the affected SSID to an isolated VLAN. | Validate SSID-to-VLAN mapping and firewall policy, confirm only authorized APs are broadcasting, review authentication logs for repeat failures, monitor traffic. | IT Manager, affected business owner, security lead; add legal/privacy/insurance if regulated data may be involved. | Wireless access must be segmented and monitored. | WPA3/enterprise auth, rogue AP detection, guest segmentation. | 1 hour | Related service | New |
| 55 | Unauthorized device on network | Network & Perimeter | Rogue device | Medium | P2 – Urgent | LAN | Unknown MAC/device detected | Network Engineer | 1 Identify the device (MAC, IP, switch and port, DHCP hostname, vendor OUI); 2 capture switch, DHCP, NAC and firewall logs; 3 shut or quarantine the switch port; 4 find the owner (new printer, contractor laptop, or an unexplained implant); 5 review traffic the device generated (scans, outbound connections, DNS); 6 check port security/NAC configuration; 7 restore the port only if the device is legitimate and inventoried; 8 monitor; 9 harden; 10 report. | Switch MAC/port tables, DHCP lease logs, NAC logs, firewall logs and NetFlow for the device IP, DNS logs, IDS/IPS events, asset inventory. | Disable or quarantine the switch port, block the device MAC/IP, move it to a quarantine VLAN. | Confirm the device is removed or registered in inventory, validate port security/NAC enforcement, review logs for repeat connections. | IT Manager, affected business owner, security lead; add legal/privacy/insurance if regulated data may be involved. | Asset visibility is foundational. | NAC, device inventory, switch port authentication, segmentation. | 1 hour | Related service | New |
| 56 | ISP packet loss / degraded service | Network & Perimeter | Performance outage | Medium | P2 – Urgent | Internet WAN | Packet loss/latency monitoring alert | Vendor/ISP Coordinator | 1 Confirm scope (sites, circuits, VPN tunnels) and rule out internal causes such as a saturated uplink or a failing switch; 2 capture WAN monitoring graphs, firewall WAN interface error counters and traceroute/MTR results to several destinations; 3 check modem/circuit hardware and cabling; 4 fail over to the secondary circuit or SD-WAN path if available; 5 open an ISP ticket with timestamps and test results; 6 apply QoS to protect voice and VPN while bandwidth is constrained; 7 track ISP restoration; 8 monitor loss/latency against baseline; 9 review circuit redundancy; 10 report. | WAN/SLA monitoring data, firewall interface counters and errors, traceroute/MTR output, NetFlow top talkers, ISP ticket and status updates. | Fail over to secondary circuit/SD-WAN, apply QoS to critical traffic, pause non-urgent bulk transfers. | Confirm loss/latency back at baseline, return to the primary circuit, record the ISP root cause, claim SLA credits if applicable. | IT Manager, affected business owner, security lead; add legal/privacy/insurance if regulated data may be involved. | Performance issues require objective monitoring data. | WAN monitoring, SLA tracking, secondary circuit, SD-WAN. | 1 hour | Related service | New |
| 57 | Firewall license expired | Network & Perimeter | Security service gap | High | P2 – Urgent | Firewall services | Threat protection/license alert | Network Engineer | 1 Confirm which subscriptions lapsed (IPS, anti-malware, URL/DNS filtering, signature updates) and since when; 2 capture license status and last signature update times; 3 renew or obtain an interim license from the vendor; 4 verify services re-enabled and signatures updating; 5 review threat and traffic logs covering the unprotected window; 6 tighten policy (block uncategorized/geo, lean on EDR) until protection is restored; 7 validate rule processing; 8 monitor; 9 fix renewal tracking; 10 report. | License/subscription status, signature update logs, firewall threat and traffic logs for the gap window, vendor ticket. | Renew or apply an interim license, tighten policies while unprotected, increase endpoint/EDR monitoring. | Confirm all security services active and current, review gap-window logs for missed threats, add the renewal to the lifecycle tracker. | IT Manager, affected business owner, security lead; add legal/privacy/insurance if regulated data may be involved. | Licenses are operational controls. | License lifecycle tracking, renewal reminders, vendor management. | 4 hours | Related service | New |
| 58 | Azure VM compromise suspected | Cloud & Microsoft 365 | Cloud workload | Critical | P1 – Immediate | Azure VM | Security alert or abnormal outbound traffic | Cloud/IAM Admin | 1 Review Azure/M365 alerts; 2 identify affected identities/resources; 3 revoke sessions; 4 lock down access; 5 export audit/sign-in logs; 6 inspect permissions/apps; 7 remediate config; 8 validate service; 9 monitor; 10 document. | Azure activity logs, Entra ID sign-in/audit logs, M365 audit logs, resource changes, app consent records. | Disable risky identity/app, revoke consent/session, restrict public access, lock down permissions. | Validate access policies, resource integrity, audit trail, app permissions, and ongoing cloud alerts. | IT Manager, affected business owner, security lead; add legal/privacy/insurance if regulated data may be involved. | Cloud workloads need logging and segmentation. | Defender for Cloud, NSG hardening, patching, just-in-time access. | Immediate | Related service | New |
| 59 | Azure storage public exposure | Cloud & Microsoft 365 | Cloud storage | Critical | P1 – Immediate | Azure Storage | Public access detected or data exposure alert | Cloud/IAM Admin | 1 Review Azure/M365 alerts; 2 identify affected identities/resources; 3 revoke sessions; 4 lock down access; 5 export audit/sign-in logs; 6 inspect permissions/apps; 7 remediate config; 8 validate service; 9 monitor; 10 document. | Azure activity logs, Entra ID sign-in/audit logs, M365 audit logs, resource changes, app consent records. | Disable risky identity/app, revoke consent/session, restrict public access, lock down permissions. | Validate access policies, resource integrity, audit trail, app permissions, and ongoing cloud alerts. | IT Manager, affected business owner, security lead; add legal/privacy/insurance if regulated data may be involved. | Cloud storage defaults and permissions must be controlled. | Disable public access, private endpoints, storage firewall, access review. | 15 minutes | Related service | New |
| 60 | Suspicious Azure resource creation | Cloud & Microsoft 365 | Cloud abuse | High | P1 – Immediate | Azure subscription | Unexpected VM/resource or cost spike | Cloud/IAM Admin | 1 Review Azure/M365 alerts; 2 identify affected identities/resources; 3 revoke sessions; 4 lock down access; 5 export audit/sign-in logs; 6 inspect permissions/apps; 7 remediate config; 8 validate service; 9 monitor; 10 document. | Azure activity logs, Entra ID sign-in/audit logs, M365 audit logs, resource changes, app consent records. | Disable risky identity/app, revoke consent/session, restrict public access, lock down permissions. | Validate access policies, resource integrity, audit trail, app permissions, and ongoing cloud alerts. | IT Manager, affected business owner, security lead; add legal/privacy/insurance if regulated data may be involved. | Compromised accounts may create cloud resources. | Budget alerts, role review, PIM, policy restrictions, activity log alerting. | 15 minutes | Related service | New |
| 61 | Microsoft 365 tenant admin change | Cloud & Microsoft 365 | Tenant security | Critical | P1 – Immediate | M365 admin center | Unauthorized admin role or tenant setting change | Microsoft 365 Admin | 1 Review Azure/M365 alerts; 2 identify affected identities/resources; 3 revoke sessions; 4 lock down access; 5 export audit/sign-in logs; 6 inspect permissions/apps; 7 remediate config; 8 validate service; 9 monitor; 10 document. | Azure activity logs, Entra ID sign-in/audit logs, M365 audit logs, resource changes, app consent records. | Disable risky identity/app, revoke consent/session, restrict public access, lock down permissions. | Validate access policies, resource integrity, audit trail, app permissions, and ongoing cloud alerts. | IT Manager, affected business owner, security lead; add legal/privacy/insurance if regulated data may be involved. | Tenant-wide changes can create lasting exposure. | Admin role alerting, PIM, change control, audit log retention. | Immediate | Related service | New |
| 62 | SharePoint external sharing exposure | Cloud & Microsoft 365 | Cloud data sharing | High | P2 – Urgent | SharePoint/OneDrive | Sensitive file shared externally | Compliance/Privacy Lead | 1 Identify data involved; 2 preserve access logs; 3 restrict access; 4 notify privacy/compliance lead; 5 determine exposure; 6 collect evidence; 7 remediate permissions; 8 prepare reporting if required; 9 monitor; 10 lessons learned. | File access logs, DLP alerts, audit trails, object permissions, data classification, affected records. | Remove excessive access, stop sharing links, quarantine exposed data set, apply legal hold if required. | Validate permissions, confirm exposure scope, complete reporting, monitor access, verify DLP controls. | IT Manager, affected business owner, security lead; add legal/privacy/insurance if regulated data may be involved. | Collaboration tools need data governance. | DLP, sensitivity labels, external sharing controls, access reviews. | 1 hour | Related service | New |
| 63 | OneDrive mass file deletion | Cloud & Microsoft 365 | Cloud data loss | High | P1 – Immediate | OneDrive | Mass delete alert or user reports missing files | Microsoft 365 Admin | 1 Review the alert and identify the user, volume and time window; 2 determine the cause (user action, sync client or device wipe, compromised account, ransomware); 3 revoke sessions and disable the account if compromise is suspected; 4 pause the sync client on the source device; 5 export unified audit log FileDeleted/FileRecycled events and sign-in logs; 6 restore from the OneDrive recycle bin, Files Restore (rolls the library back up to 30 days) or the M365 backup; 7 verify restored content and sharing links; 8 remediate the root cause; 9 monitor; 10 document. | M365 unified audit log (FileDeleted, FileRecycled, sync events), Entra ID sign-in logs, recycle bin contents, device/sync client logs, backup restore points. | Revoke sessions or disable the account if compromised, pause sync on the source device, preserve the recycle bin and audit log. | Confirm files restored and intact, permissions and shared links correct, backup coverage for OneDrive verified, monitoring active. | IT Manager, affected business owner, security lead; add legal/privacy/insurance if regulated data may be involved. | Cloud recycle/recovery windows must be understood. | Retention policies, alert on mass deletion, user training, backup for M365. | 15 minutes | Related service | New |
| 64 | Suspicious Teams guest access | Cloud & Microsoft 365 | Collaboration risk | Medium | P3 – Normal | Microsoft Teams | Unknown external guest added | Microsoft 365 Admin | 1 Identify the guest, who invited them and which teams/channels they joined; 2 confirm with the team owner whether the invitation was expected; 3 if not, remove the guest from the team and from Entra ID; 4 export audit logs for files and messages the guest accessed; 5 revoke the guest's sessions; 6 review external sharing and guest access settings; 7 remediate config; 8 validate; 9 monitor; 10 document. | Teams/M365 audit logs (MemberAdded, guest invitation, file access), Entra ID guest user object and sign-ins, team owner confirmation. | Remove the guest from the team, block or delete the guest account, revoke sessions, stop any sharing links created for them. | Confirm the guest is removed or approved by the owner, accessed content reviewed, guest policy and expiration configured. | IT Manager, affected business owner, security lead; add legal/privacy/insurance if regulated data may be involved. | Guest access needs ownership and expiration. | Guest access review, sensitivity labels, team lifecycle policies. | 4 hours | Related service | New |
| 65 | Azure conditional access misconfiguration | Cloud & Microsoft 365 | Access control | High | P2 – Urgent | Microsoft Entra ID | Unexpected access allowed or blocked | Cloud/IAM Admin | 1 Identify the changed policy and the actor from the Entra ID audit log; 2 confirm whether the change went through change control; 3 if administrators are locked out, sign in with the emergency access (break-glass) account; 4 revert to the last known-good policy or switch it to report-only; 5 review sign-in logs for sessions allowed without MFA during the window; 6 if the actor was not authorized, hand off to the account compromise playbook; 7 validate with the What If tool and test users; 8 notify owner; 9 monitor; 10 update access controls and change control. | Entra ID audit logs (policy add/update/delete), sign-in logs with conditional access results, policy version history, change tickets, break-glass account usage. | Revert the policy, keep break-glass accounts excluded, revoke sessions that bypassed MFA, disable the actor if unauthorized. | Validate policies apply as intended, MFA enforced, no bypass sign-ins remain, report-only results reviewed. | IT Manager, affected business owner, security lead; add legal/privacy/insurance if regulated data may be involved. | Access policies need testing and emergency access planning. | Policy templates, test groups, change control, report-only testing. | 1 hour | Related service | New |
| 66 | Cloud backup job failure | Cloud & Microsoft 365 | Cloud backup | High | P2 – Urgent | Cloud backup | Backup alert for failed job | Backup/DR Admin | 1 Protect backup repository; 2 check last good backup; 3 verify immutability; 4 review admin changes; 5 test restore; 6 isolate affected backups; 7 coordinate recovery; 8 monitor jobs; 9 adjust retention; 10 document. | Backup job logs, repository access logs, retention settings, immutability status, restore test results. | Lock repository access, disable suspicious admin account, stop destructive jobs, preserve clean restore points. | Restore test selected data, validate clean recovery point, confirm schedules and immutable retention. | IT Manager, affected business owner, security lead; add legal/privacy/insurance if regulated data may be involved. | Backup failures are incident indicators. | Monitor backup jobs, test restores, alert on failure, capacity planning. | 2 hours | Related service | New |
| 67 | Suspicious OAuth application in Azure | Cloud & Microsoft 365 | Application permission | Critical | P1 – Immediate | Entra ID apps | High-privilege app consent detected | Cloud/IAM Admin | 1 Review the consent alert: app name, publisher, permissions granted, consenting user and whether admin consent was given; 2 identify every user who consented and the data reachable (mail, files, directory); 3 disable the app's service principal and revoke its permission grants; 4 revoke sessions for consenting users and reset credentials if phishing is suspected; 5 export audit and sign-in logs, including sign-ins by the app itself; 6 inspect mailbox rules, forwarding and file access performed through the app; 7 remediate consent settings; 8 validate service; 9 monitor; 10 document. | Entra ID audit logs (Consent to application), enterprise application and permission grant records, app sign-in logs, M365 audit logs for activity by the app, mailbox rules and forwarding. | Disable the app's service principal, revoke permission grants and user consents, revoke user sessions, block the publisher if unverified. | Confirm the app is removed from enterprise applications with no residual grants, user consent restricted to verified publishers behind an admin consent workflow, activity via the app reviewed. | IT Manager, affected business owner, security lead; add legal/privacy/insurance if regulated data may be involved. | Application permissions can be equivalent to account compromise. | Admin consent workflow, app permission review, disable user consent. | 15 minutes | Related service | New |
| 68 | Cloud security alert ignored | Cloud & Microsoft 365 | Monitoring gap | Medium | P3 – Normal | Cloud security tools | Aged unresolved cloud alert | SOC Analyst | 1 Triage the aged alert as if it were new; 2 identify affected identities/resources; 3 check whether the activity is still present or has repeated; 4 if confirmed, escalate to the matching playbook (account compromise, OAuth app, storage exposure); 5 export the alert and related sign-in/audit logs; 6 determine why it was missed (routing, ownership, suppression, volume); 7 assign an owner and close or escalate; 8 tune the rule; 9 monitor; 10 document. | Alert record and timeline, Defender/Azure alert queue, related sign-in and audit logs, on-call routing and ticket history. | Whatever the underlying alert requires; none if it is confirmed benign. | Alert resolved with a named owner, backlog reviewed, triage SLA and routing corrected. | IT Manager, affected business owner, security lead; add legal/privacy/insurance if regulated data may be involved. | Alert fatigue can hide real incidents. | Alert tuning, ownership, triage SLAs, dashboard reporting. | 4 hours | Related service | New |
| 69 | M365 service health outage | Cloud & Microsoft 365 | Cloud service outage | High | P2 – Urgent | Microsoft 365 | Microsoft service health alert or user reports outage | Microsoft 365 Admin | 1 Check Microsoft 365 Service Health and the Message Center for an active incident; 2 confirm whether the impact is Microsoft-side or local (identity, DNS, proxy, network); 3 record the incident ID and affected workloads; 4 communicate status and workarounds to users; 5 avoid unnecessary tenant changes while the incident is open; 6 open a Microsoft support case if the outage is not acknowledged; 7 validate restoration; 8 monitor; 9 review Microsoft's post-incident report; 10 document. | Service Health incident ID and timeline, local sign-in and network logs ruling out internal causes, user reports, support case. | Activate alternate communication channels, pause dependent automation, make no identity or configuration changes unless required. | Confirm workloads restored and users notified, verify nothing was changed in the tenant during the outage, update the communication template. | IT Manager, affected business owner, security lead; add legal/privacy/insurance if regulated data may be involved. | Cloud outages need communication playbooks. | Monitor service health, status templates, alternate communication plans. | 30 minutes | Related service | New |
| 70 | Server outage | Server & Infrastructure | Server availability | High | P1 – Immediate | Server / Application | Monitoring alert or user reports outage | Server/Systems Admin | 1 Confirm outage or compromise; 2 preserve system/event logs; 3 check resource health; 4 isolate if malicious; 5 validate dependencies; 6 restore service; 7 patch or rebuild; 8 verify apps; 9 monitor; 10 document. | Windows/Linux event logs, application logs, performance counters, uptime monitors, change records. | Isolate server if compromised, stop affected service, block access path, snapshot/preserve before rebuild. | Restore services, verify application health, patch, validate authentication, monitor CPU/disk/network. | IT Manager, affected business owner, security lead; add legal/privacy/insurance if regulated data may be involved. | Server health monitoring and dependencies matter. | Redundancy, monitoring, patching, capacity planning, runbooks. | 15 minutes | Related service | New |
| 71 | Domain controller outage | Server & Infrastructure | Identity infrastructure | Critical | P1 – Immediate | Active Directory | Authentication failures or DC down alert | Server/Systems Admin | 1 Confirm outage or compromise; 2 preserve system/event logs; 3 check resource health; 4 isolate if malicious; 5 validate dependencies; 6 restore service; 7 patch or rebuild; 8 verify apps; 9 monitor; 10 document. | Windows/Linux event logs, application logs, performance counters, uptime monitors, change records. | Isolate server if compromised, stop affected service, block access path, snapshot/preserve before rebuild. | Restore services, verify application health, patch, validate authentication, monitor CPU/disk/network. | IT Manager, affected business owner, security lead; add legal/privacy/insurance if regulated data may be involved. | Identity services require redundancy. | Multiple DCs, DNS health checks, backups, replication monitoring. | Immediate | Related service | New |
| 72 | File server unavailable | Server & Infrastructure | File services | High | P1 – Immediate | File server | Users cannot access shares | Server/Systems Admin | 1 Confirm outage or compromise; 2 preserve system/event logs; 3 check resource health; 4 isolate if malicious; 5 validate dependencies; 6 restore service; 7 patch or rebuild; 8 verify apps; 9 monitor; 10 document. | Windows/Linux event logs, application logs, performance counters, uptime monitors, change records. | Isolate server if compromised, stop affected service, block access path, snapshot/preserve before rebuild. | Restore services, verify application health, patch, validate authentication, monitor CPU/disk/network. | IT Manager, affected business owner, security lead; add legal/privacy/insurance if regulated data may be involved. | File services need backup and access monitoring. | Cluster/replication, backup testing, storage monitoring, permissions review. | 15 minutes | Related service | New |
| 73 | Database server performance incident | Server & Infrastructure | Database | High | P2 – Urgent | Database server | High CPU/locks/slowness alerts | Server/Systems Admin | 1 Confirm outage or compromise; 2 preserve system/event logs; 3 check resource health; 4 isolate if malicious; 5 validate dependencies; 6 restore service; 7 patch or rebuild; 8 verify apps; 9 monitor; 10 document. | Windows/Linux event logs, application logs, performance counters, uptime monitors, change records. | Isolate server if compromised, stop affected service, block access path, snapshot/preserve before rebuild. | Restore services, verify application health, patch, validate authentication, monitor CPU/disk/network. | IT Manager, affected business owner, security lead; add legal/privacy/insurance if regulated data may be involved. | Performance incidents require baselines. | Capacity monitoring, query optimization, maintenance plans, backup validation. | 1 hour | Related service | New |
| 74 | Certificate expired | Server & Infrastructure | Certificate management | High | P2 – Urgent | Web/VPN/Email service | Certificate warning or service failure | Server/Systems Admin | 1 Identify the expired certificate and every service using it (web, VPN, mail, load balancer); 2 preserve service logs showing the failure; 3 issue or renew the certificate from the CA; 4 install the certificate and full chain on each endpoint; 5 reload or restart the services; 6 verify chain, SAN names and expiry with a client test; 7 update the certificate inventory and owner; 8 verify apps; 9 monitor; 10 document. | Certificate details (subject, SANs, issuer, expiry), CA issuance records, service/application logs, monitoring alerts. | Replace the certificate; temporarily restrict the affected service if replacement is delayed; never tell users to click through warnings. | Confirm a valid chain on every endpoint, no client warnings, inventory updated, renewal alert set. | IT Manager, affected business owner, security lead; add legal/privacy/insurance if regulated data may be involved. | Certificate lifecycle tracking is essential. | Certificate inventory, renewal alerts, automation, owner assignment. | 1 hour | Related service | New |
| 75 | Critical disk failure | Server & Infrastructure | Storage | High | P1 – Immediate | Server / Storage | RAID/disk alert | Server/Systems Admin | 1 Confirm outage or compromise; 2 preserve system/event logs; 3 check resource health; 4 isolate if malicious; 5 validate dependencies; 6 restore service; 7 patch or rebuild; 8 verify apps; 9 monitor; 10 document. | Windows/Linux event logs, application logs, performance counters, uptime monitors, change records. | Isolate server if compromised, stop affected service, block access path, snapshot/preserve before rebuild. | Restore services, verify application health, patch, validate authentication, monitor CPU/disk/network. | IT Manager, affected business owner, security lead; add legal/privacy/insurance if regulated data may be involved. | Hardware events need proactive replacement. | RAID monitoring, spare disks, lifecycle management, tested backups. | 30 minutes | Related service | New |
| 76 | Server patch causes outage | Server & Infrastructure | Change incident | High | P2 – Urgent | Server / Application | Outage after patch/reboot | Server/Systems Admin | 1 Confirm outage or compromise; 2 preserve system/event logs; 3 check resource health; 4 isolate if malicious; 5 validate dependencies; 6 restore service; 7 patch or rebuild; 8 verify apps; 9 monitor; 10 document. | Windows/Linux event logs, application logs, performance counters, uptime monitors, change records. | Isolate server if compromised, stop affected service, block access path, snapshot/preserve before rebuild. | Restore services, verify application health, patch, validate authentication, monitor CPU/disk/network. | IT Manager, affected business owner, security lead; add legal/privacy/insurance if regulated data may be involved. | Patching needs testing and rollback planning. | Maintenance windows, snapshots/backups, test environment, change approvals. | 1 hour | Related service | New |
| 77 | Unauthorized server login | Server & Infrastructure | Security event | Critical | P1 – Immediate | Server | Unexpected admin login or RDP/SSH activity | Security Engineer | 1 Confirm outage or compromise; 2 preserve system/event logs; 3 check resource health; 4 isolate if malicious; 5 validate dependencies; 6 restore service; 7 patch or rebuild; 8 verify apps; 9 monitor; 10 document. | Windows/Linux event logs, application logs, performance counters, uptime monitors, change records. | Isolate server if compromised, stop affected service, block access path, snapshot/preserve before rebuild. | Restore services, verify application health, patch, validate authentication, monitor CPU/disk/network. | IT Manager, affected business owner, security lead; add legal/privacy/insurance if regulated data may be involved. | Server access must be tightly controlled. | MFA/PAM, restricted RDP/SSH, jump boxes, log monitoring. | Immediate | Related service | New |
| 78 | Application service crash | Server & Infrastructure | Application outage | Medium | P2 – Urgent | Application server | Service stopped alert | Server/Systems Admin | 1 Confirm outage or compromise; 2 preserve system/event logs; 3 check resource health; 4 isolate if malicious; 5 validate dependencies; 6 restore service; 7 patch or rebuild; 8 verify apps; 9 monitor; 10 document. | Windows/Linux event logs, application logs, performance counters, uptime monitors, change records. | Isolate server if compromised, stop affected service, block access path, snapshot/preserve before rebuild. | Restore services, verify application health, patch, validate authentication, monitor CPU/disk/network. | IT Manager, affected business owner, security lead; add legal/privacy/insurance if regulated data may be involved. | Application dependencies need monitoring. | Service monitors, auto-restart rules, capacity baselines, vendor support. | 1 hour | Related service | New |
| 79 | Time synchronization failure | Server & Infrastructure | Infrastructure dependency | Medium | P3 – Normal | AD / Servers / Logs | Kerberos/log timestamp issues | Server/Systems Admin | 1 Confirm the drift (w32tm /monitor, chronyc or ntpq) on DCs, servers and logging hosts; 2 preserve logs and record the measured offset; 3 check the PDC emulator's external time source and the domain time hierarchy; 4 restore the correct source and resync; 5 confirm Kerberos errors clear (default tolerance is 5 minutes); 6 check SIEM ingestion timestamps for the affected window; 7 verify apps; 8 monitor; 9 harden the time hierarchy; 10 document. | W32Time/NTP service events, w32tm or NTP query output, Kerberos failure events, SIEM ingestion timestamps, change records. | Correct the authoritative time source, resync clients, record the offset so forensic timelines can be adjusted. | Confirm offset within tolerance across hosts, authentication normal, log timeline consistent. | IT Manager, affected business owner, security lead; add legal/privacy/insurance if regulated data may be involved. | Time drift breaks auth and forensics. | Reliable NTP, domain time hierarchy, monitoring, documentation. | 4 hours | Related service | New |
| 80 | Backup repository encrypted by ransomware | Backup & Disaster Recovery | Backup compromise | Critical | P1 – Immediate | Backup platform | Backup files encrypted or repository inaccessible | Backup/DR Admin | 1 Protect backup repository; 2 check last good backup; 3 verify immutability; 4 review admin changes; 5 test restore; 6 isolate affected backups; 7 coordinate recovery; 8 monitor jobs; 9 adjust retention; 10 document. | Backup job logs, repository access logs, retention settings, immutability status, restore test results. | Lock repository access, disable suspicious admin account, stop destructive jobs, preserve clean restore points. | Restore test selected data, validate clean recovery point, confirm schedules and immutable retention. | IT Manager, affected business owner, security lead; add legal/privacy/insurance if regulated data may be involved. | Backups must be isolated from production credentials. | Immutable/offline backups, separate admin accounts, repository MFA, segmentation. | Immediate | Related service | New |
| 81 | Backup job failed for critical server | Backup & Disaster Recovery | Backup failure | High | P2 – Urgent | Backup system | Failed backup alert | Backup/DR Admin | 1 Protect backup repository; 2 check last good backup; 3 verify immutability; 4 review admin changes; 5 test restore; 6 isolate affected backups; 7 coordinate recovery; 8 monitor jobs; 9 adjust retention; 10 document. | Backup job logs, repository access logs, retention settings, immutability status, restore test results. | Lock repository access, disable suspicious admin account, stop destructive jobs, preserve clean restore points. | Restore test selected data, validate clean recovery point, confirm schedules and immutable retention. | IT Manager, affected business owner, security lead; add legal/privacy/insurance if regulated data may be involved. | Backup monitoring must be actionable. | Daily backup review, alert escalation, capacity checks, test restores. | 2 hours | Related service | New |
| 82 | Restore test fails | Backup & Disaster Recovery | Recovery failure | High | P2 – Urgent | Backup/DR | Restore validation fails | Backup/DR Admin | 1 Protect backup repository; 2 check last good backup; 3 verify immutability; 4 review admin changes; 5 test restore; 6 isolate affected backups; 7 coordinate recovery; 8 monitor jobs; 9 adjust retention; 10 document. | Backup job logs, repository access logs, retention settings, immutability status, restore test results. | Lock repository access, disable suspicious admin account, stop destructive jobs, preserve clean restore points. | Restore test selected data, validate clean recovery point, confirm schedules and immutable retention. | IT Manager, affected business owner, security lead; add legal/privacy/insurance if regulated data may be involved. | Backups are only useful if restorable. | Scheduled restore testing, documented RTO/RPO, vendor review. | 4 hours | Related service | New |
| 83 | Retention policy changed unexpectedly | Backup & Disaster Recovery | Backup policy | High | P1 – Immediate | Backup platform | Retention reduced or changed | Backup/DR Admin | 1 Protect backup repository; 2 check last good backup; 3 verify immutability; 4 review admin changes; 5 test restore; 6 isolate affected backups; 7 coordinate recovery; 8 monitor jobs; 9 adjust retention; 10 document. | Backup job logs, repository access logs, retention settings, immutability status, restore test results. | Lock repository access, disable suspicious admin account, stop destructive jobs, preserve clean restore points. | Restore test selected data, validate clean recovery point, confirm schedules and immutable retention. | IT Manager, affected business owner, security lead; add legal/privacy/insurance if regulated data may be involved. | Attackers may reduce retention before ransomware. | Alert on retention changes, role separation, approval workflow. | 30 minutes | Related service | New |
| 84 | Immutable backup not enabled | Backup & Disaster Recovery | Backup gap | Medium | P3 – Normal | Backup platform | Audit finds no immutable copy | Backup/DR Admin | 1 Protect backup repository; 2 check last good backup; 3 verify immutability; 4 review admin changes; 5 test restore; 6 isolate affected backups; 7 coordinate recovery; 8 monitor jobs; 9 adjust retention; 10 document. | Backup job logs, repository access logs, retention settings, immutability status, restore test results. | Lock repository access, disable suspicious admin account, stop destructive jobs, preserve clean restore points. | Restore test selected data, validate clean recovery point, confirm schedules and immutable retention. | IT Manager, affected business owner, security lead; add legal/privacy/insurance if regulated data may be involved. | Immutability is key against ransomware. | Enable immutability, 3-2-1 strategy, offsite/offline copy. | 1 business day | Related service | New |
| 85 | Backup storage full | Backup & Disaster Recovery | Capacity | Medium | P3 – Normal | Backup storage | Repository capacity alert | Backup/DR Admin | 1 Protect backup repository; 2 check last good backup; 3 verify immutability; 4 review admin changes; 5 test restore; 6 isolate affected backups; 7 coordinate recovery; 8 monitor jobs; 9 adjust retention; 10 document. | Backup job logs, repository access logs, retention settings, immutability status, restore test results. | Lock repository access, disable suspicious admin account, stop destructive jobs, preserve clean restore points. | Restore test selected data, validate clean recovery point, confirm schedules and immutable retention. | IT Manager, affected business owner, security lead; add legal/privacy/insurance if regulated data may be involved. | Capacity issues can silently break recovery. | Capacity forecasting, retention tuning, alerts, storage expansion plan. | 4 hours | Related service | New |
| 86 | Cloud backup account compromised | Backup & Disaster Recovery | Backup identity | Critical | P1 – Immediate | Cloud backup | Suspicious admin login to backup portal | Backup/DR Admin | 1 Disable or restrict risky account; 2 revoke sessions/tokens; 3 reset password; 4 verify MFA; 5 review sign-ins and admin changes; 6 check mailbox/cloud activity; 7 remove unauthorized access; 8 notify owner; 9 monitor; 10 update access controls. | Sign-in logs, MFA logs, audit logs, session/token events, admin role changes, conditional access results. | Disable/restrict account, revoke tokens, reset password, remove unauthorized privileges, enforce MFA. | Validate sign-ins normalized, MFA enforced, privileges correct, risky sessions closed, monitoring active. | IT Manager, affected business owner, security lead; add legal/privacy/insurance if regulated data may be involved. | Backup portals need strong identity controls. | MFA, IP restrictions, admin role review, separate credentials, alerting. | Immediate | Related service | New |
| 87 | Disaster recovery failover required | Backup & Disaster Recovery | DR activation | Critical | P1 – Immediate | DR environment | Primary site/service unavailable | Incident Commander | 1 Incident Commander confirms the primary cannot be recovered within the RTO and declares DR; 2 verify DR replica status and the latest clean recovery point against the RPO; 3 if the cause is a cyber incident, confirm the DR environment is isolated from compromised credentials and stop replication from the primary; 4 execute the failover runbook (compute, storage, identity); 5 redirect DNS, network and VPN; 6 validate applications and data with their owners; 7 communicate status; 8 monitor; 9 plan failback; 10 document. | Replication status and recovery point timestamps, DR runbook checklist, failover logs, application validation results, communications log. | Stop replication from a compromised primary, restrict admin access to the DR environment, preserve the primary for forensics. | Validate applications at DR, confirm backups resume there, monitor, execute a tested failback. | IT Manager, affected business owner, security lead; add legal/privacy/insurance if regulated data may be involved. | DR plans must be tested before crisis. | DR runbooks, annual tests, RTO/RPO alignment, failover communications. | Immediate | Related service | New |
| 88 | Power outage | Physical / Facilities | Power | Critical | P1 – Immediate | Office / Server room | Utility outage or UPS alert | Facilities/Power Coordinator | 1 Confirm safety and scope; 2 notify facilities/ISP/vendor; 3 check UPS/generator; 4 protect systems from improper shutdown; 5 document downtime; 6 restore power/connectivity; 7 validate services; 8 communicate status; 9 review redundancy; 10 document. | UPS/generator logs, circuit/ISP status, environmental alerts, outage timeline, vendor tickets. | Shift to UPS/generator/failover, shut down gracefully, reroute connectivity, protect critical equipment. | Verify power/cooling/connectivity stable, systems online, monitoring green, users notified. | IT Manager, affected business owner, security lead; add legal/privacy/insurance if regulated data may be involved. | Power events need IT and facilities coordination. | UPS/generator testing, graceful shutdown plan, redundant power, monitoring. | Immediate | Related service | New |
| 89 | UPS battery failure | Physical / Facilities | Power protection | High | P2 – Urgent | Server room / Network closet | UPS battery alarm | Facilities/Power Coordinator | 1 Confirm safety and scope; 2 notify facilities/ISP/vendor; 3 check UPS/generator; 4 protect systems from improper shutdown; 5 document downtime; 6 restore power/connectivity; 7 validate services; 8 communicate status; 9 review redundancy; 10 document. | UPS/generator logs, circuit/ISP status, environmental alerts, outage timeline, vendor tickets. | Shift to UPS/generator/failover, shut down gracefully, reroute connectivity, protect critical equipment. | Verify power/cooling/connectivity stable, systems online, monitoring green, users notified. | IT Manager, affected business owner, security lead; add legal/privacy/insurance if regulated data may be involved. | UPS health must be tested regularly. | Battery replacement schedule, UPS monitoring, load testing. | 1 hour | Related service | New |
| 90 | Cooling failure in server room | Physical / Facilities | Environmental | Critical | P1 – Immediate | Server room | High temperature alert | Facilities/Power Coordinator | 1 Confirm the temperature reading and which racks are affected; 2 notify facilities/HVAC vendor; 3 start emergency cooling (portable units, improved airflow) if available; 4 power down non-critical equipment to cut heat load; 5 gracefully shut down critical systems before thermal limits are reached; 6 document downtime; 7 restore cooling and confirm temperature is back in range; 8 power up and validate services; 9 communicate status; 10 document. | Temperature/humidity sensor history, HVAC alarms, hardware health logs (thermal events, fan speeds), outage timeline, vendor tickets. | Shed load, shut down gracefully in priority order, fail over to DR/cloud services, protect critical equipment. | Verify temperature stable within range, systems online with no hardware errors, monitoring green, users notified. | IT Manager, affected business owner, security lead; add legal/privacy/insurance if regulated data may be involved. | Environmental monitoring prevents equipment damage. | Temperature sensors, HVAC maintenance, emergency cooling plan. | Immediate | Related service | New |
| 91 | Physical break-in at network closet | Physical / Facilities | Physical security | Critical | P1 – Immediate | Network closet | Door alert or evidence of tampering | Incident Commander | 1 Confirm safety and notify building security/management (and law enforcement if appropriate); 2 preserve the scene, door/badge logs and camera footage; 3 check equipment and cabling against the rack inventory; 4 inspect for unknown devices, added cables or altered connections; 5 review switch/firewall logs for port changes, new MAC addresses or console logins during the window; 6 treat any touched device as potentially compromised (reset credentials, compare configs to baseline); 7 rotate closet access codes/badges; 8 restore and validate services; 9 communicate status; 10 document. | Door/badge logs, camera footage, visitor logs, rack/equipment inventory, switch port and MAC logs, device console and config change logs, photos of the scene. | Disable ports for unknown devices, isolate suspect equipment, change closet access credentials, preserve physical evidence. | Verify inventory matches, no unknown devices or MACs remain, device configs match baseline, access controls restored, monitoring green. | IT Manager, affected business owner, security lead; add legal/privacy/insurance if regulated data may be involved. | Physical access can lead to cyber compromise. | Badge/access controls, cameras, locked racks, visitor logs. | Immediate | Related service | New |
| 92 | Lost backup drive | Physical / Facilities | Physical data loss | High | P2 – Urgent | Backup media | Backup media missing | Compliance/Privacy Lead | 1 Identify which backup sets and data classes were on the media; 2 confirm whether the media was encrypted and how the key is protected; 3 reconstruct the chain of custody from check-in/out and inventory logs; 4 notify privacy/compliance lead; 5 determine exposure (unencrypted media means the data must be presumed disclosed); 6 collect evidence; 7 retire any credentials or keys stored on the media and confirm remaining backups are intact; 8 prepare reporting if required; 9 monitor; 10 lessons learned. | Media inventory, check-in/out logs, encryption status and key custody records, backup catalog of the media's contents, data classification, affected records. | Revoke any keys/credentials held on the media, restrict further media movement, apply legal hold if required. | Confirm exposure scope and encryption status, complete reporting, reconcile remaining media inventory, verify encryption on all removable media. | IT Manager, affected business owner, security lead; add legal/privacy/insurance if regulated data may be involved. | Physical media requires encryption and chain of custody. | Encrypt removable media, inventory, check-in/out logs, secure storage. | 1 hour | Related service | New |
| 93 | Office internet circuit cut | Physical / Facilities | Connectivity | High | P1 – Immediate | WAN / Building | ISP/facility reports cable cut | Vendor/ISP Coordinator | 1 Confirm scope (which sites, circuits and services are down); 2 open an ISP ticket and record the reference; 3 fail over to the secondary ISP or LTE/5G link; 4 validate routing, DNS and site-to-site/remote VPN over the backup path; 5 defer non-essential traffic if backup bandwidth is limited; 6 confirm firewall policies apply to the failover interface; 7 restore the primary circuit when repaired and confirm failback; 8 monitor flows; 9 review redundancy; 10 report. | Firewall/router WAN interface and routing logs, failover event logs, ISP ticket and outage timeline, bandwidth and flow records during the outage. | Activate the backup circuit, reroute critical services, keep firewall/VPN policies enforced on the backup path. | Validate routing/VPN/firewall policies on both primary and backup paths, test connectivity, review logs for the failover window, monitor bandwidth. | IT Manager, affected business owner, security lead; add legal/privacy/insurance if regulated data may be involved. | Physical cable paths and redundancy matter. | Secondary ISP, LTE/5G failover, documented carrier contacts. | 15 minutes | Related service | New |
| 94 | Building access system outage | Physical / Facilities | Physical access | Medium | P2 – Urgent | Office facility | Badge/access system offline | Facilities/Power Coordinator | 1 Confirm scope and whether doors failed locked or unlocked; 2 notify facilities and the access-control vendor; 3 check controller power/battery and network connectivity; 4 activate the backup access procedure (staffed entry, manual entry log, keys for secure rooms); 5 keep network closets and server rooms physically secured; 6 document downtime; 7 restore the system; 8 verify badge rules and audit logging have resumed; 9 review redundancy; 10 document. | Access controller logs and status, battery/power logs, manual entry logs kept during the outage, vendor tickets, outage timeline, camera footage. | Staff the entrances, lock or physically guard sensitive rooms, verify that doors did not default to unlocked. | Verify controller online, doors fail-secure as designed, manual entries reconciled with expected staff, audit logging resumed. | IT Manager, affected business owner, security lead; add legal/privacy/insurance if regulated data may be involved. | Physical and IT access systems are linked. | Backup access procedures, vendor support, battery backup, audit logs. | 1 hour | Related service | New |
| 95 | Emergency evacuation affects IT operations | Physical / Facilities | Business continuity | High | P2 – Urgent | Office operations | Fire alarm/emergency closure | Incident Commander | 1 Confirm people are safe and accounted for; 2 activate the communication tree and notify management; 3 assess whether on-site systems are still running and reachable; 4 shut down gracefully or fail over to cloud/DR services only if it can be done remotely or once re-entry is safe; 5 enable remote work (VPN, cloud apps, phones) for affected staff; 6 confirm secure areas remain locked while the site is unattended; 7 document downtime and decisions; 8 validate services on return; 9 communicate status; 10 document. | Emergency notifications, timeline of evacuation and re-entry, monitoring/availability records, remote access logs, decision log. | Fail over to cloud/DR services, restrict on-site access until cleared, keep remote access available to staff. | Verify staff can work remotely or at the alternate site, systems validated on return, monitoring green, users notified. | IT Manager, affected business owner, security lead; add legal/privacy/insurance if regulated data may be involved. | BCP must include people and access constraints. | Remote work readiness, cloud access, alternate site plan, communication tree. | 30 minutes | Related service | New |
| 96 | Sensitive data exposed publicly | Compliance & Data Protection | Data exposure | Critical | P1 – Immediate | File share / Cloud storage | Public link or exposed repository found | Compliance/Privacy Lead | 1 Identify data involved; 2 preserve access logs; 3 restrict access; 4 notify privacy/compliance lead; 5 determine exposure; 6 collect evidence; 7 remediate permissions; 8 prepare reporting if required; 9 monitor; 10 lessons learned. | File access logs, DLP alerts, audit trails, object permissions, data classification, affected records. | Remove excessive access, stop sharing links, quarantine exposed data set, apply legal hold if required. | Validate permissions, confirm exposure scope, complete reporting, monitor access, verify DLP controls. | IT Manager, affected business owner, security lead; add legal/privacy/insurance if regulated data may be involved. | Data exposure requires fast scope and reporting review. | Data classification, DLP, access reviews, public sharing restrictions. | Immediate | Related service | New |
| 97 | HIPAA ePHI access concern | Compliance & Data Protection | Regulated data | Critical | P1 – Immediate | Healthcare data systems | Unusual PHI access or disclosure report | Compliance/Privacy Lead | 1 Identify data involved; 2 preserve access logs; 3 restrict access; 4 notify privacy/compliance lead; 5 determine exposure; 6 collect evidence; 7 remediate permissions; 8 prepare reporting if required; 9 monitor; 10 lessons learned. | File access logs, DLP alerts, audit trails, object permissions, data classification, affected records. | Remove excessive access, stop sharing links, quarantine exposed data set, apply legal hold if required. | Validate permissions, confirm exposure scope, complete reporting, monitor access, verify DLP controls. | IT Manager, affected business owner, security lead; add legal/privacy/insurance if regulated data may be involved. | Regulated data incidents require documented investigation. | HIPAA risk assessment, minimum necessary access, audit logs, workforce training. | Immediate | Related service | New |
| 98 | PCI cardholder data mishandled | Compliance & Data Protection | Regulated data | Critical | P1 – Immediate | Payment systems | Card data stored/shared improperly | Compliance/Privacy Lead | 1 Identify data involved; 2 preserve access logs; 3 restrict access; 4 notify privacy/compliance lead; 5 determine exposure; 6 collect evidence; 7 remediate permissions; 8 prepare reporting if required; 9 monitor; 10 lessons learned. | File access logs, DLP alerts, audit trails, object permissions, data classification, affected records. | Remove excessive access, stop sharing links, quarantine exposed data set, apply legal hold if required. | Validate permissions, confirm exposure scope, complete reporting, monitor access, verify DLP controls. | IT Manager, affected business owner, security lead; add legal/privacy/insurance if regulated data may be involved. | Payment data must remain in controlled systems. | PCI scope reduction, tokenization, DLP, access control, vendor validation. | Immediate | Related service | New |
| 99 | Audit log retention gap | Compliance & Data Protection | Logging gap | High | P2 – Urgent | SIEM / Logs | Logs missing or retention too short | SOC Analyst | 1 Identify which sources and time range are missing; 2 check agent/forwarder status, ingestion pipeline health and licence or storage limits; 3 determine whether logging was disabled or cleared on the source (treat as a possible attacker action until ruled out); 4 pull whatever still exists from the source systems before it rolls over; 5 restore collection; 6 extend retention to meet policy; 7 notify compliance lead if a required record is unrecoverable; 8 add alerting for silent sources; 9 monitor; 10 lessons learned. | SIEM ingestion and source health statistics, agent/forwarder logs, source-system audit settings and local event logs, retention configuration, time synchronization status, change records. | Re-enable logging on the source, restore the forwarder, preserve local logs, restrict audit configuration changes to administrators. | Validate all expected sources reporting, retention meets policy, timestamps consistent across sources, silent-source alert tested. | IT Manager, affected business owner, security lead; add legal/privacy/insurance if regulated data may be involved. | Investigations fail without logs. | Centralized logging, retention policy, time sync, alert on log source failure. | 4 hours | Related service | New |
| 100 | Unauthorized access to confidential folder | Compliance & Data Protection | Access violation | High | P2 – Urgent | File server / SharePoint | User accesses restricted folder unexpectedly | Compliance/Privacy Lead | 1 Identify data involved; 2 preserve access logs; 3 restrict access; 4 notify privacy/compliance lead; 5 determine exposure; 6 collect evidence; 7 remediate permissions; 8 prepare reporting if required; 9 monitor; 10 lessons learned. | File access logs, DLP alerts, audit trails, object permissions, data classification, affected records. | Remove excessive access, stop sharing links, quarantine exposed data set, apply legal hold if required. | Validate permissions, confirm exposure scope, complete reporting, monitor access, verify DLP controls. | IT Manager, affected business owner, security lead; add legal/privacy/insurance if regulated data may be involved. | Permissions drift over time without review. | Least privilege, access recertification, sensitivity labels, DLP alerts. | 1 hour | Related service | New |
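Steps 2, 3 and 5 of the DR failover row (incident 87) turn on one question: which restore point can be trusted? The script below is an added example, not the page's or any backup vendor's tooling. It takes a constructed list of backup job records (the field names `completed`, `status`, `immutable_until` and `verified` are assumptions, not a product schema), the time the repository is first believed to have been touched, and the agreed RPO, and returns the newest point that finished before the compromise, succeeded, passed verification and is still under an immutability lock. Points written after the compromise began are listed as suspect, and points that were never locked are listed separately because they can be restored but not proven untampered.

```python
"""Select a clean, still-immutable restore point after a suspected backup repository compromise.

Added example for the DR failover row (incident 87); it is not the page's own tooling.
The job records below are constructed to resemble a backup product's job export;
the field names are assumptions, not any vendor's schema.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

UTC = timezone.utc
DAILY_RPO = timedelta(hours=24)  # assumed recovery point objective for the sample


@dataclass(frozen=True)
class RestorePoint:
    job_id: str
    completed: datetime                  # UTC completion time of the backup job
    status: str                          # "Success", "Warning" or "Failed"
    immutable_until: Optional[datetime]  # None means the point was never locked
    verified: bool                       # integrity / verification job passed


# Constructed sample: nightly jobs around a repository admin change first seen at 22:30 UTC on 2 June.
COMPROMISE_START = datetime(2024, 6, 2, 22, 30, tzinfo=UTC)
NOW = datetime(2024, 6, 3, 9, 0, tzinfo=UTC)
SAMPLE_JOBS = [
    RestorePoint("J-1001", datetime(2024, 5, 31, 1, 0, tzinfo=UTC), "Success", datetime(2024, 6, 14, 1, 0, tzinfo=UTC), True),
    RestorePoint("J-1002", datetime(2024, 6, 1, 1, 0, tzinfo=UTC), "Success", None, True),  # lock never applied
    RestorePoint("J-1003", datetime(2024, 6, 2, 1, 0, tzinfo=UTC), "Success", datetime(2024, 6, 16, 1, 0, tzinfo=UTC), True),
    RestorePoint("J-1004", datetime(2024, 6, 2, 1, 30, tzinfo=UTC), "Warning", datetime(2024, 6, 16, 1, 30, tzinfo=UTC), False),
    RestorePoint("J-1005", datetime(2024, 6, 3, 1, 0, tzinfo=UTC), "Success", datetime(2024, 6, 17, 1, 0, tzinfo=UTC), True),  # ran after the compromise began
]


def is_clean(point: RestorePoint, compromise_start: datetime, now: datetime) -> bool:
    """A point is trusted only if it finished before the attacker could touch the repository,
    succeeded, passed verification, and its immutability lock has not expired."""
    return (
        point.status == "Success"
        and point.verified
        and point.completed < compromise_start
        and point.immutable_until is not None
        and point.immutable_until > now
    )


def assess_restore_points(points, compromise_start, now, rpo: timedelta) -> dict:
    """Return the newest clean point, the data-loss window it implies, and the jobs to treat as suspect."""
    clean = [p for p in points if is_clean(p, compromise_start, now)]
    best = max(clean, key=lambda p: p.completed) if clean else None
    gap = (compromise_start - best.completed) if best else None
    return {
        "clean_point": best.job_id if best else None,
        "rpo_gap_hours": round(gap.total_seconds() / 3600, 2) if gap is not None else None,
        "rpo_met": (gap <= rpo) if gap is not None else False,
        # Anything written after the compromise began may be encrypted, altered or planted.
        "suspect_jobs": sorted(p.job_id for p in points if p.completed >= compromise_start),
        # Unlocked points are restorable but cannot be proven untampered; flag them for the report.
        "unlocked_jobs": sorted(p.job_id for p in points if p.immutable_until is None),
    }


if __name__ == "__main__":
    result = assess_restore_points(SAMPLE_JOBS, COMPROMISE_START, NOW, rpo=DAILY_RPO)
    for key, value in result.items():
        print(f"{key}: {value}")
```

On the sample data the answer is J-1003, with a 21.5 hour gap to the compromise (inside a 24 hour RPO); J-1005 is suspect because it ran after the repository was touched, and J-1002 is flagged as never locked. The compromise start time is the most important input and the easiest to get wrong: take it from the earliest suspicious repository admin activity, not from when the alert fired.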
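The audit-log retention gap row (incident 99) ends with "alert on log source failure". The script below is an added example, not the page's own tooling, of the two checks that catch the gap before an investigation does: it parses constructed SIEM ingestion lines (the `<ISO-8601 UTC> <source> <message>` format is an assumption), reports every expected source that has gone quiet for longer than its normal interval or has never reported at all, and lists sources whose configured retention is shorter than the window an investigation needs. The source names, thresholds and retention figures are all constructed for the example.

```python
"""Detect silent log sources and retention shortfalls before an investigation needs the logs.

Added example for the audit-log retention gap row (incident 99); it is not the page's own tooling.
The ingestion lines, source list and retention figures below are constructed for the example;
the line format (timestamp, source, message) and the thresholds are assumptions.
"""
import re
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 6, 3, 9, 0, 0, tzinfo=timezone.utc)

# Longest silence that is normal for each expected source. Anything longer is a collection
# failure (agent stopped, forwarder broken) or, on a compromised host, someone disabling logging.
EXPECTED_SOURCES = {
    "fw-edge-01": timedelta(minutes=5),
    "vpn-gw-01": timedelta(minutes=15),
    "dc-01": timedelta(minutes=10),
    "m365-audit": timedelta(hours=2),
    "edr-console": timedelta(minutes=30),
}

# Configured retention per source versus the window an investigation realistically needs (assumed values).
RETENTION_DAYS = {"fw-edge-01": 30, "vpn-gw-01": 90, "dc-01": 365, "m365-audit": 90, "edr-console": 30}
REQUIRED_DAYS = 90

# Constructed SIEM ingestion records: "<ISO-8601 UTC> <source> <message>".
SAMPLE_EVENTS = """\
2024-06-03T08:40:12Z fw-edge-01 DENY tcp 203.0.113.7:51342 -> 10.0.0.5:445
2024-06-03T08:58:01Z vpn-gw-01 session-start user=jdoe src=198.51.100.22
2024-06-03T08:59:30Z fw-edge-01 ALLOW tcp 10.0.0.12:52100 -> 93.184.216.34:443
2024-06-03T06:10:05Z dc-01 EventID=4624 user=svc_backup
2024-06-03T08:59:55Z m365-audit New-InboxRule user=ceo@example.com
this line is malformed and must be skipped
2024-06-03T08:59:58Z fw-edge-01 DENY udp 10.0.0.9:1234 -> 10.0.0.1:53
"""

LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)\s+(?P<source>\S+)\s+(?P<msg>.*)$")


def parse_events(text: str) -> list:
    """Parse ingestion lines into (timestamp, source, message); unparseable lines are dropped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m["source"], m["msg"]))
    return events


def silent_sources(events, expected, now) -> dict:
    """Map each silent source to how long it has been quiet; None means it has never reported."""
    last_seen = {}
    for ts, source, _ in events:
        if source not in last_seen or ts > last_seen[source]:
            last_seen[source] = ts
    findings = {}
    for source, max_gap in expected.items():
        seen = last_seen.get(source)
        if seen is None:
            findings[source] = None
        elif now - seen > max_gap:
            findings[source] = now - seen
    return findings


def retention_gaps(retention, required_days) -> dict:
    """Sources whose configured retention is shorter than the investigation window."""
    return {source: days for source, days in retention.items() if days < required_days}


if __name__ == "__main__":
    for source, gap in silent_sources(parse_events(SAMPLE_EVENTS), EXPECTED_SOURCES, NOW).items():
        label = "never reported" if gap is None else f"last event {gap} ago"
        print(f"SILENT {source}: {label}")
    for source, days in retention_gaps(RETENTION_DAYS, REQUIRED_DAYS).items():
        print(f"RETENTION {source}: {days} days configured, {REQUIRED_DAYS} required")
```

On the sample, dc-01 is reported silent for 2h49m55s and edr-console as never reported, while fw-edge-01 and edr-console fall short of the 90-day window. A domain controller that stops reporting during business hours deserves the same triage as a security alert: the silence is either a broken pipeline or an attacker clearing or disabling the audit log, and step 3 of the playbook treats it as the latter until shown otherwise.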
For IT managers
Use the priority, SLA, escalation, and lesson-learned fields to coordinate the response, communicate business impact, and document management decisions.
For network engineers
Review firewall, VPN, routing, switching, DNS, DHCP, ISP, and segmentation incidents with clear containment and validation guidance.
For project managers
Convert incident lessons into remediation tasks, ownership, timelines, audit evidence, and continuous improvement milestones.