Playbook

DFIR: First 60 minutes (lean teams)

When an incident hits, speed matters — but evidence matters more. This playbook helps lean teams preserve evidence, contain safely, and keep leadership in control.

  • Control
  • Traceability
  • Defensible actions
  • Calm under pressure

At a glance

  • Preserve first, then contain
  • Stop the spread without destroying evidence
  • Executive comms + decision log
  • Minimal data collection checklist

Designed for real life.


When to use this

Use this playbook when you suspect compromise and need to act fast without making the situation worse.

Trigger

Run this when you see

  • Suspicious sign-ins, privilege changes, or MFA resets
  • Email forwarding rules, mailbox delegation, or BEC indicators
  • Endpoint malware detection, EDR alerts, or unusual processes
  • Ransom note, encryption activity, or sudden service outages

Principle

Most investigations are lost in the first hour, when well-meant fixes overwrite the logs and artifacts that would have explained what happened. The fix is simple: preserve first, then contain.

Do

Preserve evidence before heavy changes

Your first moves should improve visibility — not erase it.

Avoid

“Panic fixes” that destroy timelines

Rebuilding servers, wiping endpoints, resetting every credential, or changing everything at once removes the story you need to prove what happened, and leaves you unable to show when the attacker got in, what they touched, or whether they are really gone.

Step-by-step: first 60 minutes

Lean, executable, and defensible.

0–10 minutes

Stabilize and appoint control

  • Name an Incident Lead and an Ops Lead (two people, minimum).
  • Start a Decision Log: time, action, who approved, why.
  • Create a dedicated incident channel (internal) and a single executive update thread.
  • Do not “fix everything” yet. First, confirm what you’re seeing.

Template

Decision Log template (copy/paste)

  • Timestamp (UTC): what time the decision/action happened
  • Decision / action: what was approved (exact change)
  • Owner: who executed it (name/role)
  • Approver: who authorized it (Incident Lead / Exec)
  • Reason + expected impact: why we did it + what we expect to happen

Tip: attach evidence references (log export ID, screenshot, ticket link) whenever possible.
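The template above becomes far more defensible if each entry commits to the one before it, so a later edit or a deleted line can be detected when the log is replayed. The following is an added example, not tooling from this playbook: a Decision Log kept as hash-chained JSONL using only the Python standard library. The entries, names, hostnames and evidence IDs in `demo()` are constructed for illustration.

```python
# Added example (not part of the playbook): a Decision Log kept as a
# hash-chained JSONL file, so a later edit or deleted entry is detectable.
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash for the first entry


def _digest(body: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so equal fields hash equally.
    canon = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()


class DecisionLog:
    """Append-only list of template entries; each commits to the one before."""

    def __init__(self, entries=None):
        self.entries = list(entries or [])

    def record(self, action, owner, approver, reason, evidence_refs=(), ts=None):
        """Append one entry and return its hash. ts defaults to now (UTC)."""
        when = ts or datetime.now(timezone.utc)
        body = {
            "timestamp_utc": when.astimezone(timezone.utc).isoformat(timespec="seconds"),
            "action": action,                      # exact change that was approved
            "owner": owner,                        # who executed it
            "approver": approver,                  # who authorized it
            "reason": reason,                      # why, and expected impact
            "evidence_refs": list(evidence_refs),  # log export IDs, tickets, screenshots
            "prev_hash": self.entries[-1]["hash"] if self.entries else GENESIS,
        }
        entry = dict(body, hash=_digest(body))
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        """Replay the chain; return (True, None) or (False, index of first bad entry)."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "hash"}
            if e.get("prev_hash") != prev or _digest(body) != e.get("hash"):
                return False, i
            prev = e["hash"]
        return True, None

    def to_jsonl(self) -> str:
        return "".join(json.dumps(e, sort_keys=True) + "\n" for e in self.entries)

    @classmethod
    def from_jsonl(cls, text: str):
        return cls(json.loads(line) for line in text.splitlines() if line.strip())


def demo():
    """Constructed sample entries; names, hostnames and IDs are invented."""
    log = DecisionLog()
    t0 = datetime(2024, 5, 3, 9, 12, tzinfo=timezone.utc)
    log.record("Open incident channel #ir-2024-0503; appoint leads",
               "B. Chen (Incident Lead)", "CISO",
               "EDR alert on WS-017; need a single control point",
               ["edr-alert-4471"], ts=t0)
    log.record("Network-isolate WS-017 via EDR console (no reimage)",
               "D. Okafor (Ops Lead)", "B. Chen",
               "Stop lateral movement, keep disk and memory intact",
               ["edr-alert-4471", "screenshot-isolate-0918.png"], ts=t0.replace(minute=18))
    log.record("Export sign-in and audit logs for the last 30 days",
               "D. Okafor (Ops Lead)", "B. Chen",
               "Preserve identity timeline before any resets",
               ["audit-export-7f3a"], ts=t0.replace(minute=23))
    return log


if __name__ == "__main__":
    log = demo()
    print(log.to_jsonl())
    print("chain ok:", log.verify())
```

Keep the JSONL file in the incident channel's shared storage and re-run `verify()` before it goes into any report; an edited field or a removed entry shows up as the index of the first entry that no longer matches.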

10–25 minutes

Preserve the timeline

  • Confirm clock sync (NTP) on the systems you will pull logs from, note each log source's time zone, and record the current UTC time so events can be correlated across sources.
  • Export high-signal logs before retention windows roll them off: identity, admin/audit, email, endpoint alerts. Hash each export and note its export ID.
  • Snapshot key accounts: recent sign-ins, MFA status and registered methods, role assignments.
  • Record affected assets: user IDs, hostnames, IPs, mailbox, tenant, timestamps.

25–45 minutes

Contain without destroying evidence

  • Isolate affected endpoints (network isolation preferred over wipe/reimage, so disk and memory stay available for analysis). Log the isolation time.
  • Revoke suspicious sessions and tokens and force re-authentication where needed, after the sign-in and session data has been exported.
  • Remove malicious email forwarding rules and mailbox delegates (capture before removing, so the rule definitions and their targets survive as evidence).
  • Limit privilege escalation: temporary freeze on role and permission changes until control is restored, with an approved-exceptions path through the Incident Lead.

45–60 minutes

Executive posture and next moves

  • Produce a one-page situation report: what we know, what we don’t, what we did, what’s next.
  • Assign owners for: investigation, containment, communications, and business continuity.
  • Decide: internal-only response vs external IR support and legal/compliance involvement.
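The "capture before removing" rule in the 25–45 minute step is the one most often skipped under pressure, and the same capture-and-hash routine is what the 10–25 minute account snapshots need. The following is an added example, not this playbook's tooling and not any vendor's API: it writes a mailbox's inbox rules to an evidence file, verifies the file on disk against its SHA-256, and only then hands the suspicious rule IDs to a caller-supplied `remove_rule` function. The rule shape, the sample rules, `ORG_DOMAINS` and the mailbox name are constructed assumptions; in practice `remove_rule` would wrap the tenant's admin API.

```python
# Added example (not the playbook's tooling): capture, verify, then act.
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

ORG_DOMAINS = {"example.com"}  # assumption: the organisation's own mail domains

# Constructed sample rules in a vendor-neutral shape (not any product's API output).
SAMPLE_RULES = [
    {"id": "r1", "name": "Receipts", "forward_to": ["finance@example.com"], "delete_after": False},
    {"id": "r2", "name": "Sync", "forward_to": ["acct.review@mail-relay.invalid"], "delete_after": True},
    {"id": "r3", "name": "Newsletters", "forward_to": [], "move_to": "Archive"},
]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def capture_rules(mailbox: str, rules: list, evidence_dir: Path) -> dict:
    """Write the rules to an evidence file and return a manifest with its hash."""
    evidence_dir.mkdir(parents=True, exist_ok=True)
    captured_at = datetime.now(timezone.utc).isoformat(timespec="seconds")
    record = {"mailbox": mailbox, "captured_at": captured_at, "rules": rules}
    blob = json.dumps(record, sort_keys=True, indent=1).encode("utf-8")
    path = evidence_dir / (mailbox.replace("@", "_at_") + "-inbox-rules.json")
    path.write_bytes(blob)
    on_disk = path.read_bytes()  # hash what is on disk, not the in-memory copy
    return {"path": str(path), "sha256": sha256_hex(on_disk), "captured_at": captured_at}


def is_external(address: str) -> bool:
    return address.rsplit("@", 1)[-1].lower() not in ORG_DOMAINS


def suspicious_rule_ids(rules: list) -> list:
    """Rules that forward to an external address or delete the message."""
    flagged = []
    for r in rules:
        external = [a for a in r.get("forward_to", []) if is_external(a)]
        if external or r.get("delete_after"):
            flagged.append(r["id"])
    return flagged


def contain_mailbox(mailbox, rules, evidence_dir, remove_rule):
    """Capture -> verify the capture -> only then remove.
    remove_rule(mailbox, rule_id) is supplied by the caller (the tenant's admin API);
    nothing is removed if the evidence file cannot be verified."""
    manifest = capture_rules(mailbox, rules, Path(evidence_dir))
    if sha256_hex(Path(manifest["path"]).read_bytes()) != manifest["sha256"]:
        raise RuntimeError("evidence file does not match its recorded hash; not proceeding")
    removed = []
    for rule_id in suspicious_rule_ids(rules):
        remove_rule(mailbox, rule_id)
        removed.append(rule_id)
    return manifest, removed


def demo():
    """Run the flow against the sample in a temporary evidence directory."""
    calls = []  # records what the (simulated) admin API was asked to do
    with tempfile.TemporaryDirectory() as d:
        manifest, removed = contain_mailbox("j.doe@example.com", SAMPLE_RULES, d,
                                            lambda mb, rid: calls.append((mb, rid)))
        saved = json.loads(Path(manifest["path"]).read_text("utf-8"))
    return {"removed": removed, "calls": calls, "saved_rules": saved["rules"],
            "sha256": manifest["sha256"]}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The manifest's path and hash are what you attach to the Decision Log entry for the removal; the internal-only rule (`r1`) is left alone, and the external forward that also deletes the original (`r2`) is the one removed.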

Minimum evidence checklist

Collect only what you can reliably preserve and explain.

Checklist

Capture these before major changes

  • Identity/auth logs (sign-ins, MFA changes, risky sign-ins)
  • Admin/audit logs (role changes, policy edits, logging changes)
  • Email artifacts (forwarding rules, mailbox access, suspicious messages)
  • Endpoint detections (EDR events, malware, suspicious processes)
  • Affected asset list + time window + user list
  • Decision Log (actions and approvals)

Want the baseline that makes this easier? Minimum viable logging →