Start with Identity
Template · runbook

Identity Incident Response Runbook

A starting runbook for responding to a suspected account takeover or identity compromise: contain, investigate, recover, and learn.


A starting template for a suspected identity compromise (account takeover, stolen session, privilege abuse). Adapt to your tools and severity tiers, and rehearse it before you need it.

1. Detect and triage

  • Confirm the signal: anomalous login, impossible travel, MFA fatigue, new device, risky OAuth grant.
  • Classify severity (single user vs privileged vs widespread).
  • Open an incident and assign an owner and scribe.

2. Contain

  • Revoke active sessions and tokens for the affected identity; a password reset alone does not end sessions that are already established.
  • Disable the account or force step-up authentication; require re-authentication with phishing-resistant MFA.
  • Rotate any credentials or secrets the identity could access.
  • Review and revoke suspicious OAuth app grants and new MFA enrollments.

3. Investigate

  • Reconstruct the timeline from IdP, EDR, and SIEM logs.
  • Determine entry vector (phishing, infostealer, help-desk social engineering, leaked credential).
  • Identify lateral movement and what data or systems were reached.
  • Check for persistence: added devices, app passwords, mail rules, new admin grants.

4. Recover

  • Restore access through a verified, high-assurance path (not the channel that was abused).
  • Remove attacker persistence and confirm clean state.
  • Re-enable the account with hardened controls.

5. Learn

  • Document root cause and the control that would have prevented or detected it sooner.
  • Close the gap (MFA coverage, recovery hardening, session controls, detection rule).
  • Update this runbook and rehearse the scenario.
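As an added example, not part of the original runbook, the following Python helper runs two of the step 1 signals (impossible travel and MFA fatigue) over constructed IdP sign-in events in JSON-lines form, the kind of check a triage engineer would script before reconstructing the step 3 timeline. The field names, the thresholds (900 km/h, three denied prompts within ten minutes) and the sample records are assumptions, not any vendor's log schema.

```python
import json
from datetime import datetime, timedelta
from math import radians, sin, cos, asin, sqrt

# Constructed IdP sign-in events for one user (sample data, not real logs).
SAMPLE_LOG = """\
{"ts":"2024-05-01T08:00:00Z","user":"alice","result":"success","mfa":"approved","lat":51.50,"lon":-0.12,"ip":"203.0.113.7"}
{"ts":"2024-05-01T08:20:00Z","user":"alice","result":"success","mfa":"approved","lat":37.77,"lon":-122.42,"ip":"198.51.100.9"}
{"ts":"2024-05-01T22:01:00Z","user":"alice","result":"failure","mfa":"denied","lat":37.77,"lon":-122.42,"ip":"198.51.100.9"}
{"ts":"2024-05-01T22:02:00Z","user":"alice","result":"failure","mfa":"denied","lat":37.77,"lon":-122.42,"ip":"198.51.100.9"}
{"ts":"2024-05-01T22:03:00Z","user":"alice","result":"failure","mfa":"denied","lat":37.77,"lon":-122.42,"ip":"198.51.100.9"}
{"ts":"2024-05-01T22:05:00Z","user":"alice","result":"success","mfa":"approved","lat":37.77,"lon":-122.42,"ip":"198.51.100.9"}
"""

def parse_events(text):
    """Parse JSON-lines sign-in events and sort them by timestamp."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
    return sorted(events, key=lambda e: e["ts"])

def km_between(a, b):
    """Great-circle (haversine) distance in km between two events' geolocations."""
    lat1, lon1, lat2, lon2 = map(radians, (a["lat"], a["lon"], b["lat"], b["lon"]))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))

def impossible_travel(events, max_kmh=900):
    """Flag consecutive successful logins whose implied travel speed exceeds max_kmh."""
    flagged = []
    successes = [e for e in events if e["result"] == "success"]
    for prev, cur in zip(successes, successes[1:]):
        dist = km_between(prev, cur)
        hours = (cur["ts"] - prev["ts"]).total_seconds() / 3600
        if dist > 0 and (hours == 0 or dist / hours > max_kmh):
            flagged.append((prev["ip"], cur["ip"], round(dist)))
    return flagged

def mfa_fatigue(events, min_denials=3, window=timedelta(minutes=10)):
    """Flag an approved MFA sign-in preceded by >= min_denials denied prompts within window."""
    flagged = []
    for i, e in enumerate(events):
        if e["result"] != "success" or e["mfa"] != "approved":
            continue
        denials = sum(1 for p in events[:i]
                      if p["mfa"] == "denied" and e["ts"] - p["ts"] <= window)
        if denials >= min_denials:
            flagged.append((e["ts"].isoformat(), denials))
    return flagged

if __name__ == "__main__":
    ev = parse_events(SAMPLE_LOG)
    print(impossible_travel(ev), mfa_fatigue(ev))
```

Each flagged tuple carries the evidence (IPs and distance, or timestamp and denial count) that goes straight into the incident timeline.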

See the breach teardowns for real examples of each entry vector.

Free to copy and adapt. Independent, community-driven, no email gate.