IT KORR Knowledge Center
Microsoft Security Operations Playbook
A playbook of specific response actions for common Microsoft 365 security incident scenarios.
Scenario: Compromised User Account
- Disable sign-in immediately.
- Revoke all active session tokens.
- Require password reset with identity verification.
- Review mailbox rules and forwarding for persistence mechanisms.
Scenario: Compromised Device
- Isolate the device via Defender for Endpoint.
- Review Defender XDR incident for related indicators on other devices.
- Preserve forensic state before remediation.
Scenario: Phishing Campaign in Progress
- Purge the malicious message across all reached mailboxes.
- Block the sender domain.
- Identify and remediate any users who interacted with the message.
Related Resources
- Microsoft 365 Incident Response — /knowledge-center/cloud-productivity/microsoft-365-security/microsoft-365-incident-response