# Incident Lifecycle The **Incident Response Lifecycle** defines the phases for managing a security incident from preparation through to post-incident review. It provides a consistent, repeatable process to ensure incidents are contained, eradicated, and recovered from effectively, while also capturing lessons to improve future response capability. *** ### 1. Preparation Preparation establishes the readiness of both ThreatDefence and the Customer to respond effectively to incidents. **Customer Responsibilities**: * Deploy the required ThreatDefence tools to provide visibility across the environment. * Ensure all contact details (phone numbers, email addresses, roles) are accurate and up to date. * Ensure nominated personnel are familiar with their responsibilities during an escalation. * Provide ThreatDefence with explicit authorization to perform endpoint and/or user isolation if required. *** ### 2. Detection and Analysis ThreatDefence continuously analyzes telemetry from multiple sources, including anomalous behavior, suspicious activity, endpoint detections, threat hunting findings, automated alerts, and customer-reported issues. **Triage Process**: * **Automated Analysis**: AI Assistant applies correlation, pattern recognition, and reasoning to reduce noise. * **Contextual Review**: SOC analysts validate detections, checking whether the activity is expected or suspicious. * **Correlation**: Detections are compared against related telemetry and threat intelligence to determine scope. * **Severity Confirmation**: Initial severity may be adjusted. Critical detections are escalated immediately. * **Decision**: SOC determines whether the detection should be closed, noted, or escalated. **Possible Outcomes**: * **Alert Closure** – benign activity, false positive, or expected behavior. * **SOC Notification** – informational, low-severity notification sent to the customer. * **Incident Declaration** – malicious or credible threat requiring immediate response. *** ### 3. Incident Declaration and Escalation An **Incident Declaration** is made when activity is assessed as a credible threat requiring immediate response. * If confirmed as malicious, a major incident is declared, and all stakeholders from ThreatDefence and the Customer are notified per the escalation matrix. * ThreatDefence declares an incident if there is reasonable suspicion of compromise. * Customers can also trigger Incident Response directly by contacting the SOC phone line or requesting escalation during an investigation. *** ### 4. Threat Containment The SOC team acts to minimize impact and stop the threat. **ThreatDefence Actions**: * Isolate affected endpoints (via agent). * Disable compromised accounts in Entra ID (Microsoft 365). **Customer IT Actions (with SOC guidance)**: * Rotate credentials for affected accounts. * Block identified indicators of compromise (files, processes, registry keys). * Shut down affected systems to prevent further spread. * Block or restrict specific network traffic. *** ### 5. Eradication and Recovery Once contained, the SOC and Customer teams focus on removing malicious artifacts and restoring systems. * **Root Cause Analysis**: Confirm the attack vector and identify persistence mechanisms. * **Artifact Removal**: Eliminate malware, scripts, or unauthorized accounts. * **Credential Actions**: Reset or disable compromised accounts. * **System Rebuilds**: Re-image affected systems if required. **Recovery Phase**: * Verify endpoints and services are clean. * Validate security controls are functioning. * Reconnect systems to the production network under SOC supervision. *** ### 6. Post-Incident Activities After resolution, a structured post-incident review may be conducted to capture lessons and strengthen processes. **Lessons Learned**: * Review attack vector, detection timelines, and response effectiveness. * Identify weaknesses in processes, tools, or communications. * Ensure all parties contribute to a complete picture of the incident. **Improvements**: * Provide recommendations to improve endpoint protection, policies, or access controls. * Update incident response playbooks with findings. * Strengthen security posture to improve efficiency in future incidents. *** The Incident Response Lifecycle ensures that both ThreatDefence and Customers have a **repeatable, well-defined process** for managing incidents, minimizing risk, and continuously improving operational resilience.