ARTICLE

5 Critical Playbooks Every SOC Needs

Essential response procedures that make the difference between containment and catastrophe

Reading time: 12 minutes

When an incident occurs, speed and consistency matter. SOC analysts need documented, tested procedures they can execute under pressure. Here are the five playbooks that form the foundation of effective incident response.

Why Playbooks Matter

During a ransomware attack, you don't have time to research or debate. Playbooks provide:

  • Speed: Pre-approved actions reduce decision time
  • Consistency: Every analyst follows the same process
  • Training: New analysts ramp up faster
  • Audit Trail: Document what was done and when

Playbook #1: Ransomware Response

Trigger: Detection of ransomware indicators (file encryption, ransom note, suspicious process behavior)

Objective: Prevent spread, preserve evidence, minimize encrypted systems

Step-by-Step Procedure:

1. Immediate Containment (First 5 Minutes)

  • Isolate affected endpoints via EDR (CrowdStrike, Defender, SentinelOne)
    • Network isolation, not power-off (preserve RAM)
    • Document which systems were isolated and when
  • Disable compromised accounts
    • Check last authentication: likely lateral movement vector
    • Reset passwords, revoke active sessions
    • Force MFA re-enrollment if account used for privilege escalation
  • Block C2 infrastructure
    • Extract IOCs from endpoint telemetry
    • Block at firewall, DNS, and proxy

2. Scope Assessment (Minutes 5-20)

  • Identify patient zero: Which system was initially compromised?
  • Timeline reconstruction: Use EDR and SIEM to build attack timeline
    • Initial access method (phishing, RDP, exploit?)
    • Dwell time (how long were they in the network?)
    • Lateral movement path
  • Identify encrypted data: What's been lost?
    • Check backup integrity immediately
    • Verify backups are offline/immutable

3. Eradication (Minutes 20-60)

  • Kill malicious processes on all affected systems
  • Delete ransomware artifacts (binaries, scripts, scheduled tasks)
  • Remove persistence mechanisms:
    • Registry keys (Run, RunOnce)
    • Scheduled tasks
    • Services
    • WMI subscriptions
  • Validate eradication: Scan for remaining IOCs

4. Recovery (Hour 1+)

  • Restore from backups (if encryption occurred)
  • Reimage affected systems (recommended over cleaning)
  • Rebuild domain controllers if compromised (golden ticket risk)
  • Rotate all credentials (domain admins, service accounts, local admin)
  • Monitor for re-infection for 72 hours minimum

Critical Don'ts:

  • ❌ Don't power off systems (loses RAM artifacts)
  • ❌ Don't pay ransom without legal/executive approval
  • ❌ Don't restore backups until threat is eradicated
  • ❌ Don't assume encryption is complete (may still be spreading)

Playbook #2: Phishing Response

Trigger: User reports suspicious email OR automated detection of malicious link/attachment

Objective: Prevent credential theft and malware execution across organization

Step-by-Step Procedure:

1. Immediate Actions (First 2 Minutes)

  • Quarantine email across all mailboxes (M365/Google Workspace admin center)
  • Block sender domain/email in email gateway
  • Extract IOCs:
    • Malicious URLs
    • Attachment hashes
    • Sender infrastructure (IP, domain)

2. Impact Assessment (Minutes 2-10)

  • Identify who received the email: Search mailbox logs
  • Check for clicks:
    • Proxy logs for malicious URL access
    • SafeLinks/URL rewriting logs (M365)
  • Check for credential submission:
    • Failed login attempts to external sites
    • Unusual login locations
    • Password reset requests
  • Check for malware execution: EDR process creation logs

3. Remediation (Minutes 10-30)

  • For users who clicked but didn't submit credentials:
    • Security awareness reminder email
    • No immediate action required unless malware detected
  • For users who submitted credentials:
    • Immediate password reset
    • Revoke all active sessions
    • Force MFA re-enrollment
    • Monitor account for 48 hours
  • For users who executed malware:
    • Isolate endpoint
    • Run full EDR scan
    • Follow malware response playbook

Playbook #3: Compromised Credentials

Trigger: Detection of credential theft, password spray, or account takeover

Objective: Prevent unauthorized access and lateral movement

Key Actions:

  1. Disable compromised account immediately
    • Azure AD / Active Directory disable
    • Terminate all active sessions
  2. Review account activity (last 30 days):
    • Login locations and times
    • Resource access (files, emails, apps)
    • Permission changes
    • Email forwarding rules created
  3. Search for persistence mechanisms:
    • OAuth app consents
    • API keys created
    • Service principals added
    • Email rules (forward, delete)
  4. Reset password securely:
    • Verify identity through out-of-band communication
    • Force MFA re-enrollment
    • Revoke refresh tokens
  5. Monitor for 72 hours post-reset for re-compromise

Playbook #4: Malicious Insider / Lateral Movement

Trigger: Detection of unusual internal activity suggesting compromised insider or lateral movement

Detection Indicators:

  • SMB shares accessed outside normal pattern
  • Remote PowerShell sessions to multiple systems
  • Credential dumping tools (Mimikatz, LaZagne)
  • Service account used from unexpected location
  • Mass file access or exfiltration

Response Steps:

  1. Isolate source system via EDR (prevent further movement)
  2. Identify scope: Which systems did the account touch?
  3. Disable account and force re-authentication everywhere
  4. Review privileged access: Did they escalate privileges?
  5. Check for data exfiltration:
    • Large file transfers to external IPs
    • Cloud storage uploads (OneDrive, Dropbox)
    • Email with large attachments
  6. Forensic imaging of affected systems (before reimaging)
  7. Rotate service account credentials potentially exposed

Playbook #5: Data Exfiltration

Trigger: Detection of unusual data transfer volumes or unauthorized data access

Immediate Actions:

  1. Block outbound connection if still active:
    • Firewall rule for destination IP/domain
    • Terminate network connection on source endpoint
  2. Identify what was accessed:
    • File access logs (SharePoint, file servers)
    • Database query logs
    • Email export logs
  3. Quantify exfiltrated data:
    • How much data? (GB transferred)
    • What type? (PII, PHI, financial, IP)
    • Regulatory implications? (GDPR, HIPAA breach notification)
  4. Preserve evidence:
    • Network packet captures
    • Firewall logs
    • Endpoint forensic artifacts
  5. Engage legal/compliance if PII/PHI involved
  6. Disable compromised account used for exfiltration
  7. Monitor for additional exfiltration attempts

Building Your Own Playbooks

These five playbooks cover 80% of incidents, but every SOC should customize them. Here's how:

1. Document Your Tools

Include specific commands for YOUR environment:

  • EDR: "CrowdStrike: containment via Falcon console → Hosts → Network Containment"
  • Email: "M365: compliance.microsoft.com → Threat Management → Search & Purge"
  • Identity: "Azure AD: portal.azure.com → Users → Revoke Sessions"

2. Define Escalation Paths

When does L1 analyst escalate to L2? When do you wake up the CISO?

3. Test Through Tabletops

Run through playbooks quarterly:

  • Does the EDR isolation button work?
  • Can analysts find the email quarantine UI?
  • Do we have permissions we think we have?

4. Measure and Improve

After every incident, conduct a retrospective:

  • What worked well?
  • What took longer than expected?
  • What step was confusing?
  • Update playbook accordingly

Common Playbook Mistakes

Avoid These Pitfalls:

  • Too generic: "Isolate affected system" without tool-specific instructions
  • Too complex: 50-page document no one reads under pressure
  • Never tested: Assumes permissions and tools work (they often don't)
  • No updates: Written in 2019, tools have changed
  • Missing context: No explanation of WHY each step matters

The BabarTech Playbook Library

All BabarTech MDR clients receive access to our playbook library covering 20+ incident types. Our playbooks include:

  • ✅ Tool-specific instructions (CrowdStrike, Defender, SentinelOne, M365, etc.)
  • ✅ Estimated time for each phase
  • ✅ Decision trees (if X, then Y)
  • ✅ Evidence collection checklists
  • ✅ Communication templates (for legal, executives, customers)
  • ✅ Regulatory considerations (GDPR, HIPAA, etc.)

Even better: our analysts execute these playbooks FOR you during incidents. You get the benefit of tested procedures without needing to train your team.

Conclusion

Playbooks transform chaos into process. During a ransomware attack, you don't have time to think—you need muscle memory. The five playbooks covered here (ransomware, phishing, compromised credentials, lateral movement, and data exfiltration) form the foundation of effective incident response.

Key Takeaways:

  • Document specific tools and commands, not generic advice
  • Test playbooks through tabletops and drills
  • Update after every incident
  • Keep them concise—1-2 pages maximum
  • Include decision points and escalation criteria

Want expert playbook execution?

Our SOC analysts follow these playbooks 24/7 to detect and respond to threats in minutes.

Learn More About MDR

Related Resources

GUIDE

MDR vs MSSP: What's the Difference?

Understanding the key differences between detection & response and traditional security services.

CASE STUDY

Ransomware Detection Case Study

Real-world example of detecting and containing ransomware in 8 minutes.

GUIDE

How Our MDR Works

Learn about our detection process, SLAs, and onboarding timeline.