IR 2.0 Framework · v0.1.0
DOCUMENT 05 / 05 · THE PLAYBOOKS

Top 5 Playbooks.

Templates to ship first — for maximum impact across the most common incident types.

These five playbooks cover the highest-volume, highest-impact incidents your program will face. Each template provides a frame you can adapt to your tools and tenants. Start with Playbook 01 — it gives you a fighting chance against both ransomware and credential theft on day one.

Series: IR 2.0
Document: 05 of 05
Version: 0.1.0 · 2026
License: CC BY 4.0
05 / Playbooks
Index

Five playbooks. One pattern. Different muscles.

Each follows the same anatomy — Severity, Trigger, RS level, Owner, Immediate Actions, Investigation, Recovery — so the team builds one mental model and applies it everywhere.

#    Playbook                                 Use case                            Severity        RS
01   Endpoint Quarantine + Identity Revoke    Ransomware · Stolen Credentials     P1 / Critical   RS-2
02   Phishing Burst Response                  Mass phishing campaign              P2 / High       RS-1
03   SaaS Consent Kill                        Risky OAuth app consent             P2 / High       RS-2
04   Stolen Credential Response               Compromised account                 P2 / High       RS-2
05   Data Exfiltration Suspect                Unusual data transfer               P1–P2           RS-3
RS-1 · Easily reversible

Auto-execute. Quarantined emails restorable, blocklists revertible.

RS-2 · Reversible with effort

Auto-execute by default. Isolation lifts, tokens reissue, accounts re-enable.

RS-3 · Approval required

Human gate. Egress blocks, deletions, business-impacting actions.
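To make the RS gating in the index concrete, here is an added example (not part of the IR 2.0 framework's own tooling) of a small playbook runner that auto-executes RS-1 and RS-2 actions, parks RS-3 actions until the Incident Commander approves them by name, and keeps an undo for every executed step. The `tenant` dictionary and `set_toggle` helper are a constructed stand-in for EDR, IdP and firewall connectors; the action list wires Playbook 01's isolate / revoke / disable steps to Playbook 05's egress block.

```python
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Callable, Dict, List
class RS(IntEnum):
    """Reversibility level from the index: RS-1/RS-2 auto-execute, RS-3 needs a human gate."""
    RS1 = 1  # easily reversible: quarantined mail, blocklist entries
    RS2 = 2  # reversible with effort: isolation, session revoke, account disable
    RS3 = 3  # approval required: egress blocks, deletions

@dataclass
class Action:
    name: str
    rs: RS
    run: Callable[[], str]   # forward step, returns an audit note
    undo: Callable[[], str]  # rollback step, kept so every executed action stays reversible

@dataclass
class RunState:
    executed: List[str] = field(default_factory=list)  # audit notes of actions taken
    pending: List[str] = field(default_factory=list)   # RS-3 actions parked for the IC
    undo_stack: List[Callable[[], str]] = field(default_factory=list)

def run_playbook(actions: List[Action], approvals: Dict[str, bool]) -> RunState:
    """RS-1/RS-2 actions run immediately; an RS-3 action runs only if approved by name."""
    state = RunState()
    for a in actions:
        if a.rs >= RS.RS3 and not approvals.get(a.name, False):
            state.pending.append(a.name)  # human gate: park it, never execute silently
            continue
        state.executed.append(a.run())
        state.undo_stack.append(a.undo)
    return state

def roll_back(state: RunState) -> List[str]:
    """Undo executed actions in reverse order, e.g. once the alert proves a false positive."""
    return [undo() for undo in reversed(state.undo_stack)]

# Constructed in-memory tenant standing in for EDR, IdP and firewall (hypothetical, not a real API).
tenant: Dict[str, set] = {"isolated": set(), "revoked": set(), "disabled": set(), "egress_blocked": set()}
def set_toggle(name: str, rs: RS, bucket: str, item: str) -> Action:
    """Action that records `item` in tenant[bucket] on run and removes it again on undo."""
    def run(): tenant[bucket].add(item); return f"{name}:{item}"
    def undo(): tenant[bucket].discard(item); return f"undo-{name}:{item}"
    return Action(name, rs, run, undo)

def playbook_01_and_05(host: str, user: str, dest: str) -> List[Action]:
    """Playbook 01 steps 1, 3 and 4 (all RS-2) followed by the Playbook 05 egress block (RS-3)."""
    steps = [("isolate", RS.RS2, "isolated", host), ("revoke", RS.RS2, "revoked", user),
             ("disable", RS.RS2, "disabled", user), ("egress-block", RS.RS3, "egress_blocked", dest)]
    return [set_toggle(*s) for s in steps]
```

Without an approval entry the egress block stays in `pending` while the three RS-2 steps have already run; the same list re-run with `{"egress-block": True}` executes all four, and `roll_back` reverses them in the opposite order.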

IR 2.0 · Top 5 Playbooks v0.1.0 · © 2026 Deretti Cyber Labs · CC BY 4.0 02
01

Endpoint Quarantine + Identity Revoke

Use case: Ransomware response · Stolen credentials
Severity: P1 / Critical · RS-2 · Reversible with effort
Trigger: EDR alert — mass file encryption, suspicious process execution, known ransomware behavior

Immediate actions — first 15 minutes

  1. Isolate. Use EDR to network-isolate the host. Stops lateral movement.
  2. Identify. Determine which user was logged in and what credentials may be compromised.
  3. Revoke. In the IdP (Entra ID, Okta, etc.), revoke all active sessions for the user.
  4. Disable. Temporarily disable the account to prevent re-authentication.
  5. Notify. Alert the Incident Commander and create the incident ticket.

Investigation

  • Collect a memory image from the isolated endpoint, if possible.
  • Review the EDR timeline for initial access vector.
  • Check SIEM for lateral-movement indicators.
  • Determine scope — how many endpoints, how many users.
  • Verify backup integrity. Are the backups intact?

Recovery

  • Rebuild the affected endpoint from a known-good image.
  • Reset the user password with a strong, unique credential.
  • Re-enable the account with MFA verification.
  • Restore files from immutable backup if needed.
  • Monitor 48 – 72 hours for re-infection indicators.
02

Phishing Burst Response

Use case: Mass phishing campaign — auto-notify and mailbox sweep
Severity: P2 / High · RS-1 · Easily reversible
Trigger: Multiple users report the same email · email gateway campaign alert

Immediate actions

  1. Identify. Phishing indicators — sender, subject, URLs, attachment hashes.
  2. Search. Use eDiscovery / Content Search to locate every instance.
  3. Quarantine. Remove all instances from user mailboxes.
  4. Block. Add sender / domain to the email gateway blocklist.
  5. Notify. Send a company-wide alert about the campaign.

Assess impact

  • Check email logs — who received it, opened it, clicked.
  • If credentials entered → execute Playbook 04.
  • If malware downloaded → execute Playbook 01.
  • Contact users who clicked for additional investigation.
03

SaaS Consent Kill

Use case: Risky OAuth app consent · unusual scopes granted
Severity: P2 / High · RS-2 · Reversible with effort
Trigger: Alert for OAuth consent to unknown / risky application

Immediate actions

  1. Identify. App name, publisher, permissions requested (SPNs / scopes).
  2. Enumerate. How many users granted consent to this app.
  3. Revoke. Remove app permissions for all affected users.
  4. Rotate. If it is an enterprise app, rotate any secrets or certificates.
  5. Block. Add the application to the IdP blocklist.
  6. Notify. Alert data owners whose data may have been accessed.

Investigation

  • Review app activity logs — what data was accessed.
  • Check for data-exfiltration indicators.
  • If consent was granted via phishing → execute Playbook 02.
04

Stolen Credential Response

Use case: Compromised account — step-up auth, reset workflow
Severity: P2 / High · RS-2 · Reversible with effort
Trigger: User report · impossible-travel alert · dark-web exposure

Immediate actions

  1. Revoke. Terminate all active sessions for the user.
  2. Reset. Force a new password on next login.
  3. Step up. Force MFA re-enrollment or verification.
  4. Review. Check sign-in logs for suspicious access.
  5. Persist? Look for persistence: new MFA devices, app passwords, forwarding rules.

If a privileged account

  • Disable the account immediately.
  • Audit all actions taken with privileged access.
  • Check for new admin accounts created.
  • Review changes to security configurations.
  • Consider rotating service-account credentials.
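Step 5 of Playbook 04 and the privileged-account checklist are log questions. As an added example, not from the framework, the function below scans a constructed identity audit log for persistence changes where the compromised user is either the target or the actor, starting a configurable lookback before the first suspicious sign-in so that a device registered shortly before the alert is not missed. The event schema and operation names are assumptions, not any vendor's audit format.

```python
from datetime import datetime, timedelta
from typing import Dict, List

# Persistence changes named in Playbook 04 step 5 and the privileged-account checklist.
PERSISTENCE_OPS = {
    "mfa_device_added": "new MFA device",
    "app_password_created": "app password",
    "inbox_forwarding_rule_created": "forwarding rule",
    "admin_account_created": "new admin account",
    "admin_role_assigned": "admin role assignment",
}

def parse_ts(ts: str) -> datetime:
    """ISO-8601 with a trailing Z, as the constructed events use."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def persistence_findings(events: List[Dict[str, str]], user: str, first_suspicious: str,
                         lookback_hours: int = 24) -> List[Dict[str, str]]:
    """Persistence-style changes where `user` is the target or the actor, from `lookback_hours`
    before the first suspicious sign-in onward (a device may be added before the alert fires)."""
    start = parse_ts(first_suspicious) - timedelta(hours=lookback_hours)
    hits = []
    for ev in events:
        involves_user = user in (ev["actor"], ev["target_user"])
        if not involves_user or ev["operation"] not in PERSISTENCE_OPS:
            continue
        if parse_ts(ev["ts"]) < start:
            continue  # pre-dates the compromise window: almost certainly the user's own change
        hits.append({"ts": ev["ts"], "what": PERSISTENCE_OPS[ev["operation"]],
                     "actor": ev["actor"], "target": ev["target_user"], "detail": ev.get("detail", "")})
    return sorted(hits, key=lambda h: h["ts"])

# Constructed sample audit events; values are illustrative, not real tenant data.
SAMPLE_EVENTS = [
    {"ts": "2026-02-01T09:00:00Z", "actor": "jdoe", "target_user": "jdoe",
     "operation": "mfa_device_added", "detail": "authenticator app (enrolment, 5 weeks earlier)"},
    {"ts": "2026-03-10T10:30:00Z", "actor": "jdoe", "target_user": "jdoe",
     "operation": "app_password_created", "detail": "legacy IMAP client"},
    {"ts": "2026-03-10T14:05:00Z", "actor": "jdoe", "target_user": "jdoe",
     "operation": "sign_in", "detail": "impossible-travel alert"},
    {"ts": "2026-03-10T14:12:00Z", "actor": "jdoe", "target_user": "jdoe",
     "operation": "mfa_device_added", "detail": "SMS, unknown number"},
    {"ts": "2026-03-10T14:15:00Z", "actor": "jdoe", "target_user": "jdoe",
     "operation": "inbox_forwarding_rule_created", "detail": "forward all mail to external mailbox"},
    {"ts": "2026-03-10T14:40:00Z", "actor": "helpdesk", "target_user": "jdoe",
     "operation": "password_reset", "detail": "Playbook 04 step 2"},
    {"ts": "2026-03-10T15:02:00Z", "actor": "jdoe", "target_user": "svc-backup2",
     "operation": "admin_role_assigned", "detail": "admin role granted"},
]
```

On the sample, the January enrolment and the helpdesk reset drop out, while the app password created four hours before the alert, the two mailbox changes and the admin role the account granted to another principal are all returned in time order.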
05

Data Exfiltration Suspect

Use case: Egress block, owner review — sensitive data on the move
Severity: P1 – P2 · Critical / High · RS-3 · Approval required
Trigger: DLP alert · unusual egress · large transfers to external destinations

Immediate actions

  1. Identify. Source system, destination, user, volume, data type.
  2. Assess. Is this authorized? Check with the data owner.
  3. Block. If unauthorized, block destination IP / domain at the firewall.
  4. Preserve. Capture network logs, DLP alerts, user activity.
  5. Notify. Alert owner of affected data and systems.
  6. Engage. Bring in Legal / HR if an insider threat is suspected.

Investigation questions

  • What data was transferred? (Classification level)
  • How much? (Volume and record count)
  • Where did it go? (External destination analysis)
  • Is this a breach? (Regulatory notification requirements)
  • Was this malicious or accidental?
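As an added example (not part of the framework) of turning the investigation questions above into data: the function aggregates constructed DLP / proxy records per user and destination, answers what, how much and where, and flags external destinations whose volume exceeds a multiple of the user's normal daily egress. The internal-domain allowlist, record schema and baselines are assumptions; a flag only marks the egress block as needing approval, matching RS-3.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

INTERNAL_DOMAINS = {"corp.example", "sharepoint.corp.example"}  # constructed allowlist of internal destinations

def is_external(dest: str) -> bool:
    """External unless the destination is, or is a subdomain of, an internal domain."""
    return not any(dest == d or dest.endswith("." + d) for d in INTERNAL_DOMAINS)

def triage_egress(records: List[Dict], baseline_bytes: Dict[str, int], ratio: float = 5.0) -> List[Dict]:
    """Answer the Playbook 05 questions per (user, destination): what (classifications),
    how much (bytes, record count), where (external?). A pair is flagged when it is external and
    its volume exceeds `ratio` x the user's normal daily egress; the block itself stays RS-3."""
    agg: Dict[Tuple[str, str], Dict] = defaultdict(lambda: {"bytes": 0, "records": 0, "classes": set()})
    for r in records:
        a = agg[(r["user"], r["dest"])]
        a["bytes"] += r["bytes"]
        a["records"] += r["records"]
        a["classes"].add(r["classification"])
    out = []
    for (user, dest), a in agg.items():
        ext = is_external(dest)
        flagged = ext and a["bytes"] > ratio * baseline_bytes.get(user, 0)
        out.append({"user": user, "dest": dest, "external": ext, "bytes": a["bytes"],
                    "records": a["records"], "classes": sorted(a["classes"]),
                    "flagged": flagged, "block_requires_approval": flagged})  # RS-3: never auto-block
    return sorted(out, key=lambda x: (-int(x["flagged"]), -x["bytes"]))

# Constructed DLP / proxy records for one day (illustrative, not real data).
SAMPLE_RECORDS = [
    {"user": "jdoe", "dest": "sharepoint.corp.example", "bytes": 900_000_000, "records": 0, "classification": "internal"},
    {"user": "jdoe", "dest": "files.example.net", "bytes": 2_400_000_000, "records": 120_000, "classification": "confidential"},
    {"user": "jdoe", "dest": "files.example.net", "bytes": 600_000_000, "records": 30_000, "classification": "pii"},
    {"user": "asmith", "dest": "partner.example.org", "bytes": 50_000_000, "records": 10, "classification": "internal"},
]
BASELINE_BYTES = {"jdoe": 200_000_000, "asmith": 400_000_000}  # constructed: median daily egress per user
```

The large internal SharePoint transfer is not flagged because the destination is internal; the external pair that is flagged carries a PII classification, which is the input the regulatory-notification question needs.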

Customize these templates. Add tool-specific commands, name owners, run them under fire — and only then trust them.

Where this connects

These playbooks operationalize the Act step of the Calm Loop (Doc 01) and become reflexes inside the Walk phase (Doc 02). The 30/60/90 plan (Doc 04) ships them in this order — start with 01.

Get the framework
deretticyberlabs.com/ir2