Device Compromise Response Playbook

What This Playbook Covers

Device compromise incidents can lead to unauthorized access, data exposure, and lateral movement across systems. This playbook outlines how to identify, isolate, investigate, remediate, and recover from compromised endpoint devices within Microsoft 365 environments.

Important: A compromised device can be used as a foothold into your environment. Immediate containment and a structured response are critical to limiting impact.

When This Playbook Is Used

Malware Or Endpoint Alerts

Security tools detect malware, suspicious processes, or exploit activity on a device.

Unusual Device Behavior

The device exhibits abnormal performance, unexpected network activity, or unauthorized system changes.

Confirmed Or Suspected Compromise

A device is believed to be compromised through phishing, credential theft, or unauthorized access.

Execution Steps

01

Identify The Compromised Device

Confirm the alert is not a false positive, validate the threat, and determine the affected device, the signed-in user, and the scope of impact, including any other devices the same account or credentials have reached.

02

Isolate The Device

Disconnect the device from the network or apply isolation controls to prevent further communication or spread. Where the EDR platform supports it, prefer its isolation action over physically disconnecting the device: EDR isolation blocks all other traffic but keeps the management channel open, so evidence can still be collected remotely.

03

Preserve Evidence

Capture logs, system state, and security data to support investigation and forensic analysis. Collect volatile data (memory, running processes, active network connections) before any reboot or reimage, and complete evidence collection before remediation begins, since cleanup destroys evidence.

04

Investigate The Compromise

Determine how the device was compromised, what actions the attacker took, and whether lateral movement occurred. Review the affected user's sign-in activity and any logons from the compromised device or account to other systems, so the scope is not limited to the first device that raised an alert.

05

Remediate The Threat

Remove malicious files, reimage the device if necessary, reset credentials, and restore secure configurations. Reset the password and revoke active sessions and refresh tokens for every account used on the device; a password reset alone does not invalidate access tokens that have already been issued.

06

Restore And Monitor

Return the device to production use only after the EDR reports it clean and it is re-enrolled in device management, then monitor closely for recurrence or additional suspicious activity.
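The following is an added example and is not part of the original playbook. It drives steps 02 through 05 from Python against the Microsoft Defender for Endpoint machine-action API and the Microsoft Graph API (isolate, collect investigation package, revoke sign-in sessions, full antivirus scan), and shows the step 04 lateral-movement check both as an advanced-hunting query and as the same logic applied offline to result rows. The bearer token, machine ID, user object ID, hostnames and the sample DeviceLogonEvents rows are assumptions or constructed data for illustration.

```python
"""Added example (not part of the playbook): drives steps 02-05 against the
Microsoft Defender for Endpoint and Microsoft Graph REST APIs and triages
lateral movement from DeviceLogonEvents rows.  The token, machine ID, user
ID, hostnames and sample rows below are assumptions / constructed data."""
import json
import urllib.request
from datetime import datetime, timezone

DEFENDER_API = "https://api.securitycenter.microsoft.com/api"
GRAPH_API = "https://graph.microsoft.com/v1.0"


def containment_plan(machine_id, user_id, comment):
    """Ordered API calls: isolate (step 02), collect evidence (step 03),
    revoke the account's sessions and scan (step 05).  Defender isolation
    keeps the sensor channel open, so the investigation package can still
    be collected after the device is isolated."""
    return [
        # "Full" cuts all traffic except the Defender channel; "Selective"
        # would leave Outlook and Teams working.
        ("POST", f"{DEFENDER_API}/machines/{machine_id}/isolate",
         {"Comment": comment, "IsolationType": "Full"}),
        ("POST", f"{DEFENDER_API}/machines/{machine_id}/collectInvestigationPackage",
         {"Comment": comment}),
        # Invalidates refresh tokens so a stolen token cannot be replayed;
        # the password reset itself is handled separately by the identity team.
        ("POST", f"{GRAPH_API}/users/{user_id}/revokeSignInSessions", None),
        ("POST", f"{DEFENDER_API}/machines/{machine_id}/runAntiVirusScan",
         {"Comment": comment, "ScanType": "Full"}),
    ]


def _http_send(method, url, body, token):
    """Live transport: one authenticated JSON request, returns the HTTP status."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return resp.status


def execute(plan, token, send=_http_send):
    """Run the plan in order and stop at the first failure, so a later step
    never runs on a device that was not actually isolated.
    Returns [(action, http_status), ...]."""
    results = []
    for method, url, body in plan:
        status = send(method, url, body, token)
        results.append((url.rsplit("/", 1)[-1], status))
        if status >= 300:
            break
    return results


# Advanced-hunting query for step 04 (submit via POST .../api/advancedqueries/run).
HUNT_QUERY = """DeviceLogonEvents
| where Timestamp > ago(7d)
| where AccountName =~ "{account}"
| where ActionType == "LogonSuccess"
| where LogonType in ("Network", "RemoteInteractive")
| where DeviceName !~ "{source}"
| summarize Logons=count(), FirstSeen=min(Timestamp) by DeviceName, LogonType"""


def lateral_movement_candidates(rows, account, source_device, since):
    """Same logic as HUNT_QUERY applied offline to result rows: every other
    device the account successfully reached over the network ("Network", e.g.
    SMB/WinRM, or "RemoteInteractive", e.g. RDP) after the compromise time."""
    hits = {}
    for r in rows:
        ts = datetime.fromisoformat(r["Timestamp"].replace("Z", "+00:00"))
        if (ts < since
                or r["AccountName"].lower() != account.lower()
                or r["ActionType"] != "LogonSuccess"
                or r["LogonType"] not in ("Network", "RemoteInteractive")
                or r["DeviceName"].lower() == source_device.lower()):
            continue
        key = (r["DeviceName"], r["LogonType"])
        count, first = hits.get(key, (0, ts))
        hits[key] = (count + 1, min(first, ts))
    return sorted((dev, kind, n, first.isoformat())
                  for (dev, kind), (n, first) in hits.items())


def _row(ts, device, account, action, logon_type):
    return {"Timestamp": ts, "DeviceName": device, "AccountName": account,
            "ActionType": action, "LogonType": logon_type}


# Constructed sample rows in the shape DeviceLogonEvents returns; jdoe's
# laptop is assumed compromised at 08:30 UTC on 2024-05-02.
SAMPLE_ROWS = [
    _row("2024-05-02T08:00:00Z", "laptop-01.contoso.com", "jdoe", "LogonSuccess", "Interactive"),
    _row("2024-05-02T09:15:00Z", "fs-02.contoso.com", "jdoe", "LogonSuccess", "Network"),
    _row("2024-05-02T09:20:00Z", "fs-02.contoso.com", "jdoe", "LogonSuccess", "Network"),
    _row("2024-05-02T09:40:00Z", "srv-db-01.contoso.com", "jdoe", "LogonSuccess", "RemoteInteractive"),
    _row("2024-05-02T10:00:00Z", "srv-db-01.contoso.com", "jdoe", "LogonFailed", "RemoteInteractive"),
    _row("2024-04-30T12:00:00Z", "fs-02.contoso.com", "jdoe", "LogonSuccess", "Network"),  # pre-incident
    _row("2024-05-02T09:30:00Z", "fs-02.contoso.com", "asmith", "LogonSuccess", "Network"),
]
COMPROMISE_TIME = datetime(2024, 5, 2, 8, 30, tzinfo=timezone.utc)

if __name__ == "__main__":
    # Dry run: print the plan instead of executing it (execute() with the
    # default transport would issue live API calls).
    for method, url, body in containment_plan("MACHINE_ID_FROM_ALERT", "USER_OBJECT_ID", "IR-1234 containment"):
        print(method, url, body)
    for hit in lateral_movement_candidates(SAMPLE_ROWS, "jdoe", "laptop-01.contoso.com", COMPROMISE_TIME):
        print("follow up on:", hit)
```

Review the printed plan before calling `execute()` with the default transport, since that performs the live isolation. The Defender machine actions return asynchronously and should be polled for completion before the device is treated as isolated; that polling is not implemented here. Every device the offline check returns becomes a new candidate for step 01 of this playbook.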

Operational Requirements

Endpoint Detection And Response

Devices must be protected with EDR capabilities to detect, isolate, and respond to threats.

Centralized Logging

Device activity must be logged and accessible for investigation and correlation with other systems.

Device Management Controls

Organizations must be able to isolate, wipe, or reconfigure devices through centralized management tools.

Expected Outcome

  • The compromised device is quickly identified and isolated
  • Threat activity is contained and removed
  • Root cause of compromise is understood
  • The device is safely restored to a trusted state