Build and Test an Investigation Playbook
Objective
Take PB-SOC-001 (AiTM credential phishing playbook) from Module 7 and adapt it from a generic template to a production playbook customised for your organisation. Then validate it through a tabletop exercise.
Required: Completed Modules 1, 7, and 8. No Sentinel workspace needed — this is a process lab.
Part 1: Customise the playbook (45 minutes)
Open PB-SOC-001 from Module 7, subsection 7.4.
1.1 Escalation contacts
Replace every generic reference with named contacts:
| Role | Generic | Your environment |
|---|---|---|
| SOC Manager | “SOC Manager” | [Name, phone, Teams handle] |
| CISO | “Security leadership” | [Name, phone, email] |
| IT Operations | “IT operations” | [Name/team, Teams channel] |
| Legal / Compliance | “Legal counsel” | [Name, phone, email] |
| HR | “HR” | [Name, phone] |
| MDR provider (if applicable) | “Managed SOC” | [Escalation process, portal URL] |
1.2 Containment approval matrix
Map generic approval levels to your authority structure:
| Action | Generic authority | Your authority | After-hours authority |
|---|---|---|---|
| Token revocation | T2 or SOC Manager | | |
| Account disablement | SOC Manager | | |
| Device isolation | SOC Manager | | |
| IP block (firewall) | SOC Manager + IT Ops | | |
| Email purge (org-wide) | SOC Manager | | |
If you operate with an MDR provider for after-hours coverage, define the handoff: which of these actions the MDR can execute autonomously, and which require your approval before they act.
1.3 SLA timelines
Review each SLA against your team capacity:
| Phase | Playbook SLA | Achievable? | Your SLA |
|---|---|---|---|
| Triage start | 15 minutes | | |
| Triage decision | 30 minutes | | |
| Containment start | 60 minutes | | |
| Full scope assessment | 4 hours | | |
| Executive summary | 24 hours | | |
1.4 Communication templates
Adapt the user notification template with your specifics:
- Your security team contact email and phone
- Your IT helpdesk number for password reset support
- Your incident reference number format (e.g., INC-YYYY-MMDD-NNN)
- Any legal language your organisation requires
Part 2: Tabletop exercise (45-60 minutes)
Scenario
14:30 UTC: DET-SOC-008 fires for m.chen@[yourdomain]. An inbox forwarding rule was created sending to ext-data@protonmail.com. The preceding sign-in originated from IP 185.234.xx.xx (ASN 14061, DigitalOcean, Ukraine).
Work through PB-SOC-001 step by step. At each decision point, document your action and reasoning.
Additional information revealed as you progress:
- The user is at their desk and did not create the rule
- The user received unexpected MFA push notifications at ~14:15 but did not approve any
- MailItemsAccessed shows 220 emails accessed from the adversary IP (14:20–14:30)
- No outbound email sent by the adversary
- No OAuth consent grants during the window
- No mailbox delegation changes
- The adversary IP also appeared in a DET-SOC-001 alert for j.morrison@[yourdomain] 20 minutes later
Tabletop questions:
- What is your triage classification and severity?
- What containment actions do you execute, in what order, and who approves each?
- The second user (j.morrison) changes the scope. How does this affect your response?
- When do you notify, and whom?
- What evidence do you preserve for the incident record?
- Does this incident require regulatory notification under GDPR Article 33? Why or why not?
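The scope-expansion and SLA questions above can be worked with a small pivot over the audit evidence. The following is an added example, not part of the lab or of PB-SOC-001: it builds constructed audit records that mirror the scenario (the adversary IP is kept as the scenario's redacted placeholder, `example.com` stands in for [yourdomain], and the operation names are illustrative rather than any product's schema), pivots on the adversary IP to list every affected user, counts MailItemsAccessed and external forwarding rules per user, and scores constructed response milestones against the SLA figures from Part 1.3.

```python
from datetime import datetime, timedelta, timezone

# Placeholder copied from the scenario text; not a real indicator.
ADVERSARY_IP = "185.234.xx.xx"
INTERNAL_DOMAIN = "example.com"  # stands in for [yourdomain]


def at(hhmm, day=15):
    """Constructed UTC timestamp on an arbitrary exercise date."""
    hour, minute = (int(x) for x in hhmm.split(":"))
    return datetime(2024, 1, day, hour, minute, tzinfo=timezone.utc)


# Constructed audit records mirroring the tabletop scenario.
EVENTS = [
    {"time": at("14:19"), "user": f"m.chen@{INTERNAL_DOMAIN}", "op": "UserLoggedIn", "ip": ADVERSARY_IP},
    {"time": at("14:25"), "user": f"a.patel@{INTERNAL_DOMAIN}", "op": "UserLoggedIn", "ip": "10.1.2.3"},
    {"time": at("14:30"), "user": f"m.chen@{INTERNAL_DOMAIN}", "op": "New-InboxRule",
     "ip": ADVERSARY_IP, "forward_to": "ext-data@protonmail.com"},
    {"time": at("14:50"), "user": f"j.morrison@{INTERNAL_DOMAIN}", "op": "UserLoggedIn", "ip": ADVERSARY_IP},
]
# 220 MailItemsAccessed events from the adversary IP inside the 14:20-14:30 window.
EVENTS += [
    {"time": at("14:20") + timedelta(seconds=i * 2), "user": f"m.chen@{INTERNAL_DOMAIN}",
     "op": "MailItemsAccessed", "ip": ADVERSARY_IP}
    for i in range(220)
]


def pivot_on_ip(events, ip):
    """Group every event from `ip` by user: the scope-expansion step of the tabletop."""
    scope = {}
    for e in sorted(events, key=lambda e: e["time"]):
        if e["ip"] != ip:
            continue
        s = scope.setdefault(e["user"], {
            "first_seen": e["time"], "last_seen": e["time"],
            "mail_items_accessed": 0, "external_forwards": [],
        })
        s["last_seen"] = e["time"]
        if e["op"] == "MailItemsAccessed":
            s["mail_items_accessed"] += 1
        elif e["op"] == "New-InboxRule":
            target = e.get("forward_to", "")
            # Only forwards leaving the organisation count as exfiltration paths.
            if target and not target.endswith("@" + INTERNAL_DOMAIN):
                s["external_forwards"].append(target)
    return scope


# Playbook SLAs from Part 1.3, in minutes after the detection time.
PLAYBOOK_SLA = {
    "triage_start": 15, "triage_decision": 30, "containment_start": 60,
    "full_scope_assessment": 240, "executive_summary": 1440,
}

# Constructed milestone times for the exercise; containment is deliberately late.
MILESTONES = {
    "triage_start": at("14:40"), "triage_decision": at("14:58"),
    "containment_start": at("15:45"), "full_scope_assessment": at("17:30"),
}


def sla_report(detected_at, milestones, sla=PLAYBOOK_SLA):
    """Return {phase: (elapsed_minutes or None, met)}; an unreached phase is open and not met."""
    report = {}
    for phase, limit in sla.items():
        done = milestones.get(phase)
        if done is None:
            report[phase] = (None, False)
        else:
            elapsed = (done - detected_at).total_seconds() / 60
            report[phase] = (elapsed, elapsed <= limit)
    return report


if __name__ == "__main__":
    for user, s in pivot_on_ip(EVENTS, ADVERSARY_IP).items():
        print(user, s["first_seen"].strftime("%H:%M"), s["mail_items_accessed"], s["external_forwards"])
    for phase, (elapsed, met) in sla_report(at("14:30"), MILESTONES).items():
        print(phase, elapsed, "met" if met else "MISSED")
```

Run as-is, the pivot returns both m.chen and j.morrison as touched by the adversary IP (a.patel's internal sign-in drops out), and the SLA report flags containment as missed at 75 minutes, which is the kind of gap the debrief should capture as a playbook update.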
Debrief
- Did the playbook cover every situation in the scenario?
- Were the escalation contacts reachable? (Verify phone numbers are current)
- What modifications does the playbook need?
- Schedule the next tabletop: recommended quarterly
Verification checklist
- PB-SOC-001 customised with all environment-specific details
- Tabletop scenario completed — all phases exercised
- Scope expansion (second user) handled correctly
- Gaps documented as playbook updates
- Customised playbook saved in SOC documentation repository
- Next tabletop scheduled