Sign In
In this module

AD5.10 When to Escalate

5-6 hours · Module 5 · Free
Operational Objective
Not every security incident can be handled by an IT administrator alone. Some incidents require expertise you don't have (forensic analysis, malware reverse engineering), authority you don't hold (legal decisions, regulatory notifications), or capacity you lack (multi-user compromise requiring simultaneous investigation of 20 accounts). Knowing when to escalate — and to whom — is as important as knowing how to investigate. This subsection defines the escalation criteria, the escalation targets (managed SOC, management, legal, external IR), and the information you need to provide when you escalate. The goal: escalate early enough to contain the incident, not so early that you waste external resources on a false positive.
Deliverable: An escalation decision tree with specific criteria for each escalation target, and the information template you provide when escalating — ensuring the responder has everything they need from your initial investigation.
Estimated completion: 25 minutes
ESCALATION DECISION TREE INCIDENT CONFIRMED (TP) How many users affected? How severe is the compromise? 1 USER, BLOCKED ATTACK Handle yourself: AD1.9 procedure Reset password, check MFA, close NO ESCALATION NEEDED 1-3 USERS, SUCCESSFUL Handle + escalate to management Respond per AD1.9, notify manager ESCALATE TO MANAGEMENT 4+ USERS / DATA BREACH Escalate to managed SOC + legal Contain what you can, hand off ESCALATE IMMEDIATELY

Figure AD5.10 — The escalation decision tree. Single user, blocked attack: handle yourself. 1-3 users, successful compromise: handle and notify management. 4+ users or data breach: escalate to managed SOC and legal immediately. The decision is based on scope and severity, not on your confidence level.

Escalation criteria by target

Handle yourself (no escalation): Single user credential compromise blocked by CA003. Single phishing email caught by Safe Links. Single DLP match with appropriate override. These are the routine incidents your Monday review catches and your AD1-AD4 procedures resolve. Response time: during the Monday review or within 24 hours if flagged by notification.

Escalate to your manager: Confirmed credential compromise with successful sign-in (the attacker got in, even briefly). Multiple users affected by the same phishing campaign. DLP match indicating bulk data exfiltration. Secure Score drop caused by another admin's configuration change. Your manager needs awareness for two reasons: the incident may affect business operations, and the response actions (password resets, account lockouts) may generate user complaints that your manager should be prepared for.

Escalate to managed SOC (if available): Any high-severity incident you're not confident handling alone. Multi-user compromise. Indicators of ransomware (bulk file encryption, VSS deletion, unusual service creation). After-hours high-severity alerts. Your managed SOC has analysts with deeper investigation skills and 24/7 coverage. Provide them with: the incident ID in the Defender portal, the affected user(s), the timeline of events, and the actions you've already taken.

Escalate to legal / senior management: Any incident involving confirmed personal data exposure (GDPR 72-hour notification clock starts). Any incident involving executive accounts (CEO, CFO — potential for financial fraud). Any incident where the attacker had access long enough to potentially exfiltrate data. Legal needs to assess notification obligations. Senior management needs to assess business impact and communication.

Escalate to external IR provider: Ransomware confirmed on any system. Evidence of persistent access by a sophisticated attacker. Any incident beyond your technical capability or the managed SOC's scope. External IR providers bring forensic tools, legal experience, and insurance claim support that internal teams typically lack.

The escalation handoff template

When you escalate, provide this information so the responder can act immediately:

Incident Summary:

  • What happened: [one sentence — "User j.morrison's account was compromised via AiTM phishing"]
  • When: [first indicator timestamp — "First suspicious sign-in at 01:15 on Saturday 12 April"]
  • Who: [affected users and systems — "j.morrison's mailbox, 3 inbox rules created"]
  • Scope: [how many users, what data — "1 user confirmed, checking for others"]
  • Current state: [contained or active — "Sessions revoked, password reset, inbox rules deleted"]
  • Actions taken: [what you've done — "Executed AD1.9 procedure at 09:30 Monday"]
  • What's needed: [why you're escalating — "Need deeper mailbox forensics to determine what emails were forwarded"]

This template takes 5 minutes to fill in from your investigation notes. It gives the responder everything they need to continue without repeating your work.

Coordinating with a managed SOC partner

If your organization uses a managed SOC (like NE's BlueVoyant), establish the coordination workflow before you need it. During the onboarding or service review meeting, agree on:

What the managed SOC monitors: Typically Defender for Endpoint alerts, email threat detections, and identity risk signals. They DON'T monitor your Intune compliance, DLP policies, SharePoint sharing, or Secure Score — that's your monitoring cadence.

How to escalate to them: Email address, phone number, ticket system, or portal. Some managed SOCs require specific incident IDs from the Defender portal. Some accept free-form email. Know the process BEFORE the incident.

What information they need: The Defender incident ID (they can pull the details from their portal access), the affected user(s), a brief summary of what you've already done (sessions revoked, password reset), and what you need from them (deeper investigation, 24/7 monitoring of the account, forensic analysis).

What they do vs what you do: The managed SOC investigates and contains. You communicate with the affected user, coordinate with management, handle the business impact, and implement post-incident improvements. The division is: they handle the security response, you handle the organizational response.

Response SLAs: Your managed SOC contract includes response time commitments. Know them: typically 15 minutes for critical/high severity, 1 hour for medium. If they don't meet the SLA, escalate through your account manager. During an incident is not the time to discover that your SOC partner's response time is 4 hours.

When external IR is needed

External incident response is the escalation beyond your managed SOC. The triggers are specific:

Ransomware confirmed: Ransomware requires forensic analysis (determining the initial access vector, assessing the encryption scope, evaluating backup integrity), legal assessment (notification obligations, insurance claims), and recovery planning (clean rebuild vs decrypt vs pay). This is specialist work that most managed SOCs don't fully cover.

Confirmed data exfiltration: If investigation confirms that sensitive data was exfiltrated (not just accessed, but actively removed from your environment), legal and regulatory obligations may apply. External IR providers coordinate with legal counsel and insurers to manage the response correctly.

Sophisticated persistent attacker: If investigation reveals that the attacker has been in your environment for weeks or months (persistence mechanisms, backdoor accounts, modified configurations), eradication requires a thorough assessment that's beyond the scope of a weekly Monday review. External IR provides the deep-dive investigation and comprehensive eradication plan.

If you don't have an external IR retainer, document this gap in your quarterly report: "No external IR retainer — incident response capability limited to internal procedures (AD1-AD5) and managed SOC partner. Recommendation: evaluate IR retainer for ransomware and data breach scenarios." This is a risk acceptance that management should be aware of — and may justify budgeting for an IR retainer in the next financial year.

Preserving evidence before escalation

When you escalate, the responder needs evidence that you may inadvertently destroy if you're not careful. Before escalating, take these preservation steps:

Don't delete anything. When you find a malicious inbox rule, disable it — don't delete it. The rule's creation timestamp, configuration, and the account that created it are evidence. When you find a suspicious file, quarantine it — don't delete it. When you find a rogue service principal, disable it — don't remove it. Deletion destroys forensic evidence that the IR team needs.

Screenshot everything. Before taking any containment action, screenshot the current state: the inbox rules page showing the malicious rule, the sign-in log showing the suspicious sign-in, the incident page showing the attack story. After you revoke sessions or reset passwords, the attacker's active session disappears — the screenshot is the evidence that it existed.

Export sign-in data. Before the sign-in log rotates (default retention: 30 days for Entra ID P1), export the relevant entries:

$user = "r.williams@northgateeng.com"
$startDate = "2026-04-10T00:00:00Z"
Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$user' and createdDateTime ge $startDate" -All |
    Select-Object CreatedDateTime, UserPrincipalName, AppDisplayName,
        @{N="IP";E={$_.IpAddress}},
        @{N="Location";E={"$($_.Location.City), $($_.Location.CountryOrRegion)"}},
        @{N="Device";E={$_.DeviceDetail.OperatingSystem}},
        @{N="MFA";E={$_.MfaDetail.AuthMethod}},
        @{N="CA";E={$_.ConditionalAccessStatus}},
        @{N="Risk";E={$_.RiskLevelDuringSignIn}} |
    Export-Csv -Path "C:\Evidence\$user-signins-$(Get-Date -Format 'yyyyMMdd').csv" -NoTypeInformation
Write-Host "Exported sign-in data to C:\Evidence\"

Record the timeline. Write down, in chronological order: when you discovered the incident, what you found, what actions you took, and when. This timeline is the first thing the IR team asks for. Having it ready saves 30 minutes of reconstruction during the handoff call.

The post-incident improvement cycle

After every escalated incident is resolved, schedule a 30-minute review with yourself (or with your manager if they were involved). Answer three questions:

  1. How was the incident detected? Was it the Monday review, an alert notification, a user report, or accidental discovery? If it was accidental discovery, what monitoring check should have caught it earlier?
  1. What could have prevented it? Would a different CA policy have blocked the attack? Would user training have prevented the phishing click? Would a DLP policy have caught the data exfiltration? Each answer becomes a potential improvement action for the next quarter.
  1. What would you do differently next time? Was the escalation timely? Did you preserve the right evidence? Did the handoff template contain enough information? Each answer improves your response procedure.

Document the answers in a brief "lessons learned" note and file it with the incident record. After 4 incidents, you have a pattern: "3 of 4 incidents involved AiTM phishing — consider implementing conditional access token protection" or "2 of 4 incidents were discovered during the Monday review — the monitoring cadence is working." These patterns feed your quarterly report's "next steps" section with data-driven recommendations.

Compliance Myth: "Escalating shows weakness — a competent IT admin should handle everything"
Escalating shows judgment. A ransomware incident needs forensic tools you don't have. A data breach needs legal assessment you're not qualified to make. A multi-user compromise needs investigation capacity you can't provide alone while also maintaining the IT environment. The IT administrator who escalates a ransomware incident in the first 30 minutes gives the organization the best chance of containment. The IT administrator who tries to handle it alone for 4 hours before admitting they need help gives the attacker 4 additional hours. Know your boundary. Contain what you can. Escalate what you can't. Document everything.
Decision point

Your Monday review reveals a confirmed credential compromise: user s.chen's account was accessed from an unfamiliar IP at 04:00 on Sunday. The attacker created 2 inbox rules forwarding emails containing "invoice" and "payment" to an external address. You've already executed AD1.9 (sessions revoked, password reset, rules deleted). Message trace shows 7 emails were forwarded to the external address before you deleted the rules. The forwarded emails include 3 vendor invoices with bank details. Who do you escalate to?

Option A: Manager only — the incident is contained, you handled the response.

Option B: Manager AND legal. The 7 forwarded emails contained vendor bank details (personal financial data). The external forwarding constitutes a data breach — personal data was disclosed to an unauthorized party. Legal needs to assess the GDPR notification obligation (72 hours from awareness). Management needs to assess whether the vendors should be notified that their bank details were exposed to an attacker — the vendors may be targeted for fraudulent payment redirection.

The correct answer is Option B. The technical response is complete (account contained, rules deleted). But the data impact requires legal and management assessment. Bank details forwarded to an attacker create financial fraud risk for the vendors. GDPR Article 33 may require notification to the ICO within 72 hours. The vendors themselves may need to be warned that their bank details are compromised — the attacker may use the stolen bank details to create fraudulent payment redirect requests. This is beyond the IT administrator's authority — legal and management make the notification decisions.

Try it: Build your escalation contact sheet

Create a simple document with escalation contacts for each target:

1. Your manager: Name, email, phone, Teams handle 2. Managed SOC (if applicable): Escalation email, phone number, service ID, SLA for response 3. Legal / DPO: Name, email, phone — the person responsible for data breach notification 4. Senior management: CTO/CISO name, email — for executive account compromise or business-critical incidents 5. External IR (if contracted): Provider name, incident hotline number, contract reference

Save this document somewhere accessible — not buried in a SharePoint folder you can't find at 09:00 on a Monday when you've just discovered a breach. Desktop, pinned in Teams, or printed next to your monitor.

If you don't have a managed SOC or external IR provider, document that gap: "No managed SOC — all incidents handled internally. No external IR — escalation path is to management for procurement of emergency IR services." This gap is a finding for your next quarterly report — it may justify the case for adding managed SOC coverage.

You discover a high-severity incident at 09:15 on Monday: ransomware indicators on a file server (VSS deletion, mass file renaming). You're an IT administrator, not a security analyst. What's your first action?
Investigate the file server to determine the scope — Understanding scope is important but not the first action for ransomware. Containment comes before investigation.
Restore from backup — Restoring before containing the threat risks the backup being encrypted too. Contain first, then restore.
Isolate the file server from the network immediately (disconnect the network cable or disable the network adapter), then escalate to management and any external IR/managed SOC resources. Don't investigate further until the server is isolated — every minute connected is a minute the ransomware can spread to other systems — Correct. For ransomware, containment (network isolation) is always the first action. Isolation buys time. Then escalate — ransomware is beyond the typical IT administrator's scope. Provide the escalation handoff: what server, what indicators (VSS deletion, file renaming pattern), when you discovered it, and that you've isolated the server.
Check if the antivirus detected anything — If antivirus caught it, there would be a Defender alert, not manual discovery of VSS deletion. The absence of an AV alert suggests the ransomware evaded endpoint protection. Isolate first.
Operational Artifact — Escalation Decision Tree and Contact Sheet
Escalation criteria: 1 user/blocked = handle yourself. 1-3 users/successful = handle + notify manager. 4+ users or data breach = escalate to managed SOC + legal. Ransomware = isolate + escalate immediately. Contact sheet: manager, managed SOC, legal/DPO, senior management, external IR. Handoff template: what happened, when, who, scope, current state, actions taken, what's needed. Print the contact sheet and the decision tree. Keep them accessible — not in a folder you can't find during an incident.
© 2026 Ridgeline Cyber Defence™ Ltd. Content may not be reproduced or redistributed. Worked artifacts may be adapted for use within your organization.

You're reading the free modules of M365 Security: From Admin to Defender

The full course continues with advanced topics, production detection rules, worked investigation scenarios, and deployable artifacts.

View Pricing See Full Syllabus
← Previous Next →