AD6.12 Module Summary

5-6 hours · Module 6 · Free

Module Summary

This module provided the response procedures that complete your security program. Modules AD1-AD4 deployed protection controls. Module AD5 built the monitoring that detects when those controls are challenged. This module provides the step-by-step response for when monitoring identifies a confirmed incident — transforming detection into action.

You built three response procedures, each a numbered checklist with PowerShell commands ready to execute:

The compromised account procedure (AD6.2) — the 5-step response you execute within 15 minutes of confirming a credential compromise. Revoke sessions (terminate the attacker's access), reset password (prevent re-entry), review MFA methods (remove attacker-registered devices), remove persistence (inbox rules, OAuth consents, mailbox delegates), and report (document the timeline and notify management). Each step has a specific PowerShell command and a verification method.

The phishing click response (AD6.3) — the decision tree that determines impact after a user clicks a suspicious link. If Safe Links blocked the click: thank the user, scope other recipients, block the sender, purge the email. If the click reached the phishing page: treat as potential credential compromise, check the sign-in log for post-click anomalies, and execute AD6.2 if compromised. Compliance Search provides the email purge capability on E3.
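The scope, block and purge branch of the decision tree above, as an added PowerShell script that is not part of the course's own AD6.3 checklist. It assumes the ExchangeOnlineManagement module (for both Connect-ExchangeOnline and Connect-IPPSSession), an operator holding the Search And Purge role for the purge step, and that the reported message's sender address and subject are known; the sender, subject and search-name values are placeholders.

```powershell
# Added example for the AD6.3 "scope other recipients, block the sender, purge the email" branch.
# Not the course's own script. Assumes ExchangeOnlineManagement is installed and the operator
# has the Exchange and Search And Purge roles these cmdlets require.
param(
    [Parameter(Mandatory)] [string] $Sender,    # reported sender, e.g. 'invoice@lookalike.example' (placeholder)
    [Parameter(Mandatory)] [string] $Subject,   # subject line of the reported message
    [int] $LookbackDays = 2                     # message trace window; the trace API covers the last 10 days
)

Connect-ExchangeOnline -ShowBanner:$false
Connect-IPPSSession -ShowBanner:$false

# 1. Scope: every recipient the same sender reached in the window, not just the user who reported it
$trace = Get-MessageTrace -SenderAddress $Sender -StartDate (Get-Date).AddDays(-$LookbackDays) -EndDate (Get-Date)
$recipients = $trace | Where-Object { $_.Subject -eq $Subject } |
    Select-Object -ExpandProperty RecipientAddress -Unique
Write-Host "Message '$Subject' from $Sender was delivered to $($recipients.Count) mailbox(es):"
$recipients | ForEach-Object { "  $_" }

# 2. Block the sender in the Tenant Allow/Block List so any follow-up from the same address is dropped
New-TenantAllowBlockListItems -ListType Sender -Block -Entries $Sender -NoExpiration | Out-Null

# 3. Purge: Compliance Search across all mailboxes, then a SoftDelete action
#    (SoftDelete leaves the item recoverable via Deleted Items; HardDelete is the irreversible option)
$searchName = "IR-phish-$(Get-Date -Format 'yyyyMMdd-HHmm')"   # placeholder naming scheme
$query = "(from:$Sender) AND (subject:`"$Subject`")"            # KQL content match
New-ComplianceSearch -Name $searchName -ExchangeLocation All -ContentMatchQuery $query | Out-Null
Start-ComplianceSearch -Identity $searchName

# Poll until the search finishes; Items is the hit count across all located mailboxes
do {
    Start-Sleep -Seconds 10
    $search = Get-ComplianceSearch -Identity $searchName
} while ($search.Status -ne 'Completed')
Write-Host "Compliance search '$searchName' matched $($search.Items) item(s)."

if ($search.Items -gt 0) {
    New-ComplianceSearchAction -SearchName $searchName -Purge -PurgeType SoftDelete -Confirm:$false | Out-Null
    Write-Host "Purge action submitted; check Get-ComplianceSearchAction for completion."
}
```

Two caveats worth knowing before running it: a purge action removes at most 10 matching items per mailbox per run, so a mailbox that received the message many times needs repeated actions, and the subject filter is a literal match, so a campaign that varies the subject line is better scoped by the sender address alone and then reviewed before purging.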

The BEC response (AD6.4) — the 10-step procedure that extends AD6.2 with financial fraud prevention. Notify the finance team within 30 minutes (verify all payment changes by phone). Identify forwarded emails to determine what the attacker knows. Notify affected vendors by phone (not email — the attacker may be intercepting email). Check sent items for fraud emails sent from the compromised mailbox. Contact legal and law enforcement if money was transferred.

You built the supporting procedures that make the technical response complete: evidence preservation (AD6.5) — the 5-minute pre-containment capture that exports sign-in logs, inbox rules, and MFA methods before containment actions modify or destroy them. Managed SOC coordination (AD6.6) — the handoff protocol, shared incident references, and responsibility split that makes external support effective rather than duplicative. After-hours decisions (AD6.7) — the matrix that determines whether to respond immediately, escalate to the SOC, or triage in the morning based on whether the attacker has active access. Automatic attack disruption (AD6.8) — understanding when Microsoft's automated containment fires, what it handles, and what you still need to do after it acts.
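The evidence-first ordering that the AD6.5 and AD6.2 summaries describe, as one added PowerShell script that is not the course's own checklist commands: it exports sign-ins, inbox rules, forwarding, delegates, MFA methods and OAuth consents first, and only then runs the containment steps. It assumes the Microsoft.Graph and ExchangeOnlineManagement modules, an Entra ID P1 licence for the sign-in log API, an operator with the roles those cmdlets require, and uses placeholder values for the account and the evidence folder.

```powershell
# Added example for the AD6.5 evidence capture followed by AD6.2 containment. Not the course's
# own scripts. Assumes Microsoft.Graph and ExchangeOnlineManagement are installed and the
# operator holds the Security Administrator and Exchange roles these cmdlets need.
param(
    [Parameter(Mandatory)] [string] $Upn,                              # compromised account (placeholder)
    [string] $OutDir = "C:\IR\$(Get-Date -Format 'yyyyMMdd-HHmm')"     # evidence folder (assumed path)
)

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
Connect-MgGraph -NoWelcome -Scopes 'AuditLog.Read.All','Directory.Read.All','User.ReadWrite.All','UserAuthenticationMethod.Read.All'
Connect-ExchangeOnline -ShowBanner:$false

# ---- AD6.5: preserve evidence BEFORE any containment action. Revoking sessions and resetting the
#      password add noise to the sign-in log, and deleting rules destroys the attacker's persistence artefacts.
$since = (Get-Date).AddDays(-7).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
Get-MgAuditLogSignIn -All -Filter "userPrincipalName eq '$Upn' and createdDateTime ge $since" |
    Select-Object CreatedDateTime, IpAddress, AppDisplayName, ClientAppUsed,
        @{n='Country';   e={ $_.Location.CountryOrRegion }},
        @{n='ErrorCode'; e={ $_.Status.ErrorCode }} |
    Export-Csv -Path (Join-Path $OutDir 'signins.csv') -NoTypeInformation

$rules = Get-InboxRule -Mailbox $Upn
$rules | Select-Object Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo, DeleteMessage, MoveToFolder, Description |
    Export-Csv -Path (Join-Path $OutDir 'inboxrules.csv') -NoTypeInformation
Get-Mailbox -Identity $Upn | Select-Object ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward |
    Export-Csv -Path (Join-Path $OutDir 'forwarding.csv') -NoTypeInformation
Get-MailboxPermission -Identity $Upn | Where-Object { $_.User -notlike 'NT AUTHORITY\*' } |
    Export-Csv -Path (Join-Path $OutDir 'delegates.csv') -NoTypeInformation
Get-MgUserAuthenticationMethod -UserId $Upn |
    Select-Object Id, @{n='Type';   e={ $_.AdditionalProperties['@odata.type'] }},
                      @{n='Detail'; e={ $_.AdditionalProperties | ConvertTo-Json -Compress }} |
    Export-Csv -Path (Join-Path $OutDir 'mfa-methods.csv') -NoTypeInformation
Get-MgUserOauth2PermissionGrant -UserId $Upn -All |
    Select-Object Id, ClientId, ResourceId, ConsentType, Scope |
    Export-Csv -Path (Join-Path $OutDir 'oauth-grants.csv') -NoTypeInformation

# ---- AD6.2 step 1: revoke sessions. Invalidates refresh tokens; already-issued access tokens live until they expire.
Revoke-MgUserSignInSession -UserId $Upn | Out-Null

# ---- step 2: reset the password to a random value and force a change at next sign-in.
$bytes = New-Object byte[] 24
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$tempPassword = [Convert]::ToBase64String($bytes)
Update-MgUser -UserId $Upn -PasswordProfile @{ Password = $tempPassword; ForceChangePasswordNextSignIn = $true }

# ---- step 3: review MFA methods. Removal is a per-method-type cmdlet, so the export is handed to the operator
#      to compare against what the user recognises rather than removed blindly here.
Write-Host "Review $OutDir\mfa-methods.csv and remove any method the user did not register."

# ---- step 4: remove persistence. Rules are disabled rather than deleted so the evidence survives;
#      mailbox-level forwarding is cleared outright.
$suspicious = $rules | Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or $_.DeleteMessage -or $_.MoveToFolder }
foreach ($rule in $suspicious) {
    Disable-InboxRule -Mailbox $Upn -Identity $rule.Identity -Confirm:$false
    Write-Host "Disabled inbox rule: $($rule.Name)"
}
Set-Mailbox -Identity $Upn -ForwardingAddress $null -ForwardingSmtpAddress $null -DeliverToMailboxAndForward $false

# ---- step 5: report. Start the timeline the AD6.9 incident report is built from.
@"
Incident: credential compromise - $Upn
Evidence captured at $(Get-Date -Format o) into $OutDir
Sessions revoked; password reset (temporary password given to the user out of band)
Inbox rules disabled: $(($suspicious | ForEach-Object Name) -join ', ')
OAuth grants and delegates exported for review
"@ | Set-Content -Path (Join-Path $OutDir 'timeline.txt')
```

The OAuth consents and delegates are exported but deliberately not removed by the script: a grant the attacker added looks identical to one the user legitimately consented to, so the operator compares the export against what the user recognises before removing anything, which keeps the 15-minute containment window from turning into an outage for a legitimately delegated mailbox.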

You built the documentation and improvement processes: the 6-section incident report template (AD6.9) covering summary, timeline, impact, containment, GDPR assessment, and improvement recommendations. The post-incident review (AD6.10) — three questions that turn every incident into an improvement: how did we detect it, what could prevent it, what would we do differently.

What changed at NE

NE's security program is now complete across six domains: identity controls (AD1), email protection (AD2), device compliance (AD3), data protection (AD4), security monitoring (AD5), and incident response (AD6). The IT administrator has printed procedures for the three most common incidents, evidence preservation scripts ready to run, escalation contacts on the desk, and an incident report template that produces management-ready documentation in 15 minutes. The total time investment for the complete program: deployment across 12 weeks, maintenance at 30-45 minutes per week, and response procedures that execute in 15-20 minutes when needed.

What's next

Module AD7 covers security governance and program documentation — the policies, quarterly reports, program summary, audit readiness, and handover documentation that formalize the program. With technical controls (AD1-AD4), monitoring (AD5), response (AD6), and governance (AD7) in place, the program is complete, documented, auditable, and sustainable regardless of who operates it.


You're reading the free modules of M365 Security: From Admin to Defender
