1.3 Shift Handover Procedures

8-10 hours · Module 1 · Free


Introduction

A shift handover is the 15-minute bridge between two analysts. Done well, the incoming analyst knows every active investigation, every pending alert, and every environmental condition that affects monitoring. Done poorly (or not done at all), the incoming analyst starts cold — active investigations stall, pending escalations are forgotten, and the adversary gains hours of undetected dwell time during the transition gap.


The structured handover

Every shift handover follows a standard template. The outgoing analyst prepares the handover 15 minutes before shift end. The incoming analyst reviews it at shift start.

Handover template:

SHIFT HANDOVER
==================================
Outgoing: [Name] | Shift: [time range]
Incoming: [Name] | Shift: [time range]
Date:     [date]

1. ACTIVE INCIDENTS
[For each active incident:]
- INC-ID: [ID]
  Status: [Triage / Investigation / Containment / Monitoring]
  Summary: [1-2 sentences: what happened, current state]
  Next action: [What needs to happen next]
  Urgency: [Immediate / Next 2 hours / Next shift]

2. PENDING ALERTS (not yet triaged)
- Count: [number of alerts in queue]
- Notable: [Any high-severity or unusual alerts flagged]

3. ENVIRONMENTAL CONDITIONS
- [Anything affecting monitoring: planned maintenance, 
   known outages, VPN migration, new deployment, 
   connector issues, unusual traffic patterns]

4. ACTIONS COMPLETED THIS SHIFT
- [Significant actions: rules deployed, incidents closed,
   escalations made, containment actions taken]

5. HANDOVER NOTES
- [Anything the incoming analyst should know that does 
   not fit the above categories]
==================================

The 15-minute handover meeting (for in-person or virtual teams):

  1. Minutes 0–5: Outgoing analyst walks through active incidents. For each: what is happening, what has been done, what needs to happen next.
  2. Minutes 5–10: Queue status. How many alerts are pending? Any that look high-priority but have not been triaged?
  3. Minutes 10–15: Environmental conditions, completed actions, and anything unusual. Questions from the incoming analyst.

For teams without overlapping shifts (the outgoing analyst leaves before the incoming analyst starts), the written handover template is the only handover mechanism. It must be self-contained — the incoming analyst cannot ask questions.


Active incident transfer

When an investigation is in progress at shift change, the transfer requires more than a template entry. The incoming analyst needs to pick up mid-investigation without losing context.

Transfer requirements for active incidents:

  1. Investigation log is current (Module S8, subsection 8.1) — the outgoing analyst’s real-time log should be up to date through their last action. The incoming analyst reads the log and knows exactly where the investigation stands.

  2. Next action is specific — not “continue investigating” but “Run the persistence check queries (playbook Step 2). The OAuth consent query has not been run yet. Start there.”

  3. Evidence collected so far is documented — the incoming analyst should not re-collect evidence the outgoing analyst already gathered.

  4. Pending approvals are noted — if containment is waiting for SOC manager approval, the incoming analyst needs to know and follow up.
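An added example, not part of the course material: a small checker that parses the ACTIVE INCIDENTS block of the plain-text template above and applies the mechanical parts of the transfer requirements (every template field present, urgency drawn from the template vocabulary, and a next action that is more than "continue investigating"). The sample handover and its vague second incident are constructed for the demonstration; whether the investigation log is actually current still has to be checked by a person.

```python
import re
FIELD = re.compile(r"^(Status|Summary|Next action|Urgency):\s*(.*)$")
VAGUE = re.compile(r"^(continue|keep|carry on|follow up)\b", re.I)  # "continue investigating" style
URGENCIES = ("immediate", "next 2 hours", "next shift")              # template vocabulary

def parse_incidents(text):
    """Extract ACTIVE INCIDENTS entries as dicts; stops at the next section, re-joins wrapped lines."""
    incidents, field, inside = [], None, False
    for line in (raw.strip() for raw in text.splitlines()):
        if re.match(r"^\d\.\s", line):            # numbered section header
            inside = line.startswith("1. ACTIVE INCIDENTS")
            continue
        if not inside or not line:
            continue
        m = FIELD.match(line)
        if line.startswith("- INC-"):              # new incident entry
            incidents.append({"id": line[2:]})
            field = None
        elif incidents and m:                      # labelled field
            field = m.group(1).lower()
            incidents[-1][field] = m.group(2)
        elif incidents and field:                  # wrapped continuation of the last field
            incidents[-1][field] += " " + line
    return incidents

def check_transfer(text):
    """Apply the transfer requirements to each active incident; an empty list means it passes."""
    findings = []
    for inc in parse_incidents(text):
        iid, nxt, urg = inc["id"], inc.get("next action", ""), inc.get("urgency", "")
        findings += [f"{iid}: missing {f}" for f in ("status", "summary", "next action", "urgency")
                     if not inc.get(f)]
        if nxt and (VAGUE.match(nxt) or len(nxt.split()) < 6):
            findings.append(f"{iid}: next action is not specific: '{nxt}'")
        if urg and not urg.lower().startswith(URGENCIES):
            findings.append(f"{iid}: urgency '{urg}' is not a template value")
    return findings

# Constructed sample (not from the course); the second incident deliberately breaks the rules.
SAMPLE = """1. ACTIVE INCIDENTS
- INC-2026-0315-001
  Status: Containment
  Summary: BEC via AiTM. Forwarding rules removed, tokens revoked. No financial loss.
  Next action: Run the MailItemsAccessed query for the compromise
  window (08:48-10:19Z); the query is in the investigation log.
  Urgency: Next 2 hours (CISO wants update by 19:00)
- INC-2026-0315-002
  Summary: Suspicious OAuth consent grant, under review.
  Next action: Continue investigating
2. PENDING ALERTS (not yet triaged)"""
```

Running `check_transfer(SAMPLE)` reports nothing for the first incident and three findings for the second (missing status, missing urgency, non-specific next action).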

The handover gap is an adversary's friend

The period between shifts — especially if there is no overlap — is the most vulnerable time for a SOC. An adversary who compromises an account at 16:55 (5 minutes before shift end) may find that the outgoing analyst does not investigate (they are preparing to leave) and the incoming analyst does not see it until they finish the handover (17:30 if the shift ends at 17:00 and there is a 30-minute gap before the incoming analyst is actively monitoring). The result: 35 minutes of unmonitored access. Structured handovers with explicit queue handoff minimize this gap but cannot eliminate it entirely. For critical environments, consider 30 minutes of shift overlap.


Handover for managed/hybrid SOCs

If your overnight monitoring is handled by an MDR provider, the handover happens between the provider and your internal team at the start and end of business hours.

Morning handover (MDR → internal team):

The provider should deliver a morning summary covering:

  • Incidents detected and actioned overnight (with status and actions taken)
  • Alerts triaged and closed overnight (summary, not detail)
  • Alerts escalated to the internal team for daytime investigation
  • Any environmental issues observed (connector failures, unusual alert volumes)

Evening handover (internal team → MDR):

Your team should provide:

  • Active incidents in progress (with investigation log access)
  • Pending alerts that were not completed during the day
  • Known environmental conditions (planned changes, expected anomalies)
  • Any specific monitoring instructions (“User X is traveling to [country] this week — sign-ins from that location are expected”)

The quality of the evening handover directly determines the MDR provider’s overnight effectiveness. A provider who does not know that your CEO is traveling will escalate every sign-in from the CEO’s travel location — wasting their time and yours.

Try it yourself

Write a shift handover using the template for the following scenario:

It is 17:00 and your shift is ending. During your shift: (1) You investigated and contained a BEC incident (INC-2026-0315-001) — the compromised account is secured but you have not yet completed the data exposure assessment. (2) There are 7 pending alerts in the queue, 2 of which are medium severity. (3) The IT team is migrating the corporate VPN egress IPs tonight between 22:00 and 02:00 — this will generate impossible travel false positives. (4) You deployed a new detection rule (DET-SOC-015) during your shift that is in its first day of tuning.

Example handover:
SHIFT HANDOVER
==================================
Outgoing: A. Smith | Shift: 09:00-17:00
Incoming: B. Jones | Shift: 17:00-01:00
Date: 2026-03-15

1. ACTIVE INCIDENTS
- INC-2026-0315-001
  Status: Contained, investigation ongoing
  Summary: BEC via AiTM. Finance user compromised, 
  forwarding rules removed, tokens revoked, password 
  reset. No financial loss.
  Next action: Complete data exposure assessment — 
  run MailItemsAccessed query for the compromise 
  window (08:48-10:19Z). Query is in the 
  investigation log. Then write executive summary.
  Urgency: Next 2 hours (CISO wants update by 19:00)

2. PENDING ALERTS
- Count: 7 (2 medium, 5 low)
- Notable: The 2 medium alerts are both DET-SOC-001 
  (anomalous sign-in) for different users. May be 
  related to VPN migration prep.

3. ENVIRONMENTAL CONDITIONS
- VPN MIGRATION: IT migrating egress IPs between 
  22:00-02:00 tonight. Expect DET-SOC-003 
  (impossible travel) false positives during this 
  window. Do NOT disable the rule — triage and 
  close with note "VPN migration FP."
- NEW RULE: DET-SOC-015 deployed at 14:00 today. 
  First tuning day. Review every alert from this 
  rule — classify as TP/FP and log patterns.

4. ACTIONS COMPLETED
- INC-2026-0315-001 containment (10:17-10:25Z)
- DET-SOC-015 deployed to production
- 12 alerts triaged and closed (all low severity)

5. HANDOVER NOTES
- CISO expecting INC-2026-0315-001 executive 
  summary by 19:00. Draft is in the incident 
  record — needs data exposure section completed.
==================================

Check your understanding

1. An analyst arrives for the morning shift and finds no handover document from the overnight MDR provider. The alert queue shows 15 alerts that were generated overnight. What is the operational impact and what should the analyst do first?

Answer: The analyst has no context for the overnight period — they do not know which alerts the MDR triaged, which were escalated, and which are new since the provider's last action. The 15 alerts may include a mix of provider-actioned (already investigated), provider-escalated (needs internal investigation), and new (generated after the provider's shift ended). The analyst should: (1) Contact the MDR provider for an immediate verbal handover — what did they work on overnight? (2) While waiting, sort the 15 alerts by severity and timestamp. (3) Check each alert's incident history for provider comments or actions. (4) Raise the missing handover as a service quality issue with the MDR account manager — structured handovers should be a contractual deliverable.

Incorrect options:

  • Triage all 15 alerts from scratch — assume the provider did nothing
  • 15 alerts is a normal overnight volume — begin standard triage
