1.9 Incident Classification Framework

8-10 hours · Module 1 · Free

Operational Objective

Every SOC needs a shared language for severity. When the on-call analyst says "Severity 2," the SOC lead, the IR team, the CISO, and the managed SOC partner must all understand the same thing — the scope, the urgency, the escalation path, and the expected response time. Without a documented classification framework, severity is subjective: one analyst's Severity 2 is another's Severity 3, and the response is inconsistent.

Deliverable: A 4-tier incident classification framework with defined criteria, escalation paths, and response time targets per tier.

Estimated completion: 40 minutes

Figure 1.9 — Severity classification from triage data through escalation.

The 4-tier classification model

The classification framework maps every incident to one of 4 severity levels based on 3 dimensions: scope (how many users, systems, or data assets are affected), impact (what business function is impaired or what data is at risk), and attacker state (is the attacker active, dormant, or contained).

Severity 1 — Critical. Scope: multiple systems or accounts compromised, OR infrastructure compromise (Entra Connect, domain controllers, federation servers). Impact: confirmed data breach with regulatory notification obligation, OR business-critical systems offline, OR active ransomware encryption. Attacker state: active and expanding. Response: IR team activated within 15 minutes. CISO notified within 30 minutes. External retainer engaged if needed. All containment pre-authorised per the authority matrix.

Severity 2 — High. Scope: single account compromised with evidence of post-compromise activity (persistence established, data accessed, or lateral movement attempted). Impact: sensitive data accessed but not confirmed exfiltrated, OR single business system at risk. Attacker state: active but contained to a limited scope. Response: SOC lead engaged within 15 minutes. Evidence collection initiated immediately. Containment actions (session revocation, endpoint isolation) executed per the authority matrix without waiting for IR team.

Severity 3 — Medium. Scope: single account with sign-in anomaly but no confirmed post-compromise activity. Impact: no confirmed data access, no business system impact. Attacker state: possible compromise, investigation needed. Response: SOC analyst investigates within 1 hour. Evidence collection for the affected account. No containment until investigation confirms compromise.

Severity 4 — Low. Scope: alert with no confirmed compromise indicator. Impact: none confirmed. Attacker state: no evidence of attacker presence. Response: SOC analyst triages within 4 hours. Close if false positive. Document if benign true positive.

Compliance Myth: "We classify by alert severity from the detection tool"

Defender XDR and Sentinel assign alert severity based on the detection rule configuration — not on the business context. A "High" alert from Defender for Endpoint about a suspicious process on a test workstation is not the same severity as a "High" alert about the same process on the CFO's laptop containing board materials. The SOC's classification framework overlays business context onto the tool's technical severity — the tool tells you WHAT happened, the framework tells you HOW MUCH IT MATTERS.

The classification framework is documented in the SOC charter, posted at the SOC desk, and included in every analyst’s onboarding. The managed SOC partner (BlueVoyant for NE) uses the same framework — incidents escalated from BlueVoyant arrive pre-classified using NE’s criteria, not BlueVoyant’s internal criteria. This alignment was negotiated during the MSSP onboarding and is reviewed annually.

Decision point

A SOC analyst receives an alert: a user’s account signed in from an IP in a country where NE has no employees or suppliers. The sign-in was successful and MFA was satisfied. No post-compromise activity is visible yet — no inbox rules, no file downloads, no admin operations. Is this Severity 2 (confirmed compromise) or Severity 3 (possible compromise)?

The answer depends on the MFA detail. If MFA was satisfied by interactive challenge (the user approved a push notification), this may be legitimate travel — classify as Severity 3 and investigate. If MFA was satisfied by claim in the token (the AiTM signature), this is confirmed compromise regardless of whether post-compromise activity is visible yet — classify as Severity 2 and initiate containment. The classification framework must include the MFA detail as a classification criterion, not just the geographic anomaly.

The framework also defines reclassification triggers. An incident starts at Severity 3 (possible compromise). The investigation confirms post-compromise activity (inbox rule created, emails accessed). The incident is reclassified to Severity 2. The investigation then discovers a second compromised account — reclassified to Severity 1 (multi-account compromise). Each reclassification triggers the escalation path for the new severity level. The analyst documents each reclassification with a timestamp and rationale in the incident timeline.

Try it: Classify these 4 scenarios

Scenario A: Defender for Endpoint detects Mimikatz execution on a domain controller. Classify and identify the escalation path.

Scenario B: Identity Protection flags an impossible travel alert — the user signed in from London and São Paulo within 30 minutes. MFA was satisfied by interactive push notification. No post-compromise activity visible.

Scenario C: A user reports receiving a phishing email. The email was delivered but the user claims they did not click the link. EmailUrlInfo shows no click event for this user.

Scenario D: The managed SOC partner (BlueVoyant) escalates an incident: 3 accounts in the finance department have AiTM-pattern sign-ins within a 2-hour window, all from the same residential proxy IP range.

Answers: A = Severity 1 (DC compromise with credential theft tool), B = Severity 3 (investigate — interactive MFA suggests possible legitimate travel), C = Severity 4 (no interaction with the phishing content), D = Severity 1 (multi-account compromise with coordinated attack pattern).

An incident is classified as Severity 3 at 14:00. By 15:30, the investigation confirms the account was compromised via AiTM and the attacker created an inbox rule forwarding financial emails. The SOC analyst updates the incident notes but does not reclassify the severity. What is the impact of this failure?

No impact — the investigation is already underway regardless of the classification.

The severity classification drives the escalation path and response time targets. At Severity 3, the SOC lead is not required to be engaged and containment is not initiated until compromise is confirmed. At Severity 2, the SOC lead should already be engaged and containment (session revocation, MFA method removal, inbox rule deletion) should be executing. The failure to reclassify means the incident is still being handled at the Severity 3 pace while the attacker continues operating with Severity 2 impact. Every minute of delayed reclassification is a minute of delayed containment.

The SOC lead will notice the updated notes and engage without a reclassification.

The managed SOC partner will flag the misclassification during their daily review.

NE’s classification in action: the March 2026 AiTM escalation

When Wave 5 of INC-2026-0227-001 hit at 09:17 on March 12, the initial alert classified as Severity 3 — a single suspicious sign-in for s.chen@northgateeng.com. Rachel opened the incident, checked the MfaDetail field, and saw “satisfied by claim” from a residential proxy IP. She reclassified to Severity 2 immediately — the MFA-by-claim pattern is a confirmed AiTM indicator per the classification framework, not a “possible” compromise requiring investigation.

Within 8 minutes, 4 more AiTM alerts fired for different users from the same proxy subnet. Rachel reclassified to Severity 1 — multi-account compromise with a coordinated attack pattern. The Severity 1 classification triggered the full escalation chain: CISO notified at 09:30, IR lead paged at 09:31, #soc-critical Teams channel updated with all 5 affected accounts, and BlueVoyant notified to monitor for additional alerts.

Without the classification framework, Rachel would have investigated the first alert as an isolated suspicious sign-in, potentially spending 30 minutes before recognising the campaign pattern. The framework’s explicit criteria — “MFA satisfied by claim from non-corporate IP = Severity 2, reclassify to Severity 1 if multiple accounts” — compressed the classification decision from 30 minutes to 8 minutes. The remaining 22 minutes were spent on containment (session revocation for all 5 accounts) rather than on deciding whether the situation was serious.

The classification framework is reviewed after every Severity 1 incident. The INC-2026-0227-001 PIR added a new criterion: “3 or more AiTM alerts from the same IP subnet within 30 minutes = automatic Severity 1 classification, regardless of whether post-compromise activity is confirmed.” This criterion now feeds the Sentinel automation rule that auto-escalates campaign patterns without waiting for manual reclassification.

The framework’s value is not the document itself — it is the decision speed it enables. An analyst with a framework makes the classification decision in seconds. An analyst without one makes the decision in minutes (while reading the situation) or not at all (triaging each alert independently without recognising the campaign pattern).

Expand for Deeper Context

The classification framework is not just an internal SOC document — it is a shared language across the incident response ecosystem. When NE escalates to the external IR retainer, the retainer’s team uses NE’s severity classification to prioritise their response. When BlueVoyant triages an overnight alert, they classify using NE’s criteria, not their own internal framework. When the CISO reports to the board, “we had 3 Severity 2 incidents this quarter,” the board understands the meaning because the classification framework was presented during the SOC programme briefing. The framework’s value scales with adoption: the more teams that use the same classification language, the less time is spent on miscommunication during incident response.

The framework also connects to regulatory reporting. A Severity 1 incident with confirmed personal data exposure triggers the GDPR 72-hour notification clock. A Severity 1 incident affecting NE’s defence supply chain operations triggers the NIS2 24-hour early warning. The classification framework maps each severity level to the regulatory obligations it may trigger — so the analyst who classifies the incident simultaneously identifies the regulatory reporting requirements. This mapping was added after INC-2026-0315-002, where the GDPR notification was delayed by 8 hours because the initial Severity 3 classification did not trigger the legal team’s regulatory assessment workflow.

Reclassification triggers: when severity changes mid-investigation

The classification framework defines 5 reclassification triggers that force an immediate severity change:

Trigger 1: Multi-account compromise confirmed. Any investigation that discovers a second compromised account reclassifies to Severity 1 regardless of the original severity. The rationale: multi-account compromise indicates a campaign, not an isolated incident — the attacker’s scope and capability are higher than a single-account compromise.

Trigger 2: Data exfiltration confirmed. Any investigation that confirms data was exfiltrated (not just accessed) reclassifies to Severity 1 if the data includes personal data (GDPR trigger), financial data, or classified engineering IP. The regulatory clock starts at confirmation of exfiltration, not at incident detection.

Trigger 3: Infrastructure compromise indicators. Any investigation that identifies Entra Connect abuse, federation changes, PTA agent anomalies, or domain controller compromise reclassifies to Severity 1. Infrastructure compromise is the highest-severity category in the MDDR taxonomy — it enables persistent, undetectable access.

Trigger 4: Attacker breaks containment. Any incident where the attacker establishes new access after containment was executed (new sign-in from a different account, new C2 channel, persistence mechanism firing) reclassifies to Severity 1 if not already at that level. Containment breakout indicates the attacker has capabilities or access paths that the initial containment did not address.

Trigger 5: Regulatory trigger identified. Any investigation that identifies personal data access (GDPR 72-hour clock), essential service impact (NIS2 24-hour early warning), or payment card data exposure (PCI DSS) reclassifies to at minimum Severity 2, regardless of technical severity. The regulatory reporting obligation creates an urgency independent of the technical impact.

Each reclassification is logged in the Sentinel incident timeline with a timestamp, the trigger that caused the reclassification, and the analyst who made the decision. The log ensures accountability and provides the audit trail for post-incident review.

The classification framework is tested during every tabletop exercise. The exercise facilitator presents a scenario and each analyst independently classifies the severity. If the classifications diverge (one analyst says Severity 2, another says Severity 3), the facilitator leads a discussion to identify which criterion was interpreted differently — and the framework is updated to resolve the ambiguity. After 4 exercises, NE’s analysts now achieve consistent classification on 95% of scenarios — up from 72% when the framework was first deployed. The remaining 5% of divergence occurs at the Severity 2/3 boundary for cases where post-compromise activity is ambiguous — the framework was updated to add the MFA-by-claim criterion specifically to resolve this boundary case.

The framework is a living document — updated after every Severity 1 incident based on the PIR findings. The February 2026 version had 3 pages. The April 2026 version (after the AiTM campaign and BEC incident) has 5 pages — the additional content includes the MFA-by-claim classification criterion, the multi-account campaign escalation trigger, and the BEC financial containment parallel track. Each update is versioned and the change history is maintained at the bottom of the document.

The framework integrates with the Sentinel automation programme: automation rules reference the classification criteria to adjust incident severity automatically. An AiTM alert with MFA-by-claim from a non-corporate IP is auto-classified to Severity 2 by the automation rule — the analyst validates the classification rather than making it from scratch. This automation-assisted classification reduces human error and ensures consistent severity assignment across all analysts and shifts, including overnight BlueVoyant triage.

The classification is not a bureaucratic exercise — it is the single decision that determines the speed and resources of the response. A Severity 3 that should have been Severity 1 delays containment by hours. A Severity 1 that should have been Severity 3 wastes senior analyst and IR team time on a routine alert. The framework makes this decision fast, consistent, and defensible.

You're reading the free modules of SOC Operations

The full course continues with advanced topics, production detection rules, worked investigation scenarios, and deployable artifacts. Premium subscribers get access to all courses.

View Pricing See Full Syllabus

← Previous Next →