
Incident Response: 12 Steps to Take in the First 60 Minutes

The alarm has arrived — no panic. A fixed sequence of containment, evidence collection and communication.

Kerem M.

When a critical alarm arrives, the decisions made in the first hour determine the extent of the damage. This playbook is written for SIEM-focused SOC teams.

  1. Verify the alarm — is it a false positive? Open the relevant log lines.
  2. Open an incident — a single ticket; link all associated alarms to it.
  3. List the affected assets — IP addresses, users, hosts.
  4. Contain — firewall deny, account disabled (with approval).
  5. Lock the logs — do not let retention delete them; collect a forensic bundle.
  6. Timeline — populate the SIEM timeline view.
  7. Contact — inform management and legal.
  8. Root-cause hypothesis — do not share it until it is proven.
  9. Tag MITRE ATT&CK — T1110, T1190 etc. for reporting.
  10. Improve — update the rule, close the detection gap.
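Steps 2, 3, 6 and 9 are mechanical enough to script. The example below is an added illustration, not OxiSec's code: it groups constructed SIEM alerts from the same source IP into one incident when they fall within an hour of each other, lists the affected assets, builds an ordered timeline and tags the ATT&CK techniques named above. The alert field names and the rule-to-technique mapping are assumptions for this example.

```python
"""Correlate SIEM alerts into incidents for the first-hour playbook.

Covers step 2 (single incident for associated alarms), step 3 (affected
assets), step 6 (timeline) and step 9 (MITRE ATT&CK tags).
"""
from datetime import datetime, timedelta

# Constructed sample alerts; the field names are an assumption about what a SIEM exports.
SAMPLE_ALERTS = [
    {"id": "A-101", "ts": "2024-05-01T09:02:11Z", "rule": "ssh_bruteforce",
     "src_ip": "203.0.113.7", "host": "web01", "user": "root"},
    {"id": "A-102", "ts": "2024-05-01T09:04:45Z", "rule": "ssh_bruteforce",
     "src_ip": "203.0.113.7", "host": "web01", "user": "admin"},
    {"id": "A-103", "ts": "2024-05-01T09:20:03Z", "rule": "webshell_upload",
     "src_ip": "203.0.113.7", "host": "web01", "user": "www-data"},
    {"id": "A-104", "ts": "2024-05-01T13:45:00Z", "rule": "ssh_bruteforce",
     "src_ip": "198.51.100.9", "host": "vpn01", "user": "jdoe"},
]

# Assumed mapping from detection rule to ATT&CK technique ID (T1110 = Brute Force,
# T1190 = Exploit Public-Facing Application, both named in the playbook).
RULE_TO_TECHNIQUE = {
    "ssh_bruteforce": "T1110",
    "webshell_upload": "T1190",
}

# Alerts from the same source IP closer together than this belong to one incident.
WINDOW = timedelta(hours=1)


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def summarize(alerts):
    """Steps 3, 6, 9: affected assets, ordered timeline and ATT&CK tags for one incident."""
    return {
        "assets": {
            "ips": sorted({a["src_ip"] for a in alerts}),
            "hosts": sorted({a["host"] for a in alerts}),
            "users": sorted({a["user"] for a in alerts}),
        },
        "timeline": [(a["ts"], a["rule"], a["id"]) for a in alerts],
        "techniques": sorted({RULE_TO_TECHNIQUE.get(a["rule"], "unmapped") for a in alerts}),
    }


def group_incidents(alerts, window=WINDOW):
    """Step 2: one incident per burst of activity from a source IP.

    A new alert joins the open incident for its source IP if it arrives within
    `window` of that incident's most recent alert; otherwise it opens a new one.
    """
    incidents = []
    open_by_ip = {}  # src_ip -> index of the currently open incident
    for alert in sorted(alerts, key=lambda a: parse_ts(a["ts"])):
        ip = alert["src_ip"]
        idx = open_by_ip.get(ip)
        if idx is not None:
            last_ts = parse_ts(incidents[idx]["alerts"][-1]["ts"])
            if parse_ts(alert["ts"]) - last_ts <= window:
                incidents[idx]["alerts"].append(alert)
                continue
        incidents.append({"alerts": [alert]})
        open_by_ip[ip] = len(incidents) - 1
    for inc in incidents:
        inc.update(summarize(inc["alerts"]))
    return incidents


if __name__ == "__main__":
    for n, inc in enumerate(group_incidents(SAMPLE_ALERTS), start=1):
        print(f"Incident {n}: techniques={inc['techniques']} assets={inc['assets']}")
        for ts, rule, alert_id in inc["timeline"]:
            print(f"  {ts}  {rule:<16} {alert_id}")
```

With the sample data this yields two incidents: the three `203.0.113.7` alerts against `web01` (tagged T1110 and T1190, three users involved) and a separate one for `198.51.100.9`, because it comes from a different source. The window size is the knob an analyst tunes to decide what "associated" means for step 2.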

The OxiSec incident builder automatically groups associated alarms, and its AI provides a "what happened / what to do" summary.
