SCENARIO 07 Incident Response NIST IR SOC 2

Identity Risk Response Playbook

No standardized runbook existed for responding to Entra Identity Protection alerts. A full 5-phase IR playbook was built — detection through post-incident documentation — backed by Graph API automation to reduce manual triage from 20–40 minutes to under 5 minutes. Mapped to NIST SP 800-61 and SOC 2 CC7.2/CC7.3.

Entra Identity Protection Graph API NIST IR SOC 2 CC7.2/CC7.3 PowerShell Incident Response

Business Problem

IDSentinel Solutions' Security Operations team had no standardized process for responding to identity-based alerts surfaced by Entra Identity Protection. When risky sign-in events fired, analysts were triaging them manually through the Entra portal — no documented runbook, no consistent remediation steps, and no audit trail proving the event was investigated and closed.

A P1 incident involving a compromised contractor account exposed the gap: the analyst who responded documented nothing, the remediation actions were inconsistent with what policy required, and the post-incident review had no evidence to work from.

Risk

  • No documented runbook means inconsistent response quality depending on who is on-call
  • Manual triage through the Entra portal adds 20–40 minutes to MTTR per incident
  • No RCA template means repeat incidents cannot be tracked or trended
  • Missing audit trail fails SOC 2 CC7.2 (incident response) and CC7.3 (incident documentation) controls
  • Risky sign-in events left unactioned allow attackers to maintain persistence

Playbook Scope — 5 Phases

PhaseNIST SP 800-61 EquivalentActions
DetectionDetectIdentity Protection alert fires on anonymized IP
InvestigationAnalyzeGraph API pulls risk detail, detections, sign-in logs
ContainmentContainAccount disabled, all sessions revoked
RemediationEradicatePassword reset, account re-enabled, risk dismissed
Post-IncidentRecover + DocumentRCA completed, SOC 2 evidence packaged

Solution Design

The playbook uses the existing OAuth2 app registration from Scenario 06 — no new app registration required. Additional permissions added: IdentityRiskyUser.ReadWrite.All and IdentityRiskEvent.Read.All.

All investigation and containment steps are performed programmatically via Graph API rather than manual portal triage — producing a documented, reproducible evidence trail that satisfies SOC 2 audit requirements.

// diagrams/risk-response-flow.png — NIST-mapped identity risk response flow expand
NIST-mapped identity risk response flow

Implementation

  • 01

    Simulate Risky Sign-In and Confirm Detection

    Tor Browser used to authenticate as test user wking@IDSentinelSolutions.com through a Tor exit node. Entra Identity Protection classified this as an anonymizedIPAddress risk event and flagged the user as at-risk.

    // 01a-tor-signin expand
    Tor Browser sign-in via exit node
    // 01b-tor-signin expand
    Tor Browser sign-in confirmation
    // 02-identity-protection-alert expand
    Identity Protection alert — anonymized IP risk detected
  • 02

    Update App Registration Permissions

    Existing app registration updated with additional permissions required for risk investigation and dismissal. No new service principal required.

    // 03-api-permissions expand
    App registration updated with risk investigation permissions
  • 03

    Investigate via Graph API

    All three investigation queries run programmatically via Postman:

    Query 1 — Risky User Detail
    GET /v1.0/identityProtection/riskyUsers
  ?$filter=userDisplayName eq 'wking'
  &$select=id,riskLevel,riskState,riskLastUpdatedDateTime
    Query 2 — Risk Detection Events
    GET /v1.0/identityProtection/riskDetections
  ?$filter=userDisplayName eq 'wking'
  &$select=riskEventType,riskLevel,detectedDateTime,ipAddress,location
    Query 3 — Sign-In Log Correlation
    GET /v1.0/auditLogs/signIns
  ?$filter=userPrincipalName eq 'wking@IDSentinelSolutions.com'
           and createdDateTime ge 2026-05-13T00:00:00Z
    // 04-risky-user-query expand
    Postman — risky user detail response
    // 05-risk-detection-query expand
    Postman — risk detection events response
    // 06-signin-log-query expand
    Postman — sign-in log correlation response
  • 04

    Containment — Account Disable + Session Revocation

    PowerShell — Disable Account
    # Disable account
$body = @{ accountEnabled = $false } | ConvertTo-Json
Invoke-MgGraphRequest -Method PATCH `
  -Uri "https://graph.microsoft.com/v1.0/users/$userId" `
  -Body $body

# Revoke all active sessions
Invoke-MgGraphRequest -Method POST `
  -Uri "https://graph.microsoft.com/v1.0/users/$userId/revokeSignInSessions"
    // 07-containment-output expand
    Account disabled and sessions revoked
  • 05

    Remediation — Password Reset + Risk Dismissal

    Password reset performed via Active Directory on-premises — wking is a directory-synced user. Passwords are mastered on-prem; Entra reflects the change after the next sync cycle. Account re-enabled and risk state dismissed via Graph API POST to /identityProtection/riskyUsers/dismiss. Risk state confirmed dismissed.

    // 08-risk-state-atrisk expand
    Risk state confirmed atRisk before remediation
    // 09-password-reset expand
    Password reset performed in Active Directory
    // 10-account-reenabled expand
    Account re-enabled via Graph API
    // 11-risk-dismissed expand
    Risk state dismissed via Graph API
    // 12-risk-state-remediated expand
    Risk state confirmed dismissed — incident closed
  • 06

    Post-Incident Documentation + RCA

    Root cause identified: CA risk policy was scoped to High risk only — Medium risk sign-ins were logged but not challenged. CA policy updated to challenge Medium risk with MFA step-up. RCA filed as SOC 2 CC7.2/CC7.3 evidence. Playbook added to SOC runbook library as INC-TYPE-001.

    // 13-rca-document expand
    RCA filed as SOC 2 CC7.2/CC7.3 evidence
    // 14-evidence-package expand
    Evidence package — INC-2026-007

Outcome

End-to-end Identity Risk Response Playbook built and documented across 5 NIST-mapped phases
Graph API automation replaces manual portal triage — containment in under 5 minutes following runbook
Hybrid identity behavior correctly handled — on-prem password sync documented in runbook
Risk state confirmed dismissed via Graph API following all remediation steps
CA policy gap identified — Medium risk sign-ins now challenge with MFA step-up
RCA filed as SOC 2 CC7.2/CC7.3 evidence — complete audit trail from detection to closure

Incident Summary

FieldValue
Incident IDINC-2026-007
SeverityP2 — Medium Risk
Affected Userwking@IDSentinelSolutions.com
Detection SourceEntra Identity Protection
Risk Event TypeanonymizedIPAddress (Tor exit node)
Detection Time2026-05-13 UTC
SOC 2 ControlsCC7.2, CC7.3
Root CauseCA risk policy scoped to High risk only — Medium risk sign-ins not challenged
Corrective ActionCA policy updated to challenge Medium risk with MFA step-up

Files