# Incident Response

CybrHawk provides a **24/7 Incident Response (IR) service** that guarantees the availability of qualified Digital Forensics and Incident Response (DFIR) personnel.

The service covers:

* **Containment actions** such as isolating affected endpoints or accounts.
* **Forensic investigation** to determine the nature and scope of the incident.
* **Remediation support** to restore affected systems and services.

The DFIR team works in coordination with the SOC to ensure incidents are logged, classified, and managed consistently. Detailed evidence is collected to support both technical resolution and post-incident review.

This approach is designed to:

* Minimise disruption.
* Reduce the likelihood of recurrence.
* Ensure a complete record of the incident and response is maintained.

***

## Engaging the 24/7 Incident Response Team

For urgent incidents, the Customer must **immediately call the 24/7 SOC hotline**.\
This ensures direct escalation to on-duty analysts and immediate triage.

* Customers will receive a response **within 30 minutes** of CybrHawk confirming that the activity constitutes a high-severity security incident.
* A “security incident” is an incident ticket comprising an event or group of events that the SOC has rated **high severity**.
* Incident tickets created automatically by correlation technology, and events rated **low severity**, are not escalated; they remain visible in the platform for reporting.

***

## Communication During an Incident

During a **major incident**, customers should avoid using their standard corporate ICT systems (e-mail, chat and collaboration platforms) for incident communications: if the attacker still has access to those systems they can read the response plan, and the systems themselves may be under forensic investigation. CybrHawk will provide **out-of-band communication channels** to ensure uninterrupted collaboration with our security engineers and responders.

***

## Services Provided During a Critical Security Incident

| Service                     | Description                                                              |
| --------------------------- | ------------------------------------------------------------------------ |
| Service Management          | A dedicated **Incident Coordinator** is assigned to manage the response. |
| 24/7 Incident Response Line | Customers can contact our IR team at a dedicated hotline.                |
| Live Videoconference        | A **Conference bridge** is opened for continuous incident collaboration. |
| Secure IM Channel           | Set up by the SOC team if additional communication is required.          |

***

## Sample Incident Response Scenario

The following example illustrates a typical sequence of activities during a high-severity incident. Actual timelines may vary depending on severity and complexity, but SLA commitments are noted where applicable.

| #  | Step                              | Actions                                                                                                                    | Timeframe                                                              |
| -- | --------------------------------- | -------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------- |
| 1  | Preparation                       | Escalation contacts documented, isolation actions pre-approved, Customer has reviewed the Operations Manual.                 | Prior to incident                                                      |
| 2  | Signal Analysis                   | Security events are recorded in the platform. Alert detected and correlated.                                                | T (time of detection)                                                  |
| 3  | Detection & Analysis              | SOC triages the alert. Initial analyst review conducted.                                                                    | Within 15 minutes for high-severity incidents (SLA); typically faster. |
| 4  | Incident Declaration & Escalation | Activity classified as an incident. Initial email escalation sent to the Customer.                                          | Within 5 minutes                                                       |
| 5  | Containment                       | SOC executes containment (e.g., disabling the compromised Microsoft 365 account) where the Customer pre-approved the action in step 1. | As applicable                                                          |
| 6  | Phone Escalation                  | Direct phone call to Customer contacts per the Escalation Contact Order.                                                    | Within 5 minutes                                                       |
| 7  | Response Coordination             | Incident Coordinator appointed. Live conference bridge established.                                                         | Within 5 minutes                                                       |
| 8  | Response Plan                     | Situational response plan developed.                                                                                        | Within 4 hours (SLA); typically 30–60 minutes.                         |
| 9  | Eradication & Recovery            | Investigation continues. Updates provided. Recovery actions carried out.                                                    | Ongoing until resolution                                               |
| 10 | Post-Incident Activities          | Delivery of the post-incident report. Post-incident review scheduled.                                                       | After recovery                                                         |
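The containment action cited in step 5, written out as an added example that is not CybrHawk's tooling or the platform's automation: a PowerShell script using the Microsoft Graph PowerShell SDK that disables the account, revokes its refresh tokens, verifies the change actually took effect, and appends every action to a timestamped evidence log so the response record described above is complete. The parameter names, the log file path and the script name are assumptions for illustration; the signed-in operator is assumed to hold a directory role (such as User Administrator) that permits disabling accounts.

```powershell
# Added example: contain a compromised Microsoft 365 account and record the action.
# Illustrative code, not CybrHawk's tooling. Requires the Microsoft.Graph PowerShell
# SDK (Microsoft.Graph.Users, Microsoft.Graph.Users.Actions).
# $UserPrincipalName, $IncidentId and $EvidenceLog are hypothetical inputs.
param(
    [Parameter(Mandatory)] [string] $UserPrincipalName,
    [Parameter(Mandatory)] [string] $IncidentId,
    [string] $EvidenceLog = ".\containment-$IncidentId.log"
)

Import-Module Microsoft.Graph.Users
Import-Module Microsoft.Graph.Users.Actions

function Write-Evidence {
    param([string] $Message)
    # UTC timestamps so the entries line up with SIEM and SOC timelines.
    $stamp = (Get-Date).ToUniversalTime().ToString("yyyy-MM-dd'T'HH:mm:ss'Z'")
    $line = "$stamp $IncidentId $Message"
    Add-Content -Path $EvidenceLog -Value $line
    Write-Host $line
}

# Least privilege: request only the scopes the containment calls need.
Connect-MgGraph -Scopes "User.Read.All", "User.EnableDisableAccount.All", "User.RevokeSessions.All" -NoWelcome

$user = Get-MgUser -UserId $UserPrincipalName -Property Id, UserPrincipalName, AccountEnabled
Write-Evidence "Target $($user.UserPrincipalName) (objectId $($user.Id)) accountEnabled=$($user.AccountEnabled) before containment"

if ($user.AccountEnabled) {
    # 1. Block new sign-ins.
    Update-MgUser -UserId $user.Id -AccountEnabled:$false
    Write-Evidence "Sign-in disabled"
} else {
    Write-Evidence "Account already disabled; no change made"
}

# 2. Invalidate refresh tokens and session cookies so existing sessions cannot renew.
#    Access tokens already issued stay usable until they expire (typically up to an hour).
Revoke-MgUserSignInSession -UserId $user.Id | Out-Null
Write-Evidence "Refresh tokens and session cookies revoked"

# 3. Verify the state from the directory rather than trusting the call succeeded.
$after = Get-MgUser -UserId $user.Id -Property AccountEnabled
if ($after.AccountEnabled) {
    Write-Evidence "VERIFY FAILED: account still enabled; escalate to Incident Coordinator"
    exit 1
}
Write-Evidence "Containment verified: account disabled"
```

Invoked as `.\Contain-M365Account.ps1 -UserPrincipalName user@example.com -IncidentId INC-0001` (hypothetical names). Revoking sign-in sessions stops the attacker from refreshing tokens, but tokens already issued remain valid until they expire, so a password reset and a review of MFA methods, mailbox rules and OAuth application consents belong in the eradication step that follows.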
