Privileged Access Abuse Response

This runbook covers investigation and containment of suspicious privileged activity in Microsoft Defender and related identity systems.

Initial Triage

• Confirm affected privileged identity, role, or administrative path
• Determine whether the activity is expected, approved, or emergency use
• Review recent role activation, assignment, or admin interface access

Investigation Steps

• Review audit logs for role changes and administrative actions
• Validate whether access was active, eligible, and approved
• Check for related identity, endpoint, email, or cloud anomalies
• Determine scope of actions performed with elevated access

Containment Actions

• Revoke sessions or remove access where unauthorized activity is confirmed
• Coordinate with identity and platform owners before disabling shared or critical privileged accounts
• Escalate immediately when business-critical systems are affected

Recovery Validation

• Confirm privileged access is restored only to approved state
• Confirm unauthorized actions are remediated or rolled back
• Confirm enhanced monitoring is enabled for follow-up review

Evidence to Capture

• Role assignments and activation history
• Administrative actions performed
• Approval records and containment decisions
• Affected systems and business impact notes