Incident Response

Session-1 baseline process:

  1. Detect suspicious login or policy violation.
  2. Record a security event.
  3. Revoke or isolate the affected session if needed.
  4. Expose the incident through the security overview.
  5. Prepare user notification flow in the next stage.

This runbook will expand once persistent incident tables and notification delivery exist.
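
Steps 1 to 4 of the baseline process as an added sketch; it is not code from this project. The in-memory log stands in for the incident tables that do not exist yet, and every name, the detection rule and the revoke threshold are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
@dataclass
class Session:              # hypothetical in-memory session record
    session_id: str
    user: str
    known_ips: set
    revoked: bool = False

@dataclass
class SecurityEvent:        # hypothetical event shape
    at: datetime
    session_id: str
    user: str
    kind: str
    action: str = "none"    # becomes "revoked" when step 3 applies

@dataclass
class IncidentLog:          # stands in for the not-yet-persistent incident table
    events: list = field(default_factory=list)
    def overview(self):
        # Step 4: the summary a security overview could display.
        revoked = sum(e.action == "revoked" for e in self.events)
        return {"events": len(self.events), "revoked_sessions": revoked,
                "affected_users": sorted({e.user for e in self.events})}

def handle_login(session, source_ip, failed_attempts, log, max_failures=5):
    # Step 1: detect. Assumed rule: a login from an IP not seen for this user.
    if source_ip in session.known_ips:
        return None
    guessing = failed_attempts >= max_failures
    kind = "new_ip_after_failed_attempts" if guessing else "login_from_new_ip"
    # Step 2: record the event before acting, so the action itself is traceable.
    event = SecurityEvent(datetime.now(timezone.utc), session.session_id, session.user, kind)
    log.events.append(event)
    # Step 3: revoke only when needed (here: new IP preceded by repeated failures).
    if guessing:
        session.revoked = True
        event.action = "revoked"
    return event

def demo():  # constructed sample input: documentation IP ranges, made-up users
    log = IncidentLog()
    alice = Session("s-1", "alice", {"192.0.2.10"})
    bob = Session("s-2", "bob", {"198.51.100.7"})
    handle_login(alice, "192.0.2.10", 0, log)    # known IP: no event
    handle_login(alice, "203.0.113.5", 1, log)   # recorded, session kept
    handle_login(bob, "203.0.113.9", 6, log)     # recorded and revoked
    return log.overview(), alice.revoked, bob.revoked
```

Recording the event before revoking means a failed or interrupted revocation still leaves a trace in the log.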