
# Incident Response Workflow


### Standard Operating Procedure (SOP)

## 1. Purpose

This document outlines the incident response process for alerts received from the **Next-Gen SIEM**, detailing the responsibilities of **M-SOC, RE (Regulated Entity), and Exchange** at each stage of incident handling.

## 2. Scope

This SOP applies to all security alerts/incidents triggered in the **Next-Gen SIEM**, ensuring timely detection, notification, and remediation of security incidents.

## 3. Roles & Responsibilities

* **M-SOC**: Responsible for triaging, confirming incidents, and tracking resolution.
* **RE (Regulated Entity)**: Takes necessary actions, submits the Root Cause Analysis (RCA), and remediates/resolves the incident.
* **Exchange**: Facilitates communications with external regulatory bodies (e.g., CERT-IN, NCIIPC, SEBI) as required.

## 4. Incident Handling Procedure

{% stepper %}
{% step %}

### Alert Reception

* **M-SOC** receives an alert from **Next-Gen SIEM** and assesses its severity:
  * **Critical**
  * **High**
  * **Medium**
  * **Low**

{% endstep %}

{% step %}

### Incident Classification and Notification

#### Critical Incident

1. **M-SOC** triages and confirms the alert as a **Critical Incident**.
2. **M-SOC** notifies the **RE SPOC (Single Point of Contact)**.
3. **M-SOC** sends a notification to **Exchange**.
4. **RE** informs **CERT-IN/NCIIPC/SEBI** (if required as per impact).
5. **M-SOC** tracks incident status.

#### High Incident

1. **M-SOC** triages and confirms the alert as a **High Incident**.
2. **M-SOC** notifies the **RE SPOC**.
3. **M-SOC** sends a notification to **Exchange**.
4. **M-SOC** tracks incident status.

#### Medium Incident

1. **M-SOC** triages and confirms the alert as a **Medium Incident**.
2. **M-SOC** notifies the **RE SPOC**.
3. **M-SOC** tracks incident status.

#### Low Incident

1. **M-SOC** triages and confirms the alert as a **Low Incident**.
2. **M-SOC** notifies the **RE SPOC**.
3. **M-SOC** tracks incident status.

{% endstep %}

{% step %}

### Incident Resolution

* **RE** takes action to mitigate and remediate the incident.
* **RE** submits the **Root Cause Analysis (RCA)** to both **Exchange and M-SOC** (for Critical and High Incidents).
* **For Medium & Low Incidents**, **RE** updates M-SOC on the resolution status.

{% endstep %}

{% step %}

### Validation and Closure

* **M-SOC** validates the resolution provided by **RE**.
* **M-SOC** closes the incident upon successful resolution verification.
* **End of Process**.

{% endstep %}
{% endstepper %}

**Incident Workflow** and **Defined SLAs** are detailed in [Annexure A](https://app.gitbook.com/o/RP5QC3ULbyB3uRyWKTb8/s/-MMRHZBPHlLDUc8519fX/~/edit/~/changes/316/m-soc/m-soc-or-architecture-and-workflow/incident-response-workflow#annexure-a).

## 5. Compliance and Reporting

* **M-SOC** must ensure that all incidents are tracked and documented.
* **RE** must report critical incidents to regulatory authorities as required.
* **RE** must provide an RCA for every incident to improve future security posture.

## 6. Escalation Matrix

* If an incident is not addressed within the defined SLA, **M-SOC** escalates it to the higher-level stakeholders within **RE and Exchange**.
* For unresolved or repeated security incidents, **Exchange** and **M-SOC** must collaborate on further mitigation strategies.

{% hint style="info" %}
**Note** – Response and mitigation must be performed by the **RE**. BluSapphire is responsible only for sharing recommendations. The BluSapphire team will provide guidance to the RE via Microsoft Teams if any assistance is required. BluSapphire **does not support or engage** in remote access to the RE's environment using remote administration tools such as AnyDesk, TeamViewer, etc.
{% endhint %}

### Annexure A

Incident Workflow:

<figure><img src="/files/ILpauAOnSMyqi64AkdSR" alt=""><figcaption></figcaption></figure>

#### Classification of cybersecurity incidents

<table><thead><tr><th width="145.08203125">Classification</th><th width="111.5859375">Level</th><th>Details</th></tr></thead><tbody><tr><td><strong>Low</strong></td><td>1</td><td>- System probes or scans detected on external systems<br>- Intelligence received concerning threats to which systems may be vulnerable<br>- Intelligence received regarding username/password compromise<br>- Isolated instances of known malware easily handled by antivirus software</td></tr><tr><td><strong>Medium</strong></td><td>2</td><td>- Target recon or scans detected<br>- Penetration or Denial of Service attacks attempted with no impact on operations<br>- Widespread instances of known malware easily handled by antivirus software<br>- Isolated instances of new malware not handled by antivirus software<br>- Instances of phishing emails clicked by employees<br>- Instances of data corruption, modification, and deletion being reported</td></tr><tr><td><strong>High</strong></td><td>3</td><td>- Penetration or Denial of Service attacks attempted with limited impact on operations<br>- Widespread instances of new malware not handled by antivirus software<br>- Unauthorized access to servers and network devices<br>- Unauthorized or unexpected configuration changes on network devices detected<br>- Impersonation of SEBI officials in emails<br>- Data exfiltration<br>- High volume of phishing emails<br>- Outbound phishing emails<br>- Some risk of negative financial or PR impact</td></tr><tr><td><strong>Critical</strong></td><td>4</td><td>- Successful penetration or Denial of Service attacks with significant impact on operations<br>- Ransomware attack<br>- Exfiltration of market-sensitive data<br>- Widespread data corruption impacting operations<br>- Significant risk of negative financial or PR impact</td></tr></tbody></table>

#### Classification of incident SLAs

<table><thead><tr><th width="105.65625">S.No.</th><th width="196.140625">KPI</th><th>SLA Timelines</th></tr></thead><tbody><tr><td>1</td><td>Time to Detect</td><td>> 4 Min</td></tr><tr><td>2</td><td>Time to Respond</td><td>Critical – 30 Mins<br>High – 60 Mins<br>Medium – 90 Mins<br>Low – 120 Mins</td></tr><tr><td>3</td><td>Time to Resolution</td><td>Critical – 2 Hours<br>High – 4 Hours<br>Medium – 2 Business days<br>Low – 5 Business days</td></tr></tbody></table>
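The following is an added example (not part of the SOP or BluSapphire's tooling) that turns the Time to Respond and Time to Resolution timelines above, together with the escalation rule in Section 6, into a deadline and breach check a SOC tracker could run. It assumes business days are Monday to Friday at the same clock time as detection, with public holidays not modelled.

```python
from datetime import datetime, timedelta

# SLA timelines taken from Annexure A of the SOP.
RESPOND_MINUTES = {"Critical": 30, "High": 60, "Medium": 90, "Low": 120}
RESOLVE = {
    "Critical": ("hours", 2),
    "High": ("hours", 4),
    "Medium": ("business_days", 2),
    "Low": ("business_days", 5),
}


def add_business_days(start, days):
    """Advance `start` by `days` business days, skipping Saturday and Sunday.
    Assumption of this example: no public-holiday calendar is applied."""
    current = start
    while days > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:  # Monday=0 ... Friday=4
            days -= 1
    return current


def sla_deadlines(severity, detected_at):
    """Return (respond_by, resolve_by) for an incident of `severity`."""
    respond_by = detected_at + timedelta(minutes=RESPOND_MINUTES[severity])
    unit, amount = RESOLVE[severity]
    if unit == "hours":
        resolve_by = detected_at + timedelta(hours=amount)
    else:
        resolve_by = add_business_days(detected_at, amount)
    return respond_by, resolve_by


def sla_breaches(severity, detected_at, now, responded_at=None, resolved_at=None):
    """Return the set of SLA clocks ('respond', 'resolve') breached as of `now`.
    An open clock is measured against `now`; a closed one against its timestamp.
    Any breach is the trigger for M-SOC escalation under Section 6."""
    respond_by, resolve_by = sla_deadlines(severity, detected_at)
    breached = set()
    if (responded_at or now) > respond_by:
        breached.add("respond")
    if (resolved_at or now) > resolve_by:
        breached.add("resolve")
    return breached
```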

