Postmortem
Some security incidents, especially those that impact customers or result in a data breach, require a full incident postmortem. The security response team conducts a detailed postmortem with all the parties involved in the security incident response to:
- Document the sequence of events that caused the incident.
- Create a technical summary of the incident as supported by the evidence that includes the actors involved in the breach (if known). This summary includes how the response was executed and other key takeaways.
- Identify technical lapses, procedural failures, manual errors, process flaws, communication glitches, and any previously unknown attack vectors that the security incident response uncovered.
The postmortem directly influences Microsoft online service improvement, operational processes, and documentation by setting new priorities in the Microsoft online services engineering development cycle.
Documentation
The postmortem process captures all key technical findings in a report and documents service investments or fixes as bugs or development change requests. The security response team follows up with the appropriate engineering teams on these findings. For process failures and cross-organizational issues, the team documents issues in its database and follows up with the appropriate groups to address them.
Process improvement
Responding to a security incident in Microsoft online services involves coordination with multiple groups spread across different organizations within Microsoft, and potentially with appropriate external organizations such as law enforcement. It's critical to evaluate our responses after every security incident for both sufficiency and completeness. For any identified improvements or changes, the security response team evaluates the suggestions in consultation with the appropriate teams and stakeholders and, where appropriate, incorporates them into standard operating procedures. The team logs and tracks all required changes, bugs, or service improvements identified during the security incident response or postmortem activity in an internal Microsoft engineering database. The Microsoft security response team reviews all entries until each issue is resolved.
Related articles
- Microsoft security incident management
- Microsoft security incident management: Preparation
- Microsoft security incident management: Detection and analysis
- Microsoft security incident management: Containment, eradication, and recovery
- How to Log a Security Event Support Ticket
- Azure and Dynamics 365 breach notification under the GDPR