Post-Incident Review | Priority: P2 | Duration: ~90 min

Review Data Disclosure and Notification Decision Evidence

Assemble the evidence used for disclosure and notification decisions, including exact datasets accessed, exfiltration channels confirmed, and residual uncertainty.

Actions

  1. Create a source-backed inventory of data that was confirmed accessed, staged, or exfiltrated. Distinguish evidence-backed facts from assumptions.

  2. Correlate DLP, eDiscovery, proxy, and mailbox evidence into a single disclosure worksheet that maps datasets to affected users, systems, and timeframes.

  3. Document uncertainty explicitly: missing logs, retention gaps, and third-party blind spots that affect the confidence of notification scoping.

  4. Package the evidence bundle so legal, privacy, and regulators can trace each disclosure decision back to concrete artifacts.
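The four actions above describe one procedure: inventory what was accessed, correlate it with egress evidence, record what the evidence cannot show, and package the result so each row traces to a concrete artifact. The script below is an added example, not part of this playbook or any product, that builds such a disclosure worksheet from constructed sample rows shaped like the OfficeActivity and CommonSecurityLog tables the queries target. The field names OfficeObjectId and ClientIP, the retention dates, and the correlation rule (a large egress flow from the same client IP within 60 minutes of an access) are assumptions made for the example; the worksheet records that rule as the basis for each "confirmed" status rather than treating it as proof.

```python
from datetime import datetime, timezone

# ---- Constructed sample evidence (invented for this example, not real data) ----
# OfficeActivity-style rows; OfficeObjectId and ClientIP are assumed field names.
OFFICE_ACTIVITY = [
    {"TimeGenerated": "2024-03-02T09:15:00Z", "UserId": "alice@example.test",
     "Operation": "FileDownloaded", "ClientIP": "10.20.0.15",
     "OfficeObjectId": "sites/Finance/Q4_payroll.xlsx"},
    {"TimeGenerated": "2024-03-02T09:20:00Z", "UserId": "alice@example.test",
     "Operation": "FileDownloaded", "ClientIP": "10.20.0.15",
     "OfficeObjectId": "sites/HR/benefits_roster.csv"},
    {"TimeGenerated": "2024-03-03T14:05:00Z", "UserId": "bob@example.test",
     "Operation": "FileAccessed", "ClientIP": "10.20.0.42",
     "OfficeObjectId": "sites/Finance/Q4_payroll.xlsx"},
    {"TimeGenerated": "2024-03-03T14:07:00Z", "UserId": "bob@example.test",
     "Operation": "FileAccessed", "ClientIP": "10.20.0.42",
     "OfficeObjectId": "sites/Legal/contracts_index.docx"},
]
# CommonSecurityLog-style rows that already passed the SentBytes threshold query.
PROXY_EGRESS = [
    {"TimeGenerated": "2024-03-02T09:31:00Z", "SourceIP": "10.20.0.15",
     "DestinationHostName": "files.example-cloud.test", "SentBytes": 48_000_000},
]
# Coverage facts the review team recorded per evidence source (assumed values).
SOURCE_COVERAGE = {
    "OfficeActivity":    {"retained_from": "2024-02-15T00:00:00Z"},
    "CommonSecurityLog": {"retained_from": "2024-03-01T00:00:00Z"},
    "DLP":               None,  # no DLP telemetry for this share: a blind spot
}
INCIDENT_WINDOW = ("2024-02-20T00:00:00Z", "2024-03-05T00:00:00Z")
EGRESS_WINDOW_MIN = 60  # assumed correlation rule: egress within 60 min of access


def parse_ts(value):
    """Parse the ISO-8601 'Z' timestamps used in the sample rows as UTC."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_worksheet(office_rows, proxy_rows, window_min=EGRESS_WINDOW_MIN):
    """Map each dataset to users, systems, timeframe, evidence sources and status.

    Status is 'confirmed exfiltration channel' only when an egress flow from the
    same client IP follows an access within window_min; otherwise the dataset is
    recorded as accessed with egress unconfirmed, so assumptions stay visible.
    """
    worksheet = {}
    for row in office_rows:
        ds = worksheet.setdefault(row["OfficeObjectId"], {
            "users": set(), "systems": set(), "first": None, "last": None,
            "evidence": {"OfficeActivity"}, "basis": [],
            "status": "accessed, egress unconfirmed"})
        t = parse_ts(row["TimeGenerated"])
        ds["users"].add(row["UserId"])
        ds["systems"].add(row["ClientIP"])
        ds["first"] = t if ds["first"] is None else min(ds["first"], t)
        ds["last"] = t if ds["last"] is None else max(ds["last"], t)
        for egress in proxy_rows:
            delta_min = (parse_ts(egress["TimeGenerated"]) - t).total_seconds() / 60
            if egress["SourceIP"] == row["ClientIP"] and 0 <= delta_min <= window_min:
                ds["evidence"].add("CommonSecurityLog")
                ds["systems"].add(egress["DestinationHostName"])
                ds["status"] = "confirmed exfiltration channel"
                ds["basis"].append(
                    f"{egress['SentBytes']} bytes to {egress['DestinationHostName']} "
                    f"{delta_min:.0f} min after {row['Operation']} by {row['UserId']}")
    return worksheet


def coverage_gaps(coverage, incident_window=INCIDENT_WINDOW):
    """List sources that cannot cover the incident window: absent or retention-limited."""
    start = parse_ts(incident_window[0])
    gaps = []
    for source, info in coverage.items():
        if info is None:
            gaps.append(f"{source}: no telemetry available (blind spot)")
            continue
        retained_from = parse_ts(info["retained_from"])
        if retained_from > start:
            days = (retained_from - start).days
            gaps.append(f"{source}: first {days} days of incident window outside retention")
    return gaps


def render_bundle(worksheet, gaps):
    """Flatten the worksheet into traceable text rows for the evidence bundle."""
    lines = []
    for dataset, ds in sorted(worksheet.items()):
        lines.append(f"{dataset} | {ds['status']} | users={sorted(ds['users'])} | "
                     f"systems={sorted(ds['systems'])} | "
                     f"{ds['first'].isoformat()} .. {ds['last'].isoformat()} | "
                     f"evidence={sorted(ds['evidence'])} | basis={ds['basis'] or 'none'}")
    lines.extend(f"GAP: {g}" for g in gaps)
    return lines


if __name__ == "__main__":
    ws = build_worksheet(OFFICE_ACTIVITY, PROXY_EGRESS)
    for line in render_bundle(ws, coverage_gaps(SOURCE_COVERAGE)):
        print(line)
```

Each worksheet row names the log sources behind it and the concrete basis for any "confirmed" status, and the GAP lines carry the retention and blind-spot findings alongside the data rows rather than in a separate memo, which is what lets counsel or a regulator trace a decision back to artifacts.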

Queries

// Microsoft 365 access activity over the review window, bucketed per user and operation
OfficeActivity
| where TimeGenerated > ago(30d)
| where Operation in ("FileDownloaded", "FileAccessed", "MailItemsAccessed")
| summarize count() by UserId, Operation, bin(TimeGenerated, 1h)

// Large outbound flows from proxy/firewall telemetry, as candidate exfiltration channels
CommonSecurityLog
| where TimeGenerated > ago(30d)
| where SentBytes > 10000000
| summarize TotalBytes=sum(SentBytes) by SourceIP, DestinationHostName, ApplicationProtocol

Notes

Disclosure decisions should be evidence-backed and reproducible. Uncertainty should be documented, not hidden.

For mixed insider and external-access cases, preserve both HR-sensitive and regulator-facing evidence trails separately if required by counsel.
