Jackie Ramsey, March 14, 2026

When an alert hits your Microsoft 365 tenant, you don’t need a “plan.” You need a CMMC incident response runbook you can follow under stress.

I built the runbook below for a CMMC Level 2 environment where Microsoft Defender XDR and Microsoft Purview are the daily tools. It’s written for real-world Small Business IT teams, not a big SOC with unlimited staff. If you want a Business Technology Partner who can run this with you, this is also exactly how I deliver Cybersecurity Services as part of Managed IT for Small Business.

What kicks off CMMC incident response (scope, triggers, and decision points)

CMMC Level 2 expects you to prove you can prepare, detect, respond, recover, and learn. It also expects documentation and timely reporting, especially when CUI is involved. For extra context on the lifecycle and expectations, I like this plain-language breakdown of the CMMC incident response lifecycle.

Triggers (start the clock)

Start this runbook when any of these happen:

  • Defender XDR creates an incident with “High” severity.
  • Entra ID sign-in logs show impossible travel, unfamiliar country, or repeated MFA failures for a privileged user.
  • Purview Audit shows mass file access, downloads, or sharing changes in SharePoint or OneDrive.
  • A user reports “I sent wires” or “my inbox rules changed.”
  • Defender for Endpoint detects ransomware behavior or recommends isolating a device.

If CUI might be involved, I start a 72-hour reporting timer immediately and treat evidence handling like it will be reviewed by an assessor.

Severity and decision points

Use this table to decide who to wake up and what to shut down first.

| Decision point | Low | Medium | High |
|---|---|---|---|
| Likely CUI touched? | No | Unknown | Yes or likely |
| Privileged account involved? | No | Maybe | Yes |
| Lateral movement indicators? | No | Unknown | Yes |
| Business impact | Minor | Work slowed | Work stopped or data risk |
| Action | Document and monitor | Contain within 1 hour | Contain within 15 minutes, notify leadership |

Minimum notifications I send for High: business owner, IT lead, compliance lead, and legal or contract contact (as defined by your IT Strategy for SMBs and Business Continuity & Security plan).


The response timeline in Microsoft 365 (first 15 minutes, 1 hour, 24 hours)

This timeline assumes you already have Secure Cloud Architecture basics in place (MFA, Conditional Access, audit logging). It also assumes you’re using Cloud Management practices like least privilege and named admin accounts.

Figure: incident response phases as a flowchart: detect (15 min), contain (1 hour), eradicate (24 hours), recover.

First 15 minutes (confirm, scope, preserve)

Use this checklist table as written.

| Task | Where in Microsoft 365 | Done |
|---|---|---|
| Open incident, capture incident ID, severity, and involved entities | Microsoft Defender portal > Incidents & alerts > Incidents | |
| Stop the bleeding fast (choose one) | Decision: identity compromise, endpoint compromise, or email-only | |
| Snapshot key evidence (screenshots or PDF) | Defender XDR incident timeline and alert details | |
| Start an evidence log with timestamps | Ticket system + local incident worksheet | |
| Confirm audit logging is available for the time window | Microsoft Purview portal > Audit | |

Fast decision: if you can’t explain the alert in 5 minutes, contain first, then analyze.

First hour (contain across identity, email, endpoint, data)

Containment should match the suspected entry point, but I usually do these in parallel.

| Containment action | Console path | Notes |
|---|---|---|
| Disable user and block sign-in | Entra admin center > Users > select user > Block sign-in | For admins, do this immediately |
| Revoke sessions | Entra admin center > Users > select user > Revoke sessions | Forces token refresh |
| Reset MFA methods | Entra admin center > Users > Authentication methods | Remove unknown methods, re-register |
| Isolate a device | Microsoft Defender portal > Devices > select device > Isolate | Endpoint Security priority |
| Quarantine suspicious email | Microsoft Defender portal > Email & collaboration > Explorer | Move messages to quarantine |
| Block sender/domain/URL | Microsoft Defender portal > Email & collaboration > Policies & rules | Use Tenant Allow/Block List |

For Microsoft’s incident workflow concepts, this guide on managing and responding to incidents in Defender XDR aligns well with how I run triage.

First 24 hours (eradicate, recover, report)

This phase is where CMMC evidence quality is won or lost.

| Task | Where | Output |
|---|---|---|
| Remove persistence (rules, forwarding, OAuth apps) | Exchange admin center and Entra admin center | Proof of removal |
| Validate Device Hardening baselines | Intune admin center > Devices > Compliance/Configuration | Exported settings and compliance |
| Restore clean access | Reset passwords, reissue devices if needed | Recovery notes |
| Confirm no continued access | Entra sign-in logs + Defender advanced hunting | Query results saved |
| Prepare required reporting package | Internal template + counsel/contract contact | 72-hour ready packet |

Preserving evidence for CMMC (Purview, Defender XDR, and chain of custody)

Evidence should be usable later, even if staff changes. That’s why I treat it like “Data Center Technology rules” applied to cloud logs: consistent timestamps, controlled storage, and tracked access.


Before you export, confirm you know how Purview auditing works and what’s searchable. Microsoft’s Purview auditing overview is the reference I keep bookmarked.

Evidence collection table (what I capture every time)

| Evidence item | Source | How I preserve it |
|---|---|---|
| Incident timeline and alerts | Defender XDR incident page | Export or PDF, hash file, store read-only |
| Unified Audit Log results | Purview portal > Audit > Search | Export CSV, note search parameters |
| Entra ID sign-in details | Entra admin center > Monitoring > Sign-in logs | Export JSON/CSV, capture filters |
| Email artifacts (message ID, headers) | Defender Explorer | Export results, keep original headers |
| Endpoint investigation package | Defender for Endpoint device page | Download package where available |
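An added example, not part of the original runbook: a small Python helper that performs the "hash file, store read-only" step from the table and keeps the chain-of-custody record an assessor will ask for. The bundle directory, file name and handler names are constructed for the demo; the manifest file name is my own choice.

```python
import hashlib, json, os, stat, tempfile
from datetime import datetime, timezone
from pathlib import Path

MANIFEST = "chain_of_custody.jsonl"  # one JSON event per line, append-only

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:  # streamed so large audit exports need not fit in memory
        for block in iter(lambda: f.read(1 << 20), b""):
            h.update(block)
    return h.hexdigest()

def _append_event(bundle_dir, event):
    event["utc"] = datetime.now(timezone.utc).isoformat(timespec="seconds")
    with open(Path(bundle_dir) / MANIFEST, "a", encoding="utf-8") as f:
        f.write(json.dumps(event) + "\n")

def seal_evidence(bundle_dir, filename, handler, source):
    """Hash an exported file, make it read-only and record who collected it from where."""
    path = Path(bundle_dir) / filename
    digest = sha256_file(path)
    os.chmod(path, stat.S_IRUSR | stat.S_IRGRP)  # read-only inside the controlled IR folder
    _append_event(bundle_dir, {"action": "collected", "file": filename,
                               "sha256": digest, "handler": handler, "source": source})

def log_custody(bundle_dir, filename, handler, action):  # later access or hand-off, e.g. 'reviewed'
    _append_event(bundle_dir, {"action": action, "file": filename, "handler": handler})

def verify_bundle(bundle_dir):
    """Recompute each sealed file's hash; return the names whose current hash differs."""
    expected = {}
    with open(Path(bundle_dir) / MANIFEST, encoding="utf-8") as f:
        for line in f:
            ev = json.loads(line)
            if ev["action"] == "collected":
                expected[ev["file"]] = ev["sha256"]
    return sorted(n for n, h in expected.items() if sha256_file(Path(bundle_dir) / n) != h)

def demo():  # seal a constructed export, verify it, then show that a later edit is caught
    with tempfile.TemporaryDirectory() as d:
        name = "incident-timeline.pdf"  # constructed stand-in for a Defender XDR export
        path = Path(d) / name
        path.write_bytes(b"%PDF-1.4 constructed sample\n")
        seal_evidence(d, name, "ir-lead", "Defender XDR incident page")
        log_custody(d, name, "compliance-lead", "reviewed")
        clean = verify_bundle(d)
        os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)  # simulate someone editing the export
        path.write_bytes(b"%PDF-1.4 edited\n")
        return clean, verify_bundle(d)
```

Run `verify_bundle` again before the evidence goes to counsel or an assessor; an empty list is the integrity statement you attach to the packet.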

Copy/paste friendly paths and queries

Use these when you need answers fast.

  • Unified Audit Log search: Microsoft Purview portal > Audit > Search. Reference steps in Microsoft’s audit log search guide.
  • Entra sign-in log filter: Entra admin center > Sign-in logs, filter on User, Application, Result, Location, Device.
  • Defender Advanced Hunting (KQL examples):
    • Suspicious sign-ins (this one is a Microsoft Sentinel/Log Analytics query against the SigninLogs table; in Defender XDR Advanced Hunting the equivalent table is AADSignInEventsBeta): `SigninLogs | where ResultType != "0" | where UserPrincipalName =~ "user@domain.com" | sort by TimeGenerated desc`
    • Mass downloads from SharePoint/OneDrive (Defender XDR): `CloudAppEvents | where ActionType has_any ("FileDownloaded", "FileSyncDownloadedFull") | summarize dcount(ObjectId) by AccountDisplayName, bin(Timestamp, 1h)`
    • OAuth consent activity (audit-based): `CloudAppEvents | where ActionType has "Consent" or ActionType has "OAuth" | sort by Timestamp desc`
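An added example, not from the original post: Python that applies two of the checks in this runbook to a Purview Audit CSV export once its AuditData column has been parsed as JSON, namely the per-user, per-hour download bucketing of the CloudAppEvents query above and the New-InboxRule check from the BEC playbook. The records, users and paths are constructed for the example, and the 50-files-per-hour threshold is an assumption to tune for your tenant.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample records in the shape of the AuditData JSON column of a
# Purview Audit CSV export. Every user, path and timestamp here is made up.
SAMPLE_AUDIT = [
    {"CreationTime": "2026-03-14T09:02:11", "Operation": "New-InboxRule",
     "UserId": "finance@contoso.example",
     "Parameters": [{"Name": "ForwardTo", "Value": "mail@external.example"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"CreationTime": "2026-03-14T09:05:40", "Operation": "New-InboxRule",
     "UserId": "hr@contoso.example",
     "Parameters": [{"Name": "MoveToFolder", "Value": "Reading"}]},
] + [  # 60 distinct files pulled by one account within a single hour
    {"CreationTime": f"2026-03-14T10:{i:02d}:00", "Operation": "FileDownloaded",
     "UserId": "finance@contoso.example",
     "ObjectId": f"https://contoso.example/personal/finance/doc{i}.docx"}
    for i in range(60)
] + [  # a normal user touching three files in the same hour
    {"CreationTime": "2026-03-14T10:30:00", "Operation": "FileDownloaded",
     "UserId": "hr@contoso.example",
     "ObjectId": f"https://contoso.example/sites/hr/file{i}.xlsx"}
    for i in range(3)
]

# Rule parameters that send mail out or hide it: the New-InboxRule check from the BEC playbook.
RISKY_RULE_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "DeleteMessage"}

def suspicious_inbox_rules(records):
    """Return (user, time, {param: value}) for new or changed rules that forward or delete mail."""
    hits = []
    for r in records:
        if r.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
            continue
        params = {p["Name"]: p["Value"] for p in r.get("Parameters", [])}
        risky = {k: v for k, v in params.items() if k in RISKY_RULE_PARAMS}
        if risky:
            hits.append((r["UserId"], r["CreationTime"], risky))
    return hits

def mass_downloads(records, threshold=50):
    """Distinct files per user per hour, like summarize dcount(ObjectId) ... bin(Timestamp, 1h);
    only buckets at or above threshold are returned so triage sees the accounts worth containing."""
    buckets = defaultdict(set)
    for r in records:
        if r.get("Operation") not in ("FileDownloaded", "FileSyncDownloadedFull"):
            continue
        hour = datetime.fromisoformat(r["CreationTime"]).replace(minute=0, second=0)
        buckets[(r["UserId"], hour.isoformat())].add(r["ObjectId"])
    return {k: len(v) for k, v in buckets.items() if len(v) >= threshold}
```

Save the returned hits together with the search parameters you used, so the evidence bundle shows both the query and the result.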

Incident-type playbooks (quick actions by scenario)

These mini playbooks are designed for Infrastructure Optimization: act fast, reduce blast radius, then prove what happened.

Business email compromise (BEC)

| Trigger | Contain now | Key checks |
|---|---|---|
| Inbox rules, forwarders, wire fraud email, unusual sign-ins | Block sign-in, revoke sessions, reset password and MFA | Purview Audit for New-InboxRule, Defender Explorer for similar messages |

Ransomware on an endpoint

| Trigger | Contain now | Key checks |
|---|---|---|
| Defender detects encryption behavior, files renamed | Isolate device, stop sync client, disable user temporarily | Defender device timeline, then follow Microsoft’s ransomware response playbook |

Malicious OAuth app or consent grant

| Trigger | Contain now | Key checks |
|---|---|---|
| New enterprise app with broad mail/file scopes | Disable app, remove permissions, revoke sessions for consenting user | Entra admin center > Enterprise applications > Permissions; review consent events in hunting |

Data exfiltration from SharePoint or OneDrive

| Trigger | Contain now | Key checks |
|---|---|---|
| Spike in downloads, new anonymous links | Disable external sharing temporarily, remove links, block compromised accounts | Purview Audit searches for sharing and download activity, verify DLP alerts if enabled |

Lost or stolen mobile device

| Trigger | Contain now | Key checks |
|---|---|---|
| Phone missing, user reports theft | Intune remote wipe, revoke sessions, reset password | Intune admin center > Devices > select device > Wipe; Entra sign-in logs for new access |

Malicious email campaign (phish or QR phish)

| Trigger | Contain now | Key checks |
|---|---|---|
| Many users report the same email | Quarantine, block sender/domain/URL, search and purge | Defender Explorer: identify message, then remediate across mailboxes |

After the incident: lessons learned and CMMC assessment artifacts

I wrap up every event the same way because assessors don’t certify “intent.” They certify proof. This is also where Digital Transformation becomes real: security becomes part of daily operations, not a once-a-year scramble.

Here’s what I produce for CMMC Level 2 readiness:

| Artifact | What it must show | Where I store it |
|---|---|---|
| Incident report | Timeline, scope, CUI impact decision, actions taken | Controlled IR folder, access logged |
| Evidence bundle | Exports, hashes, chain of custody, screenshots | Read-only repository |
| Corrective action plan | Fixes, owners, due dates, validation method | Ticketing system + SSP/POA&M |
| Tabletop or retest record | The runbook works under pressure | Training and compliance folder |

This is also the moment to check adjacent systems. If you support Restaurant POS Support and Kitchen Technology Solutions, confirm those endpoints and networks weren’t a side door. If your environment includes Cloud Infrastructure outside Microsoft 365, confirm cloud logs and access paths too. Finally, if this happened during an Office 365 Migration, document tenant configuration changes carefully because they affect root cause.

Conclusion

A strong CMMC incident response runbook is simple, timed, and evidence-first. In Microsoft 365, Defender XDR handles the threat story, while Purview proves what users and data did. If you want this to hold up in a CMMC Level 2 assessment, practice it, document it, then practice it again. When you’re ready, I can help as your Business Technology Partner with Tailored Technology Services that fit how your team actually works.
