When credentials go sideways, the clock starts. The first day determines whether you’re writing a short incident note or a three-part breach saga. This playbook focuses on four things that actually change outcomes: containment, reset sequencing, forensics, and communications-with cross-refs you can map to your own runbooks (e.g., your “Session Hijacking (Token Theft)” procedures).

Keep this mantra handy: Don’t lock the door before you kick the intruder out.
Translation: revoke sessions/tokens first, then rotate passwords and keys.

Assign roles before you touch anything

• Incident Commander (IC): owns timeline and decisions; prevents “everyone does everything.”
  
  
• IAM Lead: IdP, SSO, MFA, password resets, token revocation, service accounts.
  
  
• Forensics Lead: evidence preservation, triage, and scoping.
  
  
• Threat Hunting / Detection: SIEM queries, IOCs, rule tuning.
  
  
• Comms Lead: executives, legal & privacy, PR, customer/partner notices.
  
  
• IT Ops / Endpoint: containment on endpoints, MDM, EDR actions.
  
  

Document the room (virtual or physical), start the log of decisions, and set a 30-minute battle rhythm. This is your incident response credentials playbook-run it like air traffic control, not open mic night.

The first hour (T+0 → T+60): Contain what’s active, preserve what’s fragile

1. Immediate containment (identity & sessions)

1. Global sign-out for impacted users/tenants via your IdP/SSO.
   
   
2. Revoke refresh tokens and invalidate sessions (OAuth, OIDC, SAML session cookies) for the suspected population.
   
   
3. Block legacy/POP/IMAP/basic auth temporarily (email suites love to be helpful; you don’t).
   
   
4. Enforce step-up MFA on risk (re-auth on sensitive apps, admin actions, and privilege elevation).
   
   
5. Quarantine high-risk logins (impossible travel, TOR/VPN egress, known bad ASNs) with conditional access.

1. Evidence preservation

• Snapshot volatile data: EDR memory captures on suspected endpoints, browser artifact exports (cookies, tokens), key process lists.
  
  
• Lock log retention: IdP/SSO, VPN, email, SaaS admin logs, cloud IAM, EDR, proxy/DNS.
  
  
• Disable auto-cleanup jobs that could roll logs or auto-rotate the very artifacts you need.

1. Quick scoping

• Who/what/when: list of affected identities, apps touched, time window, initial ingress vector (phish? AiTM? OAuth consent?).
  
  

Don’t: change the user’s password before you revoke sessions/tokens. You’ll tip off the adversary and they’ll sprint for persistence.

Hours 2-4: Decide the blast radius and stop the bleeding

Identity & access scoping

• Pull comprehensive sign-in logs from your IdP and key SaaS (admin portals, source control, finance systems).
  
  
• Identify risky sessions: new device enrollments, MFA factor changes, token minting, OAuth consent grants, app passwords created.
  
  
• Map privilege paths: which compromised identities could reach what (directly/indirectly).
  
  

Endpoint & session scoping

• From EDR, hunt for infostealers (that explain how cookies and tokens walked out) and living-off-the-land pivots (RDP, PSExec, WMI).
  
  
• Validate browser profiles used during suspicious logins (token theft = [Session Hijacking] playbook time).
  
  

Containment enhancements

• Geo/time fences on sensitive apps.
  
  
• Temporary block of risky protocols (e.g., POP/IMAP) org-wide if you see active abuse.
  
  
• Disable new OAuth consents and require admin approval until the smoke clears.

Reset sequencing (the order matters)

Think of this as kick out → lock doors → change keys → check spare keys → re-open slowly. Sequence prevents whack-a-mole and avoids locking you out mid-response.

1. Kill active access
   
   
   • Global sign-out (IdP + major SaaS).
     
     
   • Revoke OAuth refresh tokens and invalidate SAML session cookies.
     
     
   • Force re-auth for privileged apps immediately.
     
     
2. MFA hygiene
   
   
   • Reset or rebind MFA factors for impacted users (remove attacker-enrolled devices).
     
     
   • Enforce phishing-resistant MFA (FIDO2/WebAuthn) on admin roles now, org-wide soon.
     
     
3. Human password resets
   
   
   • Reset passwords after sessions are dead.
     
     
   • Sequence: break-glass/admins → highly targeted users → everyone in the affected ring.
     
     
4. Application/legacy passwords
   
   
   • Rotate app passwords/IMAP/POP (if used), and disable them where feasible.
     
     
5. Tokens and keys outside the IdP
   
   
   • Personal Access Tokens (GitHub/GitLab, Jira, etc.): revoke and reissue.
     
     
   • API keys & secrets in SaaS/cloud: rotate in the vault, not just the app.
     
     
   • Cloud IAM access keys (AWS/GCP/Azure): rotate keys, shorten TTLs, and re-issue roles with least privilege.
     
     
6. Service accounts & non-human identities
   
   
   • Inventory via your vault/CMDB; rotate secrets; restrict from interactive login; bind to least-privilege roles.
     
     
   • Re-sign service-to-service trust (mTLS/workload identity) if you suspect credential capture on hosts.
     
     
7. Device trust
   
   
   • Re-enroll compromised endpoints to MDM/EDR, re-issue device certificates if needed; block devices failing posture checks.
     
     

Golden rule: every reset should be audited and attributable. If you can’t prove a token/key is rotated, it isn’t.

Hours 4-8: Forensics you’ll actually use

Build the timeline

• First suspicious auth → privilege escalation → persistence → data access/exfil → covering tracks.
  
  
• Correlate IdP logs with endpoint/browser artifacts and SaaS admin logs.

Look for persistence

• New MFA devices added, email forwarding rules, OAuth consents to suspicious apps.
  
  
• New local admins, scheduled tasks, run keys, browser extensions with broad permissions.
  
  
• Cloud persistence: alternate access keys, new app registrations/service principals, rogue OAuth apps.

Assess exfiltration

• DLP/egress logs for spikes, unusual destinations, or large downloads from admin portals and file stores.
  
  
• SaaS audit: exports, mailbox rules, source-code pulls, billing report downloads.
  
  

Document IOCs

• IPs, user agents, file hashes, OAuth app IDs, refresh token IDs, suspicious SSIDs (if travel was involved).
  
  
• Share to detection engineering and SOC for immediate blocking/hunting.

Hours 8-12: Communications (clarity beats speed-barely)

Internal stakeholders

• Execs/Board: what happened, what you did, what you’re doing next, what might change tomorrow. No jargon, just impact and control status.
  
  
• IT & Helpdesk: scripts for resets, expected user prompts (MFA re-bind, re-login), how to escalate edge cases.
  
  
• Legal/Privacy: regulatory clock check (breach definitions vary), outside counsel engagement if needed.
  
  

External

• Customers/Partners: only if impact is confirmed. Share concrete actions (token revocation, forced re-auth) and what you expect them to do (e.g., re-bind MFA).
  
  
• Vendors: if your IdP/SSO/SaaS needs to flip org-level switches (OAuth admin consent, API rate limits, emergency support).
  
  
• Regulators: as required by your jurisdiction/sector.
  
  

Golden comms rules

• Single source of truth (one page you update).
  
  
• Plain language.
  
  
• Action orientation (“Here’s what you’ll see; here’s what to do”).
  
  
• No speculation; commit to the next update time.

Hours 12-24: Stabilize, monitor, and tighten

Monitor for re-entry

• Watch for re-authentication attempts from attacker infrastructure (same IPs/ASNs/UAs).
  
  
• Alert on new OAuth consents, MFA factor changes, unusual geo/time patterns.
  
  

Harden where it hurts

• Kill legacy auth you had to keep “for one printer” in 2017.
  
  
• Mandate FIDO2 for admins now; set a date for org-wide.
  
  
• Shorten token TTLs and add re-auth for sensitive actions (admin consoles, code pushes, exports).
  
  

Detections & playbooks

• New rules for: session hijacking anomalies, consent phishing, MFA fatigue, privilege timeboxing breaches.
  
  
• Bake quick-wins into your SIEM/XDR; create SOAR actions for global sign-out and token revocation.
  
  

Debrief setup

• Schedule a blameless review (within 72 hours): what worked, what didn’t, and one automation you’ll ship this sprint.
  
  

Appendix A: Quick actions by domain (generic, IdP-agnostic)

IdP/SSO

• Global sign-out / revoke refresh tokens
  
  
• Disable legacy/basic auth
  
  
• Reset MFA factors and require phishing-resistant MFA for admins
  
  
• Review admin role assignments; remove standing privileges
  
  

SaaS suites (mail, docs, chat)

• Kill app passwords; block POP/IMAP if possible
  
  
• Audit mailbox rules and external forwarding
  
  
• Review OAuth app grants; disable user consent temporarily
  
  

Source control / Dev platforms

• Revoke Personal Access Tokens; rotate deploy keys and webhooks secrets
  
  
• Audit new collaborators, SSO bypasses, and org owners
  
  

Cloud providers

• Rotate access keys; invalidate long-lived credentials
  
  
• Review role assumptions and create JIT admin paths
  
  
• Enable/expand conditional access and device posture checks
  
  

Endpoints

• Memory capture on suspect hosts; browser artifact export
  
  
• Quarantine, re-enroll, and re-issue device certs if needed
  
  

Appendix B: Queries & signals (starter list)

• IdP sign-ins by IP/UA/geolocation deltas for affected users (last 30 days).
  
  
• MFA events: new device registrations, factor changes, disable/recovery use.
  
  
• OAuth consents: new grants, especially to high-risk scopes (mail, files, contacts).
  
  
• SaaS admin logs: exports, role changes, mailbox rules, shared link creations.
  
  
• EDR telemetry: browser token-stealing, credential manager access, LOLBins (rundll32, regsvr32, powershell with encoded commands).

Top 10 gotchas (so you don’t star in someone else’s post-mortem)

1. Resetting passwords before killing sessions. You just gave the attacker a heads-up.
   
   
2. Forgetting OAuth tokens/refresh tokens. They outlive passwords by design.
   
   
3. Leaving app passwords on. IMAP/POP are attacker catnip.
   
   
4. Ignoring service accounts. Non-human identities often hold the real keys.
   
   
5. Not checking MFA enrollments. Attackers love to add their own device.
   
   
6. Assuming “on-prem looks clean” = “SaaS is clean.” Different logs, different problems.
   
   
7. Skipping device posture. Compromised endpoints re-steal tokens after your big reset.
   
   
8. Rotating secrets in the app, not the vault. Shadow copies will betray you.
   
   
9. Letting comms fragment. Rumor fill-in is never your friend.
   
   
10. Re-enabling legacy auth “temporarily.” Spoiler: it won’t be temporary.

Tie-ins to your control stack

• Session Hijacking (Token Theft): ensure your global sign-out/token revocation is one click; add alerts for cookie-reuse patterns.
  
  
• Phishing & Vishing: pre-approve domains for login links; use banners and proxy stripping for suspected AitM.
  
  
• Malicious Extensions / Trojanized Apps: browser extension allow-lists; MDM profiles that block side-loading.
  
  
• Password Spraying & Brute Force: smart lockouts, IP reputation, and risk-based challenges.
  
  
• SIM Swapping / SS7: deprecate SMS for admins; prioritize FIDO rollouts.

The last word (for now)

Credential incidents are rarely about “advanced” anything; they’re about discipline and sequence. If you kill sessions first, rotate the right secrets in the right order, hunt for persistence, and communicate clearly, your first 24 hours will shrink both blast radius and board anxiety.

After that? Turn the playbook into buttons. The best IR is the one-click kind.