Incident Response Runbook: Data Leak / Exfiltration

1. Identification

  • Triggers: DLP (Data Loss Prevention) alerts, abnormal outbound network spikes, exposed Azure Storage blob URLs, GitHub secret scanning alerts.
  • Initial Triage: Determine the classification of the data (e.g., PII, PHI, proprietary) and the vector of the leak.

2. Containment

  1. Revoke Access / Cut off Vector:
     • If a storage account is leaking: rotate both Storage Account Keys (this invalidates every account SAS signed with them), revoke any user delegation keys and delete the stored access policies behind leaked service SAS tokens, and set the storage firewall to default-deny (Selected networks / Disabled) so that only explicitly allowed networks can reach it.
     • If an identity is leaking data: revoke its sessions and refresh tokens, then suspend the user or disable the service principal (rotate its credentials as well, since a disabled principal can be re-enabled).
     • If via a web application: temporarily block the relevant source IP addresses at the WAF or front door, or take the application offline if necessary.
  2. Secure Secrets:
     • If API keys or secrets were leaked in source code, rotate them at the system that issued them (creating a new version in Azure Key Vault alone does not invalidate the leaked value); update Key Vault and dependent apps afterwards, and purge the secret from the repository history, treating it as compromised regardless.

3. Eradication & Investigation

  • Query StorageBlobLogs in Log Analytics (the storage account needs blob diagnostic settings routed to the workspace, so check that logging was on for the whole suspected window) to identify exactly what was read, by whom, and with which credential type. Widen the `ago()` window to cover the earliest plausible exposure, not a fixed 3 days:
    StorageBlobLogs
    | where TimeGenerated > ago(3d)            // widen to the full suspected exposure window
    | where OperationName == "GetBlob"
    | where StatusCode == 200                  // only completed reads actually returned data
    | summarize Reads=count(), Bytes=sum(ResponseBodySize),
                FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated)
        by CallerIpAddress, AuthenticationType, Uri
    | order by Bytes desc
    
    Re-run the same query with OperationName in ("ListBlobs", "GetContainerACL") to see whether the caller enumerated the container before downloading. AuthenticationType (Anonymous, SAS, AccountKey, OAuth) tells you which containment step in section 2 actually closes the vector.
  • Determine the scope: which blobs were read, how many bytes, from which callers, and over what time period.
  • Identify how the data was leaked (public container, leaked SAS token or account key, insider, compromised application or identity) and confirm the containment step taken in section 2 matches that vector.
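The scoping in this section and the credential-to-containment mapping in section 2 can be done offline over an export of the StorageBlobLogs rows. The script below is an added example for this runbook, not a tool the page or Azure ships. It assumes the rows were exported from Log Analytics as one JSON object per line using the real StorageBlobLogs column names (TimeGenerated, OperationName, StatusCode, AuthenticationType, CallerIpAddress, Uri, ResponseBodySize); the sample rows, the account name `leakystore`, the IP addresses and the `10.0.0.0/8` "known application range" are all constructed for illustration.

```python
"""Scope a blob-exfiltration incident from exported StorageBlobLogs rows.

Added example for the runbook; assumes a JSON-lines export of StorageBlobLogs.
Everything in SAMPLE_LOGS is constructed: account, IPs, blob names, sizes.
"""
import ipaddress
import json
from datetime import datetime
from urllib.parse import urlsplit

# Constructed sample rows (one JSON object per line). Row 3 is a failed read and
# row 4 is container enumeration: both are evidence, neither returned blob data.
SAMPLE_LOGS = r"""
{"TimeGenerated": "2024-05-01T09:15:02Z", "OperationName": "GetBlob", "StatusCode": 200, "AuthenticationType": "Anonymous", "CallerIpAddress": "203.0.113.10:51234", "Uri": "https://leakystore.blob.core.windows.net/exports/customers.csv", "ResponseBodySize": 5242880}
{"TimeGenerated": "2024-05-01T09:15:40Z", "OperationName": "GetBlob", "StatusCode": 200, "AuthenticationType": "Anonymous", "CallerIpAddress": "203.0.113.10:51240", "Uri": "https://leakystore.blob.core.windows.net/exports/hr/payroll.xlsx", "ResponseBodySize": 81920}
{"TimeGenerated": "2024-05-01T09:16:11Z", "OperationName": "GetBlob", "StatusCode": 404, "AuthenticationType": "Anonymous", "CallerIpAddress": "203.0.113.10:51250", "Uri": "https://leakystore.blob.core.windows.net/exports/backup.zip", "ResponseBodySize": 0}
{"TimeGenerated": "2024-05-01T09:17:00Z", "OperationName": "ListBlobs", "StatusCode": 200, "AuthenticationType": "Anonymous", "CallerIpAddress": "203.0.113.10:51260", "Uri": "https://leakystore.blob.core.windows.net/exports?restype=container&comp=list", "ResponseBodySize": 2048}
{"TimeGenerated": "2024-05-01T11:02:33Z", "OperationName": "GetBlob", "StatusCode": 200, "AuthenticationType": "SAS", "CallerIpAddress": "198.51.100.7:4432", "Uri": "https://leakystore.blob.core.windows.net/exports/customers.csv?sv=2022-11-02&sr=b&sp=r&sig=REDACTEDSIGNATURE", "ResponseBodySize": 5242880}
{"TimeGenerated": "2024-05-01T12:00:05Z", "OperationName": "GetBlob", "StatusCode": 200, "AuthenticationType": "OAuth", "CallerIpAddress": "10.0.0.5:33000", "Uri": "https://leakystore.blob.core.windows.net/exports/customers.csv", "ResponseBodySize": 5242880}
"""

# Which containment step from section 2 closes each credential type seen in the logs.
CONTAINMENT = {
    "Anonymous": "set the container access level to Private and disable allowBlobPublicAccess on the account",
    "SAS": "rotate the account keys (invalidates account SAS) and revoke user delegation keys / stored access policies",
    "AccountKey": "rotate both storage account keys and redeploy every consumer with the new key",
    "OAuth": "revoke sessions and refresh tokens for the calling principal, then suspend it",
}


def parse_records(text):
    """One JSON object per non-empty line, as exported from Log Analytics."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def caller_ip(caller):
    """Storage logs record the caller as 'ip:port' ('[v6addr]:port' for IPv6).
    Drop the port so one client is not split into one row per TCP connection."""
    host, sep, port = caller.rpartition(":")
    if sep and port.isdigit() and (":" not in host or host.startswith("[")):
        return host.strip("[]")
    return caller


def blob_path(uri):
    """Keep host + path only, so a SAS token in the query string never lands in the report."""
    parts = urlsplit(uri)
    return parts.netloc + parts.path


def successful_reads(records):
    """Only completed GetBlob calls moved data; 4xx/5xx attempts are probing evidence."""
    return [r for r in records
            if r["OperationName"] == "GetBlob" and 200 <= int(r["StatusCode"]) < 300]


def scope_incident(records):
    """Per caller IP: blobs read, bytes returned, credential types used, first/last access."""
    summary = {}
    for r in successful_reads(records):
        ip = caller_ip(r["CallerIpAddress"])
        ts = datetime.fromisoformat(r["TimeGenerated"].replace("Z", "+00:00"))
        e = summary.setdefault(ip, {"reads": 0, "bytes": 0, "blobs": set(),
                                    "auth": set(), "first": ts, "last": ts})
        e["reads"] += 1
        e["bytes"] += int(r.get("ResponseBodySize", 0))
        e["blobs"].add(blob_path(r["Uri"]))
        e["auth"].add(r["AuthenticationType"])
        e["first"], e["last"] = min(e["first"], ts), max(e["last"], ts)
    for e in summary.values():  # make the result stable and serialisable
        e["blobs"], e["auth"] = sorted(e["blobs"]), sorted(e["auth"])
        e["first"], e["last"] = e["first"].isoformat(), e["last"].isoformat()
    return summary


def containment_actions(summary, known_app_cidrs=("10.0.0.0/8",)):
    """Map each external caller's credential types to the section 2 step that closes them.
    Callers inside known_app_cidrs (assumed: the application's own egress ranges) are
    skipped here but still need a manual review of what that principal read."""
    known = [ipaddress.ip_network(c) for c in known_app_cidrs]
    actions = {}
    for ip, e in summary.items():
        if any(ipaddress.ip_address(ip) in net for net in known):
            continue
        actions[ip] = [CONTAINMENT.get(a, f"investigate unknown auth type {a}") for a in e["auth"]]
    return actions


if __name__ == "__main__":
    scope = scope_incident(parse_records(SAMPLE_LOGS))
    for ip, e in scope.items():
        print(f"{ip}: {e['reads']} reads, {e['bytes']} bytes, auth={e['auth']}, {e['first']} .. {e['last']}")
        for b in e["blobs"]:
            print("    ", b)
    for ip, steps in containment_actions(scope).items():
        print(f"contain {ip}: " + "; ".join(steps))
```

The report deliberately strips query strings from the logged URIs: a leaked SAS token copied into an incident ticket is a second leak. Pass the real export file's contents to `parse_records` in place of `SAMPLE_LOGS`, and adjust `known_app_cidrs` to your own egress ranges.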

4. Recovery

  • Fix the misconfiguration at the account level, not only the container: set containers to Private, set allowBlobPublicAccess to false, disable shared-key access (allowSharedKeyAccess = false) so that only AAD (Microsoft Entra ID) authorization works, and enforce these settings with Azure Policy so they cannot be re-enabled by hand.
  • Rotate all potentially compromised credentials that could lead to further data loss, including any that were rotated during containment if the new values were handled on a possibly compromised host.
  • Deploy the remediated configuration via GitOps / Terraform so the hardened state is the declared state and drift is resolved rather than patched in the portal.

5. Reporting & Lessons Learned

  • Engage legal and compliance teams immediately if PII/PHI was involved; the scope from section 3 (which blobs, how many records, over what window) is what they need to assess notification duties.
  • Prepare breach notification reports based on regional requirements (e.g., the GDPR requirement to notify the supervisory authority within 72 hours of becoming aware of the breach).
  • Run the compliance snapshot tool (E0) to check for broader misconfigurations.