
Incident Response Runbook for After-Hours Anomalies
N.B. Upload any incident tickets or committee packs to link as evidence. Define severity criteria explicitly; if not supplied, propose a pragmatic scale. Capture lessons learned for future prevention.
📄 Prompt Template
Create a step-by-step incident response runbook for after-hours access anomalies for [CompanyName], optimized for [SOCProvider] and the [OnCallRotation] schedule. Define triage categories, thresholds, and decision points (e.g., repeated badge attempts, entry without camera confirmation, door-forced alarms). Include legal and HR touchpoints via [LegalContact] and a [SeverityMatrix] for escalation.
Output format:
Trigger Catalogue (table: Event | Signal | Severity | Initial Action)
Triage & Containment Steps (numbered list with time targets)
Decision Tree (ASCII flow with IF/THEN)
Communications Templates (internal notification, executive update, regulator notice)
Post-Incident Review Checklist and evidence collection requirements.
Specify mean time to detect (MTTD) and mean time to respond (MTTR) objectives, and the handoff requirements to facilities and security vendors.