# Security Incident Timeline Template

Use this when you suspect a token/key has leaked, a DLP policy change has broken a workflow, a connector is being misused, or data has been shared with the wrong group.

## 1. Incident Summary

- Incident name:
- Reported by:
- Date/time reported:
- Owner:
- Status: Open / Investigating / Contained / Resolved / Closed
- Severity: Low / Medium / High
- Systems affected: Power BI / Power Apps / Power Automate / SharePoint / Dataverse / Other

## 2. What Happened

Keep it short and do not speculate beyond the evidence.

- What was observed:
- First known time:
- User or team affected:
- Data involved:
- Current business impact:

## 3. Data Classification

- Data level: Public / Internal / Confidential / Highly Confidential
- Sensitive fields involved:
- Export/download involved: Yes / No / Unknown
- External sharing involved: Yes / No / Unknown
- Evidence link:

## 4. Timeline

| Time | Event | Source | Who/Actor | Resource | Result | Evidence |
| --- | --- | --- | --- | --- | --- | --- |
|  |  | Run history / Admin log / Connector log / SharePoint / Power BI |  |  |  |  |
|  |  | Run history / Admin log / Connector log / SharePoint / Power BI |  |  |  |  |
|  |  | Run history / Admin log / Connector log / SharePoint / Power BI |  |  |  |  |

## 5. Audit Questions

- [ ] Who changed, opened, shared, exported, or triggered the resource?
- [ ] What resource was touched?
- [ ] When did it happen?
- [ ] From which app, flow, connector, environment, workspace, site, or account?
- [ ] Was the action successful, failed, skipped, or retried?
- [ ] Does the timeline match the user report?

## 6. Containment Actions

- [ ] Revoke leaked token/key if needed
- [ ] Rotate secret/key if needed
- [ ] Disable or isolate affected flow/app/connector if needed
- [ ] Remove incorrect sharing link or permission
- [ ] Block risky connector or adjust DLP policy
- [ ] Notify owner, platform admin, security owner, or data owner

## 7. Root Cause Notes

Use plain language. Avoid blaming a person before evidence is clear.

- Likely root cause:
- Missing guardrail:
- Why existing controls did not catch it:
- Similar resources to check:

## 8. Follow-up Tasks

| Task | Owner | Due date | Status |
| --- | --- | --- | --- |
| Update DLP policy or exception list |  |  |  |
| Review permissions or sharing links |  |  |  |
| Rotate or move secrets |  |  |  |
| Update checklist, docs, or training |  |  |  |

## 9. Closure

- Resolved date/time:
- Reviewed by:
- Evidence archived at:
- Final note:

