Push runbooks for detection and response teams

This article provides a downloadable set of structured runbooks (step-by-step guidance) designed for detection and response teams to quickly and effectively manage security incidents surfaced by the Push platform.

These PDF runbooks cover in-browser threats, identity attacks, and SaaS risks, including:

How to use these runbooks

Each runbook follows a four-phase structure to guide your team from initial alert to final resolution:

  • Trigger: The event that initiates the runbook (typically a Push Security detection or a user report).

  • Investigation: The steps required to scope the breach, gather evidence, and identify persistence mechanisms.

  • Containment: Immediate actions to stop the attack and remove the threat.

  • Post-incident review: Steps for documentation, remediation confirmation, and procedural updates.