
Live Incident Recovery Plan

Overview

What is a Live Incident Recovery Plan?

A Live Incident Recovery Plan is a high-speed restoration strategy used during an active ransomware attack or cyber emergency.

Unlike testing schedules, this plan is designed for real-time execution to restore critical systems as quickly as possible during a crisis.

The Live Incident Recovery Plan is your organization’s "Emergency Exit." It provides a safe, verified, and isolated path to bring your business back online while ensuring that the malware that caused the initial incident is identified and blocked from the recovered systems.

Key Benefits:

  • Re-infection Prevention: Built-in security scans verify the health of the data during restoration, ensuring the attack does not spread to the new environment.

  • Incident Response Alignment: Synchronizes perfectly with your organization’s broader Incident Response (IR) strategy, acting as the technical execution arm of your recovery.

Prerequisites

To ensure a successful and secure recovery during a live incident, the following requirements must be met:

For VMware

1. Infrastructure Requirements

  • VMware Environment: You must have a functional VMware Virtual Machine target available for the recovery process.

  • Isolated Recovery Environment (IRE): A dedicated, pre-configured "Sandbox" or Isolated Recovery Environment must be ready. This prevents the recovered data from communicating with the infected production network.

2. Security Configuration

  • Post-Recovery Automated Scans: By pre-configuring these tools, the plan automatically triggers a malware scan immediately after the systems boot up. This ensures that the latest restored data is clean before users are granted access.

For Microsoft 365

Microsoft Tenant must be in a connected state. For more information, see Register M365 tenant.

How to create a Live Incident Recovery Plan

Access Path: From the Cloud Platform console dashboard, navigate to Global Navigation icon > Cyber Resiliency > Ransomware Recovery > Cyber Recovery > Get Started with Cyber Recovery > Create a Cyber Recovery > Create Live Incident Recovery Plan.

The following steps describe how to create a Live Incident Recovery Plan so that you can proactively test your recovery readiness.

On the Cyber Recovery Plan pop-up, click Create Live Incident Recovery Plan and follow the steps mentioned below.

Step 1: General Plan Details - General Tab

Every recovery plan requires basic identification and a schedule to ensure regular testing without impacting active production systems.

Plan Details

  • Recovery Name: Provide a unique name to identify this plan.

  • Recovery Description: Briefly explain the purpose of this specific plan.

Step 2: Resource Selection For Recovery - Resources Tab

Select the specific resource that you want to protect and recover. For example, VMware, Microsoft 365 - OneDrive, SharePoint, Exchange Online.

Search Resources for VMware


📝 Note: In case of VMware, you can select a maximum of 10 VMs per plan.


Filter and search resources by the following criteria:

  • Resource Type: Select the required resource type. For example, VMware.

  • Organizations: Select the required organization from the dropdown.

  • vCenter/ESXi Hosts: Select the vCenter/ESXi Hosts from the dropdown.

  • Match: Select the match criteria by which the resources must be searched. It can be VMware Folders, Resource Name, Tags, DataStore, Host, or Clusters.

Search Resources for OneDrive and Exchange Online


📝 Note: In case of OneDrive and Exchange Online, you are limited to 5% of your total user licenses, up to a maximum of 200. This limit applies to each workload every quarter.


Filter and search resources for OneDrive and Exchange Online by the following criteria:

  • Resource Type: Select the required resource type. For example, OneDrive or Exchange Online.

  • Match Criteria: Select the match criteria by which the resources must be searched. It can be Profiles or Users.

Search Resources for SharePoint


📝 Note: In case of OneDrive and Exchange Online, you are limited to 5% of your total user licenses, up to a maximum of 200. This limit applies to each workload every quarter.


Filter and search resources for SharePoint by the following criteria:

  • Resource Type: Select the required resource type. For example, SharePoint.

  • Match Criteria: Select the match criteria by which the resources must be searched. It can be Backup Profiles or Attribute-based conditions. In case of Attribute-based conditions selection, filter resources by Site Attribute, Operator, or Value.

Step 3: Snapshot Selection For Recovery - Snapshot Tab

A snapshot is a saved or backed up version of your data from a specific point in time. Select which snapshot should be used for recovery.

  • Snapshot Recovery Window: Enter a start and end date as the recovery window. The most recent backups within the provided time range will be selected.

  • Recovery Options: Select the required option based on the selection of resources.

    • Curated Snapshot: Builds a single, latest and cleanest snapshot by identifying clean files across the multiple snapshots available within the selected recovery window. This recovery option is applicable to OneDrive and SharePoint only.

    • Latest Snapshot: Automatically selects the most recent backup available.

    • Manual Selection of Snapshot post Threat Hunt: Select the Review and override the recommended snapshot before recovery checkbox to choose a snapshot manually after viewing the threat hunt results.

    • Latest Clean Snapshot: Performs a Threat Hunt first to find the most recent backup that does not contain known Indicators of Compromise (IOCs).

      • Threat Hunt Scanning Criteria: You can scan for specific File Hashes (using predefined libraries or custom values) and File Extensions to ensure the restored data is clean. If you select this option, the most recent snapshot with no IOC matches is selected for recovery.

        💡 Tip: If you suspect a virus was present in recent backups, always use Latest Clean Snapshot for Exchange Online and VMware, and Curated Snapshot for OneDrive and SharePoint.
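To make the difference between Latest Clean Snapshot and Curated Snapshot concrete, here is an added example of the two selection strategies in a simplified model (this is illustrative code written for this page, not the product's own implementation). The IOC hash and extension lists, the file-version and snapshot structures, and the three sample backups are all constructed assumptions.

```python
from collections import namedtuple
from datetime import date, datetime

# A backed-up file version and a point-in-time backup (simplified model).
FileVersion = namedtuple("FileVersion", "path sha256")
Snapshot = namedtuple("Snapshot", "taken_at files")  # files: tuple of FileVersion

# Threat Hunt criteria: constructed placeholder values, not real indicators.
IOC_HASHES = {"deadbeef" * 8}
IOC_EXTENSIONS = {".locked", ".encrypted"}

def matches_ioc(f: FileVersion) -> bool:
    """A file is an IOC hit if its hash is listed or it carries a flagged extension."""
    ext = "." + f.path.rsplit(".", 1)[1].lower() if "." in f.path else ""
    return f.sha256.lower() in IOC_HASHES or ext in IOC_EXTENSIONS

def in_window(snapshots, start: str, end: str):
    """Snapshots taken within the recovery window (ISO dates, inclusive), newest first."""
    lo, hi = date.fromisoformat(start), date.fromisoformat(end)
    return sorted((s for s in snapshots if lo <= s.taken_at.date() <= hi),
                  key=lambda s: s.taken_at, reverse=True)

def latest_clean_snapshot(snapshots, start: str, end: str):
    """Latest Clean Snapshot: newest snapshot in the window with zero IOC hits, else None."""
    for snap in in_window(snapshots, start, end):
        if not any(matches_ioc(f) for f in snap.files):
            return snap
    return None

def curated_snapshot(snapshots, start: str, end: str) -> dict:
    """Curated Snapshot: per path, the newest IOC-free version merged across all snapshots in the window (file deletions are not tracked in this simplification)."""
    curated = {}
    for snap in in_window(snapshots, start, end):
        for f in snap.files:
            if f.path not in curated and not matches_ioc(f):
                curated[f.path] = f
    return curated

def sample_snapshots():
    """Constructed sample: three nightly backups; the newest one shows ransomware traces."""
    fv = FileVersion
    return [
        Snapshot(datetime(2024, 5, 1, 2), (fv("docs/plan.docx", "a1" * 32), fv("docs/budget.xlsx", "b1" * 32))),
        Snapshot(datetime(2024, 5, 2, 2), (fv("docs/plan.docx", "a2" * 32), fv("docs/budget.xlsx", "b1" * 32))),
        Snapshot(datetime(2024, 5, 3, 2), (fv("docs/plan.docx.locked", "c3" * 32),
                                           fv("docs/budget.xlsx", "b2" * 32),
                                           fv("docs/README_RESTORE.txt", "deadbeef" * 8))),
    ]
```

With the sample data, Latest Clean Snapshot falls back to the whole 2 May backup (the 3 May backup has IOC hits), whereas Curated Snapshot keeps the clean 3 May copy of budget.xlsx and takes plan.docx from 2 May, showing why the tip above recommends it for file-level workloads.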


Step 4: Target Environment Details - Target Environment Tab

This section defines where the recovered resources will be hosted. This is an isolated environment to prevent re-infection of your production network.

For VMware

  • Destination VMware Setup: The vCenter instance where the VMs will be restored.

  • Backup Proxy Pool: It is recommended to use an Isolated Recovery Environment for the restore. This provides dedicated resources that keep your recovery separate from regular backup tasks to ensure better performance.

  • Destination Hypervisor: The hypervisor details for the restored VMs.

  • Destination Datastore: The storage location for the restored VMs (must meet minimum disk space requirements).

  • Compute Restore: The host, cluster, or resource pool where you want to restore the virtual disk. You cannot select a data center or a folder. This option is not available if you are restoring a virtual disk to a standalone ESXi host.

  • Folder: A folder under the data center hierarchy where you want to restore the virtual disk. This option is not available if you are restoring a virtual disk to a standalone ESXi host.

  • Network: The isolated network segment where the recovered VMs will reside.

For Microsoft 365

The available target environment options depend on the resource:
Exchange Online

  • Restore to original location: Restore and replace existing Exchange Online data to the user's original location.

  • Restore Location: Restored as a copy within the inSync Restore folder of the same user's mailbox.

  • Include archive mailbox:

OneDrive

  • Restore to original location: Restore and replace existing OneDrive data to the user's original location.

  • Restore to alternate location: Restored as a copy within a folder named "<Plan name> - inSync Restore folder - <date/time>" under the same user's OneDrive.

  • Retain Share Settings:

SharePoint

  • Restore to original location: Restore and replace existing SharePoint data to the original SharePoint site.

  • Restore to a new site: Restored as a copy to a new SharePoint site.

[For VMware Only] Step 5: Post-Restore Actions - Recovery Settings Tab

After the VMs are restored and powered on in the recovery environment, you can automate their clean-up and validation.

Recovered VM Name

  • Recovered VM Name Prefix: Add a prefix (e.g. "TEST-") to the names of recovered virtual machines to distinguish them from production.

Post Restore Actions

  • Detach Network Card: Isolates the recovered virtual machine from your production network upon boot to prevent accidental interference. Keep Detach Network Card active and enabled during testing to avoid IP address conflicts.

  • Enable OS Boot Configuration: Verifies network connectivity within the guest OS after the virtual machine starts up.

  • Post-Boot Scripts: Automatically runs custom scripts (PowerShell or Bash) after the virtual machine starts up. You can upload and run up to 5 scripts to reconfigure applications or hostnames. Allowed script file types are .ps1 and .sh, with a maximum file size of 100 KB.

  • Post-Restore Scan: Runs a malware scan on the restored virtual machines and can optionally delete malicious files automatically.

Priority Order for Post-Boot Scripts and Post-Restore Scans

Select the Run post-Boot scripts after the Post restore scan option to set the order in which these two tasks run.

Once you complete all the steps successfully, a new Live Incident Recovery Plan is created.
