Incident Response for FileMaker Security Events

Beginner

What to do when you detect a potential security breach: immediate containment, investigation, and recovery steps.

What you'll learn

  • Immediate containment steps for a FileMaker breach
  • What evidence is available and where to find it
  • Password and credential rotation procedures
  • Post-incident hardening priorities

When something goes wrong -- a stolen credential, suspicious data access, or a disgruntled employee -- having a clear incident response plan determines whether you contain the damage quickly or let it spread. FileMaker-specific incident response covers immediate containment, investigation using available evidence, and hardening to prevent recurrence.


Immediate containment

Step 1: Disable the suspected compromised account immediately.
Step 2: If a service account credential is compromised, disable the account and rotate the credential.
Step 3: Check for any data exports or unusual activity in your audit logs.
Step 4: If the [Full Access] account password may be compromised, change it -- but note this requires opening the file in a secure environment.

// Immediate actions:
// 1. Admin Console > Files > Disconnect all clients from that account
// 2. Accounts: uncheck Active on the compromised account
// 3. Review FileMaker Server access.log for the account's recent activity
// 4. Review your Audit table if you have one
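
For the access.log review in the actions above, one way to pull a single account's activity out of the log and see which source addresses touched which files. This is an added example, not part of the original lesson; the line layout, the regular expression and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed message shape; confirm it against your own Access.log first:
#   <timestamp> ... Client "<user> (<machine>) [<ip>]" opening|closing
#   database "<file>" as "<account>".
EVENT_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})'
    r'.*?Client "(?P<client>[^"]*?)\s*\[(?P<ip>[^\]]+)\]" '
    r'(?P<action>opening|closing) database "(?P<db>[^"]+)" '
    r'as "(?P<account>[^"]+)"'
)

def account_activity(lines, account):
    """Return the open/close events for one account, in log order."""
    wanted = account.casefold()  # catch case variants of the name
    events = []
    for line in lines:
        m = EVENT_RE.search(line)
        if m and m["account"].casefold() == wanted:
            events.append(m.groupdict())
    return events

def files_by_source_ip(events):
    """Map each source IP to the files it opened or closed."""
    seen = defaultdict(set)
    for e in events:
        seen[e["ip"]].add(e["db"])
    return {ip: sorted(dbs) for ip, dbs in seen.items()}

# Constructed sample lines (tab-separated), not real log data.
SAMPLE_LOG = [
    '2024-03-04 08:59:12.101 -0500\tInformation\t94\tFMS01\tClient "J Smith (JS-LAPTOP) [10.0.0.21]" opening database "Invoices" as "jsmith".',
    '2024-03-04 09:02:45.330 -0500\tInformation\t94\tFMS01\tClient "A Davis (AD-DESK) [10.0.0.30]" opening database "Invoices" as "adavis".',
    '2024-03-05 02:14:40.007 -0500\tInformation\t94\tFMS01\tClient "J Smith (UNKNOWN-PC) [203.0.113.77]" opening database "Payroll" as "JSmith".',
    '2024-03-05 02:31:09.512 -0500\tInformation\t98\tFMS01\tClient "J Smith (UNKNOWN-PC) [203.0.113.77]" closing database "Payroll" as "jsmith".',
]

if __name__ == "__main__":
    events = account_activity(SAMPLE_LOG, "jsmith")
    for e in events:
        print(e["ts"], e["ip"], e["action"], e["db"])
    print(files_by_source_ip(events))
```

On a real server, pass the open log file object as `lines`; an unfamiliar source address or a file the user does not normally open is the starting point for the investigation.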
