
Task 04: Contain and remediate


Security Architecture Team

  1. If malicious emails continue to arrive, you can:

    1. Go to Email and collaboration > Explorer.
    2. Filter by Subject, URL, or Sender address.
    3. Select an email on the table.
    4. Select Take action > Move or delete > Soft delete or Hard delete > Submit.
    5. Go to Investigation & response > Actions & submissions > Action center.
    6. Check Pending/History to validate remediation results.
  2. If a device exhibits credential-theft behavior:

    1. Go to Assets > Devices, then select the device.
    2. Open the device's context menu and select an action such as Isolate device or Run antivirus scan.
    3. Validate the action’s success in Action center under Pending/History.

Security Engineering and Administration

General information for the Engineering team.

  1. Isolate a device:

    1. Go to Assets > Devices, then select the device.
    2. Open the device's context menu and select Isolate device.
  2. Quarantine a file:

    1. Go to Incidents & alerts > Incidents, then select the EICAR_Test_File incident.
    2. Select Evidence and response > File > Quarantine (or Undo quarantine).
  3. Purge email for impacted recipients:

    1. Go to Email and collaboration > Explorer.
    2. Select the email message.
    3. Select Take action > Move or Delete.
  4. Revoke OAuth app consents or disable an app:

    1. Go to Cloud Apps > Cloud App catalog.
    2. Select the app and select Sanction or Unsanction.
  5. Safeguard affected users:

    1. Go to entra.microsoft.com, select Users, then select the user.
    2. Select Revoke sessions.

SOC Analyst

General information for the SOC Analysts.

  1. Queue and monitor actions:

    1. Go to Incidents, select the incident, then select Evidence and response.
    2. Select items (Device/File/Email/User/Cloud App) and queue necessary actions.
    3. Open Action center and verify Pending or History actions.
  2. Add incident comments:

    • In Manage incident, record the containment timeline. For example, “10:24 NZDT - VM fully isolated; 10:29 - email soft-deleted org-wide; residual: monitor OAuth app re-consent.”
  3. Resolve the incident once all actions are complete.
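The same containment steps, as an added Python helper that is not part of the lab: it plans the isolate, antivirus scan and revoke-sessions calls against the Defender for Endpoint and Microsoft Graph REST APIs, then polls the machine action status the way you check Pending/History in Action center. Bearer tokens, `machine_id` and `user_id` are assumed inputs you take from your tenant and the incident's Evidence tab.

```python
"""Containment helpers mirroring the lab's GUI steps (added example, not lab code).

Assumptions: one bearer token for the Defender for Endpoint API and one for
Microsoft Graph, plus the machine and user ids from the incident's Evidence tab.
"""
import json
import time
import urllib.request

MDE = "https://api.securitycenter.microsoft.com/api"
GRAPH = "https://graph.microsoft.com/v1.0"


def plan_containment(machine_id, user_id, comment, isolation="Full"):
    """Return the ordered (url, body, token_name) calls for: isolate device,
    run a full AV scan, revoke the user's sessions. Returned as data so the
    plan can be reviewed (or dry-run) before anything is executed."""
    return [
        (f"{MDE}/machines/{machine_id}/isolate",
         {"Comment": comment, "IsolationType": isolation}, "mde"),
        (f"{MDE}/machines/{machine_id}/runAntiVirusScan",
         {"Comment": comment, "ScanType": "Full"}, "mde"),
        (f"{GRAPH}/users/{user_id}/revokeSignInSessions", None, "graph"),
    ]


def post_json(url, body, token):
    """POST one planned call; MDE returns a machine action object with an id."""
    data = json.dumps(body).encode() if body is not None else b""
    req = urllib.request.Request(url, data=data, method="POST", headers={
        "Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read() or b"{}")


def wait_for_machine_action(action_id, token, timeout_s=600):
    """Poll GET /machineactions/{id} until the action leaves Pending/InProgress,
    the API equivalent of watching Pending/History in Action center."""
    deadline = time.time() + timeout_s
    while time.time() < deadline:
        req = urllib.request.Request(f"{MDE}/machineactions/{action_id}",
                                     headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            status = json.loads(resp.read())["status"]
        if status not in ("Pending", "InProgress"):
            return status  # Succeeded, Failed or Cancelled
        time.sleep(15)
    return "TimedOut"


def timeline_entry(when, action, residual=None):
    """Format a containment-timeline line for the incident comment."""
    return f"{when} - {action}" + (f"; residual: {residual}" if residual else "")
```

Run the plan with `post_json` per entry, pass the returned `id` of each MDE action to `wait_for_machine_action`, and paste the `timeline_entry` lines into Manage incident before resolving.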