Step-by-Step IR: From C2 Alert to Full Containment

Documentation Index

Fetch the complete documentation index at: https://docs.socfortress.co/llms.txt

Use this file to discover all available pages before exploring further.

Video: https://www.youtube.com/watch?v=PUQ3H913xGs

​

Goal

Contain the host quickly, preserve evidence, then work the investigation to full containment.

​

When to use

• Alerts indicating command-and-control (C2) / beaconing

​

Prereqs

• Alert routing into CoPilot is working
• Ability to isolate/quarantine endpoints (if enabled)

​

Procedure (high level)

1. Confirm scope (customer, host, user)
2. Contain first (isolate/quarantine where appropriate)
3. Pivot into surrounding events + endpoint evidence
4. Create/attach a case and document actions

​

Validation

• Host is contained
• Evidence captured and case notes updated

​

Safety notes

• Prefer containment that preserves volatile evidence when possible.