Goal
Contain the host quickly, preserve evidence, then investigate until the intrusion is fully scoped and contained.
When to use
- Alerts indicating command-and-control (C2) / beaconing
Prereqs
- Alert routing into CoPilot is working
- Ability to isolate/quarantine endpoints (if enabled)
Procedure (high level)
- Confirm scope (customer, host, user)
- Contain first (isolate/quarantine where appropriate)
- Pivot into surrounding events (same host, user and destination around the alert time) and endpoint evidence (process, parent, persistence)
- Create/attach a case and document actions
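The "confirm scope" and "pivot into surrounding events" steps above can be partly automated. The following is an added example and is not CoPilot's code or part of the original runbook: it parses a constructed connection log, flags destination series whose inter-connection interval is regular enough to look like beaconing, and then lists every host, user and process that touched a flagged destination so the analyst can see whether the scope is one host or several. The log format, field names, and the thresholds (`min_hits`, `max_jitter`) are assumptions for illustration; tune them to your own telemetry.

```python
"""Beacon-interval triage over connection logs (added example, not CoPilot's code)."""
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample log (not real telemetry). Assumed line format:
# "<ISO timestamp> host=<name> user=<name> proc=<image> dst=<ip>:<port>"
# WS-0142 talks to 203.0.113.7:443 about once a minute (the suspected C2), with
# ordinary browser noise mixed in; WS-0199 has only two contacts with the same
# destination, which is a scope signal even though it is too short to flag as a beacon.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z host=WS-0142 user=jdoe proc=svchost.exe dst=203.0.113.7:443
2024-05-01T10:00:13Z host=WS-0142 user=jdoe proc=chrome.exe dst=198.51.100.20:443
2024-05-01T10:00:14Z host=WS-0142 user=jdoe proc=chrome.exe dst=198.51.100.20:443
2024-05-01T10:00:15Z host=WS-0142 user=jdoe proc=chrome.exe dst=198.51.100.20:443
2024-05-01T10:01:02Z host=WS-0142 user=jdoe proc=svchost.exe dst=203.0.113.7:443
2024-05-01T10:01:59Z host=WS-0142 user=jdoe proc=svchost.exe dst=203.0.113.7:443
2024-05-01T10:02:30Z host=WS-0199 user=svc-backup proc=updater.exe dst=203.0.113.7:443
2024-05-01T10:02:40Z host=WS-0142 user=jdoe proc=chrome.exe dst=198.51.100.20:443
2024-05-01T10:03:01Z host=WS-0142 user=jdoe proc=svchost.exe dst=203.0.113.7:443
2024-05-01T10:03:05Z host=WS-0142 user=jdoe proc=chrome.exe dst=198.51.100.20:443
2024-05-01T10:03:30Z host=WS-0199 user=svc-backup proc=updater.exe dst=203.0.113.7:443
2024-05-01T10:04:00Z host=WS-0142 user=jdoe proc=svchost.exe dst=203.0.113.7:443
2024-05-01T10:04:58Z host=WS-0142 user=jdoe proc=svchost.exe dst=203.0.113.7:443
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) proc=(?P<proc>\S+) dst=(?P<dst>\S+)$"
)


def parse_log(text):
    """Parse the assumed log format into a list of event dicts; skips malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "host": m["host"], "user": m["user"], "proc": m["proc"], "dst": m["dst"],
        })
    return events


def beacon_candidates(events, min_hits=5, max_jitter=0.15):
    """Return {(host, dst): stats} for connection series with regular spacing.

    Regularity is measured as median absolute deviation of the inter-connection
    gaps divided by the median gap; real beacons with small jitter score low,
    bursty human/browser traffic scores high. Thresholds are assumed values.
    """
    series = defaultdict(list)
    for e in events:
        series[(e["host"], e["dst"])].append(e["ts"])
    flagged = {}
    for key, stamps in series.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        med = median(gaps)
        if med <= 0:
            continue
        jitter = median(abs(g - med) for g in gaps) / med
        if jitter <= max_jitter:
            flagged[key] = {"hits": len(stamps), "interval_s": med, "jitter": round(jitter, 3)}
    return flagged


def scope_for_destination(events, dst):
    """Every host, user and process that contacted dst: the scope-confirmation view."""
    hosts, users, procs = set(), set(), set()
    for e in events:
        if e["dst"] == dst:
            hosts.add(e["host"])
            users.add(e["user"])
            procs.add(e["proc"])
    return {"hosts": sorted(hosts), "users": sorted(users), "procs": sorted(procs)}


def triage(text):
    """Flag beacon-like series and expand each flagged destination to its full scope."""
    events = parse_log(text)
    flagged = beacon_candidates(events)
    return {dst: {"beacon": stats, "scope": scope_for_destination(events, dst)}
            for (host, dst), stats in flagged.items()}


if __name__ == "__main__":
    for dst, detail in triage(SAMPLE_LOG).items():
        print(dst, detail)
```

In the sample, only WS-0142 to 203.0.113.7:443 is flagged (six hits, median interval 59 s, jitter about 3%), but the scope view for that destination also surfaces WS-0199 and the svc-backup account, so containment should be planned for both hosts rather than the one that raised the alert.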
Validation
- Host is contained
- Evidence captured and case notes updated
Safety notes
- Prefer containment that preserves volatile evidence when possible: network isolation or quarantine keeps memory, running processes and active connections intact, whereas shutdown or reboot destroys them.
