Video: https://www.youtube.com/watch?v=PUQ3H913xGs

Goal

Contain the host quickly, preserve evidence, then work the investigation to full containment.

When to use

  • Alerts indicating command-and-control (C2) / beaconing

Prereqs

  • Alert routing into CoPilot is working
  • Ability to isolate/quarantine endpoints (if enabled)

Procedure (high level)

  1. Confirm scope (customer, host, user)
  2. Contain first (isolate/quarantine where appropriate)
  3. Pivot into surrounding events + endpoint evidence
  4. Create/attach a case and document actions
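The four steps above, worked as a small triage helper. This is an added example and not part of the original runbook or of CoPilot itself; the connection events, customer name, host names, user and destination address are constructed sample data, and the field names (`customer`, `host`, `user`, `dst`) are assumptions. It confirms scope against the alert, scores how regular the outbound connections are (the property a beaconing alert is asserting), and produces a containment plan that captures volatile evidence before isolation, with case-note lines for each action.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, pstdev


@dataclass(frozen=True)
class ConnEvent:
    """One outbound connection as it might arrive from an EDR/firewall feed (hypothetical shape)."""
    ts: datetime
    customer: str
    host: str
    user: str
    dst: str


BASE = datetime(2024, 1, 1, 12, 0, 0)

# Constructed sample: WS-042 contacts one external address roughly every 60 s.
SAMPLE_EVENTS = [
    ConnEvent(BASE + timedelta(seconds=s), "acme", "WS-042", "jdoe", "203.0.113.7")
    for s in (0, 60, 121, 180, 240, 300, 362)
]
# Unrelated traffic from another host; it must not widen the scope.
SAMPLE_EVENTS.append(
    ConnEvent(BASE + timedelta(seconds=90), "acme", "WS-099", "asmith", "198.51.100.5")
)

BEACON_CV_THRESHOLD = 0.2  # coefficient of variation below this = machine-regular timing


def beacon_regularity(timestamps):
    """Return (mean interval in seconds, coefficient of variation of the intervals).

    A low coefficient of variation means near-constant spacing, which is what
    distinguishes a beacon from human-driven browsing. Needs at least 3 events.
    """
    ts = sorted(timestamps)
    if len(ts) < 3:
        raise ValueError("need at least 3 events to judge regularity")
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    m = mean(gaps)
    return m, (pstdev(gaps) / m if m else float("inf"))


def confirm_scope(alert, events):
    """Step 1: narrow the event set to the alerted customer/host/destination and summarise it."""
    hits = [
        e for e in events
        if e.customer == alert["customer"] and e.host == alert["host"] and e.dst == alert["dst"]
    ]
    if not hits:
        raise LookupError("alert does not match any events; re-check customer/host/dst")
    interval, cv = beacon_regularity([e.ts for e in hits])
    return {
        "customer": alert["customer"],
        "host": alert["host"],
        "users": sorted({e.user for e in hits}),
        "dst": alert["dst"],
        "events": len(hits),
        "first_seen": min(e.ts for e in hits),
        "last_seen": max(e.ts for e in hits),
        "mean_interval_s": round(interval, 1),
        "jitter_cv": round(cv, 3),
        "beacon_like": cv < BEACON_CV_THRESHOLD,
    }


def containment_plan(scope, isolation_enabled):
    """Steps 2-4 as an ordered action list. Volatile evidence is captured before isolation."""
    actions = ["capture volatile evidence: running processes, network connections, logged-on users"]
    if isolation_enabled:
        actions.append(f"isolate host {scope['host']} via EDR (host stays reachable for evidence pull)")
    else:
        actions.append(f"block {scope['dst']} at perimeter firewall/DNS and request manual isolation")
    actions.append(f"pivot: query events for {scope['host']} around {scope['first_seen']:%Y-%m-%d %H:%M} and pull endpoint artefacts")
    actions.append("open/attach case; record each action with timestamp and operator")
    return actions


def draft_case_notes(scope, actions, operator):
    """Render the scope summary and planned actions as case-note lines."""
    lines = [
        f"[{scope['customer']}] {scope['host']} -> {scope['dst']}: {scope['events']} connections, "
        f"mean interval {scope['mean_interval_s']}s, jitter cv {scope['jitter_cv']}, "
        f"beacon-like={scope['beacon_like']}, users={','.join(scope['users'])}"
    ]
    lines += [f"{operator}: {a}" for a in actions]
    return lines


if __name__ == "__main__":
    alert = {"customer": "acme", "host": "WS-042", "dst": "203.0.113.7"}
    scope = confirm_scope(alert, SAMPLE_EVENTS)
    for line in draft_case_notes(scope, containment_plan(scope, isolation_enabled=True), "analyst1"):
        print(line)
```

The threshold of 0.2 is a constructed starting point, not a tuned value; raise it for long-lived beacons with deliberate jitter, and treat the score only as supporting evidence for the alert, since the containment decision still rests on the scope confirmation in step 1.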

Validation

  • Host is contained
  • Evidence captured and case notes updated

Safety notes

  • Prefer containment that preserves volatile evidence when possible.