Microsoft Defender for Identity raises a high-severity alert on a customer’s domain admin account: sign-ins from two countries within an hour. The on-call MSP engineer needs to confirm scope, kill the active session everywhere it lives, capture evidence, file the incident report, and have the customer’s CISO informed before they read about it on the internet.

Systems involved

System                          Role
Microsoft Defender / Sentinel   Source alert with signals and timeline.
Microsoft Entra ID (Azure AD)   Disable account, revoke sessions and tokens.
Studio terminal                 Pull RADIUS accounting, switch port logs, firewall rules.
RADIUS server                   Identify NAS and active sessions, send CoA disconnects.
FortiGate / Palo Alto           Block source IPs and revoke VPN tokens.
Microsoft Teams #sec-ir         Internal IR channel.
ServiceNow IRM                  Customer-facing incident record.
Gmail / Outlook                 Customer CISO and on-call notification.
Studio Procedures               Account compromise containment runbook.

Walkthrough

Step 1. Pull the Defender alert into context

Copilot fetches the alert via the Microsoft Graph connector, pulls the username, signed-in IPs, devices, and the recent token activity, and places the events on a single timeline.

Step 2. Confirm scope across other systems

In parallel, Copilot queries the RADIUS accounting log for the same username, the VPN appliance for active tunnels, and the customer’s M365 audit log for sensitive operations in the last six hours. The footprint becomes obvious in one view.

Step 3. Contain in Entra ID

Through the Graph connector, disable the account, revoke all sessions, and reset the credential. An approval prompt appears once, showing the exact account name, customer tenant, and revocation count. You approve.

Step 4. Disconnect active network sessions

SSH into the RADIUS server and send a CoA disconnect for the active sessions. The procedure captures the disconnect ACKs from each NAS as evidence.

Step 5. Block at the perimeter

Push a deny rule for the suspicious source IPs at the customer’s FortiGate via SSH. Revoke any VPN tokens for the user. The same IPs are flagged in the firewall’s threat feed for one week.

Step 6. Capture forensics

Copilot pulls 24 hours of Entra sign-in logs, M365 audit log entries, RADIUS accounting, and firewall session history into a single Markdown report artifact, with hashes and source timestamps preserved.

Step 7. Open the IR record

Through the ServiceNow IRM connector, open an incident with severity High, attach the report artifact, set the customer contact, and link the original Defender alert.

Step 8. Notify the customer CISO and on-call

Copilot drafts a one-screen email to the customer CISO and on-call: what happened, what we did, what is left to do, and when to expect the next update. You review and send it.

Step 9. Internal handoff

Post the timeline in the #sec-ir Teams channel. The next-shift IR analyst inherits the incident with full context — alert, containment, evidence, customer status — without you walking them through it.
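The correlation behind steps 1, 2, 4 and 5, as an added example that is not Studio's, Microsoft's or any vendor's code: it merges Entra sign-ins, RADIUS accounting and firewall session records for one account into a single timeline, flags the two-countries-within-an-hour pattern that raised the alert, and lists the RADIUS sessions to disconnect and the IPs to review. All records are constructed; the Entra fields follow the Graph signIn shape, while the RADIUS and firewall line formats are simplified key=value layouts made up for the example.

```python
from collections import namedtuple
from datetime import datetime, timedelta

# Constructed sample data standing in for the Graph sign-in list, the RADIUS accounting
# log and the firewall session log for the flagged account (hypothetical values).
ENTRA_SIGNINS = [
    {"createdDateTime": "2024-05-02T08:05:00Z", "userPrincipalName": "jdoe@contoso.example",
     "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "DE"}},
    {"createdDateTime": "2024-05-02T08:41:00Z", "userPrincipalName": "jdoe@contoso.example",
     "ipAddress": "198.51.100.7", "location": {"countryOrRegion": "BR"}},
]
RADIUS_ACCT = """2024-05-02T08:07:12Z Acct-Status-Type=Start User-Name=jdoe NAS-IP-Address=10.0.0.5 Acct-Session-Id=a1f3
2024-05-02T08:42:30Z Acct-Status-Type=Start User-Name=jdoe NAS-IP-Address=10.0.0.9 Acct-Session-Id=b7c0
2024-05-02T08:50:00Z Acct-Status-Type=Start User-Name=msmith NAS-IP-Address=10.0.0.5 Acct-Session-Id=c9d1"""
FW_SESSIONS = """2024-05-02T08:43:05Z srcip=198.51.100.7 user=jdoe action=tunnel-up
2024-05-02T09:10:00Z srcip=192.0.2.44 user=msmith action=tunnel-up"""

# ip is the sign-in IP, NAS address or VPN source; country and session are only known for some sources
Event = namedtuple("Event", "ts source ip country session", defaults=("", ""))

def when(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def kv(line):
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)

def build_timeline(user, signins=ENTRA_SIGNINS, radius=RADIUS_ACCT, fw=FW_SESSIONS):
    """Normalise the three sources into one sorted timeline for a single account."""
    ev = [Event(when(s["createdDateTime"]), "entra", s["ipAddress"], s["location"]["countryOrRegion"])
          for s in signins if s["userPrincipalName"].split("@")[0] == user]
    for line in radius.splitlines():
        r = kv(line)
        if r.get("User-Name") == user:
            ev.append(Event(when(line.split()[0]), "radius", r["NAS-IP-Address"], session=r["Acct-Session-Id"]))
    for line in fw.splitlines():
        r = kv(line)
        if r.get("user") == user:
            ev.append(Event(when(line.split()[0]), "firewall", r["srcip"]))
    return sorted(ev)

def impossible_travel(timeline, max_minutes=60):
    """Consecutive Entra sign-ins from different countries inside the window: the alert's trigger."""
    si = [e for e in timeline if e.source == "entra"]
    return [(a.ip, b.ip, int((b.ts - a.ts).total_seconds() // 60)) for a, b in zip(si, si[1:])
            if a.country != b.country and b.ts - a.ts <= timedelta(minutes=max_minutes)]

def containment_targets(timeline, hits):
    """What steps 4 and 5 act on: RADIUS sessions to CoA-disconnect, and IPs to review before blocking."""
    return {"coa_sessions": [(e.ip, e.session) for e in timeline if e.source == "radius"],
            "candidate_ips": sorted({ip for h in hits for ip in h[:2]})}
```

Both sign-in IPs of a flagged pair are returned as candidates because the pair alone does not say which side is the legitimate user; the analyst confirms before the deny rule goes in.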

Where Studio earns its keep

  • The Defender alert, RADIUS log, M365 audit, and firewall view sit on one timeline instead of in five tabs.
  • Containment in Entra and on the network happens from the same workspace, with one approval per destructive action and one record of what changed.
  • The forensic report writes itself from sources Copilot already pulled — you don’t reconstruct the timeline by hand.
  • The customer CISO email goes out before the customer’s monitoring tools page their on-call.

Security and privacy

Where credentials and approvals sit during destructive actions.

Procedures

Save this as Account compromise containment for the next time.