Microsoft Defender for Identity raises a high-severity alert on a customer’s domain admin account: sign-ins from two countries within an hour. The on-call MSP engineer needs to confirm scope, kill the active session everywhere it lives, capture evidence, file the incident report, and have the customer’s CISO informed before they read about it on the internet.Documentation Index
Fetch the complete documentation index at: https://altostrat.io/docs/llms.txt
Use this file to discover all available pages before exploring further.
Systems involved
| System | Role |
|---|---|
| Microsoft Defender / Sentinel | Source alert with signals and timeline. |
| Microsoft Entra ID (Azure AD) | Disable account, revoke sessions and tokens. |
| Studio terminal | Pull RADIUS accounting, switch port logs, firewall rules. |
| RADIUS server | Identify NAS and active sessions, send CoA disconnects. |
| FortiGate / Palo Alto | Block source IPs and revoke VPN tokens. |
Microsoft Teams #sec-ir | Internal IR channel. |
| ServiceNow IRM | Customer-facing incident record. |
| Gmail / Outlook | Customer CISO and on-call notification. |
| Studio Procedures | Account compromise containment runbook. |
Walkthrough
Pull the Defender alert into context
Copilot fetches the alert via the Microsoft Graph connector, pulls the username, signed-in IPs, devices, and the recent token activity, and times the events on a single timeline.
Confirm scope across other systems
In parallel, Copilot queries the RADIUS accounting log for the same username, the VPN appliance for active tunnels, and the customer’s M365 audit log for sensitive operations in the last six hours. The footprint becomes obvious in one view.
Contain in Entra ID
Through the Graph connector, disable the account, revoke all sessions, and reset the credential. Approval prompt appears once with the exact account name, customer tenant, and revocation count. You approve.
Disconnect active network sessions
SSH into the RADIUS server. Send a CoA disconnect for the active sessions. The procedure captures the disconnect ACKs from each NAS for evidence.
Block at the perimeter
Push a deny rule for the suspicious source IPs at the customer’s FortiGate via SSH. Revoke any VPN tokens for the user. The same IPs get flagged in the firewall’s threat feed for one week.
Capture forensics
Copilot pulls 24 hours of Entra sign-in logs, M365 audit log entries, RADIUS accounting, and firewall session history into a single Markdown report artifact, with hashes and source timestamps preserved.
Open the IR record
Through the ServiceNow IRM connector, open an incident with severity High, attach the report artifact, set the customer contact, and link the original Defender alert.
Notify the customer CISO and on-call
Copilot drafts a one-screen email to the customer CISO and on-call: what happened, what we did, what’s left to do, expected next update time. Reviewed and sent.
Where Studio earns its keep
- The Defender alert, RADIUS log, M365 audit, and firewall view sit on one timeline instead of in five tabs.
- Containment in Entra and on the network happens from the same workspace, with one approval per destructive action and one record of what changed.
- The forensic report writes itself from sources Copilot already pulled — you don’t reconstruct the timeline by hand.
- The customer CISO email goes out before the customer’s monitoring tools page their on-call.
Related
Security and privacy
Where credentials and approvals sit during destructive actions.
Procedures
Save this as
Account compromise containment for the next time.