> ## Documentation Index
> Fetch the complete documentation index at: https://altostrat.io/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# Compromised account: alert to containment to incident report

> A Microsoft Defender alert flags impossible-travel sign-ins for a customer admin account. Verify, contain across cloud and network, capture forensics, file the IR ticket, and brief the customer.

Microsoft Defender for Identity raises a high-severity alert on a customer's domain admin account: sign-ins from two countries within an hour. The on-call MSP engineer needs to confirm scope, kill the active session everywhere it lives, capture evidence, file the incident report, and have the customer's CISO informed before they read about it on the internet.

## Systems involved

| System                        | Role                                                      |
| ----------------------------- | --------------------------------------------------------- |
| Microsoft Defender / Sentinel | Source alert with signals and timeline.                   |
| Microsoft Entra ID (Azure AD) | Disable account, revoke sessions and tokens.              |
| Studio terminal               | Pull RADIUS accounting, switch port logs, firewall rules. |
| RADIUS server                 | Identify NAS and active sessions, send CoA disconnects.   |
| FortiGate / Palo Alto         | Block source IPs and revoke VPN tokens.                   |
| Microsoft Teams `#sec-ir`     | Internal IR channel.                                      |
| ServiceNow IRM                | Customer-facing incident record.                          |
| Gmail / Outlook               | Customer CISO and on-call notification.                   |
| Studio Procedures             | `Account compromise containment` runbook.                 |

## Walkthrough

<Steps>
  <Step title="Pull the Defender alert into context">
    Copilot fetches the alert via the Microsoft Graph connector, pulls the username, signed-in IPs, devices, and the recent token activity, and times the events on a single timeline.
  </Step>

  <Step title="Confirm scope across other systems">
    In parallel, Copilot queries the RADIUS accounting log for the same username, the VPN appliance for active tunnels, and the customer's M365 audit log for sensitive operations in the last six hours. The footprint becomes obvious in one view.
  </Step>

  <Step title="Contain in Entra ID">
    Through the Graph connector, disable the account, revoke all sessions, and reset the credential. An approval prompt appears once, showing the exact account name, customer tenant, and revocation count; you approve it.
  </Step>

  <Step title="Disconnect active network sessions">
    SSH into the RADIUS server. Send a CoA disconnect for the active sessions. The procedure captures the disconnect ACKs from each NAS for evidence.
  </Step>

  <Step title="Block at the perimeter">
    Push a deny rule for the suspicious source IPs at the customer's FortiGate via SSH. Revoke any VPN tokens for the user. The same IPs get flagged in the firewall's threat feed for one week.
  </Step>

  <Step title="Capture forensics">
    Copilot pulls 24 hours of Entra sign-in logs, M365 audit log entries, RADIUS accounting, and firewall session history into a single Markdown report artifact, with hashes and source timestamps preserved.
  </Step>

  <Step title="Open the IR record">
    Through the ServiceNow IRM connector, open an incident with severity High, attach the report artifact, set the customer contact, and link the original Defender alert.
  </Step>

  <Step title="Notify the customer CISO and on-call">
    Copilot drafts a one-screen email to the customer CISO and on-call: what happened, what we did, what's left to do, expected next update time. Reviewed and sent.
  </Step>

  <Step title="Internal handoff">
    Post the timeline in `#sec-ir` Teams. The next-shift IR analyst inherits the incident with full context — alert, containment, evidence, customer status — without you walking them through it.
  </Step>
</Steps>
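For the "Disconnect active network sessions" step, here is an added Python example (not Studio's procedure code and not from any NAS vendor) of the RFC 5176 exchange the runbook relies on: it builds a Disconnect-Request for a user name and accounting session id, checks the NAS's Disconnect-ACK/NAK Response Authenticator before the reply is accepted as evidence, and records SHA-256 hashes of both packets. The shared secret, user, session id and the `simulated_nas_reply` function are constructed for the example; `send_disconnect` is the only network-touching part and assumes the NAS listens on the RFC 5176 default UDP port 3799.

```python
import hashlib
import hmac
import os
import socket
import struct

# RFC 5176 packet codes and the RADIUS attribute types used in this example
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
ATTR_USER_NAME, ATTR_ACCT_SESSION_ID = 1, 44


def encode_attrs(attrs):
    """Encode (type, value) pairs as RADIUS TLVs: 1-byte type, 1-byte length, value."""
    out = b""
    for attr_type, value in attrs:
        if isinstance(value, str):
            value = value.encode()
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return out


def decode_attrs(data):
    """Inverse of encode_attrs; returns a list of (type, raw value bytes)."""
    attrs = []
    while data:
        attr_type, length = data[0], data[1]
        attrs.append((attr_type, data[2:length]))
        data = data[length:]
    return attrs


def build_disconnect_request(identifier, secret, user_name, session_id):
    """Disconnect-Request (code 40). Per RFC 5176 s2.3 the Request Authenticator is
    computed like an Accounting-Request (RFC 2866):
    MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)."""
    attrs = encode_attrs([(ATTR_USER_NAME, user_name), (ATTR_ACCT_SESSION_ID, session_id)])
    header = struct.pack("!BBH", DISCONNECT_REQUEST, identifier, 20 + len(attrs))
    req_auth = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + req_auth + attrs


def verify_response(request, response, secret):
    """Return the response code (41 ACK / 42 NAK) only if the Response Authenticator
    is valid: MD5(Code + Identifier + Length + RequestAuthenticator + Attributes + Secret).
    Anything else (wrong id, wrong length, wrong secret, tampering) returns None."""
    if len(response) < 20:
        return None
    code, identifier, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or identifier != request[1]:
        return None
    if code not in (DISCONNECT_ACK, DISCONNECT_NAK):
        return None
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    if not hmac.compare_digest(expected, response[4:20]):
        return None
    return code


def simulated_nas_reply(request, secret, code=DISCONNECT_ACK, attrs=b""):
    """Constructed stand-in for the NAS so the verification path runs offline:
    answers with a correctly authenticated Disconnect-ACK or Disconnect-NAK."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    resp_auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + resp_auth + attrs


def evidence_record(request, response, secret):
    """What the procedure keeps as proof: who was disconnected, the verified outcome,
    and a hash of each packet so the capture can be checked later."""
    code = verify_response(request, response, secret)
    outcome = {DISCONNECT_ACK: "ack", DISCONNECT_NAK: "nak"}.get(code, "unverified")
    attrs = {t: v.decode(errors="replace") for t, v in decode_attrs(request[20:])}
    return {
        "user": attrs.get(ATTR_USER_NAME),
        "session": attrs.get(ATTR_ACCT_SESSION_ID),
        "outcome": outcome,
        "request_sha256": hashlib.sha256(request).hexdigest(),
        "response_sha256": hashlib.sha256(response).hexdigest(),
    }


def send_disconnect(nas_host, secret, user_name, session_id, port=3799, timeout=3.0):
    """Send one Disconnect-Request to the NAS CoA listener (assumed UDP 3799) and return
    (verified code or None, request bytes, response bytes or None on timeout)."""
    request = build_disconnect_request(os.urandom(1)[0], secret, user_name, session_id)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (nas_host, port))
        try:
            response, _ = sock.recvfrom(4096)
        except socket.timeout:
            return None, request, None
    return verify_response(request, response, secret), request, response


if __name__ == "__main__":
    secret = b"constructed-shared-secret"  # constructed; never hard-code a real one
    req = build_disconnect_request(7, secret, "admin", "8a1f02")
    print(evidence_record(req, simulated_nas_reply(req, secret), secret))
```

The point of `verify_response` is that a Disconnect-ACK is only evidence if its authenticator matches the request you sent and the shared secret; an unauthenticated reply, or a reply to a different identifier, is logged as "unverified" rather than as a successful disconnect. Many NAS implementations also need NAS-IP-Address, NAS-Identifier or Framed-IP-Address to match the session, and some require the Message-Authenticator attribute, so check the vendor's CoA documentation before relying on User-Name plus Acct-Session-Id alone.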

## Where Studio earns its keep

* The Defender alert, RADIUS log, M365 audit, and firewall view sit on one timeline instead of in five tabs.
* Containment in Entra and on the network happens from the same workspace, with one approval per destructive action and one record of what changed.
* The forensic report writes itself from sources Copilot already pulled — you don't reconstruct the timeline by hand.
* The customer CISO email goes out before the customer's monitoring tools page their on-call.
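The "one timeline" the walkthrough leans on (steps 1, 2 and 6, and the first bullet above) is, in practice, a normalise, merge and hash job. The following Python is an added example, not Studio's or Copilot's code: it parses three constructed evidence sources (Entra sign-in JSON lines using the Graph `signIn` field names, a simplified RADIUS accounting log, and a FortiGate-style VPN event line), merges them into one UTC timeline, flags the impossible-travel pair, and writes a Markdown evidence artifact that records a SHA-256 of each raw source and keeps every source's own timestamp string verbatim beside the normalised one. The log layouts, user, IPs and incident id are constructed, and the assumption that the firewall logs in UTC is marked in the code.

```python
import hashlib
import json
import re
from datetime import datetime, timedelta, timezone

# Constructed sample evidence (not real customer data; TEST-NET and RFC 1918 addresses).
# Entra lines use Graph signIn field names; the RADIUS and FortiGate lines are simplified
# stand-ins for an accounting detail file and a VPN event log.
ENTRA_SIGNINS = """\
{"createdDateTime": "2024-05-03T09:12:44Z", "userPrincipalName": "admin@contoso.example", "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "DE"}, "status": {"errorCode": 0}}
{"createdDateTime": "2024-05-03T09:55:10Z", "userPrincipalName": "admin@contoso.example", "ipAddress": "198.51.100.7", "location": {"countryOrRegion": "US"}, "status": {"errorCode": 0}}
{"createdDateTime": "2024-05-03T10:40:02Z", "userPrincipalName": "admin@contoso.example", "ipAddress": "198.51.100.7", "location": {"countryOrRegion": "US"}, "status": {"errorCode": 50126}}
"""
RADIUS_ACCT = """\
1714728001 User-Name=admin Acct-Status-Type=Start NAS-IP-Address=10.0.0.2 Acct-Session-Id=8a1f02
1714730510 User-Name=admin Acct-Status-Type=Start NAS-IP-Address=10.0.0.3 Acct-Session-Id=8a1f09
"""
FORTIGATE_LOG = """\
date=2024-05-03 time=09:56:30 type=event subtype=vpn action=tunnel-up user="admin" remip=198.51.100.7
"""

KV_RE = re.compile(r'([\w-]+)=("[^"]*"|\S+)')


def parse_kv(line):
    """key=value pairs, quoted values allowed (FortiGate style)."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def event(ts, raw_ts, source, user, ip, detail, country=None):
    return {"ts": ts, "raw_ts": raw_ts, "source": source, "user": user,
            "ip": ip, "detail": detail, "country": country}


def parse_entra(text):
    out = []
    for line in filter(str.strip, text.splitlines()):
        r = json.loads(line)
        raw = r["createdDateTime"]
        code = r["status"]["errorCode"]
        out.append(event(datetime.fromisoformat(raw.replace("Z", "+00:00")), raw, "entra",
                         r["userPrincipalName"].split("@")[0], r["ipAddress"],
                         "sign-in ok" if code == 0 else f"sign-in failed ({code})",
                         r["location"]["countryOrRegion"]))
    return out


def parse_radius(text):
    out = []
    for line in filter(str.strip, text.splitlines()):
        epoch, rest = line.split(" ", 1)
        kv = parse_kv(rest)
        out.append(event(datetime.fromtimestamp(int(epoch), tz=timezone.utc), epoch, "radius",
                         kv["User-Name"], kv["NAS-IP-Address"],
                         f"{kv['Acct-Status-Type']} session {kv['Acct-Session-Id']}"))
    return out


def parse_fortigate(text):
    out = []
    for line in filter(str.strip, text.splitlines()):
        kv = parse_kv(line)
        raw = f"{kv['date']} {kv['time']}"
        # Assumption: the firewall is configured to log in UTC; adjust if it is not.
        ts = datetime.strptime(raw, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        out.append(event(ts, raw, "fortigate", kv.get("user"), kv.get("remip"),
                         f"{kv['subtype']} {kv['action']}"))
    return out


def build_timeline(*event_lists):
    """One chronological view across all sources."""
    return sorted((e for lst in event_lists for e in lst), key=lambda e: e["ts"])


def impossible_travel(events, window_hours=1.0):
    """Pairs of sign-ins by the same user from different countries within the window."""
    window = timedelta(hours=window_hours)
    signins = sorted((e for e in events if e["country"]), key=lambda e: e["ts"])
    hits = []
    for i, a in enumerate(signins):
        for b in signins[i + 1:]:
            if b["ts"] - a["ts"] > window:
                break
            if a["user"] == b["user"] and a["country"] != b["country"]:
                hits.append((a, b))
    return hits


def source_digest(text):
    return hashlib.sha256(text.encode()).hexdigest()


def evidence_report(incident_id, timeline, raw_sources):
    """Markdown artifact: a hash of every raw source, then the merged timeline with each
    source's own timestamp string kept verbatim next to the normalised UTC value."""
    lines = [f"# Evidence bundle {incident_id}", "", "## Source integrity", "",
             "| Source | SHA-256 | Lines |", "|---|---|---|"]
    for name, text in raw_sources.items():
        lines.append(f"| {name} | `{source_digest(text)}` | {len(text.splitlines())} |")
    lines += ["", "## Unified timeline", "",
              "| UTC | Source | Source timestamp (verbatim) | Actor | IP | Event |",
              "|---|---|---|---|---|---|"]
    for e in timeline:
        lines.append(f"| {e['ts'].isoformat()} | {e['source']} | {e['raw_ts']} | "
                     f"{e['user']} | {e['ip']} | {e['detail']} |")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    sources = {"entra_signins.jsonl": ENTRA_SIGNINS, "radius_acct.log": RADIUS_ACCT,
               "fortigate_vpn.log": FORTIGATE_LOG}
    tl = build_timeline(parse_entra(ENTRA_SIGNINS), parse_radius(RADIUS_ACCT),
                        parse_fortigate(FORTIGATE_LOG))
    for a, b in impossible_travel(tl):
        print(f"impossible travel: {a['country']} {a['raw_ts']} -> {b['country']} {b['raw_ts']} ({b['ip']})")
    print(evidence_report("INC-EXAMPLE-0001", tl, sources))
```

Retain the raw files next to the report: the digests only prove integrity if the originals still exist, and the verbatim timestamp column lets the next-shift analyst check the normalisation against the source rather than trust it.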

## Related

<CardGroup cols={2}>
  <Card title="Security and privacy" icon="shield" href="../../security-and-privacy" arrow="true" cta="Review controls">
    Where credentials and approvals sit during destructive actions.
  </Card>

  <Card title="Procedures" icon="workflow" href="../../procedures" arrow="true" cta="Save the runbook">
    Save this as `Account compromise containment` for the next time.
  </Card>
</CardGroup>
