Wazuh detects encryption-pattern file writes on three Windows file servers at a customer site, and Defender flags lateral SMB to two more. The MSP needs to contain the spread within minutes — at the switch, the firewall, and Entra ID — preserve evidence for the cyber-insurance investigation, restore the affected shares from clean backups, and have the customer’s executive team in a structured call within the hour.Documentation Index
Fetch the complete documentation index at: https://altostrat.io/docs/llms.txt
Use this file to discover all available pages before exploring further.
Systems involved
| System | Role |
|---|---|
| Wazuh / Microsoft Defender / Sentinel | Source detections and timeline. |
| Studio terminal | SSH to access switches for port shutdown and VLAN quarantine. |
| FortiGate / Palo Alto | East-west and north-south containment rules. |
| Microsoft Entra ID | Disable suspect accounts, revoke sessions. |
| Veeam / Datto | Snapshot inventory, identify clean restore points. |
| VMware vCenter / Hyper-V | VM snapshot capture for forensics. |
Microsoft Teams #sec-ir | Internal IR channel. |
| ServiceNow IRM | Customer incident record and case file. |
| Gmail | Customer executive comms and law-enforcement liaison. |
| Studio Procedures | Ransomware containment runbook. |
Walkthrough
Verify the detection in 60 seconds
Copilot pulls the Wazuh and Defender alerts onto one timeline. The encryption pattern matches a known family, the source IP traces to a single contractor laptop on the guest VLAN, and SMB traffic to three file servers is active right now.
Quarantine at the switch
SSH to the access switch the contractor laptop is on. Copilot identifies the port from the MAC table and stages a
shutdown and a VLAN move into the quarantine VLAN. Approval prompt; you approve and execute.Cut east-west at the firewall
Push deny rules at the FortiGate between the guest VLAN and the file server VLAN. Block SMB to all of
10.10.20.0/24 from anything outside the file server segment for the duration of the incident.Disable suspect accounts
Through the Graph connector, disable the contractor’s account and the two service accounts seen in the lateral movement. Revoke all sessions and tokens. The action is logged with timestamps for the case file.
Snapshot the affected hosts
Through the vCenter connector, take a snapshot of each of the five affected VMs without rebooting them. The snapshots become the forensic image set for the investigators.
Identify clean restore points
Through the Datto connector, list backups for the five servers. Copilot highlights the last verified-good restore points before the encryption pattern began and proposes the restore order: domain controllers and DNS first, then file servers, then dependent services.
Open the IR record and brief the customer
Copilot opens the ServiceNow IRM record, attaches the alert evidence, the snapshot list, and the restore plan. Drafts a one-page executive briefing for the customer CEO and CIO: scope, containment status, restore plan, ETA, and the next update time.
Run the executive call
Open a shared Studio session with the customer’s executive team. Screen the timeline diagram, the containment status, and the restore plan. Recording on. The call ends with assigned actions and a 30-minute next-update commitment.
Restore and validate
Trigger the Datto restore in the agreed order. After each restore, run the validation procedure: services back, AD healthy, file shares mounting, no encrypted-pattern writes recurring.
Where Studio earns its keep
- Containment fires at the switch, the firewall, and Entra ID from one workspace in minutes — not from three engineers logging into three consoles.
- The restore order is a clean dependency plan, not a guess from a backup admin under pressure.
- The customer executive call has a screen they can read — timeline, status, plan, ETA — instead of a phone call about feelings.
- Every action is timestamped in the case file from the moment it ran. The cyber-insurance investigation has a proper paper trail without anyone reconstructing it.
Related
Procedures
Author
Ransomware containment so the steps are pre-staged for the next time.Shared sessions
Bring the customer’s exec team into a recorded session for the structured update.