As cyber threats continue to grow in frequency and sophistication, organizations must take proactive measures to protect their assets from potential security breaches. One such measure is implementing an effective incident response plan that outlines the steps to be taken in case of a security incident. This blog post will focus on the operational process for isolating a machine in MDE ATP when a high-severity alert comes in.

Step 1: Isolation of the Device The first step in handling a high-severity alert is to isolate the device from the rest of the network to prevent the spread of any potential malware. This can be done manually by disabling the network adapter or remotely through MDE ATP’s isolation feature.

Step 2: Running a Full Scan Once the device is isolated, a full system scan should be initiated to identify potential threats that may have caused the high-severity alert. This scan should be conducted using the latest antivirus software and updated definitions.

Step 3: Escalation to the Cyber Security Remediation Engineer If any malicious activity is detected during the scan or the cause of the high severity alert cannot be determined, the incident should be escalated to the Cyber Security Remediation Engineer (CSRE) on staff. The CSRE will then assess the situation and determine the appropriate action.

Step 4: Releasing the Machine or Further Investigation If no malicious activity is found during the entire scan, the machine can be released from isolation and returned to normal operations. However, if malicious activity is detected or the CSRE determines that further investigation is necessary, additional steps will be taken to address the issue.

Step 5: End User Notification and 3x Strikes Policy If the actions are deemed to be the end user’s fault, a 3x strikes policy will be implemented. This policy involves notifying the end user and their manager after each strike. If the end user reaches three strikes, additional disciplinary action may be taken, including termination.

Step 6: Collection of Investigation Package If necessary, an investigation package will be collected for further analysis. This package may include system logs, network traffic captures, and other relevant information.

Log File Locations and Event Log IDs to Check For:

  1. Microsoft Defender ATP Windows Event Log: This log contains detailed information about the alerts that MDE ATP generates. It also contains information about the actions taken by the IT department to remediate the threat.
  2. Microsoft Defender ATP Diagnostic Log: This log contains detailed diagnostic information about the behavior of MDE ATP on the affected device.
  3. Endpoint Protection Status: This log contains detailed information about the status of the endpoint protection features on the affected device.
  4. Windows Security Event Log: This log contains information about the security events on the affected device.

Conclusion In conclusion, isolating a machine in MDE ATP when a high-severity alert comes in is a critical step in maintaining the security of an organization’s assets. By following these steps, organizations can quickly respond to security incidents, limit the spread of malware, and minimize the impact of any potential breaches. Therefore, it is essential to have a robust incident response plan that outlines the steps to be taken in a security incident.


John O’Neill Sr. rMVP