Incident Responder
Role Overview
Incident responders coordinate the full lifecycle of a security incident: detection, containment, evidence collection, analysis, eradication, and recovery. Fleet compresses the time between each phase by handling tool-intensive analysis and AIR operations through a single conversational interface.
Workflow: Ransomware Response
A ransomware infection is detected on a workstation. The responder needs to contain the threat, collect evidence, analyze the sample, and deploy organization-wide detection.
Step 1: Contain the Affected Endpoint
```
Isolate WORKSTATION-042 from the network immediately.
```
Fleet isolates the endpoint through AIR, cutting network access while preserving management communication for continued investigation.
Step 2: Assess the Endpoint
```
Run an endpoint triage on WORKSTATION-042. Check for running processes, network connections, scheduled tasks, and recently modified files.
```
Fleet connects to the endpoint via AIR interACT, executes the assessment commands, and returns a structured security posture report.
Result: Prioritized findings with suspicious processes, persistence mechanisms, and network connections flagged.
Step 3: Acquire Evidence
```
Trigger a full evidence acquisition on WORKSTATION-042 using the default acquisition profile.
```
Fleet initiates forensic evidence collection through AIR, monitors task progress, and notifies when collection is complete.
Step 4: Retrieve and Analyze the Ransomware Sample
```
Download the files C:\Users\jdoe\Desktop\README_DECRYPT.txt and C:\ProgramData\svchost.exe from WORKSTATION-042.
```
Fleet retrieves the files via interACT. Then analyze the sample:
```
Perform ransomware triage on this binary. Assess the encryption scheme and evaluate decryption feasibility.
```
Fleet identifies cryptographic imports and constants, analyzes the key management scheme, determines whether keys are local or server-side, rates decryption feasibility, and produces an IR decision matrix (decrypt vs. restore vs. negotiate).
Result: Crypto scheme analysis, decryption feasibility rating, detection rules, and recommended response path.
Step 5: Generate and Deploy Detection Rules
```
Generate a YARA rule for this ransomware binary and a Sigma rule for the process creation pattern. Deploy both to all Windows endpoints.
```
Fleet creates both rules from the analysis findings, validates them, and deploys them through AIR triage to detect the threat across the environment.
Step 6: Check for Lateral Movement
```
Search for all endpoints that have communicated with the C2 IP addresses found in the ransomware analysis.
```
Fleet queries AIR endpoints and identifies any additional compromised machines.
If more endpoints are found:
```
Isolate all endpoints that communicated with those C2 addresses.
```
Step 7: Document the Incident
```
Produce a full incident response report covering: timeline of events, affected endpoints, malware analysis summary, containment actions taken, detection rules deployed, and recommended recovery steps.
```
Result: A structured IR report ready for management and compliance review.
Workflow: Supply Chain Compromise
A vendor update package is suspected of containing a backdoor. The responder needs to analyze the package and determine the blast radius.
Step 1: Analyze the Suspicious Package
Upload the vendor update file to Fleet.
```
Perform full static analysis on this binary. Focus on network indicators, backdoor functionality, and any code that does not match expected vendor behavior.
```
Fleet runs comprehensive PE analysis, identifies suspicious capabilities (C2 communication, data exfiltration, persistence), and maps techniques to MITRE ATT&CK.
Step 2: Extract and Enrich IOCs
```
Extract all network indicators from this binary and enrich them. Check domains and IPs against reputation databases.
```
Fleet extracts all embedded IPs, domains, URLs, and hashes, enriches each with reputation data, and produces a scored IOC table.
Step 3: Determine Blast Radius
```
Search for all endpoints where this file hash is present. Also check for endpoints that have communicated with the C2 domains found in the analysis.
```
Fleet queries AIR to identify every affected endpoint.
Step 4: Contain and Remediate
```
Isolate all affected endpoints. Then generate detection rules for both the binary and its network indicators.
```
Fleet isolates the endpoints, generates YARA and Sigma rules, and deploys them organization-wide.
Step 5: Produce the Investigation Package
```
Create a complete investigation package: STIX 2.1 bundle with all IOCs, detection rules, ATT&CK mapping, affected endpoint list, and executive summary.
```
Result: A complete, distributable intelligence package for internal teams and external reporting.
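As an added example (not Fleet's own code), this Python sketch shows what the STIX 2.1 bundle in the investigation package contains, and how the scored IOC table from Step 2 maps onto it: each IOC becomes an Indicator SDO with a STIX pattern, and the reputation score becomes the object's confidence. The IOC table, the hash, the domain and the address are constructed placeholders, and the score-to-confidence mapping is an assumption of this example. The same bundle is what the "Intelligence sharing" pattern below exports.

```python
import hashlib
import uuid
from collections import OrderedDict
from datetime import datetime, timezone

# Constructed IOC table in the shape the scored table from Step 2 is described as having.
# Values are placeholders (TEST-NET address, reserved .example domain), not real indicators.
SAMPLE_SHA256 = hashlib.sha256(b"constructed sample, not a real binary").hexdigest()
IOC_TABLE = [
    {"type": "sha256", "value": SAMPLE_SHA256, "score": 95, "label": "backdoored vendor update"},
    {"type": "domain", "value": "update-cdn.example", "score": 80, "label": "C2 domain"},
    {"type": "ipv4", "value": "203.0.113.10", "score": 60, "label": "C2 address"},
]

# STIX 2.1 indicator pattern syntax for each IOC type in the table.
PATTERNS = {
    "sha256": "[file:hashes.'SHA-256' = '{v}']",
    "domain": "[domain-name:value = '{v}']",
    "ipv4": "[ipv4-addr:value = '{v}']",
}


def stix_timestamp():
    """STIX 2.1 timestamps: UTC, millisecond precision, trailing Z."""
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"


def make_indicator(ioc, ts):
    """Build one STIX 2.1 Indicator SDO; the IOC score is reused as STIX confidence (0-100)."""
    return OrderedDict([
        ("type", "indicator"),
        ("spec_version", "2.1"),
        ("id", f"indicator--{uuid.uuid4()}"),
        ("created", ts),
        ("modified", ts),
        ("name", ioc["label"]),
        ("indicator_types", ["malicious-activity"]),
        ("pattern", PATTERNS[ioc["type"]].format(v=ioc["value"])),
        ("pattern_type", "stix"),
        ("valid_from", ts),
        ("confidence", ioc["score"]),
    ])


def build_bundle(iocs, min_score=50):
    """Wrap every IOC at or above min_score in a STIX 2.1 Bundle ready for distribution."""
    ts = stix_timestamp()
    objects = [make_indicator(i, ts) for i in iocs if i["score"] >= min_score]
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}
```

Serialize the result with `json.dumps(build_bundle(IOC_TABLE), indent=2)` to get the file that is actually shared; raising `min_score` drops low-reputation indicators before they reach partners.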
Workflow: Insider Threat Investigation
Suspicious data access patterns are detected for an employee account. The responder needs to investigate without alerting the subject.
Step 1: Review Endpoint Activity
```
List all recent activity on WORKSTATION-077 including process creation, file modifications, and network connections from the last 48 hours.
```
Fleet retrieves the data through AIR and presents a timeline of activity.
Step 2: Analyze Collected Evidence
If evidence has already been acquired, upload the relevant artifacts.
```
Analyze these Windows Event Logs. Focus on authentication events, file access patterns, USB device connections, and any data staging activity.
```
Fleet parses the EVTX files, extracts security-relevant events, identifies suspicious patterns (bulk file access, USB connections, data staging in temporary directories), and produces a timeline.
Step 3: Check for Data Exfiltration
Upload any network captures from the monitoring period.
```
Analyze this PCAP for data exfiltration indicators. Look for large outbound transfers, DNS tunneling, cloud storage uploads, and encrypted connections to unusual destinations.
```
Fleet performs protocol analysis, identifies exfiltration patterns, and quantifies the data volume involved.
Step 4: Document for Legal and HR
```
Produce a forensic investigation report suitable for legal review. Include: timeline of suspicious activity, evidence of data access, exfiltration indicators, and chain of custody notes for all analyzed artifacts.
```
Result: A legally defensible investigation report with timestamped evidence and clear methodology documentation.
Cross-Incident Patterns
Regardless of the incident type, Fleet supports several patterns that recur across all IR workflows:
| Pattern | How Fleet Helps |
|---|---|
| Rapid containment | Isolate endpoints through AIR in seconds, directly from the conversation |
| Evidence preservation | Trigger forensic acquisition through AIR before remediation begins |
| Artifact analysis | Upload and analyze any artifact type without switching tools |
| Detection deployment | Generate rules from findings and deploy organization-wide in the same session |
| Blast radius assessment | Query AIR endpoints for IOCs found during analysis |
| Case documentation | Produce structured reports at any point in the investigation |
| Intelligence sharing | Export STIX 2.1 bundles for distribution to partner organizations or ISACs |