Threat Containment

Containment (Isolation) actions are performed to limit the spread of an incident and reduce potential impact while investigation and remediation are underway. ThreatDefence supports multiple forms of isolation depending on the nature of the threat.


Note: Isolation actions are applied by ThreatDefence SOC personnel as part of the Incident Response process. While every effort is made to validate malicious activity before initiating isolation, false positives are possible. Customers may opt out of automatic isolation by completing the opt-out section provided in their onboarding documentation.


Endpoint Isolation

Purpose: Remotely isolate an affected endpoint (workstation, server, or virtual machine) from the network while maintaining secure management access for forensic investigation.

This prevents lateral movement and data exfiltration, while still allowing the ThreatDefence team to carry out analysis and remediation tasks.

Pre-requisites

  • TD Agent installed (latest version).

How It Works

  • A SOC analyst enforces network isolation via the TD Agent.

  • The endpoint is restricted to communicate only with the ThreatDefence SOC.

  • All other network connections are blocked until the endpoint is cleared and released from isolation.
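The isolation state described above (only SOC traffic permitted, everything else blocked, released once the endpoint is cleared) can be expressed as a host-level default-deny policy. The following is an added illustration, not the TD Agent's own code: it models the policy as a small evaluator and emits an nftables ruleset that implements it on a Linux host. The SOC addresses and port are constructed placeholders, and the example assumes the agent reaches the SOC by IP so that no DNS exception is needed.

```python
"""Host-level network isolation policy: allow only the SOC, drop all else.

Added example, not ThreatDefence code. The SOC ranges below are placeholders.
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Allow:
    network: ipaddress.IPv4Network  # SOC management range (placeholder)
    port: int                       # TCP port the agent uses to reach the SOC


# Constructed allow-list: primary and backup SOC collectors over HTTPS.
SOC_ALLOW = (
    Allow(ipaddress.ip_network("203.0.113.10/32"), 443),
    Allow(ipaddress.ip_network("203.0.113.11/32"), 443),
)


def is_permitted(dst_ip: str, dst_port: int, allow=SOC_ALLOW) -> bool:
    """True only for outbound TCP flows to a SOC endpoint; everything else is denied."""
    addr = ipaddress.ip_address(dst_ip)
    return any(addr in a.network and dst_port == a.port for a in allow)


def _nft_addr(net: ipaddress.IPv4Network) -> str:
    # nft accepts a bare address for a single host and CIDR for a range.
    return str(net.network_address) if net.prefixlen == 32 else str(net)


def isolation_ruleset(allow=SOC_ALLOW) -> str:
    """nftables ruleset: drop by default in both directions, keep loopback and
    replies to permitted flows, and accept only new connections to the SOC."""
    lines = [
        "table inet isolation {",
        "  chain output {",
        "    type filter hook output priority 0; policy drop;",
        '    oifname "lo" accept',
        "    ct state established,related accept",
    ]
    for a in allow:
        lines.append(f"    ip daddr {_nft_addr(a.network)} tcp dport {a.port} accept")
    lines += [
        "  }",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        '    iifname "lo" accept',
        "    ct state established,related accept",
        "  }",
        "}",
    ]
    return "\n".join(lines) + "\n"


def release_command() -> str:
    """Command that lifts isolation once the endpoint is cleared."""
    return "nft delete table inet isolation"


if __name__ == "__main__":
    # Write the ruleset to a file an operator would load with: nft -f isolation.nft
    print(isolation_ruleset())
```

Loading the ruleset (`nft -f`) requires root on the host; the generated text is the isolated state, and `release_command()` is the corresponding release. The `established,related` rule matters: without it, responses from the SOC would be dropped and the agent would lose its management channel.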


Account Isolation (Microsoft 365)

Purpose: Disable or restrict compromised or suspicious Microsoft 365 accounts to prevent misuse.

This stops further logins and blocks access to collaboration tools (e.g., Exchange, Teams, SharePoint, OneDrive) until the account is secured.

Pre-requisites

  • Active Microsoft Graph API integration between ThreatDefence and Microsoft 365.

How It Works

  • A SOC analyst disables the affected account via Microsoft Graph.

  • The account is immediately restricted from logging in or accessing Microsoft 365 services.

  • Once remediation is complete, the account can be safely re-enabled under customer approval.
