Malware Outbreak Response

This runbook covers Microsoft Defender-driven response to suspected malware activity affecting one or more endpoints.

Initial Triage

  • Confirm the alert source, severity, and affected endpoint count
  • Identify whether execution is active, blocked, or historical
  • Review device criticality and business impact before containment

Investigation Steps

  • Review process tree, file path, and execution lineage
  • Check whether the same indicator appears on other devices
  • Review user context, recent sign-ins, and adjacent alerts
  • Determine whether lateral movement or persistence is present
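
To scope the indicator across the fleet (the second and first steps above), the following Advanced Hunting query is an added example and not part of the original runbook; it assumes the SHA256 from the triggering alert is pasted into the placeholder and a seven-day look-back is appropriate.

```kusto
// Placeholder: replace with the SHA256 taken from the Defender alert
let SuspectHash = "<sha256-from-alert>";
let LookBack = 7d;
// Executions of the file, with the lineage needed for the process-tree review
let Executions = DeviceProcessEvents
    | where Timestamp > ago(LookBack)
    | where SHA256 == SuspectHash
    | project Timestamp, DeviceId, DeviceName, Activity = "Execution",
              FileName, FolderPath, AccountName,
              InitiatingProcessFileName, InitiatingProcessCommandLine,
              InitiatingProcessParentFileName;
// Writes of the file, which catch devices where it landed but has not run yet
let FileWrites = DeviceFileEvents
    | where Timestamp > ago(LookBack)
    | where SHA256 == SuspectHash
    | where ActionType in ("FileCreated", "FileModified", "FileRenamed")
    | project Timestamp, DeviceId, DeviceName, Activity = ActionType,
              FileName, FolderPath, AccountName = InitiatingProcessAccountName,
              InitiatingProcessFileName, InitiatingProcessCommandLine,
              InitiatingProcessParentFileName;
// One row per device: first/last sighting, what happened, and which parents and
// accounts were involved; the earliest FirstSeen is the likely patient zero
union Executions, FileWrites
| summarize FirstSeen = min(Timestamp), LastSeen = max(Timestamp),
            Events = count(),
            Activities = make_set(Activity),
            Parents = make_set(InitiatingProcessFileName),
            Accounts = make_set(AccountName),
            Paths = make_set(FolderPath)
  by DeviceId, DeviceName
| order by FirstSeen asc
```

Devices whose parent process is an Office application, a script host, or a remote-management tool rather than an installer deserve the first look during the lateral-movement and persistence check.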

Containment Actions

  • Isolate affected endpoints when active execution or spread is suspected
  • Quarantine confirmed malicious files where supported
  • Escalate high-impact or business-critical device isolation decisions

Recovery Validation

  • Confirm malicious processes no longer execute
  • Confirm device health and telemetry have returned to their expected state
  • Confirm reintroduction to the network is approved and documented

Evidence to Capture

  • Device ID and hostname
  • Alert IDs and timestamps
  • File hashes and process lineage
  • Containment actions and approvers