Hello @hopeneverfail,

first of all, it would be interesting how you configured the Automated Action Feature? Which Severity Level have you set to trigger the Isolation. So any environment is different.

1. I would start with Severity Level Critical/High to avoid any troubles. Just to be on a secure side to avoid an unnecessary impact to your users.
   Tip: Before you start with your investigation, think about how compromised should be documented. There are many, many templates out side there. This helps in many cases.
2. The AMP Backend is generating the Cloud IOCs based on the monitored information from the endpoint. If there is some "bad behaviour" seen on the endpoint, it is classified to be inspected. You can find such computers in two areas of the console. AMP already does some pre-work here for you. If a system is listed there, you should take a deeper look into the system. The two areas are:
   1. In the Heat Map see Compromises (Dashboard)
   2. Your inbox for compromised systems.
   3. Tip: Use the Casebook feature from beginning to store all interesting observables there.
3. Device Trajectory: The Device Trajectory shows you what happened before and after an highlighted Cloud IOC. It often already shows a clear picture what happened.
   Tip: Use the Demo Data and the included documentation to get more familiar how to use the Device Trajectory.
4. Indicators: AMP for Endpoints Cloud IOCs are enriched with Mitre ATT&CK information. It gives you, once again, an additional information about the objective of an IOC/attack (Analysis --> Indicators).
5. Additional Automated Actions: Use the other three Automated Actions to automate tasks.
   1. Move the computer to a group: Use a group with a strict policy with very less exclusions. This ensures that more files are scanned. Also set the cache values to the lowest value. Enable all features. In this case, Security is more important than performance.
   2. Forensic Snapshot with Orbital: Enable this, it helps you to see what is the state of the computer. Especially when the IOC occurs outside typical working hours.
   3. Submit file to Threatgrid: If AMP see malicious behaviour to a file, it gets analysed in any way.
6. Threat Response: i think it is clear what Threat Response is, when using the Relations Graph and the Timelines to see, if there are more systems impacted or if an Attack is more or less targeted.
   NEW: With SecureX we now added many new 3rd Party Modules, which can deliver you with much more information about Obervables. Find the list of possible integrations here: https://www.cisco.com/c/en/us/products/security/threat-response/partners-integrations.html.
7. SecureX: SecureX will include Playbooks. So many steps listed above will be fully automated done. Just activate is for your existing AMP account.
   Note: for existing users, use your Cisco Security Account for Authentication.

Short Summary: Think about a Security Architecture. This is important to figure out sophisticated Threats.

Cisco is also aware, that many companies are struggling with the analysis process of Incidents. Therefore we announced a new Feature in AMP for Endpoints called "Threat Hunting". What happens: Cisco does all the stuff for you listed above and generates a Threat Hunting Event for you. We are adding much information about the Threat, so it is easy to understand for you what happened.

Hope this helps,

Greetings,

Thorsten