TechByte - Streamline the collaboration between Security & IT - Virus Detection Use Case
Hi. In this video we will be walking through a virus detection use case and demonstrate how SecOps Security Incident Response can be leveraged to streamline the collaboration with IT and improve the organization's cyber resilience.

Here we are looking at an endpoint on which an end user browses to a suspicious site and downloads a binary file. Although he gets notified that this binary file is suspicious, he chooses to download it anyway, after which Microsoft Defender triggers an alert. Here we open a continuous ping to demonstrate that the system will now get automatically contained, after which the SOC will get notified to further investigate the case. Also, here we can see that internet traffic has been blocked for this system.

Here we are looking at the dashboard of Sarah, who is one of our analysts within the SOC. Sarah receives a notification that a critical security incident has been assigned to her and can read up about the enrichment and auto-containment activities that have already occurred. She will now open the Analyst Workbench and go to the security case in question. There she can leverage the short description and description field to learn more about the case specifics; in this case it contains a URL which you can use to look up additional information from Microsoft. Upon opening the incident, Sarah is presented with additional details such as the aggregated alerts from the SIEM solution, but also the name of the binary file that was downloaded. By going into the Explorer tab, Sarah has access to the enriched information such as the configuration of the system involved and also the running processes and network statistics. This can be leveraged to quickly determine if the binary file was executed or is still executing on the endpoint. In this case we also see a link to a MITRE technique that got automatically populated at the creation of the security incident. This allows the analyst to read the technique and the related tactic and find out additional MITRE-related information.

The first security response task that is presented to Sarah is the request whether she would like to obtain the lockdown user of the endpoint. She clicks yes and then opens the dependency view of the involved system. This allows her to visually understand the relations of what else is known about this particular device and what other alerts, IT incidents or security incidents are currently open. Because this is an endpoint, it is not related to supporting any critical business services. By going back to the security incident view, she sees an additional response task is populated requesting her to analyze the findings in determining if the blocking activity was accurate. She goes into the collected user information and sees this person is actually part of the finance department. Additionally, the Microsoft site confirms that a potential trojan was stopped from downloading. Although the blocking was successful, we still want to continue blocking the endpoint until we have finished our investigation. The next step is to request to run a full antivirus scan. This is definitely something that Sarah would like to execute, and in this example this is not assigned to Sarah herself but, outside of the SOC, automatically assigned to the IT team that will be involved to run the full antivirus scan on the involved system. This is why Sarah adds the security incident to a Kanban board, to make sure she can follow up the progress and start looking into it again once they have completed their activities.

Here we see the dashboard of David, who is part of the IT team. Upon opening his Kanban board he can see a newly assigned response task coming from the SOC. He sees that Sarah is requesting him to run a full antivirus scan, and the first thing he does is to populate the response task with an acknowledgement for Sarah that he will pick this up as soon as possible. Whenever David performs any activities, the items are locked within the security response task for Sarah to see, so that she is able to follow the progress of the actions. David will next also update the status of the security response task to ensure any related SLAs get properly populated. He has now completed his activities, ran a full antivirus scan and informed Sarah that she can find the results as an attachment to the security response task. David can easily drag and drop files over that get automatically attached to the response task. After that he's ready to move it to the Close Complete phase, after which Sarah gets notified.

Now we are back at the Kanban board of Sarah, where she receives a notification about the completed activities from David. She's also able to follow up the progress within the security incident itself and also find the attachment that was added by David in the security incident timeline. Here she can confirm that additional malware was found, and she continues to one of the last phases within the security runbook. Here the question is asked whether the security incident should be considered a false positive; as more malware was detected, that is definitely not the case. Additionally, Sarah notes that the system should get re-imaged. Upon closing this security response task, we will see the security incident will be automatically moved to the Review phase. Additionally, an IT incident gets automatically created requesting IT to perform the re-imaging action. Sarah can now add the correct closure note and provide additional information about the next steps IT will perform. Upon closing the security incident, each activity is tracked and stored within the incident timeline. Additionally, a post-incident review is automatically created that can be shared with third parties containing the same information.

We are now moving back to the dashboard of David, who can easily find the newly created IT incident requesting him to re-image the system. David, however, is not the only one that gets notified: Marcel, the end user involved, also receives an automatic notification explaining what has happened with his endpoint and how to get in contact with IT for further details. You
https://www.youtube.com/watch?v=pRhJPPiJjQY