Agent Foskett Academy • Lesson 115 • Incident Response Workflow Series

Incident Response Workflow: Ransomware Incident in Microsoft Defender XDR.

It started with one endpoint.

Five minutes later, another alert appeared. Then another. File shares began disappearing. Finance could not open spreadsheets. Engineering lost access to project files.

Agent Foskett knew this was no longer a simple malware investigation.

This was a race against time: identify patient zero, stop the spread, determine the blast radius and preserve the evidence needed for recovery.

Agent Foskett Academy lesson ransomware incident response in Microsoft Defender XDR
Lesson overview

Learn how to investigate a ransomware incident by correlating Microsoft Defender XDR endpoint, identity, file, network and alert telemetry to reconstruct the attack timeline and guide containment.

Identify patient zero and first execution
Detect encryption and ransom note activity
Investigate lateral movement and privilege abuse
Determine blast radius and containment actions

Why ransomware incident response matters

Ransomware investigations are time-critical because encryption, lateral movement, identity abuse and data theft can unfold quickly across multiple systems.
Patient zero mattersThe first affected device, user and process often explain how the incident started and what needs to be contained first.
Blast radius drives responseDefenders must identify affected devices, accounts, shares, servers and business areas before recovery can begin safely.
Timeline beats guessworkA clear event timeline helps separate initial access, execution, spread, encryption and recovery actions.

The ransomware response workflow

Agent Foskett treats ransomware response as a sequence of containment-focused questions.
1. Confirm the incidentReview the Defender XDR incident, ransomware family, affected devices, alert severity and remediation status.
2. Identify patient zeroFind the first device, user, process and timestamp associated with malicious execution or encryption activity.
3. Build the attack timelineCorrelate identity, process, file, network and alert telemetry into a single investigation view.
4. Investigate lateral movementLook for remote execution, SMB activity, PsExec, WMI, RDP, remote PowerShell and service creation.
5. Determine blast radiusIdentify affected devices, users, servers, file shares, business units and data locations.
6. Contain and recoverIsolate devices, disable compromised accounts, protect backups, block indicators and validate recovery readiness.

Step 1 — Review ransomware-related alerts

Start with Defender XDR alerts that mention ransomware, encryption, mass file activity or malware behaviour.
step-1-review-ransomware-alerts.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
  12. 12
  13. 13
  14. 14
let TimeFrame = 7d;
AlertInfo
| where Timestamp > ago(TimeFrame)
| where Title has_any ("ransom", "encryption", "mass file", "malware")
| project Timestamp,
          AlertId,
          Title,
          Severity,
          Category,
          ServiceSource,
          DetectionSource
| order by Timestamp desc

Step 2 — Identify patient zero from alert evidence

Patient zero is usually the earliest affected device or process associated with the incident evidence.
step-2-identify-patient-zero.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
  12. 12
  13. 13
  14. 14
let TimeFrame = 7d;
AlertEvidence
| where Timestamp > ago(TimeFrame)
| where EntityType in~ ("Device", "Process", "File", "User")
| summarize FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp),
            EvidenceCount = count(),
            Devices = make_set(DeviceName, 20),
            Accounts = make_set(AccountName, 20),
            Files = make_set(FileName, 20)
      by AlertId
| order by FirstSeen asc

Step 3 — Review suspicious process execution

Ransomware operators often use PowerShell, command shells and LOLBins before encryption begins.
step-3-review-malicious-processes.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
  12. 12
  13. 13
  14. 14
  15. 15
let TimeFrame = 7d;
let SuspiciousProcesses = dynamic(["powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "rundll32.exe", "regsvr32.exe", "mshta.exe"]);
DeviceProcessEvents
| where Timestamp > ago(TimeFrame)
| where FileName in~ (SuspiciousProcesses)
| project Timestamp,
          DeviceName,
          AccountName,
          FileName,
          ProcessCommandLine,
          InitiatingProcessFileName,
          InitiatingProcessCommandLine
| order by Timestamp desc

Step 4 — Detect high-volume file changes

Encryption activity often appears as a burst of file creations, modifications or renames in a short period.
step-4-detect-encryption-activity.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
  12. 12
  13. 13
  14. 14
  15. 15
let TimeFrame = 24h;
DeviceFileEvents
| where Timestamp > ago(TimeFrame)
| where ActionType in~ ("FileCreated", "FileModified", "FileRenamed")
| summarize FileChanges = count(),
            Extensions = make_set(FileName, 50),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp)
      by DeviceName,
         FolderPath,
         InitiatingProcessFileName
| where FileChanges > 100
| order by FileChanges desc

Step 5 — Hunt for ransom notes

Ransomware incidents often create recovery notes or ransom instructions across affected folders.
step-5-hunt-ransom-notes.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
  12. 12
  13. 13
  14. 14
  15. 15
let TimeFrame = 7d;
DeviceFileEvents
| where Timestamp > ago(TimeFrame)
| where FileName has_any ("README", "RECOVER", "RESTORE", "DECRYPT", "RANSOM")
   or FolderPath has_any ("README", "RECOVER", "RESTORE", "DECRYPT", "RANSOM")
| project Timestamp,
          DeviceName,
          FileName,
          FolderPath,
          ActionType,
          InitiatingProcessFileName,
          InitiatingProcessCommandLine
| order by Timestamp desc

Step 6 — Investigate lateral movement paths

Lateral movement often uses SMB, RDP, WinRM, WMI or remote service activity before widespread encryption.
step-6-investigate-lateral-movement.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
  12. 12
  13. 13
  14. 14
  15. 15
let TimeFrame = 7d;
DeviceNetworkEvents
| where Timestamp > ago(TimeFrame)
| where RemotePort in (445, 3389, 5985, 5986, 135, 139)
| summarize ConnectionCount = count(),
            Devices = make_set(DeviceName, 20),
            Processes = make_set(InitiatingProcessFileName, 20),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp)
      by RemoteIP,
         RemotePort,
         ActionType
| order by ConnectionCount desc

Step 7 — Build the ransomware incident timeline

A unified timeline helps responders understand the sequence from execution to encryption and containment.
step-7-build-ransomware-timeline.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
  12. 12
  13. 13
  14. 14
  15. 15
let TimeFrame = 7d;
let ProcessEvidence =
    DeviceProcessEvents
    | where Timestamp > ago(TimeFrame)
    | project Timestamp, DeviceName, AccountName, EvidenceType = "Process", Detail = strcat(FileName, " ", ProcessCommandLine);
let FileEvidence =
    DeviceFileEvents
    | where Timestamp > ago(TimeFrame)
    | where ActionType in~ ("FileCreated", "FileModified", "FileRenamed", "FileDeleted")
    | project Timestamp, DeviceName, AccountName = InitiatingProcessAccountName, EvidenceType = "File", Detail = strcat(ActionType, ": ", FolderPath);
ProcessEvidence
| union FileEvidence
| order by Timestamp asc

Ransomware investigation clues

Ransomware usually produces several signals before, during and after encryption.
Mass file changesLarge volumes of file modifications, renames or deletions across user folders or shared locations.
Suspicious process chainsOffice, browser, script host, PowerShell or LOLBin processes spawning unexpected child processes.
Credential and privilege activityNew admin use, unusual service account activity, token theft, failed logons or suspicious successful sign-ins.
Lateral movement trafficSMB, RDP, WinRM, WMI or remote service activity across multiple devices.
Backup targetingCommands or tools attempting to delete shadow copies, stop backup services or disable recovery options.
Ransom notesREADME, RECOVER, RESTORE or DECRYPT files created across multiple folders or devices.

False positives to consider

Some legitimate activity can look ransomware-like until context is added.
Software deploymentApplication updates and installers can create or modify many files quickly.
Backup and sync toolsOneDrive, backup agents and migration tools can generate large volumes of file activity.
Administrator scriptsMaintenance scripts may touch many files, services or registry locations at once.
Data migrationsFile server migrations and archive jobs can resemble mass copy or modification activity.
Developer buildsBuild pipelines can create many files in short bursts on developer workstations.
Security toolsEDR remediation, AV scans and containment actions can create noisy process and file telemetry.

Investigation checklist

Use this checklist during a ransomware incident response.
Confirm ransomware activityValidate the alert, affected devices, encryption evidence and ransomware family where possible.
Identify patient zeroFind the first affected device, user, process and timestamp.
Determine blast radiusList affected endpoints, servers, accounts, shares and business systems.
Contain quicklyIsolate devices, disable compromised accounts and block known indicators.
Protect recovery pathsConfirm backups are protected and not reachable by compromised identities or devices.
Document the timelineRecord what happened before, during and after encryption for response and lessons learned.

Related Agent Foskett Academy lessons

These lessons support ransomware incident investigations.
Hunting Playbook: RansomwareProactively hunt for ransomware indicators before an incident is fully declared.
Incident Response Workflow: Malware InfectionInvestigate endpoint malware activity that may precede ransomware execution.
Hunting Playbook: PowerShell AbuseIdentify suspicious PowerShell execution and command-line behaviour.
Hunting Playbook: LOLBinsDetect abuse of legitimate Windows tools during execution and lateral movement.
Hunting Playbook: Persistence MechanismsFind persistence techniques used before or after ransomware deployment.
Investigating DeviceFileEventsUnderstand file creation, modification, deletion and rename telemetry.

Coming next

The Incident Response Workflow series continues with insider threat investigations.
Lesson 116 — Incident Response Workflow: Insider Threat InvestigationNext, Agent Foskett investigates unusual internal behaviour, privileged access misuse, abnormal data access and suspicious activity from trusted accounts.
Why this mattersRansomware response focuses on containment and recovery. Insider threat investigations focus on proving whether trusted access was misused.

Final thought

Ransomware response is not just about encrypted files. It is about understanding the full path the attacker took.
Agent Foskett mindsetFind patient zero, stop the spread, protect recovery, then build the evidence trail from first access to final containment.
Incident Response Workflow SeriesLesson 115 brings together endpoint, identity, network, file and alert telemetry into a complete ransomware response workflow.
Develop IT. Protect IT.GEMXIT PTY LTD | GEMXIT UK LTD

Incident Response Workflow Ransomware Incident in Microsoft Defender XDR

Agent Foskett Academy Lesson 115 teaches defenders how to investigate ransomware incidents using Microsoft Defender XDR endpoint, identity, process, file, network and alert telemetry.

Learn ransomware incident response with Microsoft Defender XDR and KQL

Ransomware incident response investigations help Microsoft security analysts identify patient zero, detect encryption behaviour, investigate lateral movement, determine blast radius and guide containment.

Microsoft Defender XDR ransomware investigation tutorial

This lesson explains how to respond to ransomware incidents, build investigation timelines, review DeviceProcessEvents, DeviceFileEvents, DeviceNetworkEvents, AlertInfo and AlertEvidence, and support recovery decisions.