Incident Response Workflow: Ransomware Incident in Microsoft Defender XDR.
It started with one endpoint.
Five minutes later, another alert appeared. Then another. File shares began disappearing. Finance could not open spreadsheets. Engineering lost access to project files.
Agent Foskett knew this was no longer a simple malware investigation.
This was a race against time: identify patient zero, stop the spread, determine the blast radius and preserve the evidence needed for recovery.
Lesson overview
Learn how to investigate a ransomware incident by correlating Microsoft Defender XDR endpoint, identity, file, network and alert telemetry to reconstruct the attack timeline and guide containment.
Why ransomware incident response matters
The ransomware response workflow
Step 1 — Review ransomware-related alerts
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
let TimeFrame = 7d;
AlertInfo
| where Timestamp > ago(TimeFrame)
| where Title has_any ("ransom", "encryption", "mass file", "malware")
| project Timestamp,
AlertId,
Title,
Severity,
Category,
ServiceSource,
DetectionSource
| order by Timestamp descStep 2 — Identify patient zero from alert evidence
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
let TimeFrame = 7d;
AlertEvidence
| where Timestamp > ago(TimeFrame)
| where EntityType in~ ("Device", "Process", "File", "User")
| summarize FirstSeen = min(Timestamp),
LastSeen = max(Timestamp),
EvidenceCount = count(),
Devices = make_set(DeviceName, 20),
Accounts = make_set(AccountName, 20),
Files = make_set(FileName, 20)
by AlertId
| order by FirstSeen ascStep 3 — Review suspicious process execution
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
let TimeFrame = 7d;
let SuspiciousProcesses = dynamic(["powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "rundll32.exe", "regsvr32.exe", "mshta.exe"]);
DeviceProcessEvents
| where Timestamp > ago(TimeFrame)
| where FileName in~ (SuspiciousProcesses)
| project Timestamp,
DeviceName,
AccountName,
FileName,
ProcessCommandLine,
InitiatingProcessFileName,
InitiatingProcessCommandLine
| order by Timestamp descStep 4 — Detect high-volume file changes
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
let TimeFrame = 24h;
DeviceFileEvents
| where Timestamp > ago(TimeFrame)
| where ActionType in~ ("FileCreated", "FileModified", "FileRenamed")
| summarize FileChanges = count(),
Extensions = make_set(FileName, 50),
FirstSeen = min(Timestamp),
LastSeen = max(Timestamp)
by DeviceName,
FolderPath,
InitiatingProcessFileName
| where FileChanges > 100
| order by FileChanges descStep 5 — Hunt for ransom notes
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
let TimeFrame = 7d;
DeviceFileEvents
| where Timestamp > ago(TimeFrame)
| where FileName has_any ("README", "RECOVER", "RESTORE", "DECRYPT", "RANSOM")
or FolderPath has_any ("README", "RECOVER", "RESTORE", "DECRYPT", "RANSOM")
| project Timestamp,
DeviceName,
FileName,
FolderPath,
ActionType,
InitiatingProcessFileName,
InitiatingProcessCommandLine
| order by Timestamp descStep 6 — Investigate lateral movement paths
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
let TimeFrame = 7d;
DeviceNetworkEvents
| where Timestamp > ago(TimeFrame)
| where RemotePort in (445, 3389, 5985, 5986, 135, 139)
| summarize ConnectionCount = count(),
Devices = make_set(DeviceName, 20),
Processes = make_set(InitiatingProcessFileName, 20),
FirstSeen = min(Timestamp),
LastSeen = max(Timestamp)
by RemoteIP,
RemotePort,
ActionType
| order by ConnectionCount descStep 7 — Build the ransomware incident timeline
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
let TimeFrame = 7d;
let ProcessEvidence =
DeviceProcessEvents
| where Timestamp > ago(TimeFrame)
| project Timestamp, DeviceName, AccountName, EvidenceType = "Process", Detail = strcat(FileName, " ", ProcessCommandLine);
let FileEvidence =
DeviceFileEvents
| where Timestamp > ago(TimeFrame)
| where ActionType in~ ("FileCreated", "FileModified", "FileRenamed", "FileDeleted")
| project Timestamp, DeviceName, AccountName = InitiatingProcessAccountName, EvidenceType = "File", Detail = strcat(ActionType, ": ", FolderPath);
ProcessEvidence
| union FileEvidence
| order by Timestamp ascRansomware investigation clues
False positives to consider
Investigation checklist
Related Agent Foskett Academy lessons
Coming next
Final thought
Incident Response Workflow Ransomware Incident in Microsoft Defender XDR
Agent Foskett Academy Lesson 115 teaches defenders how to investigate ransomware incidents using Microsoft Defender XDR endpoint, identity, process, file, network and alert telemetry.
Learn ransomware incident response with Microsoft Defender XDR and KQL
Ransomware incident response investigations help Microsoft security analysts identify patient zero, detect encryption behaviour, investigate lateral movement, determine blast radius and guide containment.
Microsoft Defender XDR ransomware investigation tutorial
This lesson explains how to respond to ransomware incidents, build investigation timelines, review DeviceProcessEvents, DeviceFileEvents, DeviceNetworkEvents, AlertInfo and AlertEvidence, and support recovery decisions.
