Incident Mitigation
Activities are performed to prevent expansion of an event and mitigate its effects
Tools for incident mitigation
Hosted MCP servers your agents can use for these controls.
Starter prompts
Paste into Claude Code, Microsoft Copilot, or Codex connected to Tracecat MCP, and build it out together.
Contain compromised endpoints
Build me a containment workflow in Tracecat. From a confirmed-malicious case, isolate the host in CrowdStrike, clear the user's sessions and suspend sign-in in Okta, and post the containment status to the incident channel. Gate each action behind an approval in Slack, and record who approved what on the case timeline. First help me understand how this maps to RS.MI-01 and how containment choices trade speed against business disruption. Ask me which user populations and systems need extra care before isolation. Talk me through which approvals could safely drop away as confidence grows.
Eradicate attacker footholds
Build me an eradication workflow in Tracecat. Take the indicators from a contained incident, sweep the whole fleet for them through CrowdStrike and Defender, remove persistence mechanisms found, force credential resets for touched accounts, and rescan to verify nothing answers. Write the sweep coverage and results to the case. First help me understand how this maps to RS.MI-02 and why eradication without a full sweep invites reinfection. Ask me what fleet coverage our EDR actually has. Talk me through deciding between cleaning a host and reimaging it.
Block attacker infrastructure
Build me a blocking automation in Tracecat. From a case's confirmed indicators, push domains to the DNS filter in Cloudflare, URLs to Zscaler, and IPs to the Palo Alto blocklist, each with an expiry date and the case reference. Include a rollback step that removes a block cleanly if it breaks something legitimate. First help me understand how this maps to RS.MI-01 and why blocks need expiry and provenance to stay maintainable. Ask me which enforcement points we run and who owns them. Talk me through confidence thresholds: which indicators auto-block and which wait for review.
Controls
- RS.MI-01 (SP 800-53 Rev 5: IR-4): Incidents are contained
- RS.MI-02 (SP 800-53 Rev 5: IR-4): Incidents are eradicated
Control text and SP 800-53 Rev 5 references from the official NIST CSF 2.0 and OLIR releases.
Automate incident mitigation with agents
Paste an example into your coding assistant and an agent builds the automation around your tools.