Interactive Demo — Simulated data only.
SOC365 Dashboard
Acme Legal Services Ltd Live 13:53:43 UTC

Ransomware behaviour alert on WS-LAP-011 — please investigate

TKT-0006 | Urgent | In Progress | Incident Response
Created By: h.roberts
Created: 2026-04-07 06:15
Last Updated: 2026-04-09 01:40
Assigned Analyst: Marcus Webb
Category: Incident Response
Messages: 5

Conversation

h.roberts Customer
2026-04-07 06:15
We've noticed some concerning activity and would like the SOC team to investigate urgently.

Subject: Ransomware behaviour alert on WS-LAP-011 — please investigate

Please provide an initial assessment as soon as possible. Our IT team is standing by to assist with any containment actions needed.

Marcus Webb SOC Analyst
2026-04-07 08:02
We've applied the policy change you requested. It will take effect within 15 minutes across all monitored endpoints. Please let us know if you see any issues.

h.roberts Customer
2026-04-07 10:51
The affected user has confirmed they changed their password. Can you verify MFA is active?

Marcus Webb SOC Analyst
2026-04-07 13:46
I've updated the DLP policy as requested. The HR shared drive is now excluded from the external transfer monitoring rule, but internal audit logging remains active.

h.roberts Customer
2026-04-07 16:42
Thanks. Could you also check if any other accounts were affected?
