Temporary guidance for SOC/NOC Levels 1 and 2 regarding ticket handling

Created by Yevhen Marynchak, Modified on Wed, 10 Dec at 8:06 AM by Yevhen Marynchak

This document provides guidance for SOC/NOC Levels 1 and 2 regarding ticket handling for Bland Landscaping, The Crab Place, and Your Behavioral Health based on Karen Kayser's email. 


1. Your Behavioral Health 

Ticket Types and Actions: 


1.1. Threat detected by a Defender product: Investigate. If escalation to SOC Level 3 is required, escalate in ConnectWise. If activity needs client confirmation, create email response using provided templates. 


1.2. Vulnerability notification: Investigate and create email response using provided templates.


Recipients: 


To: David Chocco (david.chocco@yourbehavioralhealth.com), Tom Carleton (tom.carleton@oagconsulting.com) 


CC: Greg Pierce (Greg.Pierce@trofeosolutions.com), Patsy Pollice (patsy.pollice@trofeosolutions.com), Karen Kayser (karen.kayser@trofeosolutions.com) 


2. Bland Landscaping 

Ticket Types and Actions: 


2.1. Threat detected by a Defender product: Investigate. If escalation to SOC Level 3 is required, escalate in ConnectWise. If activity needs client confirmation, create email response using provided templates. 


2.2. Vulnerability notification: Investigate and create email response using provided templates. 


2.3. Azure resource health alerts: Investigate. If action is required by NOC Level 3, escalate in ConnectWise. 


Recipients: 


To: Matthew Nguyen (mnguyen@blandlandscaping.com), Josh Bright (jbright@celito.net), Tom Carleton (tom.carleton@oagconsulting.com)


CC: Greg Pierce (greg.pierce@trofeosolutions.com), Patsy Pollice (patsy.pollice@trofeosolutions.com), Karen Kayser (karen.kayser@trofeosolutions.com)


You may notice Tom Carleton is listed for both Bland Landscaping and Your Behavioral Health. He is associated with both companies so he will see emails for both companies. 



3. The Crab Place 

Ticket Types and Actions: 


3.1. Threat detected by a Defender product: Investigate. If escalation to SOC Level 3 is required, escalate in ConnectWise. If activity needs client confirmation, create email response using provided templates. 


3.2. Vulnerability notification: Investigate and create email response using provided templates. 


3.3. Azure resource health alerts: Investigate. If action is required by NOC Level 3, escalate in ConnectWise. 


Recipients: 


To: Trofeo SOC Internal (Trofeo.SOC.Internal@trofeosolutions.com)


We continue to see daily alerts from The Crab Place related to potential attack paths.  We are working with the client to get one of the servers (S192-xxxx) retired before the end of January 2026.  We need to apply some updates on the second server (APP01), and I hope to have that done prior to the end of next week.
When you see a new  “potential attack path” ticket, please review it to confirm there is no new finding or recommendation. If the alert is identical to prior alerts, you do not need to create a new email detailing the alert.   Add a ticket note stating the alert is identical and then escalate the ticket to SOC 3.



4. Examples of actions 

The original table has four columns (Client, Type of Ticket, Action to Take, Recipients). It is reproduced below one client at a time.


Client: Your Behavioral Health 

Please continue to send SOC alerts and vulnerability emails to the recipients listed below for Your Behavioral Health.

Type of Ticket: Threat detected by a Defender product 
Action to Take:
- Investigate.
- If escalation to SOC Level 3 is required for Level 3 to take action, escalate the ticket in ConnectWise.
- If the activity just needs to be confirmed by the client to determine whether it is legitimate, create an email response using the templates already provided.
- Send to the recipients listed in the Recipients column.
Recipients: the To and CC addresses listed under section 1.

Type of Ticket: Vulnerability notification 
Action to Take: Investigate and create an email response using the templates already provided.
Recipients: the To and CC addresses listed under section 1.


Client: Bland Landscaping 

Please send SOC alerts and vulnerability emails to the recipients listed below for Bland Landscaping. You no longer need to send the emails to Trofeo SOC Internal.

Type of Ticket: Threat detected by a Defender product 
Action to Take:
- Investigate.
- If escalation to SOC Level 3 is required for Level 3 to take action, escalate the ticket in ConnectWise.
- If the activity just needs to be confirmed by the client to determine whether it is legitimate, create an email response using the templates already provided.
- Send to the recipient listed in the Recipients column. Someone in SOC Level 3 will review and will send to the client.
Recipients: the To and CC addresses listed under section 2.

Type of Ticket: Vulnerability notification 
Action to Take:
- Investigate and create an email response using the templates already provided.
- Send to the recipient listed in the Recipients column. Someone in SOC Level 3 will review and will send to the client.
Recipients: the To and CC addresses listed under section 2.

Type of Ticket: Azure resource health alerts 
Action to Take: Investigate. If action is required by NOC Level 3, escalate the ticket in ConnectWise.


Client: The Crab Place 

Please continue to send SOC alerts and vulnerability emails to Trofeo SOC Internal.

Type of Ticket: Threat detected by a Defender product 
Action to Take:
- Investigate.
- If escalation to SOC Level 3 is required for Level 3 to take action, escalate the ticket in ConnectWise.
- If the activity just needs to be confirmed by the client to determine whether it is legitimate, create an email response using the templates already provided.
- Send to the recipient listed in the Recipients column. Someone in SOC Level 3 will review and will send to the client.
Recipients: To: Trofeo SOC Internal (Trofeo.soc.internal@trofeosolutions.com)

Type of Ticket: Vulnerability notification 
Action to Take: Investigate and create an email response using the templates already provided.

We continue to see daily alerts from The Crab Place related to potential attack paths. We are working with the client to get one of the servers (S192-xxxx) retired before the end of January 2026. We need to apply some updates on the second server (APP01), and I hope to have that done prior to the end of next week.

When you see a new “potential attack path” ticket, please review it to confirm there is no new finding or recommendation.

1) If the alert is identical to prior alerts, you do not need to create a new email detailing the alert. Add a ticket note stating the alert is identical and then escalate the ticket to SOC 3.

2) If the alert is different (i.e., different findings or recommendations), please create the normal threat email communication and continue to send the email to the Trofeo SOC Internal group. Then escalate the ticket to SOC 3.

Recipients: To: Trofeo SOC Internal (Trofeo.soc.internal@trofeosolutions.com)

Type of Ticket: Azure resource health alerts 
Action to Take: Investigate. If action is required by NOC Level 3, escalate the ticket in ConnectWise.

  


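The two-branch rule for "potential attack path" tickets (identical alert: ticket note and escalate; changed alert: threat email to Trofeo SOC Internal, then escalate) depends on deciding what "identical" means. The Python below is an added example, not part of this guidance and not a Trofeo tool: it fingerprints only the findings and recommendations of an alert, deliberately ignoring incident IDs and timestamps that change with every daily alert, and returns the action to take plus the delta to describe in the email when the alert has changed. The alert record layout (incident_id, title, findings, recommendations) and the sample alerts are constructed for the example.

```python
import hashlib
import json
import re

# Sample alerts, constructed for this example. The record layout
# (incident_id, title, findings, recommendations) is an assumption, not the
# schema of a Defender alert email.
PRIOR_ALERTS = [
    {
        "incident_id": "1001",
        "title": "Potential attack path",
        "findings": [
            "Server S192-xxxx exposed to the internet on port 3389",
            "APP01 missing security updates",
        ],
        "recommendations": [
            "Restrict inbound RDP",
            "Install pending updates on APP01",
        ],
    },
]

_WS = re.compile(r"\s+")


def _norm(items):
    """Lower-case, collapse whitespace and sort, so that reordering or
    spacing differences between two emails do not count as a change."""
    return sorted(_WS.sub(" ", item).strip().lower() for item in items)


def fingerprint(alert):
    """Hash only the content that matters for triage. Incident IDs and
    timestamps change with every daily alert and are deliberately left out."""
    canonical = json.dumps(
        {"findings": _norm(alert["findings"]),
         "recommendations": _norm(alert["recommendations"])},
        sort_keys=True,
    )
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def delta(new_alert, prior_alerts):
    """Findings and recommendations in the new alert not seen in any prior one."""
    seen_findings, seen_recs = set(), set()
    for alert in prior_alerts:
        seen_findings.update(_norm(alert["findings"]))
        seen_recs.update(_norm(alert["recommendations"]))
    return {
        "new_findings": [f for f in _norm(new_alert["findings"]) if f not in seen_findings],
        "new_recommendations": [r for r in _norm(new_alert["recommendations"]) if r not in seen_recs],
    }


def triage(new_alert, prior_alerts):
    """Apply the two-branch rule: identical -> ticket note and escalate to SOC 3;
    different -> threat email to Trofeo SOC Internal, then escalate to SOC 3."""
    if fingerprint(new_alert) in {fingerprint(a) for a in prior_alerts}:
        return {
            "action": "note_and_escalate",
            "send_email": False,
            "ticket_note": ("Alert is identical to prior 'potential attack path' alerts; "
                            "no new finding or recommendation. Escalating to SOC 3."),
        }
    changes = delta(new_alert, prior_alerts)
    return {
        "action": "email_and_escalate",
        "send_email": True,
        "ticket_note": ("Alert differs from prior 'potential attack path' alerts "
                        f"(new findings: {len(changes['new_findings'])}, "
                        f"new recommendations: {len(changes['new_recommendations'])}). "
                        "Threat email sent to Trofeo SOC Internal. Escalating to SOC 3."),
        "delta": changes,
    }


if __name__ == "__main__":
    # Same content as the prior alert, different incident ID, different order and spacing.
    repeat = {"incident_id": "1002", "title": "Potential attack path",
              "findings": ["APP01 missing security updates",
                           "  server S192-xxxx exposed to the Internet on port 3389"],
              "recommendations": ["install pending updates on APP01", "Restrict inbound RDP"]}
    print(triage(repeat, PRIOR_ALERTS)["action"])  # note_and_escalate
```

Note that a fingerprint mismatch with an empty delta is still "different": a finding that disappeared (for example after S192-xxxx is retired) is worth a sentence in the email rather than a silent note.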
5. Merge the second and subsequent tickets to the initial ticket 

5.1. If you receive multiple tickets related to a single event, you may merge the second and subsequent tickets to the initial ticket. All activity to resolve the issue should then be noted in the initial ticket.

5.2. Open the initial ticket. Look for the section labeled “Combined Tickets” and select the “+” to merge tickets.

Select the option to Merge (do not Bundle). You will see a screen with tickets associated with the client.  Filter the list to find the ticket(s) you want to merge. Select the tickets to merge. Click the Merge button. You will be prompted to select a status to assign to the tickets being merged.  Select the status of “Closed”.


You can only merge tickets located in the same service board as the primary ticket.  This means you cannot merge a ticket from the SOC/NOC Triage board with one in the SOC Level 3 service board.


6. Close Tickets (Set Status field to Closed). 

6.1. If you are sending a vulnerability notification email, you may close the ticket after you send the email and update the ticket with your actions.

6.2. For security threat alerts, take the following actions:

- Set the ticket to Resolved once you send the client email.

- If the client responds to the ticket indicating the alert is safe to dismiss, add a ticket note and close the ticket.

- If the client does not respond, you may close the ticket after waiting 2 business days for the client to respond.

6.3. For Azure resource health alerts (i.e., heartbeat alerts), you may close the ticket once you confirm the Azure resource health issue is resolved.


7. Email templates.  

Example 1:  

Subject: Trofeo SOC Notification of a <Severity> Severity Defender Alert  

Trofeo’s Security Operations received and reviewed the following alert from the Defender portal.  

Field: Description (what to enter)

Client Name: Client name as shown in the Defender portal

Incident ID: Incident ID from the Defender portal

Severity: Severity from the alert email or Defender portal

Alert Name: Alert name from the alert email or Defender portal

Automated Investigation Status: Automated Investigation Status from the Defender portal

Recommended Actions for Client: Insert the most appropriate recommendation from the list below. If there is no appropriate recommendation in the list below, type up a recommended action based on the type of alert.

Please review the alert and take any recommended actions. If you have any questions, please reply to this email.  

Thank you.  

Security Operations  

******************************  

Possible recommended actions which can be copied and pasted into the email body:  

  • Device isolated. Follow up with user regarding steps to remediate device.  

  • Device not isolated. Follow up with user associated with the device, if needed.  

  • URL, email message, or file quarantined. No further action required 

  • User’s Microsoft 365 account should be reviewed to determine if it should be disabled or have the password reset.  


Example 2:  

Subject: Trofeo SOC Notification of new vulnerabilities  

Trofeo’s Security Operations received and reviewed a vulnerability email notification from the Defender portal.  

Field: Description (what to enter)

Client Name: Client name as shown in the Defender portal

Notification Source: Vulnerability Management

Number of CVEs in Notification: Enter a count of the number of CVEs listed in the email.

Highest Severity: Highest level of severity in the email (since multiple CVEs may be included in the email).

Notification Purpose: Microsoft Defender Vulnerability Management is configured to send the SOC an email notification when it detects one or more new vulnerabilities on one or more of your endpoints (devices), and the vulnerabilities have a medium or higher severity.

Recommended Actions for Client: Please review the vulnerabilities in the Defender portal. Go to Vulnerability Management (under Endpoints in the left navigation). Within Vulnerability Management, navigate to the Weaknesses page. You may sort on the 'First Detected' column to see the vulnerabilities most recently detected first. Vulnerability Management also provides recommendations. We recommend you review and perform remediation actions to remove the vulnerabilities.

If you have any questions, please reply to this email.  

Thank you.  

Security Operations  

Example 3:  

Subject: Trofeo SOC Notification of vulnerabilities with publicly disclosed exploits  

Trofeo’s Security Operations received and reviewed a vulnerability email notification from the Defender portal.  

Field: Description (what to enter)

Client Name: Client name as shown in the Defender portal

Notification Source: Vulnerability Management

Number of CVEs in Notification: Enter a count of the number of CVEs listed in the email.

Highest Severity: Highest level of severity in the email (since multiple CVEs may be included in the email).

Notification Purpose: Microsoft Defender Vulnerability Management is configured to send the SOC an email notification when it detects one or more vulnerabilities on one or more of your endpoints (devices), and the vulnerabilities have known or publicly disclosed exploits. The notification does not indicate your exposed endpoints have been exploited; it indicates exploits of the vulnerability have been reported.

Recommended Actions for Client: Please review the vulnerabilities in the Defender portal. Go to Vulnerability Management (under Endpoints in the left navigation). Within Vulnerability Management, navigate to the Weaknesses page. You may sort on the 'First Detected' column to see the vulnerabilities most recently detected first. You may also filter on the 'Threats' column to see which vulnerabilities are associated with verified or available exploits. Vulnerability Management also provides recommendations. We recommend you review and perform remediation actions to remove the vulnerabilities.

If you have any questions, please reply to this email.  

Thank you.  

Security Operations  

Example 4:   

Subject: Trofeo SOC Notification of vulnerabilities with known, verified exploits  

Trofeo’s Security Operations received and reviewed a vulnerability email notification from the Defender portal.  

Field: Description (what to enter)

Client Name: Client name as shown in the Defender portal

Notification Source: Vulnerability Management

Number of CVEs in Notification: Enter a count of the number of CVEs listed in the email.

Highest Severity: Highest level of severity in the email (since multiple CVEs may be included in the email).

Notification Purpose: Microsoft Defender Vulnerability Management is configured to send the SOC an email notification when it detects one or more vulnerabilities on one or more of your endpoints (devices), and the vulnerabilities have known or publicly disclosed exploits. The notification does not indicate your exposed endpoints have been exploited; it indicates exploits of the vulnerability have been reported.

Recommended Actions for Client: Please review the vulnerabilities in the Defender portal. Go to Vulnerability Management (under Endpoints in the left navigation). Within Vulnerability Management, navigate to the Weaknesses page. You may sort on the 'First Detected' column to see the vulnerabilities most recently detected first. You may also filter on the 'Threats' column to see which vulnerabilities are associated with verified or available exploits. Vulnerability Management also provides recommendations. We recommend you review and perform remediation actions to remove the vulnerabilities.

If you have any questions, please reply to this email.  

Thank you.  

Security Operations  
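Examples 2, 3 and 4 differ only in the subject line, the Notification Purpose text and one sentence of the recommended actions, while "Number of CVEs in Notification" and "Highest Severity" have to be derived from the Defender email each time (a CVE listed twice counts once). The Python below is an added example, not a Trofeo template or tool: it extracts the distinct CVE IDs and the highest severity from the notification text and fills in the chosen template. The sample email body is constructed; the real Defender Vulnerability Management notification layout may differ, so the CVE and severity regexes are an assumption to adjust against a real message.

```python
import re

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}
# Assumed layout: one CVE per line with its severity on the same line.
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,7}\b", re.IGNORECASE)
SEV_RE = re.compile(r"\b(critical|high|medium|low)\b", re.IGNORECASE)

# Subject lines from Examples 2, 3 and 4 above.
SUBJECTS = {
    "new": "Trofeo SOC Notification of new vulnerabilities",
    "public_exploit": "Trofeo SOC Notification of vulnerabilities with publicly disclosed exploits",
    "verified_exploit": "Trofeo SOC Notification of vulnerabilities with known, verified exploits",
}

# Notification Purpose text from Example 2 (new) and Examples 3 and 4 (exploits).
PURPOSE = {
    "new": ("Microsoft Defender Vulnerability Management is configured to send the SOC an email "
            "notification when it detects one or more new vulnerabilities on one or more of your "
            "endpoints (devices), and the vulnerabilities have a medium or higher severity."),
    "exploit": ("Microsoft Defender Vulnerability Management is configured to send the SOC an email "
                "notification when it detects one or more vulnerabilities on one or more of your "
                "endpoints (devices), and the vulnerabilities have known or publicly disclosed exploits. "
                "The notification does not indicate your exposed endpoints have been exploited; it "
                "indicates exploits of the vulnerability have been reported."),
}

# Constructed sample body; not a real Defender notification.
SAMPLE_EMAIL = """\
New vulnerabilities were found on your devices.
CVE-2024-1234 - Medium - 3 exposed devices
CVE-2024-5678 - High - 1 exposed device
CVE-2024-9999 - Critical - 2 exposed devices
CVE-2024-1234 - Medium - listed again for a second device group
"""


def summarize(body):
    """Distinct CVE IDs and the highest severity seen on any CVE line.
    A CVE listed twice counts once; its severity is the highest seen for it."""
    ranks = {}
    for line in body.splitlines():
        match = CVE_RE.search(line)
        if not match:
            continue
        cve = match.group(0).upper()
        sev = SEV_RE.search(line)
        rank = SEVERITY_RANK[sev.group(1).lower()] if sev else 0
        ranks[cve] = max(ranks.get(cve, 0), rank)
    names = {rank: name.capitalize() for name, rank in SEVERITY_RANK.items()}
    return {
        "cves": sorted(ranks),
        "count": len(ranks),
        "highest": names.get(max(ranks.values(), default=0), "Unknown"),
    }


def build_email(client, kind, body):
    """Fill the template for `kind` ("new", "public_exploit" or "verified_exploit")."""
    if kind not in SUBJECTS:
        raise ValueError(f"unknown notification kind: {kind}")
    summary = summarize(body)
    if summary["count"] == 0:
        raise ValueError("no CVE identifiers found; nothing to notify")
    purpose = PURPOSE["new"] if kind == "new" else PURPOSE["exploit"]
    actions = ("Please review the vulnerabilities in the Defender portal. Go to Vulnerability "
               "Management (under Endpoints in the left navigation). Within Vulnerability Management, "
               "navigate to the Weaknesses page. You may sort on the 'First Detected' column to see "
               "the vulnerabilities most recently detected first.")
    if kind != "new":  # the 'Threats' filter sentence appears only in Examples 3 and 4
        actions += (" You may also filter on the 'Threats' column to see which vulnerabilities are "
                    "associated with verified or available exploits.")
    actions += (" Vulnerability Management also provides recommendations. We recommend you review "
                "and perform remediation actions to remove the vulnerabilities.")
    lines = [
        "Trofeo's Security Operations received and reviewed a vulnerability email notification "
        "from the Defender portal.",
        "",
        f"Client Name: {client}",
        "Notification Source: Vulnerability Management",
        f"Number of CVEs in Notification: {summary['count']}",
        f"Highest Severity: {summary['highest']}",
        f"Notification Purpose: {purpose}",
        f"Recommended Actions for Client: {actions}",
        "",
        "If you have any questions, please reply to this email.",
        "",
        "Thank you.",
        "Security Operations",
    ]
    return SUBJECTS[kind], "\n".join(lines)


if __name__ == "__main__":
    subject, text = build_email("Bland Landscaping", "public_exploit", SAMPLE_EMAIL)
    print(subject)
    print(text)
```

The choice between "public_exploit" and "verified_exploit" is still the analyst's, made from the Defender portal's Threats column, which is why it is a parameter rather than something inferred from the email text.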
