This document gives SOC/NOC Level 1 and Level 2 analysts guidance on ticket handling for Bland Landscaping, The Crab Place, and Your Behavioral Health, based on Karen Kayser's email.
1. Your Behavioral Health
Ticket Types and Actions:
1.1. Threat detected by a Defender product: Investigate. If escalation to SOC Level 3 is required, escalate in ConnectWise. If activity needs client confirmation, create email response using provided templates.
1.2. Vulnerability notification: Investigate and create email response using provided templates.
Recipients:
To: David Chocco (david.chocco@yourbehavioralhealth.com), Tom Carleton (tom.carleton@oagconsulting.com)
CC: Greg Pierce (Greg.Pierce@trofeosolutions.com), Patsy Pollice (patsy.pollice@trofeosolutions.com), Karen Kayser (karen.kayser@trofeosolutions.com)
2. Bland Landscaping
Ticket Types and Actions:
2.1. Threat detected by a Defender product: Investigate. If escalation to SOC Level 3 is required, escalate in ConnectWise. If activity needs client confirmation, create email response using provided templates.
2.2. Vulnerability notification: Investigate and create email response using provided templates.
2.3. Azure resource health alerts: Investigate. If action is required by NOC Level 3, escalate in ConnectWise.
Recipients:
To: Trofeo SOC Internal (Trofeo.SOC.Internal@trofeosolutions.com)
3. The Crab Place
Ticket Types and Actions:
3.1. Threat detected by a Defender product: Investigate. If escalation to SOC Level 3 is required, escalate in ConnectWise. If activity needs client confirmation, create email response using provided templates.
3.2. Vulnerability notification: Investigate and create email response using provided templates.
3.3. Azure resource health alerts: Investigate. If action is required by NOC Level 3, escalate in ConnectWise.
Recipients:
To: Trofeo SOC Internal (Trofeo.SOC.Internal@trofeosolutions.com)
4. Examples of actions
Client | Type of Ticket | Action to Take | Recipients |
Your Behavioral Health | Threat detected by a Defender product | Investigate. If escalation to SOC Level 3 is required for Level 3 to take action, escalate the ticket in ConnectWise. If the activity only needs to be confirmed by the client to determine whether it is legitimate, create an email response using the templates already provided and send it to the recipients listed in the Recipients column. | To: David Chocco (david.chocco@yourbehavioralhealth.com), Tom Carleton (tom.carleton@oagconsulting.com); CC: Greg Pierce (Greg.Pierce@trofeosolutions.com), Patsy Pollice (patsy.pollice@trofeosolutions.com), Karen Kayser (karen.kayser@trofeosolutions.com) |
Your Behavioral Health | Vulnerability notification | Investigate and create an email response using the templates already provided. | To: David Chocco (david.chocco@yourbehavioralhealth.com), Tom Carleton (tom.carleton@oagconsulting.com); CC: Greg Pierce (Greg.Pierce@trofeosolutions.com), Patsy Pollice (patsy.pollice@trofeosolutions.com), Karen Kayser (karen.kayser@trofeosolutions.com) |
Bland Landscaping | Threat detected by a Defender product | Investigate. If escalation to SOC Level 3 is required for Level 3 to take action, escalate the ticket in ConnectWise. If the activity only needs to be confirmed by the client to determine whether it is legitimate, create an email response using the templates already provided and send it to the recipient listed in the Recipients column. Someone in SOC Level 3 will review it and send it to the client. | To: Trofeo SOC Internal (Trofeo.SOC.Internal@trofeosolutions.com) |
Bland Landscaping | Vulnerability notification | Investigate and create an email response using the templates already provided. Send it to the recipient listed in the Recipients column. Someone in SOC Level 3 will review it and send it to the client. | To: Trofeo SOC Internal (Trofeo.SOC.Internal@trofeosolutions.com) |
Bland Landscaping | Azure resource health alerts | Investigate. If action is required by NOC Level 3, escalate the ticket in ConnectWise. | (none) |
The Crab Place | Threat detected by a Defender product | Investigate. If escalation to SOC Level 3 is required for Level 3 to take action, escalate the ticket in ConnectWise. If the activity only needs to be confirmed by the client to determine whether it is legitimate, create an email response using the templates already provided and send it to the recipient listed in the Recipients column. Someone in SOC Level 3 will review it and send it to the client. | To: Trofeo SOC Internal (Trofeo.SOC.Internal@trofeosolutions.com) |
The Crab Place | Vulnerability notification | Investigate and create an email response using the templates already provided. Send it to the recipient listed in the Recipients column. Someone in SOC Level 3 will review it and send it to the client. | To: Trofeo SOC Internal (Trofeo.SOC.Internal@trofeosolutions.com) |
The Crab Place | Azure resource health alerts | Investigate. If action is required by NOC Level 3, escalate the ticket in ConnectWise. | (none) |
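The routing matrix above, encoded as a small Python playbook so the per-client rules can be checked mechanically. This is an added example, not Trofeo's own tooling; the Ticket fields, the ticket_type and exploit_status labels, and the route() function are assumptions, while the recipients and subjects are taken from this page.

```python
from dataclasses import dataclass
# Recipient lists and rules copied from the Recipients sections above.
YBH_TO = ["david.chocco@yourbehavioralhealth.com", "tom.carleton@oagconsulting.com"]
YBH_CC = ["Greg.Pierce@trofeosolutions.com", "patsy.pollice@trofeosolutions.com",
          "karen.kayser@trofeosolutions.com"]
SOC_INTERNAL = ["Trofeo.SOC.Internal@trofeosolutions.com"]
RECIPIENTS = {  # l3_review: SOC Level 3 reviews the draft and forwards it to the client
    "Your Behavioral Health": {"to": YBH_TO, "cc": YBH_CC, "l3_review": False},
    "Bland Landscaping": {"to": SOC_INTERNAL, "cc": [], "l3_review": True},
    "The Crab Place": {"to": SOC_INTERNAL, "cc": [], "l3_review": True},
}
AZURE_CLIENTS = {"Bland Landscaping", "The Crab Place"}  # only these have Azure health alerts
VULN_SUBJECTS = {  # subjects of Examples 2-4 in the templates section
    "new": "Trofeo SOC Notification of new vulnerabilities",
    "public": "Trofeo SOC Notification of vulnerabilities with publicly disclosed exploits",
    "verified": "Trofeo SOC Notification of vulnerabilities with known, verified exploits",
}

@dataclass
class Ticket:  # assumed ticket shape, not a ConnectWise object
    client: str
    ticket_type: str              # "defender_threat", "vulnerability" or "azure_health"
    severity: str = ""            # from the alert email or Defender portal
    exploit_status: str = "new"   # vulnerability tickets: "new", "public" or "verified"
    needs_l3_action: bool = False            # outcome of the L1/L2 investigation
    needs_client_confirmation: bool = False  # outcome of the L1/L2 investigation

def route(t: Ticket) -> dict:
    """Return the runbook outcome: ConnectWise escalation flag and the email draft (or None)."""
    if t.client not in RECIPIENTS:
        raise ValueError(f"no runbook entry for client {t.client!r}")
    if t.ticket_type == "azure_health":
        if t.client not in AZURE_CLIENTS:
            raise ValueError(f"Azure resource health alerts are not defined for {t.client!r}")
        return {"escalate_connectwise": t.needs_l3_action, "email": None}  # NOC path, no email
    if t.ticket_type == "defender_threat":
        escalate, send = t.needs_l3_action, t.needs_client_confirmation
        subject = f"Trofeo SOC Notification of a {t.severity} Severity Defender Alert"
    elif t.ticket_type == "vulnerability":
        escalate, send = False, True  # always answered with a templated email, never escalated
        subject = VULN_SUBJECTS[t.exploit_status]
    else:
        raise ValueError(f"unknown ticket type {t.ticket_type!r}")
    r = RECIPIENTS[t.client]
    email = None
    if send:
        email = {"subject": subject, "to": r["to"], "cc": r["cc"],
                 "next_step": "SOC Level 3 reviews and sends to client" if r["l3_review"]
                 else "send directly to client"}
    return {"escalate_connectwise": escalate, "email": email}
```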
5. Email templates
Example 1:
Subject: Trofeo SOC Notification of a <Severity> Severity Defender Alert
Trofeo’s Security Operations received and reviewed the following alert from the Defender portal.
Field | Description |
Client Name | Client name as shown in Defender portal |
Incident ID | Incident ID from Defender portal |
Severity | Severity from alert email or Defender portal |
Alert Name | Alert name from alert email or Defender portal |
Automated Investigation Status | Automated Investigation Status from the Defender portal. |
Recommended Actions for Client | Insert the most appropriate recommendation from the list below. If there is no appropriate recommendation in the list below, type up a recommended action based on the type of alert. |
Please review the alert and take any recommended actions. If you have any questions, please reply to this email.
Thank you.
Security Operations
******************************
Possible recommended actions which can be copied and pasted into the email body:
Device isolated. Follow up with user regarding steps to remediate device.
Device not isolated. Follow up with user associated with the device, if needed.
URL, email message, or file quarantined. No further action required.
User’s Microsoft 365 account should be reviewed to determine if it should be disabled or have the password reset.
Example 2:
Subject: Trofeo SOC Notification of new vulnerabilities
Trofeo’s Security Operations received and reviewed a vulnerability email notification from the Defender portal.
Field | Description |
Client Name | Client name as shown in Defender portal |
Notification Source | Vulnerability Management |
Number of CVEs in Notification | Enter a count of the number of CVEs listed in the email. |
Highest Severity | Highest level of severity in the email (since multiple CVEs may be included in the email). |
Notification Purpose | Microsoft Defender Vulnerability Management is configured to send the SOC an email notification when it detects one or more new vulnerabilities on one or more of your endpoints (devices), and the vulnerabilities have a medium or higher severity. |
Recommended Actions for Client | Please review the vulnerabilities in the Defender portal. Go to Vulnerability Management (under Endpoints in the left navigation). Within Vulnerability Management, navigate to the Weaknesses page. You may sort on the 'First Detected' column to see the vulnerabilities most recently detected first. Vulnerability Management also provides recommendations. We recommend you review and perform remediation actions to remove the vulnerabilities. |
If you have any questions, please reply to this email.
Thank you.
Security Operations
Example 3:
Subject: Trofeo SOC Notification of vulnerabilities with publicly disclosed exploits
Trofeo’s Security Operations received and reviewed a vulnerability email notification from the Defender portal.
Field | Description |
Client Name | Client name as shown in Defender portal |
Notification Source | Vulnerability Management |
Number of CVEs in Notification | Enter a count of the number of CVEs listed in the email. |
Highest Severity | Highest level of severity in the email (since multiple CVEs may be included in the email). |
Notification Purpose | Microsoft Defender Vulnerability Management is configured to send the SOC an email notification when it detects one or more vulnerabilities on one or more of your endpoints (devices), and the vulnerabilities have known or publicly disclosed exploits. The notification does not indicate your exposed endpoints have been exploited; it indicates exploits of the vulnerability have been reported. |
Recommended Actions for Client | Please review the vulnerabilities in the Defender portal. Go to Vulnerability Management (under Endpoints in the left navigation). Within Vulnerability Management, navigate to the Weaknesses page. You may sort on the 'First Detected' column to see the vulnerabilities most recently detected first. You may also filter on the 'Threats' column to see which vulnerabilities are associated with verified or available exploits. Vulnerability Management also provides recommendations. We recommend you review and perform remediation actions to remove the vulnerabilities. |
If you have any questions, please reply to this email.
Thank you.
Security Operations
Example 4:
Subject: Trofeo SOC Notification of vulnerabilities with known, verified exploits
Trofeo’s Security Operations received and reviewed a vulnerability email notification from the Defender portal.
Field | Description |
Client Name | Client name as shown in Defender portal |
Notification Source | Vulnerability Management |
Number of CVEs in Notification | Enter a count of the number of CVEs listed in the email. |
Highest Severity | Highest level of severity in the email (since multiple CVEs may be included in the email). |
Notification Purpose | Microsoft Defender Vulnerability Management is configured to send the SOC an email notification when it detects one or more vulnerabilities on one or more of your endpoints (devices), and the vulnerabilities have known or publicly disclosed exploits. The notification does not indicate your exposed endpoints have been exploited; it indicates exploits of the vulnerability have been reported. |
Recommended Actions for Client | Please review the vulnerabilities in the Defender portal. Go to Vulnerability Management (under Endpoints in the left navigation). Within Vulnerability Management, navigate to the Weaknesses page. You may sort on the 'First Detected' column to see the vulnerabilities most recently detected first. You may also filter on the 'Threats' column to see which vulnerabilities are associated with verified or available exploits. Vulnerability Management also provides recommendations. We recommend you review and perform remediation actions to remove the vulnerabilities. |
If you have any questions, please reply to this email.
Thank you.
Security Operations