Incident Response
Security
Last synthesized: 2026-02-13 02:51 | Model: gpt-5-mini
Table of Contents
1. Physical device compromise, seizure, theft and replacement
2. Leaked or compromised credentials and suspected account takeover
3. Outbound malicious traffic, mass intake spam and quarantined malicious attachments
4. IDS/IPS blocking legitimate SMTP DATA (SMTP_COMMAND_OVERFLOW) causing delayed mail delivery
5. Public S3 bucket misconfiguration exposing monitoring data tied to CARE DB metadata
6. Automated containment when endpoint protection was bypassed or tampered with
7. Benign but alarming automated notifications and unexpected calendar objects
8. Unexpected remote-access client activation and suspected endpoint compromise
9. Video conference disruption by unidentified participant and limited traceability
10. Wireless LAN Controller and access point certificate validation and expiry concerns
11. Ivanti Connect Secure exploitation alert and emergency patching
12. Requests for silent-alarm / panic-button via collaboration tools
13. Facility equipment fault reported as security concern (power outlets / AV mount)
14. Repeated Microsoft Excel security warning when opening files
15. Outdated Windows 10 device flagged and isolated by endpoint protection
1. Physical device compromise, seizure, theft and replacement
Solution
SOC isolated and catalogued affected endpoints and captured inventory details (hostname/serial) for police and asset records. Users were instructed to back up data to cloud services (OneDrive/Personal Home drive/Teams) before device exchange; replacement hardware was shipped or procured and loaners issued while recoveries were attempted. For stolen or irretrievable devices the device record (serial/hostname) was documented for police and a remote wipe was initiated where the device was reachable; BitLocker/encryption status was verified and recorded to assess data exposure risk. Devices that were out-of-support or had stopped receiving security/management telemetry (Windows 10 EOL, AV not reporting) were flagged in inventory, user accounts were deprovisioned as appropriate, and those assets were handled as lost/unrecoverable until remote management connectivity could be restored. Smart Support processed physical returns and completed RMA/exchange operations. Incident reports and replacement requests were captured through the reporting workflow (notes recorded when users selected items such as 1Password in the incident form), and records were retained to support chain-of-custody and data-protection reporting to legal or law enforcement.
2. Leaked or compromised credentials and suspected account takeover
Solution
Affected accounts were reset and account owners were notified; Okta password resets were executed and distributed to designated contact addresses when requested. Compromised student and staff accounts had passwords changed and recipients were advised to run AV scans and enable MFA where applicable. Investigations reviewed authentication logs and telemetry and sometimes concluded with no evidence of lateral compromise after monitoring. When unauthorized TeamViewer activity was reported, investigators inspected TeamViewer autostart/easy-access configuration and session history, reviewed Defender detections and Azure MCAS telemetry, and removed or updated the TeamViewer client where appropriate. For unrecognized logons from outdated Windows 10 devices (Security Center–flagged), the endpoint was isolated from the network, passwords were changed for affected accounts, and the isolated device and security logs were monitored for further activity until no additional anomalies were observed.
3. Outbound malicious traffic, mass intake spam and quarantined malicious attachments
Solution
Network and endpoint IoCs were identified and blocked at the network perimeter and on endpoints; firewall rules and logging were adjusted to contain outbound malicious traffic and implicated IP ranges/blocks were isolated. Malicious domains and URLs discovered in the Salesforce OBW submissions were blocked on endpoints, quarantine entries for banned attachments were confirmed as spam/malicious and retained in quarantine, and logging/alerting was increased to support follow-up analysis.
4. IDS/IPS blocking legitimate SMTP DATA (SMTP_COMMAND_OVERFLOW) causing delayed mail delivery
Solution
The Meraki intrusion detection/prevention device was identified as the source of SMTP_COMMAND_OVERFLOW (Snort rule 124-1) hits that interrupted SMTP DATA transfers. The mail gateways were whitelisted and the IDS rule state was tuned so that legitimate SMTP DATA transfers (including the MIME boundary line lengths that triggered the rule) could complete; after the IDS/IPS adjustment Postfix retried the deferred deliveries and the mail queue cleared.
5. Public S3 bucket misconfiguration exposing monitoring data tied to CARE DB metadata
Solution
Percona Security Operations discovered the publicly exposed bucket and reported the finding; the bucket’s public access was removed and access controls were tightened. The investigation identified that two data records (name, email, address, telephone) may have been accessible, and those findings were handled through the established incident/forensics channels.
6. Automated containment when endpoint protection was bypassed or tampered with
Solution
A SOAR/playbook-based automation approach was implemented to isolate compromised endpoints and to trigger account credential resets when Microsoft Defender for Endpoint (MDE) tamper or bypass indicators were detected. The automation included server exclusion rules and a circuit-breaker to limit high-impact false positives, and fed MDE findings into Sentinel to drive standardized containment and remediation actions.
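As an added illustration of the server-exclusion and circuit-breaker logic described above (example code, not the organisation's own playbook; the MDE/Sentinel integration is assumed to sit outside this decision step, and every device name, indicator label and alert below is constructed):

```python
# Added example, not the ticket system's own code: containment decisions for MDE
# tamper/bypass alerts with server exclusions and a circuit breaker (constructed data).
from collections import deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta

@dataclass
class Alert:
    device: str
    user: str
    indicator: str   # constructed label such as "TamperProtectionDisabled"
    seen: datetime

SERVER_PREFIXES = ("srv-", "dc-")  # hypothetical naming rule: servers are never auto-isolated

@dataclass
class ContainmentPlaybook:
    max_isolations: int = 3                # isolations per window before the breaker trips
    window: timedelta = timedelta(minutes=15)
    tripped: bool = False                  # sticky until an analyst clears it
    _recent: deque = field(default_factory=deque)

    def decide(self, alert):
        """Return the action the automation takes for one alert."""
        if alert.device.lower().startswith(SERVER_PREFIXES):
            return {"device": alert.device, "action": "escalate", "reason": "server exclusion"}
        while self._recent and alert.seen - self._recent[0] > self.window:
            self._recent.popleft()         # forget isolations outside the sliding window
        # A burst of isolations looks more like a bad policy push than compromise: stop and escalate.
        if self.tripped or len(self._recent) >= self.max_isolations:
            self.tripped = True
            return {"device": alert.device, "action": "escalate", "reason": "circuit breaker"}
        self._recent.append(alert.seen)
        return {"device": alert.device, "action": "isolate+reset", "user": alert.user, "reason": alert.indicator}

def sample_alerts():
    """Constructed burst: five workstations and one mail server within minutes."""
    t0 = datetime(2026, 2, 13, 2, 0)
    rows = [("ws-1001", "alice", "TamperProtectionDisabled", 0),
            ("srv-mail01", "svc_mail", "SensorStopped", 1),
            ("ws-1002", "bob", "TamperProtectionDisabled", 2),
            ("ws-1003", "carol", "AvDisabled", 3),
            ("ws-1004", "dave", "TamperProtectionDisabled", 4),
            ("ws-1005", "erin", "SensorStopped", 30)]
    return [Alert(d, u, i, t0 + timedelta(minutes=m)) for d, u, i, m in rows]

def run_playbook(alerts):
    playbook = ContainmentPlaybook()
    return [playbook.decide(a) for a in alerts]
```

With the sample burst, the first three workstations are isolated, the mail server is escalated under the exclusion rule, and the fourth workstation trips the breaker so every later alert is escalated for analyst review rather than auto-contained.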
7. Benign but alarming automated notifications and unexpected calendar objects
Solution
Twilio vendor notifications were validated against mail logs and vendor contacts and were confirmed to be legitimate automated token-rotation notices following a vendor security event. Recurring Course Feed/calendar items were investigated and attributed to calendar/delivery-management policy behavior rather than malicious activity; those items were handled through calendar policy/removal permissions and end-user education. Separately, multiple incidents of macOS security popups that named local provisioning scripts (ProtectAdminGroup.sh, UserConfiguration.sh) were recognized as benign provisioning/package artifacts triggered after account changes or IT-driven reinstalls; the OS reported them as “downloaded on an unknown date” and flagged them via Gatekeeper/XProtect. Those macOS incidents were resolved after updated management packages were prepared and deployed by IT; once the device received the updated packages (applied during the next restart), the Gatekeeper/XProtect warnings ceased and the tickets were closed.
8. Unexpected remote-access client activation and suspected endpoint compromise
Solution
IT deployed an updated TeamViewer client to endpoints to address a potential TeamViewer vulnerability. The laptop in question was inspected remotely and scanned with endpoint protection; the scan results indicated the device was clean. Support staff advised the user that simply charging over a cable does not by itself transfer malware unless file sharing or other services have been enabled, and no evidence of infection was found.
9. Video conference disruption by unidentified participant and limited traceability
Solution
The lecturer muted all participants to stop the disruption and reported the incident to IT support. IT staff indicated they had no technical method available to trace the disruptive participant and no further technical tracing actions were taken.
10. Wireless LAN Controller and access point certificate validation and expiry concerns
Solution
The ticket recorded that certificate expiry checks had been temporarily ignored in configuration and that a standard vulnerability assessment (port scan, default password checks, version verification) identified expired AP certificates and potential risks. No recorded remediation steps or final patching actions were documented in the ticket.
11. Ivanti Connect Secure exploitation alert and emergency patching
Solution
Ivanti Connect Secure was upgraded to version 22.7R2.7 to remediate the reported vulnerability. Endpoint protection on affected systems was confirmed to be in use (Microsoft Defender and Trellix).
12. Requests for silent-alarm / panic-button via collaboration tools
Solution
Support discussed using Microsoft Teams as a temporary notice channel but recommended evaluating dedicated panic-button or emergency notification systems for a reliable silent-alarm capability. The ticket recorded the request and recommendations for appropriate emergency notification solutions rather than a Teams-only approach.
13. Facility equipment fault reported as security concern (power outlets / AV mount)
Solution
Course Management temporarily moved lectures to a different room and Real Estate (facility management) dispatched a technician. The technician inspected the room, found the TV mounting bracket to be loose, and confirmed the electrical power outlets were functioning normally.
14. Repeated Microsoft Excel security warning when opening files
Solution
The issue was escalated to Microsoft Support who handled the case; the user confirmed the security warning no longer appeared and Excel opened normally afterward. Microsoft provided suggested troubleshooting actions (collecting screenshots, updating Office, repairing add-ins), but the ticket did not record which specific Microsoft remediation steps were applied.
15. Outdated Windows 10 device flagged and isolated by endpoint protection
Solution
The affected device was identified and then isolated using Microsoft Defender (device isolation/quarantine) to contain risk pending remediation. The ticket recorded the isolation action and closure.