# Responder brief — S1 (identical across both arms)

**Your role:** Incident Commander (blue lead) running the live response to a suspected intrusion on a single
Windows host, **workstation-01**. You own the decisions.

**Your simulated tooling / telemetry (this is everything you have):**
- **EDR endpoint sensor** on workstation-01 — process creation, process-memory access (e.g. LSASS reads), driver
  loads, exploit behavior. Primary endpoint telemetry. (Note: an attacker with the right privileges can stop the
  agent.)
- **Network egress monitor (netmon)** at the perimeter — outbound connection metadata (destination, volume,
  protocol). Independent of the EDR agent.
- **Service-control / Windows service-state log** — host-local, independent of EDR agent liveness; can show a
  service (e.g. the EDR service) transitioning to stopped.
- **SIEM** — retains forwarded alerts (alerts emitted before a sensor dies persist after it dies).
- **Identity / auth logs** for the host's service accounts (e.g. `svc-backup`).

**Response latitude:** full IR authority — you may isolate workstation-01, disable/rotate an account, block an
egress channel, and task investigative queries against any telemetry above.

**Turn cap:** 5.
