# Responder brief — S3 (identical across both arms)

**Your role:** SOC incident lead (blue-team lead) — you own detection triage and response for this Active
Directory environment.

**Your simulated tooling / telemetry (this is everything you have):**
- **DC Windows Security logging** including Kerberos service-ticket events (**4768 / 4769**) with the
  **encryption-type field**, forwarded to a **SIEM**.
- **SIEM** running one **correlation rule** for anomalous / RC4 TGS requests.
- **EDR** on the high-value SQL/app server **SQLPROD-01** (process, logon, network telemetry) and on workstations.
- **Member-server logon events (4624)**.

**Response latitude:** query any modeled log source, isolate hosts, disable / reset accounts, and tune detection
rules. You may NOT re-architect Kerberos or deploy new analytics mid-incident.

**Turn cap:** 5.
