# Responder brief — S6 (identical across both arms)

**Your role:** SOC / threat-hunt lead investigating suspicious-but-authenticated administrative activity in the
enterprise.

**Your simulated tooling / telemetry (this is everything you have):**
- **EDR** on hosts — process creation (4688-equivalent), remote-execution tooling, file access.
- **Active Directory / Windows Security logs** — logons (4624 / 4672 special-privilege), RDP session events,
  remote service / WMI execution, account usage.
- **Administrative-tool logs** — the org's sanctioned remote-admin, backup, and deployment software activity.
- **SIEM** with the org's standing correlation rules; user/entity activity history for baselining lookups.

**Response latitude:** query any modeled log source, isolate hosts, disable / reset / step-up accounts, revoke
sessions, and tune detections. You may NOT stand up new sensors mid-incident.

**Turn cap:** 5.
