Try this first
- 1Categorize each alert: 'Informational' (no action), 'Low' (later), 'Medium/High' (today) or 'Critical' (now). The tool already classifies, use that.
- 2Medium or higher: click into details. Which user, which device, which process? Often you spot familiar work activity or not.
- 3Unknown process that 'did something with PowerShell': isolate the device (in Defender: 'Isolate device'). Do not power off, keep it online for investigation.
- 4Gather context on another device: did the user do something unusual? Install a new tool? Ask in person, not by email from the suspect device.
- 5Do not close alerts without investigation. Better a lingering 'false positive' than something missed.
When to bring us in
Critical alert plus no EDR investigation experience equals call us right away. We can troubleshoot in your console within an hour. Do not draw 'quick conclusions' alone.
See also
- I think I clicked a phishing linkNo shame, happens to everyone. The next fifteen minutes matter.
- A colleague's account is acting strangelySending mail in their name, rules hiding folders, unusual sign-ins. Suspicious.
- Lost the MFA app: new phone, no backup codesClassic problem after a phone upgrade. You are not the first to be locked out.
None of the above fits?
Describe your situation below. We pass your input plus the steps you already saw to our AI and return tailored next-step advice. If it's too risky to DIY, we'll say so.
Or skip the DIY entirely
Our Managed IT clients do not look these things up. One point of contact, a fixed monthly price, resolved within working hours.