Ransomware Kill Chain Investigator Agent
by adaQuest
Automated ransomware triage with user/device/IOC enrichment and guided response.
Ransomware Kill Chain Investigator (RKCI) is a security-focused, read-only ransomware investigation agent that helps organizations analyze Microsoft Defender incidents quickly and with confidence. It correlates evidence across users, devices, and indicators, maps activity to the ransomware kill chain, and produces an evidence-based investigation report with prioritized response actions. Because the agent is read-only, it recommends containment, eradication, and recovery steps but does not execute them; the analyst remains in control of any change to the environment.
The agent is designed for SOC analysts, incident responders, and security operations leaders. It supports both direct execution and guided chat for follow-up analysis.
Inputs (what data the agent consumes)
The agent consumes Microsoft security signals such as Microsoft Defender incident data, Microsoft Entra user and sign-in context, Threat Intelligence data for hashes, IPs, and domains, optional Microsoft Intune device posture, and targeted KQL-based hunting results for ransomware behaviors.
If some signals are unavailable due to permissions, tenant configuration, unsupported dependencies, or retention limits, the agent runs in best-effort mode and reports data gaps and confidence impact instead of failing.
Tasks (what the agent performs)
The agent:
- investigates ransomware-related incidents
- correlates evidence into a kill chain view
- enriches users, devices, and indicators
- validates hashes, domains, and IPs
- runs evidence-led hunts
- generates prioritized containment, eradication, and recovery guidance
- supports guided analyst interaction through chat
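An illustration of the kind of targeted, evidence-led KQL hunt the Inputs and Tasks sections refer to. This query is an added example for this listing, not a query shipped with the agent: it searches the Microsoft Defender advanced hunting table DeviceProcessEvents for recovery-inhibition commands that commonly precede encryption (shadow copy deletion, boot recovery disabled, backup catalog removal). The seven-day lookback and the grouping are assumptions; in an incident-driven hunt you would scope it to the devices and accounts already tied to the incident rather than run it tenant-wide.

```kql
// Added example hunt (not the agent's own query): commands that inhibit
// system recovery and typically appear shortly before ransomware encryption.
// Table and column names follow the standard Defender advanced hunting schema;
// the 7-day window is an assumption and should be narrowed to the incident.
let lookback = 7d;
DeviceProcessEvents
| where Timestamp > ago(lookback)
| where FileName in~ ("vssadmin.exe", "wmic.exe", "bcdedit.exe", "wbadmin.exe")
| where ProcessCommandLine has_all ("delete", "shadows")          // vssadmin delete shadows
    or ProcessCommandLine has_all ("shadowcopy", "delete")        // wmic shadowcopy delete
    or ProcessCommandLine has_all ("recoveryenabled", "no")       // bcdedit /set recoveryenabled no
    or ProcessCommandLine has_all ("bootstatuspolicy", "ignoreallfailures")
    or ProcessCommandLine has_all ("delete", "catalog")           // wbadmin delete catalog
| summarize FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp),
            Commands = make_set(ProcessCommandLine, 10),
            Parents = make_set(InitiatingProcessFileName, 10)
    by DeviceId, DeviceName, AccountName
| order by FirstSeen asc
```

The summarized view (first and last occurrence per device and account, plus the parent processes) is what feeds a kill chain timeline: a shadow copy deletion launched from an unusual parent such as a script host or an Office process carries far more weight than the same command run from an administrator's interactive shell. Legitimate backup and imaging tooling also issues these commands, so the hit is evidence to correlate with the incident's entities, not a verdict on its own.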
Outputs (what results the agent generates)
A consolidated ransomware investigation report including:
- executive summary
- kill chain correlation
- affected assets
- indicator findings
- prioritized response actions
- timeline highlights
- telemetry gap notes
Estimated SCU consumption
Estimated consumption of Security Compute Units (SCUs) varies with incident complexity, entity volume, available telemetry, and required enrichment.
Expected consumption per run:
- Low-evidence or no-confirmation cases: around 0.2 to 0.5 SCUs
- Standard single-incident investigation: around 1 to 1.6 SCUs
- Deeper investigations with broader enrichment and hunts: around 1.2 to 1.8 SCUs
Rule of thumb:
- ~0.3 SCUs when no meaningful ransomware path is confirmed
- ~1.6 SCUs for a deeper end-to-end ransomware investigation
At a glance
Other apps from adaQuest
- Admin Guard Insight Agent (adaQuest): Monitor and protect admin activities with Admin Guard Insight Agent's powerful analytics.
- Data Leak Agent (adaQuest): Investigates Sentinel incidents for data leaks and delivers a clear verdict with evidence and action.
- L1 SOC Triage Agent (adaQuest): Enhance SOC workflows with L1, designed for rapid triage and threat prioritization.
- Entity Guard Investigator Agent (adaQuest): Investigates Defender incidents and delivers clear risk verdicts with actionable insights.
- Login Investigator Agent (adaQuest): Investigates user sign-ins to detect risk, anomalies, CA outcomes, and related incidents.