In order to provide more visibility of SOC actions being taken to contain a threat, preliminary Incident Reports are now being sent by the SOC when a host or identity is manually isolated.
The preliminary Incident Report informs partners and customers that the SOC is investigating an incident and took action to contain a threat, that the investigation is ongoing, and to expect a follow-up Incident Report. We are making this change so we can quickly contain a threat and provide context to partners and customers while minimizing the risk of an attack spreading as the SOC are actively investigating.