For us specifically they blocked the server from downloading more assumedly dangerous tools. Blocked more privilege escalation and blocked crypto mining software from running.

Our teams were also able to do a “network isolation” and essentially bring the server offline quickly, without touching more pieces and possibly exposing our credentials or tokens.

We also had the paid Overwatch protection which is Crowdstrikes 24/7 security monitoring solution which resulted in an actual person emailing half our team at 1am letting us know this was happening and their recommended remediation steps.