A SOC analyst received an alert about a potential compromise and is reviewing the following SIEM logs:
Which of the following is the most appropriate action for the SOC analyst to recommend?
The SIEM logs indicate suspicious behavior that could be a sign of a compromise, such as the launching of cmd.exe after Outlook.exe, which is atypical user behavior and could indicate that a machine has been compromised to perform lateral movement within the network. Isolating laptop314 from the network would contain the threat and prevent any potential spread to other systems while further investigation takes place.
Bok
8 days agoXochitl
8 days agoArmando
9 days agoSanjuana
10 days agoVallie
10 days agoKanisha
11 days agoIzetta
11 days agoMelita
12 days agoGrover
14 days agoRaina
16 days ago