A SOC analyst received an alert about a potential compromise and is reviewing the following SIEM logs:
Which of the following is the most appropriate action for the SOC analyst to recommend?
The SIEM logs indicate suspicious behavior that could be a sign of a compromise, such as the launching of cmd.exe after Outlook.exe, which is atypical user behavior and could indicate that a machine has been compromised to perform lateral movement within the network. Isolating laptop314 from the network would contain the threat and prevent any potential spread to other systems while further investigation takes place.
Bok
7 days agoXochitl
7 days agoArmando
8 days agoSanjuana
9 days agoVallie
9 days agoKanisha
10 days agoIzetta
10 days agoMelita
11 days agoGrover
13 days agoRaina
15 days ago