This section describes the best practices for investigating alerts.
Check these items:
- Priority score
- Parent path and name
- TTPs involved
- File reputation
- Network connections
- Event details
- Command lines (if there were any)
Ask these questions:
- Was another program or function successfully called?
- Are the file paths suspicious?
- Is the process running in the “normal” path?
- What attack stage was it in?
- Was the registry modified?
- Were the file reputations worrisome?
Take other steps as needed:
- Google any applications or files that you don’t recognize
- Ask a teammate to review for anything that you missed
- Review any referenced MITRE techniques or watchlist hits
- Use “custom time” to review events from the 15 minutes before the alert for more insight
- Review observed activity for more context
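The checklist above, turned into a small triage helper as an added example (not code from the original page or from any EDR product). The alert field names, the "normal" directory for svchost.exe and the suspicious-directory and reputation lists are all assumptions chosen for the illustration.

```python
from typing import Dict, List

# Assumed expected directories for a common Windows binary (not from the page).
NORMAL_DIRS = {"svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"}}
# User-writable locations that legitimate system binaries rarely run from.
SUSPICIOUS_DIR_PARTS = ("\\temp\\", "\\downloads\\", "\\public\\")
WORRISOME_REPUTATIONS = {"known_malware", "suspect_malware", "not_listed"}


def dir_of(path: str) -> str:
    # Lower-cased directory part of a Windows path.
    return path.lower().rsplit("\\", 1)[0]


def is_suspicious_dir(path: str) -> bool:
    return any(part in dir_of(path) + "\\" for part in SUSPICIOUS_DIR_PARTS)


def triage(alert: Dict) -> List[str]:
    """Apply the checklist to one alert; each string is an item needing a closer look."""
    findings: List[str] = []
    name, path = alert["process_name"].lower(), alert["process_path"]
    if alert["priority_score"] >= 7:
        findings.append(f"priority score is high ({alert['priority_score']})")
    if name in NORMAL_DIRS and dir_of(path) not in NORMAL_DIRS[name]:
        findings.append(f"{name} is not running from its normal path: {dir_of(path)}")
    for label, p in (("process", path), ("parent", alert["parent_path"])):
        if is_suspicious_dir(p):
            findings.append(f"{label} path is suspicious: {p}")
    if alert["reputation"].lower() in WORRISOME_REPUTATIONS:
        findings.append(f"file reputation is worrisome: {alert['reputation']}")
    if alert["ttps"]:
        findings.append("TTPs involved: " + ", ".join(alert["ttps"]))
    if alert["child_processes"]:
        findings.append("other programs were called: " + ", ".join(alert["child_processes"]))
    if alert["network_connections"]:
        findings.append(f"{len(alert['network_connections'])} network connection(s) observed")
    if alert["registry_modified"]:
        findings.append("registry was modified")
    if alert["command_line"]:
        findings.append("command line: " + alert["command_line"])
    return findings


# Constructed sample alert (field names are assumptions, not a real product schema).
SAMPLE_ALERT = {
    "priority_score": 8, "process_name": "svchost.exe",
    "process_path": r"C:\Users\Public\svchost.exe",
    "parent_name": "WINWORD.EXE", "parent_path": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
    "reputation": "NOT_LISTED", "ttps": ["unknown_app_executed", "network_access"],
    "child_processes": ["cmd.exe"], "network_connections": [{"dest": "203.0.113.10", "port": 443}],
    "registry_modified": True, "command_line": "svchost.exe -k netsvcs",
}
```

Calling `triage(SAMPLE_ALERT)` returns nine findings for the constructed alert; an alert with a low score, a system binary in its normal directory and a trusted reputation returns an empty list.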