This section describes best practices for investigating alerts: what to check, what to ask, and which additional steps to take when the first pass is inconclusive.

Check these items:

  • Priority score
  • Parent path and name
  • TTPs involved
  • File reputation
  • Network connections
  • Event details
  • Command lines (if there were any)

Ask these questions:

  • Did the process successfully launch another program or invoke another function (for example, a child process or a script interpreter)?
  • Are the file paths suspicious (for example, user-writable or temporary directories)?
  • Is the process running from the “normal” path expected for that binary?
  • What attack stage did the activity correspond to?
  • Was the registry modified?
  • Were any of the file reputations worrisome?

Take other steps as needed:

  • Google any application or file that you don’t recognize
  • Ask a teammate to review for anything that you missed
  • Review any referenced MITRE ATT&CK techniques or watchlist hits
  • Use “custom time” to review events from the 15 minutes prior to the alert for more insight
  • Review the observed activity for more context
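As an added example (not code from the original page or from any product's API), the script below applies the checklist above to a single alert record: it checks whether the process runs from its normal path, whether any path is in a user-writable directory, whether the parent/child pairing is unusual, what the command line contains, whether the file reputation is worrisome, whether the registry was modified, and it computes the 15-minute “custom time” window to review before the alert. The alert record, its field names, the expected-path table and the reputation labels are all constructed assumptions for illustration.

```python
"""Checklist-driven triage of one endpoint alert (added example).

The alert record, field names, expected-path table and reputation labels
below are constructed for illustration and are not any product's schema.
"""
from datetime import datetime, timedelta
import re

# Assumed: where each well-known binary is expected to live. Paths are
# normalised to lower-case with forward slashes before comparison.
EXPECTED_DIRS = {
    "powershell.exe": ["c:/windows/system32/windowspowershell/v1.0/",
                       "c:/windows/syswow64/windowspowershell/v1.0/"],
    "cmd.exe": ["c:/windows/system32/", "c:/windows/syswow64/"],
    "svchost.exe": ["c:/windows/system32/", "c:/windows/syswow64/"],
    "rundll32.exe": ["c:/windows/system32/", "c:/windows/syswow64/"],
}

# Assumed: directory fragments an unprivileged user (or malware) can write to.
SUSPICIOUS_DIR_FRAGMENTS = ("/temp/", "/tmp/", "/appdata/", "/downloads/",
                            "/programdata/", "/users/public/")

# Assumed: parent -> child pairs that are rarely legitimate on a workstation.
UNUSUAL_PARENTS = {
    "winword.exe": {"cmd.exe", "powershell.exe", "wscript.exe", "mshta.exe"},
    "excel.exe": {"cmd.exe", "powershell.exe", "wscript.exe", "mshta.exe"},
    "outlook.exe": {"cmd.exe", "powershell.exe", "wscript.exe", "mshta.exe"},
}

# Command-line features worth a second look (regex label -> pattern).
CMDLINE_INDICATORS = [
    ("encoded command", re.compile(r"-e(?:nc(?:odedcommand)?)?\s", re.I)),
    ("hidden window", re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)),
    ("download cradle", re.compile(
        r"downloadstring|invoke-webrequest|\biwr\b|certutil.*urlcache", re.I)),
    ("bypass execution policy", re.compile(
        r"-ep\s+bypass|-executionpolicy\s+bypass", re.I)),
]

# Assumed reputation labels; anything listed here counts as "worrisome".
WORRISOME_REPUTATIONS = {"KNOWN_MALWARE", "SUSPECT_MALWARE", "PUP", "NOT_LISTED"}


def norm(path):
    """Lower-case, forward-slash form so Windows paths compare reliably."""
    return path.replace("\\", "/").lower()


def basename(path):
    return norm(path).rsplit("/", 1)[-1]


def runs_from_expected_path(process_path):
    """True/False for a known binary; None when the checklist cannot decide."""
    p = norm(process_path)
    expected = EXPECTED_DIRS.get(basename(p))
    if expected is None:
        return None
    return any(p == d + basename(p) for d in expected)


def path_is_suspicious(path):
    return any(frag in norm(path) for frag in SUSPICIOUS_DIR_FRAGMENTS)


def parent_child_is_unusual(parent_path, child_path):
    return basename(child_path) in UNUSUAL_PARENTS.get(basename(parent_path), set())


def commandline_indicators(cmdline):
    return [label for label, rx in CMDLINE_INDICATORS if rx.search(cmdline or "")]


def lookback_window(alert_time_iso, minutes=15):
    """Start/end of the 'custom time' window to review before the alert."""
    end = datetime.fromisoformat(alert_time_iso.replace("Z", "+00:00"))
    return end - timedelta(minutes=minutes), end


def triage(alert):
    """Walk the checklist and return the findings plus the review window."""
    proc, parent = alert["process_path"], alert["parent_path"]
    findings = []
    if runs_from_expected_path(proc) is False:
        findings.append("process not in its normal path")
    if path_is_suspicious(proc):
        findings.append("process runs from a user-writable directory")
    if path_is_suspicious(parent):
        findings.append("parent runs from a user-writable directory")
    if parent_child_is_unusual(parent, proc):
        findings.append(f"unusual parent: {basename(parent)} -> {basename(proc)}")
    for label in commandline_indicators(alert.get("command_line")):
        findings.append(f"command line: {label}")
    if alert.get("file_reputation") in WORRISOME_REPUTATIONS:
        findings.append(f"file reputation {alert['file_reputation']} is worrisome")
    if alert.get("registry_modified"):
        findings.append("registry was modified")
    if alert.get("network_connections"):
        findings.append(f"{len(alert['network_connections'])} network connection(s) observed")
    start, end = lookback_window(alert["alert_time"])
    return {"priority_score": alert.get("priority_score"), "ttps": alert.get("ttps", []),
            "findings": findings, "review_window": (start, end)}


# Constructed sample alert: Word spawning a renamed-path PowerShell with an
# encoded, hidden command line.
SAMPLE_ALERT = {
    "priority_score": 7,
    "alert_time": "2024-03-05T14:32:10Z",
    "parent_path": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
    "process_path": r"C:\Users\jdoe\AppData\Local\Temp\powershell.exe",
    "command_line": "powershell.exe -w hidden -enc JABjAGwAaQBlAG4AdAA=",
    "file_reputation": "NOT_LISTED",
    "ttps": ["RUN_ANOTHER_APP", "NETWORK_ACCESS"],
    "registry_modified": True,
    "network_connections": ["203.0.113.10:443"],
}

if __name__ == "__main__":
    result = triage(SAMPLE_ALERT)
    print(f"priority {result['priority_score']}, TTPs {result['ttps']}")
    for f in result["findings"]:
        print(" -", f)
    print("review window:", *result["review_window"])
```

Each finding maps to one checklist item, so an analyst can see at a glance which questions the alert answers on its own and which still need the 15-minute lookback or a teammate's second look. The tables are deliberately small; in practice they would be extended from the environment's own software inventory.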