Ask HN: Cyber defenders, what do you do after an alert?

1 points by DLA ↗ HN
So you’re an infosec /cyber defender and you get an alert via an IDS or on your SIEM system, what are some of the things you’d do next or want to know?

For example, I get an alert and see an unfamiliar IP address or URL in the log/event. What should I do next? What should I look for? Where?

Thanks in advance for your insights.

3 comments

[ 2.9 ms ] story [ 15.8 ms ] thread
You should have an incident playbook in front of you.
I concur. I used to work in cyber fiveish years ago.
Anyone else have insights to share? What would you do to learn more about an IP addr, URL, etc.? Thank you.