ALERT & REPSONSE

1. Create a ticket totrack the event 2. Update the ticket with any enrichment data available. Identify Friend or Foe Add network informationabout the source Internal? Or External? Check blacklist information (AbuseIPDB, Zeus Tracker…) and add to ticket Identify the user logged into the system at time of event (if internal) 3. Classify the ticket Internal / External Recon, Exploit, Data Exfil,Malware, Unknown