HACKER Q&A
📣 DLA

Cyber defenders, what do you do after an alert?


So you’re an infosec/cyber defender and you get an alert via an IDS or on your SIEM system. What are some of the things you’d do next or want to know?

For example, I get an alert and see an unfamiliar IP address or URL in the log/event. What should I do next? What should I look for? Where?

Thanks in advance for your insights.


  👤 Accepted Answer ✓
You should have an incident playbook in front of you.

👤 DLA
Anyone else have insights to share? What would you do to learn more about an IP address, URL, etc.? Thank you.
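As an added illustration of what the first page of such a playbook tends to script (this is the editor's example, not code from anyone in the thread), the block below takes an alert line, pulls out the flow and any URL, decides which side is internal, checks the indicators against a small local allowlist and blocklist, and emits a priority plus the pivots to run next. The alert format, signature IDs, addresses, allowlist and blocklist are all constructed; the networks in INTERNAL_NETS stand in for whatever your asset inventory says.

```python
"""Added example: first-pass triage of an IDS/SIEM alert line.

All sample data and the local context below are constructed for this
illustration; they are not taken from any real deployment.
"""
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample alerts in a fast.log-like shape (hypothetical signature IDs).
SAMPLE_ALERTS = [
    "01/15-10:22:31.001 [**] [1:2000001:1] POLICY Outbound HTTP to rare host [**] "
    "{TCP} 10.20.30.40:51234 -> 203.0.113.7:80 http://203.0.113.7/update.php",
    "01/15-10:22:35.118 [**] [1:2000002:1] TLS to vendor CDN [**] "
    "{TCP} 10.20.30.41:49822 -> 198.51.100.23:443 https://cdn-updates.example.net/pkg",
    "01/15-10:23:02.550 [**] [1:2000003:1] SSH connection inside LAN [**] "
    "{TCP} 10.20.30.42:5555 -> 10.20.30.1:22",
]

# Assumed local context the playbook points you at (constructed, hypothetical values).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
KNOWN_GOOD_HOSTS = {"cdn-updates.example.net"}           # vendor host vetted earlier
LOCAL_BLOCKLIST = {ipaddress.ip_address("203.0.113.7")}  # IOC kept from a prior incident

SIG_RE = re.compile(r"\[\*\*\] \[(\d+:\d+:\d+)\] (.+?) \[\*\*\]")
FLOW_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}):(\d+) -> (\d{1,3}(?:\.\d{1,3}){3}):(\d+)")
URL_RE = re.compile(r"https?://\S+")


def classify_ip(ip):
    """Return 'local-host', 'internal' or 'external' using explicit ranges.

    ipaddress.is_private / is_global are deliberately not used: the
    documentation ranges in the samples (203.0.113.0/24, 198.51.100.0/24)
    are registered as non-global and would be misclassified as internal.
    """
    addr = ipaddress.ip_address(ip)
    if addr.is_loopback or addr.is_link_local:
        return "local-host"
    if any(addr in net for net in INTERNAL_NETS):
        return "internal"
    return "external"


def triage(alert_line):
    """Parse one alert line and return a triage record with findings and next pivots."""
    sig = SIG_RE.search(alert_line)
    flow = FLOW_RE.search(alert_line)
    if not sig or not flow:
        raise ValueError("alert line is not in the expected shape")
    src, dst, dport = flow.group(1), flow.group(3), int(flow.group(4))
    direction = f"{classify_ip(src)}->{classify_ip(dst)}"
    findings, steps = [], []

    # Cheapest check first: do we already know this address is bad?
    for role, ip in (("src", src), ("dst", dst)):
        if ipaddress.ip_address(ip) in LOCAL_BLOCKLIST:
            findings.append(f"{role} {ip} is on the local blocklist")

    # If the event carries a URL, look at the host part, not the whole string.
    url_match = URL_RE.search(alert_line)
    host = urlparse(url_match.group(0)).hostname if url_match else None
    if host:
        if host in KNOWN_GOOD_HOSTS:
            findings.append(f"host {host} is on the vetted allowlist")
        else:
            try:
                ipaddress.ip_address(host)
                findings.append("URL addresses the server by bare IP, not a hostname")
            except ValueError:
                steps.append(f"resolve {host}: passive DNS, proxy logs, first-seen date, registrar")

    # Direction decides which logs to pivot into next.
    if direction == "internal->external":
        steps.append(f"pivot on {src}: every event from it in the last 24h (DNS, proxy, EDR)")
        steps.append(f"count other internal hosts that talked to {dst}:{dport}")
    elif direction == "internal->internal":
        steps.append(f"lateral-movement check: auth/session logs on {dst} around the alert time")
        steps.append(f"confirm who owns {src} and whether port {dport} is expected from it")

    if any("blocklist" in f for f in findings):
        priority = "high"
    elif host in KNOWN_GOOD_HOSTS and len(findings) == 1:
        priority = "low"
    else:
        priority = "medium"

    return {"sid": sig.group(1), "msg": sig.group(2), "src": src, "dst": dst, "dport": dport,
            "direction": direction, "host": host, "findings": findings,
            "priority": priority, "next_steps": steps}


def run_samples():
    """Triage every constructed sample alert and return the records."""
    return [triage(line) for line in SAMPLE_ALERTS]


if __name__ == "__main__":
    for rec in run_samples():
        print(f"[{rec['priority']}] {rec['sid']} {rec['msg']} ({rec['direction']})")
        for f in rec["findings"]:
            print("   finding:", f)
        for s in rec["next_steps"]:
            print("   next:   ", s)
```

The point of the script is not the scoring, which is deliberately crude, but the order of operations: extract indicators, establish direction against your own asset list, check local knowledge before reaching for external reputation services, and write down the pivots so the next analyst repeats the same steps. External enrichment (WHOIS, passive DNS, reputation feeds) is left as named steps rather than API calls so the example runs offline.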