When creating an SOP and documenting alert handling, consider the following:
- process.name
- process.parent.name
- event.action
- machine where the alert was detected
- user associated with the machine
- user activity within +/- 2 days of the alert's generation

After gathering this information, defenders should engage with the user and examine the user's machine to analyze system logs, antivirus logs, and proxy logs from the SIEM for full visibility.
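As an added example (not code from the original page), the following Python helper assembles the SOP fields listed above for one alert and pulls the user's activity within the +/- 2 day window from a set of events. The ECS-style names host.name and user.name are assumed for the "machine" and "user" fields, and the alert and event documents are constructed sample data.

```python
from datetime import datetime, timedelta

# Alert fields the SOP asks defenders to capture (ECS-style dotted names).
# host.name and user.name are assumed stand-ins for "machine" and "user".
SOP_FIELDS = ("process.name", "process.parent.name", "event.action",
              "host.name", "user.name")

def get_path(doc, dotted):
    """Resolve a dotted field name against a nested ECS-style document."""
    cur = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def parse_ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def build_triage_record(alert, events, window_days=2):
    """Collect SOP context for one alert: the named fields plus every event
    by the same user inside +/- window_days of the alert timestamp (inclusive)."""
    t0 = parse_ts(alert["@timestamp"])
    lo, hi = t0 - timedelta(days=window_days), t0 + timedelta(days=window_days)
    user = get_path(alert, "user.name")
    activity = sorted(
        (e for e in events
         if get_path(e, "user.name") == user
         and lo <= parse_ts(e["@timestamp"]) <= hi),
        key=lambda e: e["@timestamp"])
    record = {f: get_path(alert, f) for f in SOP_FIELDS}
    record["window"] = (lo.isoformat(), hi.isoformat())
    record["user_activity"] = activity
    return record

# Constructed sample data (not from any real incident).
ALERT = {"@timestamp": "2024-05-10T12:00:00Z",
         "event": {"action": "process_started"},
         "process": {"name": "powershell.exe", "parent": {"name": "winword.exe"}},
         "host": {"name": "ws-042"}, "user": {"name": "alice"}}
EVENTS = [
    {"@timestamp": "2024-05-08T12:00:00Z", "user": {"name": "alice"}, "event": {"action": "logon"}},  # window edge, kept
    {"@timestamp": "2024-05-08T11:59:00Z", "user": {"name": "alice"}, "event": {"action": "logon"}},  # outside window
    {"@timestamp": "2024-05-11T09:30:00Z", "user": {"name": "bob"}, "event": {"action": "logon"}},    # other user
    {"@timestamp": "2024-05-10T12:01:00Z", "user": {"name": "alice"}, "event": {"action": "network_flow"}},
]

if __name__ == "__main__":
    import json
    print(json.dumps(build_triage_record(ALERT, EVENTS), indent=2, default=str))
```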