Some sample questions a security team may ask when triaging events that come from a SIEM/Log Management or directly via a H(N)IDS.
Generally, the exact information an analyst may need to triage the alert may vary depending on the type of event and its source.
Alert triage usually happens in the 'event handling' process -> before a 'security incident' is declared and more detailed investigation is needed. However, in smaller SOCs with less rigour, the process is often compressed - e.g., the same person who is triaging -> performs the more detailed investigation, forensics, and other processes that are needed to proceed with incident response. Answering some of the questions below may fall into these later phases rather than being pure 'triage' tasks.
- What hostname(s) correspond to the IP addresses (reverse IP lookup)? (e.g., 123.44.5.55 == google.com, or badmailserver.ru?) Do the hostnames appear to be suspicious, or valid business activity?
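One way to script the reverse-lookup step of that question, as an added example that is not part of the original page: resolve each alert IP to a hostname (PTR), then forward-confirm the hostname (A record) so that a stale or attacker-controlled PTR cannot vouch for itself, and compare the result against a list of domains the business expects to see. The IPs, hostnames, DNS answers and the `EXPECTED_DOMAINS` list below are constructed sample data, and the `triage_ips`, `reverse_lookup` and `live_*` helper names are this example's own; the resolver functions are injected so the example runs offline, with `socket`-backed versions provided for live use.

```python
"""Reverse-lookup and forward-confirmation helper for alert triage.

Added example, not code from the original page. Resolver functions are
passed in so the example runs offline against constructed answers; the
live_* helpers at the bottom use the standard socket module instead.
"""
import socket
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterable, List, Optional

# Constructed sample data: source IPs taken from an alert, plus the PTR and
# A answers a resolver would return for them. None of these are real hosts.
SAMPLE_PTR: Dict[str, Optional[str]] = {
    "203.0.113.10": "mail.example-corp.com",       # legitimate mail relay
    "203.0.113.77": "badmailserver.example",        # PTR that does not forward-confirm
    "198.51.100.5": None,                           # no PTR record at all
}
SAMPLE_A: Dict[str, List[str]] = {
    "mail.example-corp.com": ["203.0.113.10"],
    "badmailserver.example": ["198.51.100.99"],     # forward answer is a different IP
}
# Constructed allowlist of domains the business expects traffic from/to.
EXPECTED_DOMAINS = {"example-corp.com"}


@dataclass
class LookupResult:
    ip: str
    hostname: Optional[str]
    forward_confirmed: bool
    expected_business: bool
    notes: List[str] = field(default_factory=list)


def reverse_lookup(ip: str,
                   ptr_fn: Callable[[str], Optional[str]],
                   a_fn: Callable[[str], List[str]],
                   expected_domains: Iterable[str] = EXPECTED_DOMAINS) -> LookupResult:
    """Resolve ip -> hostname, then check hostname -> ip (forward-confirmed
    reverse DNS) and whether the hostname sits under an expected domain."""
    notes: List[str] = []
    try:
        hostname = ptr_fn(ip)
    except OSError:          # socket.herror/gaierror are OSError subclasses
        hostname = None
    if not hostname:
        notes.append("no PTR record; cannot attribute the IP to a hostname")
        return LookupResult(ip, None, False, False, notes)

    hostname = hostname.rstrip(".").lower()
    try:
        forward_ips = a_fn(hostname)
    except OSError:
        forward_ips = []
    confirmed = ip in forward_ips
    if not confirmed:
        notes.append("PTR is not forward-confirmed; treat the hostname as unverified")

    # Match the hostname itself or any parent label against the allowlist.
    expected = any(hostname == d or hostname.endswith("." + d)
                   for d in expected_domains)
    if not expected:
        notes.append("hostname is outside the expected business domains; needs analyst review")
    return LookupResult(ip, hostname, confirmed, expected, notes)


def triage_ips(ips: Iterable[str],
               ptr_fn: Callable[[str], Optional[str]],
               a_fn: Callable[[str], List[str]]) -> List[LookupResult]:
    """Run reverse_lookup over every IP from an alert and return the results."""
    return [reverse_lookup(ip, ptr_fn, a_fn) for ip in ips]


# Offline resolvers backed by the constructed tables above.
def table_ptr(ip: str) -> Optional[str]:
    return SAMPLE_PTR.get(ip)


def table_a(hostname: str) -> List[str]:
    return SAMPLE_A.get(hostname, [])


# Live resolvers using the standard library (real DNS; not used by the test).
def live_ptr(ip: str) -> Optional[str]:
    return socket.gethostbyaddr(ip)[0]


def live_a(hostname: str) -> List[str]:
    return socket.gethostbyname_ex(hostname)[2]


if __name__ == "__main__":
    for r in triage_ips(SAMPLE_PTR.keys(), table_ptr, table_a):
        status = "ok" if r.forward_confirmed and r.expected_business else "REVIEW"
        print(f"{r.ip:15} {r.hostname or '-':30} {status}  {'; '.join(r.notes)}")
```

Running the block with the sample data prints the legitimate relay as `ok` and flags the other two for review; swapping `table_ptr`/`table_a` for `live_ptr`/`live_a` runs the same logic against real DNS.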