
4.2. Initial Contact

Upon investigation of a suspicious machine, contact the team lead ($TEAMLEAD) or the secondary contact ($SECONDARY). Before escalation, answer the following questions. Ensure that To be filled out knows that the answers to these questions are tentative and may change as the investigation continues.
Required Config Lines
Who is currently aware of this issue?
Which hosts are known to be affected (hostname)?
Which users have access to this host (by usernames or groups)?
Is sensitive data stored on this host? If yes, is it encrypted?
What is the nature of the data on this host?
What is the earliest point we suspect the host was compromised?
Does this initially appear to be a targeted attack or a random/script-kiddie attack?