A SOC analyst receives a SIEM alert for 'impossible travel' โ a user authenticated from New York and then from Tokyo 30 minutes later. Which additional data source should the analyst check FIRST to determine if the account is compromised?
-
A
Antivirus scan results on the endpoint
-
B
VPN and proxy connection logs to check for geographic IP spoofing
-
C
Physical access badge logs
-
D
Email server delivery logs