Course Capstone Analyze SIEM Alerts: Alert #$4$: Account status change $$ User was added to a different group, removed from a group, or added to the security group by user IT$\_$User$\_$Admin Question: Should this issue be escalated? Answer: $$ If you answered Yes: $1.$ Briefly describe the potential impact of the issue, including its potential impact to C$.$I.A$.$ a$.2.$ Describe any recommended immediate action to address the event. a$.3.$ Provide your recommendation for a security control to mitigate risk moving forward. a$.$ If you answered No: $1.$ Provide your reason for dismissing the alert. a$.$ Alert #$5$: Device login $$ A user account logged into a desktop computer Question: Should this issue be escalated? Answer: $$ If you answered Yes: $1.$ Briefly describe the potential impact of the issue, including its potential impact to C$.$I.A$.$ a$.2.$ Describe any recommended immediate action to address the event. a$.3.$ Provide your recommendation for a security control to mitigate risk moving forward. a$.$ If you answered No: $1.$ Provide your reason for dismissing the alert. a$.$ Alert #$6$: Service change $$ Anti$-$malware service stopped on a host Question: Should this issue be escalated? Answer: $$ If you answered Yes: $1.$ Briefly describe the potential impact of the issue, including its potential impact to C$.$I.A$.$ a$.2.$ Describe any recommended immediate action to address the event. a$.3.$ Provide your recommendation for a security control to mitigate risk moving forward. a$.$ If you answered No: $1.$ Provide your reason for dismissing the alert. a$.$ Alert #$7$: Logon$/$Logoff pattern $$ User login outside of normal pattern Question: Should this issue be escalated? Answer: $$ If you answered Yes: $1.$ Briefly describe the potential impact of the issue, including its potential impact to C$.$I.A$.$ a$.2.$ Describe any recommended immediate action to address the event. a$.3.$ Provide your recommendation for a security control to mitigate risk moving forward. a$.$ If you answered No: $1.$ Provide your reason for dismissing the alert. a$.$ Alert #$8$: File integrity $$ Evidence log files were deleted or tampered with Question: Should this issue be escalated? Answer: $$ If you answered Yes: $1.$ Briefly describe the potential impact of the issue, including its potential impact to C$.$I.A$.$ a$.2.$ Describe any recommended immediate action to address the event. a$.3.$ Provide your recommendation for a security control to mitigate risk moving forward. a$.$ If you answered No: $1.$ Provide your reason for dismissing the alert. a$.$ Alert #$9$: Geographic login disparity $$ A user attempted to log in from places that are geographically separated by a long distance in a short amount of time. Question: Should this issue be escalated? Answer: $$ If you answered Yes: $1.$ Briefly describe the potential impact of the issue, including its potential impact to C$.$I.A$.$ a$.2.$ Describe any recommended immediate action to address the event. a$.3.$ Provide your recommendation for a security control to mitigate risk moving forward. a$.$ If you answered No: $1.$ Provide your reason for dismissing the alert. a$.$ Alert #$10$: Log$-$on$/$log$-$off pattern $$ Excessive login attempts for a user Question: Should this issue be escalated? Answer: $$ If you answered Yes: $1.$ Briefly describe the potential impact of the issue, including its potential impact to C$.$I.A$.$ a$.2.$ Describe any recommended immediate action to address the event. a$.3.$ Provide your recommendation for a security control to mitigate risk moving forward. a$.$ If you answered No: $1.$ Provide your reason for dismissing the alert

a$.$