Recommendations/Investigative actions
Identify the affected endpoint: take the source IP address and the device type from the alert, then check the OS version and whether it has vulnerable characteristics. Find the site name, the subnet and the business process it indicates. Once you have all of the information needed, contact the POC site manager, verify whether it is a legitimate device and, if it is, close the event.
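The triage steps above carried out in code, as an added Python example that is not part of the original playbook: the alert is enriched with site, subnet, business process and POC by longest-prefix match against an asset map, the OS is checked against an unsupported-release list, and an unmapped subnet is escalated instead of closed. The site map, POC addresses, unsupported-OS list and sample alert are all constructed for illustration.

```python
import ipaddress
from typing import Optional

# Constructed sample data (hypothetical, not from any real environment).
SITES = {
    # subnet: (site name, business process, POC site manager)
    "10.20.0.0/16": ("Plant A", "Manufacturing line control", "plant-a.manager@example.invalid"),
    "10.30.0.0/16": ("Head Office", "Corporate IT", "hq.manager@example.invalid"),
}
# OS releases treated as vulnerable because they no longer receive vendor patches
# (constructed list for the example; maintain it from your own asset policy).
UNSUPPORTED_OS = {"Windows 7", "Windows XP", "Windows Server 2008"}

def locate_site(src_ip: str) -> Optional[dict]:
    """Map the alert's source IP to site, subnet and business process (longest-prefix match)."""
    addr = ipaddress.ip_address(src_ip)
    best = None
    for cidr, (site, process, poc) in SITES.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best["prefixlen"]):
            best = {"site": site, "subnet": cidr, "business_process": process,
                    "poc": poc, "prefixlen": net.prefixlen}
    if best:
        best.pop("prefixlen")
    return best

def enrich_alert(alert: dict) -> dict:
    """Collect the facts the playbook asks for before the POC is contacted."""
    info = {"src_ip": alert["src_ip"], "device_type": alert["device_type"],
            "os": alert["os"], "os_unsupported": alert["os"] in UNSUPPORTED_OS}
    site = locate_site(alert["src_ip"])
    info.update(site or {"site": None, "subnet": None, "business_process": None, "poc": None})
    return info

def next_action(info: dict) -> str:
    """Decide who to contact; an unmapped subnet means the inventory is wrong or the host is unknown."""
    if info["poc"] is None:
        return "no site matches {src_ip}; escalate, do not close".format(**info)
    flag = " (unsupported OS, flag for remediation)" if info["os_unsupported"] else ""
    return ("ask {poc} at {site} to confirm {device_type} {src_ip} running {os}{flag} "
            "belongs to '{business_process}'; close the event only on confirmation"
            ).format(flag=flag, **info)

if __name__ == "__main__":
    alert = {"src_ip": "10.20.5.17", "device_type": "workstation", "os": "Windows 7"}  # constructed
    print(next_action(enrich_alert(alert)))
```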