A network security specialist is investigating a large and sustained spike in alerts from their Security Information and Event Management (SIEM) system. Which data source should the specialist investigate first to try and determine the cause of the spike in alerts?

1 answer

When investigating a large and sustained spike in alerts from a Security Information and Event Management (SIEM) system, the network security specialist should first examine the network traffic logs or firewall logs. These logs can provide insights into the volume and type of traffic that is currently passing through the network, which can help the specialist identify unusual patterns, potential attacks, or compromised devices that might be generating the spike in alerts.

Network traffic logs can reveal information about:

  • Unusual inbound or outbound traffic patterns, which may indicate scanning, data exfiltration, or denial-of-service attacks.
  • Source and destination IP addresses that may be responsible for the alerts.
  • The types of protocols being used and whether there is a sudden increase in specific services or ports being accessed.

Once the specialist analyzes the network traffic logs, they can correlate this data with other sources, such as system event logs, application logs, and threat intelligence, to get a clearer picture of the situation and take appropriate action.
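As an added worked example that is not part of the original answer: a small Python triage script that aggregates firewall log lines the way the answer describes, surfacing the noisiest source addresses, the ports being hit, sources touching many distinct ports (a scanning indicator) and sources with unusually large outbound byte counts (a possible exfiltration indicator). The key=value log format, the field names and the thresholds are assumptions chosen for illustration, and the sample log lines are constructed, not captured from any real device.

```python
"""Triage a SIEM alert spike by aggregating firewall logs.

Added example, not from the original answer. The log format, field names and
thresholds below are assumptions for illustration.
"""
import re
from collections import Counter, defaultdict

# Constructed sample firewall log lines in an assumed "<ts> fw k=v k=v ..." format.
SAMPLE_LOGS = """\
2024-05-01T10:00:01Z fw action=deny src=10.0.0.5 dst=203.0.113.10 proto=tcp dport=22 bytes=60
2024-05-01T10:00:01Z fw action=deny src=10.0.0.5 dst=203.0.113.10 proto=tcp dport=23 bytes=60
2024-05-01T10:00:02Z fw action=allow src=10.0.0.5 dst=203.0.113.10 proto=tcp dport=80 bytes=120
2024-05-01T10:00:02Z fw action=allow src=10.0.0.5 dst=203.0.113.10 proto=tcp dport=443 bytes=120
2024-05-01T10:00:03Z fw action=deny src=10.0.0.5 dst=203.0.113.10 proto=tcp dport=445 bytes=60
2024-05-01T10:00:03Z fw action=deny src=10.0.0.5 dst=203.0.113.10 proto=tcp dport=3389 bytes=60
2024-05-01T10:00:04Z fw action=deny src=10.0.0.5 dst=203.0.113.10 proto=tcp dport=8080 bytes=60
2024-05-01T10:00:05Z fw action=allow src=10.0.0.7 dst=198.51.100.9 proto=tcp dport=443 bytes=50000000
2024-05-01T10:00:09Z fw action=allow src=10.0.0.7 dst=198.51.100.9 proto=tcp dport=443 bytes=50000000
2024-05-01T10:00:14Z fw action=allow src=10.0.0.7 dst=198.51.100.9 proto=tcp dport=443 bytes=50000000
2024-05-01T10:00:15Z fw action=allow src=10.0.0.12 dst=203.0.113.20 proto=tcp dport=443 bytes=2048
2024-05-01T10:00:16Z fw action=allow src=10.0.0.12 dst=203.0.113.20 proto=tcp dport=443 bytes=1024
2024-05-01T10:00:17Z fw action=allow src=10.0.0.13 dst=203.0.113.20 proto=udp dport=53 bytes=90
this line is malformed and should be skipped
"""

# Timestamp, the literal tag "fw", then one or more key=value tokens.
LINE_RE = re.compile(r"^(?P<ts>\S+) fw (?P<kv>(?:\w+=\S+ ?)+)$")


def parse_line(line):
    """Return a dict for one well-formed log line, or None if it cannot be parsed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(tok.split("=", 1) for tok in m.group("kv").split())
    try:
        return {
            "ts": m.group("ts"),
            "action": fields["action"],
            "src": fields["src"],
            "dst": fields["dst"],
            "proto": fields["proto"],
            "dport": int(fields["dport"]),
            "bytes": int(fields["bytes"]),
        }
    except (KeyError, ValueError):
        return None  # missing field or non-numeric port/byte count


def parse_logs(text):
    """Parse a block of log text; returns (events, number_of_skipped_lines)."""
    events, skipped = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev is None:
            skipped += 1
        else:
            events.append(ev)
    return events, skipped


def triage(events, scan_port_threshold=5, exfil_bytes_threshold=100_000_000, top_n=3):
    """Aggregate parsed events into the views an analyst checks first.

    scan_port_threshold: distinct destination ports from one source that we
    treat as scanning. exfil_bytes_threshold: total bytes from one source that
    we treat as a possible exfiltration. Both are assumed illustrative values.
    """
    per_src = Counter(e["src"] for e in events)
    denies_per_src = Counter(e["src"] for e in events if e["action"] == "deny")
    ports_per_src = defaultdict(set)
    bytes_per_src = Counter()
    per_port = Counter()
    for e in events:
        ports_per_src[e["src"]].add(e["dport"])
        bytes_per_src[e["src"]] += e["bytes"]
        per_port[(e["proto"], e["dport"])] += 1
    scan_suspects = sorted(s for s, p in ports_per_src.items() if len(p) >= scan_port_threshold)
    exfil_suspects = sorted(s for s, b in bytes_per_src.items() if b >= exfil_bytes_threshold)
    return {
        "total_events": len(events),
        "top_sources": per_src.most_common(top_n),
        "top_denied_sources": denies_per_src.most_common(top_n),
        "top_ports": per_port.most_common(top_n),
        "scan_suspects": scan_suspects,
        "exfil_suspects": exfil_suspects,
    }


if __name__ == "__main__":
    evs, bad = parse_logs(SAMPLE_LOGS)
    print(f"parsed {len(evs)} events, skipped {bad} malformed line(s)")
    for key, value in triage(evs).items():
        print(f"{key}: {value}")
```

On the constructed sample the script flags 10.0.0.5 as the noisiest and most-denied source and as a scan suspect (seven distinct destination ports in a few seconds), and 10.0.0.7 as an exfiltration suspect (150 MB outbound over a single port). Those two sources, plus the port breakdown, are exactly the correlation keys to pivot on next in system event logs, application logs and threat intelligence, as the answer suggests. In production the thresholds would be set from a baseline of normal traffic rather than the fixed illustrative values used here.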