The first step upon receiving an alert about user and IP address reconnaissance involving SMB sessions should be to review the activity log linked in the alert for specific commands run. This is crucial because understanding the context and details surrounding the alert is essential for an accurate assessment of the situation.
By examining the activity log, you can identify which commands were executed during the reconnaissance process, the timeline of activities, and the specific users and systems involved. This information helps determine the severity and scope of the potential threat and allows for an informed decision on the best course of action.
Immediately blocking all SMB traffic, changing passwords, or disabling user accounts could disrupt legitimate ongoing processes or systems. Such actions may also hinder the investigation by removing evidence or rendering systems inaccessible for further analysis. Therefore, reviewing the activity log is a critical first step that enables an analyst to gather intel and make informed decisions regarding incident response.