A UEBA rule flags a user authenticating from London and Singapore within 12 minutes, followed by the creation of a mailbox forwarding rule. During alert triage, which data source should the analyst investigate first to get the clearest next step?
- A. Only the user's browser cache
  Why wrong: Browser cache is not the authoritative source for sign-in and mailbox-rule activity.
- B. The organisation's public DNS zone file
  Why wrong: DNS zone data is unrelated to mailbox-forwarding abuse.
- C. Sign-in logs, MFA result, device details, and mailbox audit events
  Impossible travel plus forwarding rule creation is a strong account-compromise pattern; identity and mailbox audit data confirm whether the activity is malicious.
- D. Only DHCP logs from the London office
  Why wrong: DHCP logs cannot explain the remote sign-in or mailbox change.