identify

The first phase of incident response once an alert has been escalated to an incident. It is never optional. This phase involves understanding the following to a degree that allows closure of the incident: the signature, the vulnerability or exposure, the action, the target, the result, and any attack tools involved.