A cloud operations engineer receives a high-severity alert from the SIEM showing multiple failed and then successful root-level SSH logins to several Linux jump hosts at 03:15 local time, well outside normal maintenance hours. The organization's incident-response runbook states that any suspected compromise must be contained within 15 minutes while evidence is preserved for later investigation. Which immediate action BEST meets these requirements?
Increase the SIEM threshold for failed logins to reduce alert noise while gathering more data
Add the suspicious IP addresses to a temporary firewall deny list and start packet capture on the affected hosts
Disable multi-factor authentication on the jump hosts to simplify administrator access during investigation
Snapshot the affected VMs and power them off to prevent further damage
Temporarily blocking the suspicious source addresses at the firewall cuts off the attacker's current access path (containment) while leaving the hosts online, so responders can start packet capture and collect volatile evidence (process memory, active network connections, logged-in sessions, and logs) before anything is changed. Snapshotting and powering off the VMs also contains the hosts, but a disk snapshot does not capture that volatile state, and powering off destroys it, which conflicts with the runbook's evidence-preservation requirement. Disabling MFA weakens security and does nothing about the compromise. Raising the SIEM threshold hides the signal, delays response, and leaves the environment exposed. Note that an address block is only initial containment: the attacker already achieved root logins, so the jump hosts must be treated as compromised, with credentials and SSH keys rotated and persistence checked once evidence is collected.
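The triage described above, as an added example that is not part of the original page: it parses sshd entries in the standard auth.log layout, flags source addresses whose failed root logins were followed by an accepted one, and emits the containment commands (a timed nftables deny set plus a tcpdump capture). The cloud-firewall API is provider-specific, so host-level nftables is used instead; the `inet ir` table, `deny` set, capture directory and the log lines themselves are constructed assumptions. The commands are returned as strings for review rather than executed.

```python
"""Find sources whose failed root SSH logins were followed by a successful
one, then build temporary containment commands (timed deny-list + pcap).
Added example for the scenario above; table/set names, paths and the sample
log lines are assumptions, not anything from the original page."""
import re
import shlex
from collections import defaultdict

# Constructed sample sshd entries (auth.log layout, RFC 5737 test addresses).
SAMPLE_AUTH_LOG = """\
Mar  4 03:14:51 jump01 sshd[2210]: Failed password for root from 203.0.113.45 port 51022 ssh2
Mar  4 03:14:53 jump01 sshd[2210]: Failed password for root from 203.0.113.45 port 51022 ssh2
Mar  4 03:14:56 jump01 sshd[2212]: Failed password for root from 203.0.113.45 port 51030 ssh2
Mar  4 03:15:02 jump01 sshd[2214]: Accepted password for root from 203.0.113.45 port 51041 ssh2
Mar  4 03:15:10 jump02 sshd[1881]: Failed password for root from 198.51.100.7 port 40011 ssh2
Mar  4 03:15:19 jump02 sshd[1883]: Accepted publickey for root from 198.51.100.7 port 40019 ssh2
Mar  4 03:15:30 jump03 sshd[3102]: Accepted publickey for ops from 10.20.0.15 port 55100 ssh2
Mar  4 03:15:44 jump03 sshd[3105]: Failed password for root from 192.0.2.9 port 61002 ssh2
"""

# Matches the "Failed/Accepted <method> for <user> from <ip> port <n> ssh2" lines sshd writes.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+ ssh2"
)


def parse_sshd(lines):
    """Yield one dict per recognised sshd auth line; other lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def find_bruteforce_success(lines, user="root", min_failures=1):
    """Return {ip: [hosts]} for sources that failed at least min_failures times
    for `user` and then obtained an Accepted login for that same user."""
    failures = defaultdict(int)   # ip -> failed attempts seen so far
    hits = defaultdict(set)       # ip -> hosts where a later success occurred
    for ev in parse_sshd(lines):
        if ev["user"] != user:
            continue
        if ev["result"] == "Failed":
            failures[ev["ip"]] += 1
        elif failures[ev["ip"]] >= min_failures:
            hits[ev["ip"]].add(ev["host"])
    return {ip: sorted(hosts) for ip, hosts in hits.items()}


def containment_commands(hits, timeout="4h", capture_dir="/var/tmp/ir"):
    """Build (but do not run) the containment commands for the flagged sources.
    Assumed layout: a dedicated 'inet ir' nftables table holding a timed 'deny'
    set, so the block expires by itself and never touches production rules."""
    ips = sorted(hits)
    cmds = [
        "nft add table inet ir",
        "nft add set inet ir deny '{ type ipv4_addr; flags timeout; }'",
        "nft add chain inet ir input '{ type filter hook input priority -10; policy accept; }'",
        "nft add chain inet ir output '{ type filter hook output priority -10; policy accept; }'",
        "nft add rule inet ir input ip saddr @deny drop",
        "nft add rule inet ir output ip daddr @deny drop",
    ]
    # Start the capture before inserting the block so the attacker's retries and
    # any traffic from sessions they already hold are recorded, not silently dropped.
    bpf = " or ".join(f"host {ip}" for ip in ips)
    cmds.append(f"mkdir -p {capture_dir}")
    cmds.append(f"nohup tcpdump -i any -s 0 -w {capture_dir}/$(hostname).pcap {shlex.quote(bpf)} &")
    cmds += [f"nft add element inet ir deny '{{ {ip} timeout {timeout} }}'" for ip in ips]
    return cmds


if __name__ == "__main__":
    found = find_bruteforce_success(SAMPLE_AUTH_LOG.splitlines())
    for ip, hosts in found.items():
        print(f"{ip}: failed-then-accepted root login on {', '.join(hosts)}")
    print("\n".join(containment_commands(found)))
```

Raising `min_failures` tightens the rule (a single failure before a success is common for a mistyped password), and the timed set means the block lifts itself if responders forget to remove it after the incident.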