A server administrator receives an automated alert for a critical database server. The alert indicates unusually high outbound network traffic that lasted for two hours during the middle of the night. The total data transferred was over 50GB to an IP address that is not on any of the company's allowlists. Suspecting data exfiltration, which of the following should be the administrator's FIRST action?
Check the server's performance monitor logs for CPU and disk I/O spikes during the event.
Verify the server's patch management history to see if it is missing critical security updates.
Review Robocopy and other file transfer service logs for scheduled data migration tasks.
Analyze firewall and network flow logs to identify the destination IP, port, and protocol.
The correct first action is to analyze firewall and network flow logs. These logs provide the most direct and crucial information for investigating a suspected data exfiltration event, including the source and destination IP addresses, ports used, protocol, and the volume of data transferred. This evidence is essential to understand the scope of the incident and determine the immediate next steps for containment. Checking performance monitor logs would confirm that the server was busy but would not provide details about the network connection itself. Reviewing application-level logs like Robocopy is a secondary step; the exfiltration could have used any number of methods, which the network-level logs would capture regardless of the application. Verifying patch levels is important for root cause analysis to determine how a potential compromise occurred, but it is not the first step in investigating the active data transfer.