Question: 1/50
A SOC analyst sees hundreds of login failures across many user accounts from a single external IP within a short timeframe. Which event analysis approach is MOST appropriate to quickly confirm whether this is a credential-stuffing attempt?
Correlate authentication failure events by source IP and time window, then enrich with geolocation and known-bad reputation
Disable all externally facing authentication services immediately to prevent further attempts
Search endpoint logs only for malware detections on the affected user devices
Tune the SIEM to ignore authentication failures from external sources to reduce noise