- Analyze web log alerts and historical search data.
- Audit endpoints to forensically determine origin of exploit.
- Build playbooks for detecting browser behavior.
- Conduct full malware analysis.
- Understand targeted servers, people, and data available to attack.
Explanation: Threat actors may port scan an organization's web server to identify vulnerabilities on it. They may also visit the web server to collect information about the organization. Web server logging should be enabled, and the log data should be analyzed to identify possible reconnaissance threats. Building playbooks that filter and combine related web activities by visitors can sometimes reveal the intentions of threat actors.