An incident response manager has started to gather all the facts related to a SIEM alert showing
multiple systems may have been compromised.
The manager has gathered these facts:
– The breach is currently indicated on six user PCs
– One service account is potentially compromised
– Executive management has been notified
In which of the following phases of the IRP is the manager currently working?