Example: Investigation of suspected backdoor traffic

This scenario shows an example of an incident investigation of a compromised server.

The administrator receives an IPS alert that there is active two-way backdoor traffic between a server in the organization's internal network and an unknown host on the Internet. The administrator then:

  1. Opens an Incident Case to help manage this incident.
  2. Searches for previous logs from the Firewall and IPS engines to identify the vulnerability that allowed the server to be compromised.
  3. Attaches the relevant logs to the incident case.
  4. Reinstalls the server, and installs patches to prevent the same vulnerability from being exploited again.
  5. Closes the incident case.
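Step 2 is the analytical core of the procedure: pivot on the compromised server, look back in the Firewall and IPS logs before the backdoor alert, and find the inbound events that most plausibly explain how it was compromised. The following script is an added illustration of that log search, not part of the original scenario or of any product's tooling; the log format, the IP addresses (RFC 5737 documentation ranges) and the event names are constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed sample logs in a simplified, product-independent format
# (not the log format of any real firewall or IPS engine).
# Fields: timestamp, engine, source, destination, event
LOGS = [
    ("2024-05-01 09:58:10", "FW",  "203.0.113.7", "10.0.0.5",     "allow tcp/443"),
    ("2024-05-01 09:58:12", "IPS", "203.0.113.7", "10.0.0.5",     "Web application exploit attempt"),
    ("2024-05-01 09:58:13", "IPS", "203.0.113.7", "10.0.0.5",     "Web application exploit attempt"),
    ("2024-05-01 10:00:01", "FW",  "10.0.0.5",    "198.51.100.4", "allow tcp/4444"),
    ("2024-05-01 10:00:05", "IPS", "10.0.0.5",    "198.51.100.4", "Backdoor traffic detected"),
    ("2024-05-01 11:00:00", "FW",  "10.0.0.9",    "198.51.100.4", "allow tcp/443"),
]

# The IPS alert that starts the investigation: time, internal server, unknown host
ALERT = ("2024-05-01 10:00:05", "10.0.0.5", "198.51.100.4")

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")

def host_timeline(logs, server, alert_time, lookback=timedelta(hours=24)):
    """All log lines touching the server in the lookback window up to the alert, in time order."""
    end = parse(alert_time)
    start = end - lookback
    return sorted(
        (parse(t), eng, s, d, ev) for t, eng, s, d, ev in logs
        if server in (s, d) and start <= parse(t) <= end
    )

def first_backdoor_connection(timeline, server, remote):
    """Earliest firewall-allowed connection from the server to the unknown host."""
    for t, eng, s, d, ev in timeline:
        if eng == "FW" and s == server and d == remote and ev.startswith("allow"):
            return t
    return None

def candidate_exploit_events(timeline, server, before):
    """Inbound IPS events against the server that precede the first backdoor connection."""
    return [(t, s, ev) for t, eng, s, d, ev in timeline
            if eng == "IPS" and d == server and t < before]

def investigate(logs, alert):
    """Build the pre-alert timeline and pick out the likely initial-compromise events."""
    alert_time, server, remote = alert
    tl = host_timeline(logs, server, alert_time)
    first = first_backdoor_connection(tl, server, remote)
    hits = candidate_exploit_events(tl, server, first) if first else []
    return {"first_backdoor": first, "candidate_exploits": hits}

if __name__ == "__main__":
    for key, value in investigate(LOGS, ALERT).items():
        print(key, value)
```

The returned events are what the administrator would attach to the incident case as evidence of the exploited vulnerability; an inbound IPS event shortly before the first outbound connection to the unknown host is the usual starting point, while traffic involving other internal hosts is deliberately left out of the pivot.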