Monday 9am, four alerts are open. Which do you work FIRST?
Short answer
Triage by impact and reachability: credential dumping (a mimikatz signature) on a domain controller is a crown-jewel event that can lead to full domain compromise, so work it first. The external port scan was already blocked by the IDS, the unapproved browser extension is low severity, and an expired TLS cert on an internal test box is informational. The core SOC skill is prioritizing by blast radius and likelihood of escalation, not by alert age or how loud the alert is.
Triage is the daily core of SOC work, and this question separates analysts who react to alert volume or recency from those who reason about impact and likelihood. Four alerts are open; only one is a potential path to total compromise.
Why the domain controller alert wins
A credential-dumping tool (a mimikatz signature) executing on a domain controller is close to a worst case. The DC holds the keys to the kingdom — dumping LSASS or the NTDS.dit database can yield every domain credential, including Domain Admin and the krbtgt hash (enabling Golden Tickets). That's active, post-exploitation activity on a crown-jewel asset, with a direct path to domain-wide control. High impact, high likelihood of escalation, happening now: it goes first.
Why the others wait
- Blocked port scan — the IDS already dropped it. Reconnaissance that was prevented is low urgency; there's no active foothold to chase.
- Unapproved browser extension — a policy/hygiene issue, low severity. Worth handling, but it isn't an active intrusion on critical infrastructure.
- Expired TLS cert on an internal test box — informational. No confidentiality or integrity breach, no attacker, and it's a non-production system. This is the lowest priority of the four.
The prioritization principle
Rank by blast radius (how much damage if real) and likelihood/stage (is it active exploitation or already-mitigated noise?). The DC alert is high on both axes; the others are low on one or both. Notably, you do not prioritize by which alert is oldest, loudest, or easiest to close — that's how real incidents get buried under busywork.
What the interviewer is probing
They want to see structured triage: identify the crown-jewel asset, recognize active post-exploitation, and articulate why the other three can wait. Bonus signal is naming the next moves on the DC — isolate, capture memory, force enterprise-wide credential resets, and check for krbtgt compromise — which shows you understand the stakes, not just the ranking.
Likely follow-ups
- Why does a domain controller change the severity calculus compared to the same alert on a workstation?
- What immediate actions follow once you confirm credential dumping on the DC?
- How would you justify deprioritizing the other three to a manager asking why they're still open?