Which alert would you consult if attack indicators have been detected on the system?


Multiple Choice

Which alert would you consult if attack indicators have been detected on the system?

Explanation:
Indicators of Attack alerts are used when there are signs of an active breach. They are triggered by suspicious behaviors and sequences of activity that indicate an attacker is present or attempting to move within the system, such as unusual process activity or privilege escalation. Because they focus on dynamic attacker techniques rather than static remnants, they guide you toward immediate investigation and containment. The other alert types cover different issues: protection errors point to problems with protection modules, license alerts warn about licensing status, and unmanaged computer discovery alerts flag devices not yet managed by the system. Because the scenario involves attack indicators on the system, the Indicators of Attack alert is the most relevant and actionable source.

