A SIEM system detects that a database administrator account has been used to run unusual queries outside normal business hours, accessing sensitive customer data. What should the analyst investigate FIRST?
- A. Delete the logs to prevent escalation
- B. Determine whether the account holder was actually present and authorized ✓
- C. Assume the account was compromised and force a password reset
- D. Immediately disable the database administrator account
Correct answer: Determine whether the account holder was actually present and authorized
When investigating anomalous privileged account activity, the first step is to determine whether the account holder was legitimately present and authorized. This distinguishes an insider threat or authorized after-hours work from an external compromise, and that determination drives every subsequent response decision. Option A is incorrect: deleting the logs would constitute evidence tampering and destruction of forensic data, which is both legally problematic and operationally harmful. Option C is incorrect as a first action because forcing a password reset before confirming compromise may alert an adversary, destroy forensic evidence, and disrupt a legitimate user without justification. Option D is incorrect as a first action because immediately disabling a privileged database account without confirming compromise could cause significant operational impact and may be unnecessary if the activity turns out to be authorized.
Topic: siem, incident response, insider threat, privileged account monitoring