Compromise assessment
The first thing we see is an alert from CS that a whoami command was run on the production server.
So what is the first thing that comes to your mind?
Should we isolate the server?
Should we give CS the option to isolate all the files that it found?
What should we do in such a case?





We found this web shell on more than 2 web servers, both of them on the same subnet.

Okay, now let's check what really happened.

