The questions to ask for that alert to triage it are:
what is the src ip/host?
what is the dst ip/host?
what was the user name used to log in over SMB?
is there a correlation between the human who owns the src host & the user name to log in to the dst host?
on the dst host, what activity was done in the login session?
does any of that activity match known threat actor behaviours?
This is the "what" to do & not the "how" to do it.
How do we get those answers - that will depend on the data sources/telemetry available, aka logging or host forensics.
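As an added example (not from the original post), here is how those triage questions can be answered programmatically from telemetry; the alert, asset inventory, destination-host events and behaviour watchlist are all constructed sample data, and the field names are assumptions loosely modelled on Windows Security log events.

```python
# Triage helper for an SMB network logon alert (added example, not from the post).
# All data below is constructed for illustration; field names are assumptions.

# Constructed alert: an SMB network logon (Event ID 4624, LogonType 3)
ALERT = {"src_ip": "10.0.0.25", "dst_ip": "10.0.0.80", "user": "CORP\\jdoe",
         "logon_id": "0x3E7A1", "event_id": 4624, "logon_type": 3}

# Constructed asset inventory: IP -> (hostname, human owner or None for servers)
ASSETS = {"10.0.0.25": ("WS-FINANCE-07", "asmith"),
          "10.0.0.80": ("FS-SHARE-01", None)}

# Constructed events from the dst host, tied to the logon session by logon_id
DST_HOST_EVENTS = [
    {"logon_id": "0x3E7A1", "event_id": 4688, "process": "cmd.exe"},
    {"logon_id": "0x3E7A1", "event_id": 4688, "process": "vssadmin.exe"},
    {"logon_id": "0x3E7A1", "event_id": 5140, "share": "\\\\FS-SHARE-01\\ADMIN$"},
    {"logon_id": "0x99999", "event_id": 4688, "process": "notepad.exe"},  # other session
]

# Hypothetical watchlist of known threat-actor behaviours to compare against
KNOWN_BEHAVIOURS = {
    "vssadmin.exe": "shadow copy tampering",
    "ADMIN$": "administrative share access",
}


def triage(alert, assets, events, behaviours):
    """Answer the triage questions: src/dst host, account, owner correlation,
    session activity on the dst host, and matches against known behaviours."""
    src_host, src_owner = assets.get(alert["src_ip"], (None, None))
    dst_host, _ = assets.get(alert["dst_ip"], (None, None))
    account = alert["user"].split("\\")[-1].lower()       # strip the domain prefix
    owner_matches = src_owner is not None and account == src_owner.lower()
    # Only events belonging to the alerted logon session count as its activity
    session = [e for e in events if e["logon_id"] == alert["logon_id"]]
    matches = []
    for e in session:
        text = (e.get("process", "") + e.get("share", "")).lower()
        for key, label in behaviours.items():
            if key.lower() in text:
                matches.append(label)
    return {"src_host": src_host, "dst_host": dst_host, "account": account,
            "owner_matches_account": owner_matches,
            "session_activity": [e.get("process") or e.get("share") for e in session],
            "known_behaviour_matches": sorted(set(matches))}


if __name__ == "__main__":
    for k, v in triage(ALERT, ASSETS, DST_HOST_EVENTS, KNOWN_BEHAVIOURS).items():
        print(f"{k}: {v}")
```

A mismatch between the workstation owner and the account used, combined with watchlist hits in the same session, is what turns this from a noisy alert into something worth escalating.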