An engineer discovered a breach, identified the threat's entry point, and removed access. The engineer was able to identify the host, the IP address of the thre...

An engineer discovered a breach, identified the threat's entry point, and removed access. The engineer was able to identify the host, the IP address of the threat actor, and the application the threat actor targeted. What is the next step the engineer should take according to the NIST SP 800-61 Incident handling guide?