IDFAQ: How do I get support from an ISP to investigate an incident?

ISPs, in general, can't give out account information about their users. Many are willing to warn the user and possibly disable the account. What they need from you is a trace of the log files that led you to determine that one of their IP addresses was involved in the incident. Be certain to explicitly state the time zone the attacked system is located in. If the sensor or system that created the logs is synchronized to a time server, be certain to provide that information as well.
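As an added example (not part of the original FAQ), the sketch below builds such a log trace from syslog-style lines, which carry neither a year nor a time zone: it keeps only entries sourced from the ISP's address range, states the sensor's time zone and clock source, and prefixes each entry with its UTC time. The log format, the address ranges (documentation ranges), the year, and the `EST` sensor zone are all constructed assumptions.

```python
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Constructed sample lines in classic syslog style: no year, no time zone.
SAMPLE_LOG = [
    "Jan 14 02:17:09 fw01 DROP SRC=198.51.100.23 DST=192.0.2.10 PROTO=TCP DPT=22",
    "Jan 14 02:17:11 fw01 DROP SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=80",
    "Jan 14 23:58:40 fw01 DROP SRC=198.51.100.77 DST=192.0.2.10 PROTO=TCP DPT=22",
]
EST = timezone(timedelta(hours=-5), "EST")  # assumed sensor time zone
LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) .*\bSRC=(\S+)")


def build_excerpt(lines, isp_net, year, sensor_tz, clock_source):
    """Return report lines for log entries whose source is inside isp_net."""
    net = ipaddress.ip_network(isp_net)
    # Header states the time zone and clock source explicitly, as the FAQ asks.
    label = datetime(year, 1, 1, tzinfo=sensor_tz).strftime("%Z %z")
    report = [f"Sensor time zone: {label}; clock source: {clock_source}"]
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a line in the expected format
        try:
            src = ipaddress.ip_address(m.group(2))
        except ValueError:
            continue  # malformed source address
        if src not in net:
            continue  # unrelated to this ISP; leave it out of the report
        # Attach the sensor's zone to the naive timestamp, then convert to UTC.
        local = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        local = local.replace(tzinfo=sensor_tz)
        utc = local.astimezone(timezone.utc)
        # The original line is kept verbatim after the normalized timestamp.
        report.append(f"{utc:%Y-%m-%d %H:%M:%S} UTC | sensor {local:%z} | {line}")
    return report


if __name__ == "__main__":
    print("\n".join(build_excerpt(SAMPLE_LOG, "198.51.100.0/24", 2017, EST, "NTP")))
```

The last sample entry shows why the time zone matters: 23:58:40 on the sensor falls on the following day in UTC.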

Don't expect too much from an ISP. Remember, they are in business to provide Internet access, not police it. Respect their problems and issues, and try to work with them. If a particular ISP refuses to work with you even after you have provided evidence that repeated attacks are coming from their domain, try to talk to a manager or supervisor. As a last resort, you can always block all traffic between that ISP and your networks. However, be aware that this can easily backfire, causing you more problems than the original intrusion attempt itself.