What should a security operations engineer do when reviewing suspicious, but successful, login activity?
When reviewing a suspicious but successful login, the immediate priority is to look for other suspicious activity in the moments before and after the login. A successful authentication on its own is rarely conclusive; what surrounds it usually is. A burst of failed attempts just before the success, a source address or device the user has never used, and post-login actions such as unusual file access, new MFA device enrollment, mailbox forwarding rules, or privilege changes are the additional indicators of compromise that give the login context and determine the appropriate next steps. Disabling the user account, inspecting network firewalls, or reviewing all active accounts may well follow, but they are actions taken on the basis of what that initial review of the surrounding activity turns up, not a substitute for it.
B. Look for other types of suspicious activity in the moments before or after the login.
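The triage described above, as an added example that is not part of the original question or answer. It correlates a flagged login with the same user's events in a window around it and reports the indicators found. The event schema, the sample log lines, the 15-minute window, the three-failure threshold, and the escalate/investigate/monitor outcomes are all assumptions made for this example; a real SIEM will have its own field names and tuning.

```python
"""Correlate a suspicious successful login with surrounding activity.

Added example, not from the original page. Assumes a simplified event
schema (one dict per event) and constructed sample data; thresholds are
illustrative.
"""
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=15)          # assumed look-back/look-ahead window
FAILURE_THRESHOLD = 3                   # assumed: failures before success worth noting

# Post-login event types that suggest persistence, exfiltration or data theft.
POST_LOGIN_FLAGS = {"mfa_enroll", "mailbox_rule", "privilege_change", "file_access"}

# Constructed sample log, in the shape an auth/EDR source might give you.
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T02:10:00", "user": "jdoe",   "src_ip": "203.0.113.7", "type": "auth_failure", "detail": "bad password"},
    {"ts": "2024-03-01T02:11:00", "user": "jdoe",   "src_ip": "203.0.113.7", "type": "auth_failure", "detail": "bad password"},
    {"ts": "2024-03-01T02:12:00", "user": "jdoe",   "src_ip": "203.0.113.7", "type": "auth_failure", "detail": "bad password"},
    {"ts": "2024-03-01T02:14:30", "user": "jdoe",   "src_ip": "203.0.113.7", "type": "auth_success", "detail": "password"},
    {"ts": "2024-03-01T02:15:00", "user": "asmith", "src_ip": "10.0.0.9",    "type": "auth_success", "detail": "password"},
    {"ts": "2024-03-01T02:16:00", "user": "jdoe",   "src_ip": "203.0.113.7", "type": "mfa_enroll",   "detail": "new authenticator device"},
    {"ts": "2024-03-01T02:18:00", "user": "jdoe",   "src_ip": "203.0.113.7", "type": "file_access",  "detail": "\\\\fs01\\finance\\payroll.xlsx"},
    {"ts": "2024-03-01T02:20:00", "user": "jdoe",   "src_ip": "203.0.113.7", "type": "mailbox_rule", "detail": "forward all mail to external address"},
    {"ts": "2024-03-01T09:05:00", "user": "jdoe",   "src_ip": "10.0.0.42",   "type": "auth_success", "detail": "password"},
]
SUSPICIOUS_LOGIN = SAMPLE_EVENTS[3]     # the login an analyst was asked to review
BENIGN_LOGIN = SAMPLE_EVENTS[8]         # normal daytime login from a known address

# Assumed baseline: source addresses previously seen per user.
KNOWN_IPS = {"jdoe": {"10.0.0.42"}, "asmith": {"10.0.0.9"}}


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def surrounding_activity(events, login, window=WINDOW):
    """Same user's events within +/- window of the login, excluding the login itself."""
    t0 = _ts(login)
    ctx = [e for e in events
           if e["user"] == login["user"]
           and e is not login
           and abs(_ts(e) - t0) <= window]
    return sorted(ctx, key=_ts)


def triage(events, login, known_ips, window=WINDOW):
    """Return the indicators found around the login and a suggested next step."""
    ctx = surrounding_activity(events, login, window)
    t0 = _ts(login)
    before = [e for e in ctx if _ts(e) < t0]
    after = [e for e in ctx if _ts(e) > t0]
    indicators = []

    # 1. Failed attempts immediately preceding the success (password spray / brute force).
    failures = [e for e in before if e["type"] == "auth_failure"]
    if len(failures) >= FAILURE_THRESHOLD:
        minutes = int(window.total_seconds() // 60)
        indicators.append(f"{len(failures)} failed logins in the {minutes} min before success")

    # 2. Source address never seen for this user.
    if login["src_ip"] not in known_ips.get(login["user"], set()):
        indicators.append(f"source {login['src_ip']} not previously seen for {login['user']}")

    # 3. Post-login actions consistent with persistence or data theft.
    for e in after:
        if e["type"] in POST_LOGIN_FLAGS:
            indicators.append(f"{e['type']} after login: {e['detail']}")

    # Containment (e.g. disabling the account) is a decision made on these findings.
    if len(indicators) >= 2:
        action = "escalate"
    elif indicators:
        action = "investigate"
    else:
        action = "monitor"
    return {"indicators": indicators, "action": action, "context": ctx}


if __name__ == "__main__":
    for login in (SUSPICIOUS_LOGIN, BENIGN_LOGIN):
        result = triage(SAMPLE_EVENTS, login, KNOWN_IPS)
        print(f"{login['ts']} {login['user']}@{login['src_ip']}: {result['action']}")
        for ind in result["indicators"]:
            print("  -", ind)
```

The ordering matters: `triage` only decides on containment after the surrounding activity has been collected and scored, which mirrors the answer. Swapping the baseline in `KNOWN_IPS` for a real lookup (prior sign-in history, device registration) is the first change you would make in practice.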