SOC Journal

1. EDR Alert Narrative: Unauthorized Hardware Addition Detection Source: Microsoft Defender for Endpoint (MDE)Alert ID: INC-2023-0915-T1200Alert Time: 2023-11-15 14:22:18 UTCSeverity: High (85/100)MITRE ATT&CK: T1200 – Hardware Additions Affected Host: Detection Logic:Microsoft Defender for Endpoint Device Control Policy violation triggered when: Alert Details: text Event Sequence: 14:20:32 – Unknown USB Device connected (VID: 0781, PID: 5583) 14:20:45 – Driver installation attempted: … Read more

Executive Summary: Hardware Security Incident Response A sophisticated Hardware Additions attack (MITRE ATT&CK T1200) targeting financial infrastructure was successfully detected by EDR solutions and contained by our in-house Security Operations Center. This comprehensive incident report details the endpoint detection response, digital forensics investigation, and incident remediation processes following unauthorized USB device installation—a critical cybersecurity threat in modern enterprise environments. 🔴 1. EDR Alert: Unauthorized Hardware Addition … Read more

Microsoft Defender Alert Details Alert ID: MD-IPC-1559-7842Alert Time: 2024-02-13 11:45:22 ESTSeverity: HIGH (82/100)Source: Microsoft Defender for EndpointRule: “COM Hijacking for Persistence Detected”MITRE ATT&CK: T1559 – Inter-Process Communication Alert Details: Detection: COM object hijacking attempt for persistence Host: IT-WS-034 (IT Department) User: mrobinson (Mike Robinson, IT Admin) Time: 11:40 EST Registry Modification: – Key: HKLM\SOFTWARE\Classes\CLSID\{00024512-0000-0000-C000-000000000046}\InprocServer32 – … Read more

SentinelOne Alert Details Alert ID: S1-EXPLOIT-CLIENT-1203-7842Alert Time: 2024-02-13 15:30:45 ESTSeverity: CRITICAL (92/100)Source: SentinelOne SingularityRule: “Browser Exploit Attempt – CVE-2024-1234 Detected”MITRE ATT&CK: T1203 – Exploitation for Client Execution Alert Details: Detection: Browser exploit attempt via compromised website Host: SLS-WS-112 (Sales Department) User: jharris (Jennifer Harris, Sales Rep) Time: 15:28 EST Process Tree: – chrome.exe (PID: 7842) … Read more

Prisma Cloud Alert Details Alert ID: PRISMA-DEPLOY-CONTAINER-1610-7842Alert Time: 2024-02-13 09:15:33 ESTSeverity: HIGH (82/100)Source: Prisma Cloud ComputeRule: “Unauthorized Container Deployment – Crypto Mining”MITRE ATT&CK: T1610 – Deploy Container Alert Details: Detection: Unauthorized container deployed in Kubernetes cluster Cluster: dev-eks-cluster-02 Namespace: default (unauthorized namespace) Image: docker.io/monero/xmrig:latest Container Name: kube-system-worker (masquerading as system pod) Deployment Time: 09:08 EST … Read more

Aqua Alert Details Alert ID: AQUA-CONTAINER-ADMIN-1609-7842Alert Time: 2024-02-13 14:30:22 ESTSeverity: HIGH (85/100)Source: Aqua Security Cloud Native ProtectionRule: “Unauthorized kubectl exec into Production Container”MITRE ATT&CK: T1609 – Container Administration Command Alert Details: Detection: kubectl exec command executed in production environment Cluster: prod-eks-cluster-01 Namespace: payment-processing Pod: payment-api-v2-7d8f9c4d5-abcde Container: api Time: 14:28 EST Command Details: – User: jenkins-deploy … Read more

CrowdStrike Alert Details Alert ID: CS-POWERSHELL-1059-7842Alert Time: 2024-02-13 10:22:15 ESTSeverity: HIGH (88/100)Source: CrowdStrike Falcon EDRRule: “Suspicious PowerShell Command Line – Encoded Execution”MITRE ATT&CK: T1059.001 – Command & Scripting Interpreter: PowerShell Alert Details: Detection: PowerShell executed with encoded command and hidden window Host: FIN-WS-045 (Finance Department) User: bturner (Brian Turner, Accountant) Time: 10:18 EST Process Tree: … Read more

Microsoft Defender for Identity Alert Details Alert ID: MDI-VALID-ACCTS-1078-7842Alert Time: 2024-02-12 08:45:33 ESTSeverity: HIGH (85/100)Source: Microsoft Defender for IdentityRule: “Honeytoken Account Activity Detected”MITRE ATT&CK: T1078 – Valid Accounts Alert Details: Detection: Honeytoken account activity Honeytoken Account: svc_backup_old (Service Account) – Created: 2023-01-15 (as honeytoken) – Last Activity: Never (until now) – Password: 128-character random (not … Read more

BeyondTrust Alert Details Alert ID: BT-TRUSTED-REL-1199-7842Alert Time: 2024-02-12 13:30:45 ESTSeverity: HIGH (82/100)Source: BeyondTrust Privileged Access ManagementRule: “Vendor Account Anomaly – Unusual Access Pattern”MITRE ATT&CK: T1199 – Trusted Relationship Alert Details: User: vendor_support@acme-partner.com (Acme Solutions Contractor) Account Type: Vendor Privileged Access Time: 13:15-13:30 EST Access Details: – Login Time: 13:15 EST (unusual – normally 09:00-17:00 EST) … Read more

GitHub Alert Details Alert ID: GITHUB-SUPPLY-CHAIN-7842Alert Time: 2024-02-12 10:45:22 ESTSeverity: CRITICAL (95/100)Source: GitHub Advanced SecurityRule: “Compromised Maintainer Account – Malicious Commit”MITRE ATT&CK: T1195 – Supply Chain Compromise Alert Details: Repository: company/internal-toolkit (Private) Action: Malicious commit detected Commit Details: – Commit Hash: 8f7e6d5c4b3a2a1b9c8d7e6f5a4b3c2d1e0f9a8b – Author: “jsmith” (John Smith – Legitimate maintainer) – Time: 2024-02-12 10:30 EST … Read more