SOC Journal

EDR Alert Alert Source: Microsoft Defender for Endpoint (MDE)Alert Time: 2023-10-26 14:32:18 UTCSeverity: HighDevice: FIN-0789 (Windows 10, Finance Department)User: jane.doe@company.comAlert Title: “Suspicious script execution indicative of drive-by download”Alert ID: INC-2023-2678 Alert Details: Detection: TrojanDownloader:PowerShell/CobaltStrike Path: C:\Users\jane.doe\AppData\Local\Temp\update_check.ps1 Parent Process: msedge.exe (PID: 7845) Command Line: powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -File “C:\Users\jane.doe\AppData\Local\Temp\update_check.ps1” Process Tree: svchost.exe (services) -> msedge.exe (PID: 7845, visited: hxxps://adobe-flash-update[.]online) -> cmd.exe … Read more

Report Method: User in the Finance department clicked the “Report Phish” button in their Outlook add-in (Microsoft Report Phishing Add-in / PhishMe (Cofense) Reporter Button). Email Details: Email Body: Dear Employee, Our security system has detected unusual login attempts on your corporate account. To protect your data, we require you to reconfigure your Multi-Factor Authentication (MFA) settings immediately. … Read more

2. Updated Workflow: How it was Handled Step A: Automated Ingestion & Ticket Creation Step B: Technical Header & Metadata Analysis Step C: URL & Payload Detonation Step D: Global Search & Containment 3. Detailed Jira Comment of the Analysis Jira Comment – Incident Analysis [INC-2026-8821]Status: Resolved | Priority: HighAnalyst: Walter White (Tier 1) Analysis Details: Remediation Steps: Closing … Read more