SOC Journal - SOCJournal

T1091 – Replication via Removable Media (CrowdStrike Detection)

May 31, 2026 by SOC Journal

CrowdStrike Alert Details Alert ID: CS-WORM-USB-1091-7842Alert Time: 2024-02-12 14:15:33 ESTSeverity: HIGH (88/100)Source: CrowdStrike Falcon EDRRule: “Replication Through Removable Media – Worm Behavior”MITRE ATT&CK: T1091 – Replication Through Removable Media Alert Details: Detection: Worm-like file replication to USB devices Host: ENG-WS-078 (Engineering) User: npatel (Neha Patel, Engineer) Time: 14:10-14:15 EST Process Tree: – explorer.exe (PID: 3421) … Read more

T1566 – Phishing (Proofpoint Detection)

May 31, 2026 by SOC Journal

Proofpoint Alert Details Alert ID: PROOFPOINT-PHISH-1566-7842Alert Time: 2024-02-12 09:30:15 ESTSeverity: HIGH (85/100)Source: Proofpoint Targeted Attack Protection (TAP)Rule: “Credential Phishing – Brand Impersonation”MITRE ATT&CK: T1566 – Phishing Alert Details: Email Analysis Report: Sender: noreply@docusign-verify[.]net Reply-To: support@document-processing[.]com Subject: “Action Required: Document Ready for Signature – DocuSign” Recipients: 124 employees (All departments) Time: 2024-02-12 09:15 EST Email Headers: … Read more

T1200 – Hardware Additions (ForeScout Detection)

May 31, 2026 by SOC Journal

ForeScout Alert Details Alert ID: FORESCOUT-HW-ADD-7842Alert Time: 2024-02-11 13:45:22 ESTSeverity: HIGH (82/100)Source: ForeScout CounterACTRule: “Unauthorized USB Device – BadUSB Characteristics”MITRE ATT&CK: T1200 – Hardware Additions Alert Details: Device Detection: – Host: RND-WS-056 (Research & Development) – User: cpark (Chris Park, Research Scientist) – Time: 13:42 EST – USB Port: Front panel USB Device Details: – … Read more

T1133 – External Remote Services (Okta Detection)

May 31, 2026 by SOC Journal

Okta Alert Details Alert ID: OKTA-EXTERNAL-REMOTE-7842Alert Time: 2024-02-11 07:30:45 ESTSeverity: HIGH (88/100)Source: Okta Identity CloudRule: “Suspicious VPN Login – New Location + Impossible Travel”MITRE ATT&CK: T1133 – External Remote Services Alert Details: User: awilson@company.com (Alex Wilson, IT Administrator) Application: Palo Alto GlobalProtect VPN Time: 07:28 EST Risk Signals: 1. New Location: – City: Moscow, Russia … Read more

T1190 – Exploit Public-Facing App (Imperva WAF Detection)

May 31, 2026 by SOC Journal

Imperva WAF Alert Details Alert ID: IMPERVA-WAF-EXPLOIT-7842Alert Time: 2024-02-11 11:08:22 ESTSeverity: CRITICAL (95/100)Source: Imperva Web Application FirewallRule: “SQL Injection Attempt – Authentication Bypass”MITRE ATT&CK: T1190 – Exploit Public-Facing Application Alert Details: Attack Details: – Target: https://portal.company.com/login.php – Source IP: 45.134.225[.]78 (DigitalOcean – Netherlands) – Time: 11:05 – 11:08 EST – Requests: 347 in 3 minutes … Read more

T1189 – Drive-by Compromise (Zscaler Detection)

May 31, 2026 by SOC Journal

Zscaler Alert Details Alert ID: ZSCALER-DRIVEBY-7842Alert Time: 2024-02-11 14:22:35 ESTSeverity: HIGH (85/100)Source: Zscaler Internet Access (ZIA) + Cloud SandboxRule: “Drive-by Compromise – Exploit Kit Activity”MITRE ATT&CK: T1189 – Drive-by Compromise Alert Details: Transaction Details: – User: rsmith@company.com (Robert Smith, Sales) – Device: SLS-WS-089 (Windows 10) – Time: 14:18-14:22 EST – Action: BLOCKED (Advanced Threat Protection … Read more

T1608 – Stage Capabilities (Zscaler Detection)

May 31, 2026 by SOC Journal

Zscaler Alert Details Alert ID: ZSCALER-STAGE-CAP-7842Alert Time: 2024-02-11 09:45:18 ESTSeverity: HIGH (78/100)Source: Zscaler Internet Access (ZIA)Rule: “Suspicious File Download – Potential Payload Staging”MITRE ATT&CK: T1608 – Stage Capabilities Alert Details: Transaction Details: – User: jdoe@company.com (John Doe, Marketing) – Device: MKT-WS-023 (Windows 11) – Time: 09:42 EST – Action: BLOCKED (Advanced Threat Protection) URL: hxxps://cdn.pastebin[.]com/raw/AbCdEfGh … Read more

T1588 – Obtain Capabilities (Anomali TIP Detection)

May 31, 2026 by SOC Journal

Anomali TIP Alert Details Alert ID: ANOMALI-CAPABILITY-ACQ-7842Alert Time: 2024-02-10 13:30:45 ESTSeverity: HIGH (75/100)Source: Anomali Threat Intelligence PlatformRule: “Known Malware Framework Offered for Sale”MITRE ATT&CK: T1588 – Obtain Capabilities Alert Details: Threat Intelligence Finding: Commercial access to Cobalt Strike licensed to new actor Source: Dark Web Marketplace “exploit[.]market” Listing Date: 2024-02-09 Seller: “license_king_84” Product: “Cobalt Strike … Read more

T1587 – Develop Capabilities (Threat Intelligence Detection)

May 31, 2026 by SOC Journal

Threat Intelligence Alert Details Alert ID: TI-CAPABILITY-DEV-7842Alert Time: 2024-02-10 08:15:22 ESTSeverity: MEDIUM (68/100)Source: Recorded Future Threat IntelligenceRule: “New Malware Targeting Industry Sector”MITRE ATT&CK: T1587 – Develop Capabilities Alert Details: Threat Intelligence Finding: New malware variant under development targeting our industry Source: Underground Russian Forum “exploit[.]in” Post Date: 2024-02-09 Thread: “Developing custom payload for [Industry] sector … Read more

T1586 – Compromise Accounts (Azure AD Detection)

May 31, 2026 by SOC Journal

Azure AD Alert Details Alert ID: AAD-COMPROMISE-ACCT-7842Alert Time: 2024-02-10 16:45:33 ESTSeverity: CRITICAL (98/100)Source: Azure AD Identity ProtectionRule: “Impossible Travel + Suspicious Inbox Rule”MITRE ATT&CK: T1586 – Compromise Accounts Alert Details: Identity Protection Risk Detection: User: jwilson@company.com (Jennifer Wilson – VP of Finance) Risk Level: HIGH (98%) Detection Time: 2024-02-10 16:30 EST Risk Events: 1. Impossible … Read more