T1589 – Gather Victim Identity Info (Recorded Future Detection)

Recorded Future Alert Details
Alert ID: RF-IDENTITY-LEAK-7842
Alert Time: 2024-02-08 08:15:33 EST
Severity: HIGH (82/100)
Source: Recorded Future Identity Intelligence Module
Rule: “Corporate Credentials Found on Dark Web”
MITRE ATT&CK: T1589 – Gather Victim Identity Information
Alert Details: Identity Intelligence Finding:
– Source: Dark Web Market (Russian-language forum)
– Post Date: 2024-02-07 22:00 EST
– Data Type: Employee credentials (email …

T1592 – Gather Victim Host Info (SenseOn Detection)

SenseOn Alert Details
Alert ID: SENSEON-RECON-HOSTINFO-7842
Alert Time: 2024-02-08 11:42:18 EST
Severity: HIGH (78/100)
Source: SenseOn Platform (EDR + UEBA)
Rule: “Suspicious Host Information Enumeration via WMI/PowerShell”
MITRE ATT&CK: T1592 – Gather Victim Host Information
Alert Details: Detection: Multiple host enumeration commands executed from a single endpoint within a 5-minute window.
Host: HR-WS-045 (Human Resources)
User: mjohnson (Michelle Johnson, HR Generalist)
IP: …

T1595 – Active Scanning (Palo Alto Detection)

Palo Alto Alert Details
Alert ID: PAN-THREAT-78945-ACTIVESCAN
Alert Time: 2024-02-08 09:15:22 EST
Severity: MEDIUM (65/100)
Source: Palo Alto Networks Threat Prevention Logs
Rule: “Reconnaissance – Port Scan Detected”
MITRE ATT&CK: T1595.001 – Active Scanning (Port Scan)
Alert Details:
Threat Type: Port Scan
Application: nmap / masscan
Direction: External to Internal
Source IP: 203.0.113.89 (DigitalOcean – Singapore)
Destination Range: Internal IP …

Active Scanning Reconnaissance Analysis: T1595 – Port Scan & Service Enumeration

SIEM Alert Details
Alert ID: SIEM-RECON-PORTSCAN-7842
Alert Time: 2024-02-01 08:22:15 EST
Severity: MEDIUM (65/100)
Source: Splunk Enterprise Security Correlation Rule
Rule: “Internal Port Scan Detected – Horizontal Sweep”
MITRE ATT&CK: T1595 – Active Scanning (Sub-technique T1595.001: Scanning IP Blocks)
Alert Details: Correlated Events: Threat Intelligence Context:
SOC Investigation Process
Phase 1: Alert Validation & Initial Triage (08:22-08:40 EST)
Tools: Splunk …

Wi-Fi Networks Attack Analysis: T1669 – Rogue Access Point & Evil Twin

SIEM Alert Details: Wireless Intrusion Detection
Alert ID: SIEM-WIDS-ROGUEAP-7842
Alert Time: 2024-01-30 14:18:32 EST
Severity: HIGH (85/100)
Source: Aruba Wireless Intrusion Detection System (WIDS) + Splunk Correlation
Rule: “Rogue Access Point with Corporate SSID Spoofing”
MITRE ATT&CK: T1669 – Wi-Fi Networks
Sub-technique: T1669.001 – Evil Twin Attack
Alert Details:
Primary Detection Source: Aruba WIDS Sensor (Location: Building 1, Floor 3)
Secondary Detection: Cisco Identity Services Engine (ISE) RADIUS …

Valid Accounts Attack Analysis: T1078 – Default Credentials on IoT Devices

SIEM Alert Details
Alert ID: SIEM-DEFAULT-CREDS-7842
Alert Time: 2024-01-29 22:45:18 EST
Severity: HIGH (82/100)
Source: Splunk Enterprise Security Correlation
Rule: “Default Credential Usage Detected on Network Device”
MITRE ATT&CK: T1078 – Valid Accounts (Default Credentials)
Alert Details: Correlated Events:
1. Network Authentication Attempt:
– Time: 22:40 EST
– Device: HVAC-Controller-04 (Building Automation System)
– IP: 192.168.30.45
– Protocol: SSH
– Username: admin
– Password: (attempt matching …

Trusted Relationship Attack Analysis: T1199 – Compromised Contractor Credentials

SIEM Correlation Alert Details
Alert ID: SIEM-CORR-7842-T1199
Alert Time: 2024-01-28 03:15:47 EST
Severity: HIGH (85/100)
Source: Splunk Enterprise Security Correlation Search
Rule: “Contractor Account Anomaly: VPN from Unusual Location + Immediate RDP”
MITRE ATT&CK: T1199 – Trusted Relationship
Correlated Events:
Event 1: VPN Authentication
– Time: 03:00 EST
– User: tsmith (Tom Smith – Contoso Solutions Contractor)
– Source IP: 89.248.165[.]23 (Moscow, Russia)
– VPN Gateway: …

Supply Chain Compromise Analysis: T1195 – Compromised Software Update

CrowdStrike Falcon Alert Details
Alert ID: CS-ALERT-7842-SUPPLYCHAIN
Alert Time: 2024-01-26 09:42:18 EST
Severity: CRITICAL (92/100)
Detection: “Software Updater Executing Suspicious Child Process”
MITRE ATT&CK: T1195 – Supply Chain Compromise, T1059.001 – PowerShell
Host Information:
Alert Details:
Detection Logic: Living Off the Land (LotL) Behavior – Legitimate Updater Spawning Unusual Child Process
Process Chain:
Parent Process: C:\Program Files\ChartTool\Updates\ChartToolUpdater.exe
– Publisher: “ChartTool Inc.” (Valid certificate, expires …

SOC Incident Report: Replication Through Removable Media (T1091)

Alert Details: EDR + DLP Correlation Alert
EDR Alert (Microsoft Defender for Endpoint):
Alert ID: MDE-USB-WORM-7842
Alert Time: 2024-01-24 11:18:42 EST
Severity: HIGH (82/100)
MITRE ATT&CK: T1091 – Replication Through Removable Media
Detection: “Worm-like behavior via removable media”
Details:
Host: RND-WS-023 (R&D Department)
User: drajput (Deepak Rajput, Research Scientist)
Process: C:\Windows\Temp\usb_sync.exe
Parent: explorer.exe
Command Line: usb_sync.exe /autorun /silent /propagate
File Activity:
– Created: C:\Windows\Temp\usb_sync.exe …

Phishing Incident Analysis: User-Reported via PhishMe

Email Details:
Reported Via: PhishMe (Cofense) Reporter Button in Outlook
Reporting User: asmith (Alex Smith, HR Department)
Report Time: 2024-01-22 09:45 EST
Confidence: High (User commented: “Suspicious sender, not our IT team”)
Sender: payroll-update@hronboarding[.]net
Subject: ACTION REQUIRED: Your Payroll Direct Deposit Information Needs Verification
Received: Today, 09:30 AM
Email Body: Dear Employee, The HR and Payroll Department has identified inconsistencies in your direct deposit information for the …