Phishing Incident Report: User-Reported Email Analysis

PhishMe Alert Details
Report Time: 2024-01-19 14:32:18 EST
Report Method: PhishMe (Cofense) Reporter Button in Outlook
User: swilliams (Sarah Williams, Finance Department)
Reporting Confidence: High (User marked “Definitely Phishing”)
Report ID: PHISHME-REPORT-4587

Reported Email Details:
From: security@microsoft-support[.]net
Reply-To: support@account-verify[.]online
Subject: URGENT: Your Microsoft 365 Account Requires Immediate Verification
Received: 2024-01-19 14:25 EST
To: swilliams@ourcompany.com
CC: None

Headers Analysis:
– Return-Path: bounce-7842@newsletter[.]hosting-service[.]co
– SPF: softfail …
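The header checks a Tier 1 analyst performs on a report like this (From vs Reply-To vs Return-Path domain alignment, the SPF verdict, and a brand name in a sender domain that is not one of that brand's real domains) can be scripted so the same findings come out every time. The block below is an added example, not code from the original post or from Cofense; the raw message is constructed from the fields in the report, and the Authentication-Results line, the allowlist of legitimate Microsoft sender domains and the function names are assumptions.

```python
"""Header triage for a user-reported phishing email (added example).

Assumes a raw RFC 5322 message. The sample is constructed from the fields in
the report above; the Authentication-Results line is an assumption (the report
only says "SPF: softfail"), and defanged "[.]" is restored so the parser sees
real domains.
"""
from email import message_from_string
from email.utils import parseaddr

SAMPLE_HEADERS = """\
Return-Path: <bounce-7842@newsletter.hosting-service.co>
Authentication-Results: mx.ourcompany.com; spf=softfail smtp.mailfrom=newsletter.hosting-service.co
From: Microsoft Security <security@microsoft-support.net>
Reply-To: support@account-verify.online
To: swilliams@ourcompany.com
Subject: URGENT: Your Microsoft 365 Account Requires Immediate Verification
Date: Fri, 19 Jan 2024 14:25:00 -0500

Please verify your account.
"""

# Brands attackers imitate, mapped to domains that brand legitimately mails from.
# The allowlist is illustrative (an assumption), not an exhaustive list.
BRAND_DOMAINS = {"microsoft": {"microsoft.com", "microsoftonline.com"}}


def _domain(header_value):
    """Lowercase domain part of an address header, or '' if the header is absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def _spf_result(auth_results):
    """Pull the spf=<result> token out of an Authentication-Results header."""
    for token in (auth_results or "").replace(";", " ").split():
        if token.lower().startswith("spf="):
            return token[4:].lower()
    return "none"


def triage_headers(raw):
    """Return a list of findings explaining why the message looks spoofed."""
    msg = message_from_string(raw)
    from_dom = _domain(msg["From"])
    reply_dom = _domain(msg["Reply-To"])
    bounce_dom = _domain(msg["Return-Path"])
    findings = []
    # Reply-To pointing somewhere other than the visible sender is the classic
    # sign that replies are being harvested by a third party.
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    # Envelope sender (Return-Path) on a different domain than the header From
    # usually means a bulk-mail relay was abused.
    if bounce_dom and bounce_dom != from_dom:
        findings.append(f"Return-Path domain {bounce_dom} differs from From domain {from_dom}")
    spf = _spf_result(msg["Authentication-Results"])
    if spf != "pass":
        findings.append(f"SPF result is {spf}, not pass")
    # Lookalike check: brand name inside a domain the brand does not own.
    for brand, legit in BRAND_DOMAINS.items():
        if brand in from_dom and from_dom not in legit:
            findings.append(f"From domain {from_dom} imitates {brand} but is not a known {brand} sender")
    return findings


if __name__ == "__main__":
    for finding in triage_headers(SAMPLE_HEADERS):
        print("-", finding)
```

Run against the constructed sample it reports all four problems; a message from a real microsoft.com sender with spf=pass produces no findings, which is the sanity check to keep in place so the rule does not flag legitimate brand mail.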

Hardware Additions Attack (T1200)

EDR Alert Details: Unauthorized Hardware Detection
Alert Time: 2024-01-18 10:15:34 EST
Alert Source: CrowdStrike Falcon EDR
Alert ID: FALCON-ALERT-HW-7842
Severity: HIGH (87/100)
MITRE ATT&CK: T1200 – Hardware Additions
Affected System:
Alert Description:
Detection: Unauthorized USB Mass Storage Device Installation with Malicious Payload Execution
Rule: “Hardware-Based Persistence Attempt”
Confidence: 98%
Event Chain:
10:14:22 – Unknown USB Device Connected (VID_0781&PID_55A3)
10:14:35 – Driver Installation: “Generic Mass …

External Remote Services (T1133) Incident

SIEM Alert
Alert Source: Splunk SIEM Correlation Rule
Alert Time: 2023-10-28 03:15:47 UTC
Severity: High
Rule: “Multiple RDP Connections from Unusual External IP”
Alert ID: SIEM-CORR-8923
Alert Details:
SIEM Correlation Rule Triggered: T1133 – External Remote Services
Time Range: 03:00-03:15 UTC
Correlated Events:
1. VPN Authentication: User jsmith successfully authenticated via Pulse Secure VPN from IP 89.248.165[.]23 (Moscow, Russia)
2. RDP Connection: User jsmith …
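The correlation rule behind this alert is simple to reproduce outside the SIEM, which is useful for testing the threshold and window before changing the production search. The block below is an added example in plain Python, not the Splunk rule from the post: it looks for a successful VPN login from a country outside the expected set and counts RDP connections by the same user in the following 15 minutes. The event field names, the 15-minute window, the "two or more" threshold and the expected-country set are assumptions; the user, source IP and geo match the alert.

```python
"""Correlate an external VPN login with follow-on RDP sessions (added example).

Field names, the window and the threshold are assumptions. Events are
constructed, not real logs; "geo" stands in for an IP enrichment lookup.
"""
from datetime import datetime, timedelta

EVENTS = [
    {"ts": "2023-10-28T03:02:11", "type": "vpn_auth", "user": "jsmith",
     "src_ip": "89.248.165.23", "geo": "RU", "result": "success"},
    {"ts": "2023-10-28T03:04:40", "type": "rdp_connect", "user": "jsmith",
     "src_ip": "10.20.0.14", "dest": "FS-01"},
    {"ts": "2023-10-28T03:06:05", "type": "rdp_connect", "user": "jsmith",
     "src_ip": "10.20.0.14", "dest": "DC-02"},
    {"ts": "2023-10-28T03:09:30", "type": "rdp_connect", "user": "jsmith",
     "src_ip": "10.20.0.14", "dest": "SQL-01"},
    # Benign baseline: expected geo, single RDP hop.
    {"ts": "2023-10-28T02:10:00", "type": "vpn_auth", "user": "mlee",
     "src_ip": "203.0.113.9", "geo": "US", "result": "success"},
    {"ts": "2023-10-28T02:12:00", "type": "rdp_connect", "user": "mlee",
     "src_ip": "10.20.0.30", "dest": "WS-44"},
]

EXPECTED_GEOS = {"US", "CA"}   # where the workforce normally connects from (assumed)
WINDOW = timedelta(minutes=15)
MIN_RDP = 2                    # how many RDP sessions count as "multiple" (assumed)


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def correlate(events):
    """Return one alert per successful VPN login from an unexpected geo that is
    followed by MIN_RDP or more RDP connections by the same user within WINDOW."""
    events = sorted(events, key=_ts)
    alerts = []
    for i, e in enumerate(events):
        if e["type"] != "vpn_auth" or e["result"] != "success":
            continue
        if e["geo"] in EXPECTED_GEOS:
            continue
        start = _ts(e)
        hops = [
            f for f in events[i + 1:]
            if f["type"] == "rdp_connect"
            and f["user"] == e["user"]
            and _ts(f) - start <= WINDOW
        ]
        if len(hops) >= MIN_RDP:
            alerts.append({
                "technique": "T1133",
                "user": e["user"],
                "vpn_src": e["src_ip"],
                "geo": e["geo"],
                "rdp_targets": [h["dest"] for h in hops],
            })
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

The RDP targets are carried into the alert deliberately: the list of hosts the account reached in the window is what the responder needs first when deciding what to isolate.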

Exploit Public-Facing Application

WAF Alert
Alert Source: AWS WAF / Cloudflare WAF
Alert Time: 2023-10-27 08:45:22 UTC
Severity: Critical
Application: Public Customer Portal (customer.ourcompany.com)
Alert Title: “SQL Injection Attempt Bypassing Authentication”
Alert ID: WAF-ALERT-45678
Alert Details:
WAF Rule: SQLi_Bypass_Attempt_1
Source IP: 45.134.225[.]67 (DigitalOcean, Netherlands)
HTTP Method: POST
Target URL: /api/v1/auth/login
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
Request Headers:
– Content-Type: application/json
– X-Forwarded-For: 45.134.225[.]67
Request Body/Payload: { …
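The alert names an authentication-bypass injection against a JSON login endpoint, and the fix is the same regardless of the exact payload: bind the credentials as parameters instead of splicing them into the SQL text. The block below is an added example, not the portal's code: it puts a vulnerable login handler beside the parameterized version and runs both against an in-memory SQLite table. The request body in the alert is truncated, so the attack body here is the classic tautology form, and the JSON field names, table layout and the plaintext password column are assumptions made to keep the demo short.

```python
"""Authentication-bypass SQL injection, vulnerable versus parameterized
(added example, not the portal's code).

Field names and the users table are assumptions; request bodies are constructed.
"""
import json
import sqlite3


def make_db():
    """In-memory stand-in for the portal's user table (constructed data).
    A real table stores a password hash, not plaintext; kept plain for brevity."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'S3cret!')")
    conn.commit()
    return conn


def login_vulnerable(conn, body):
    """Builds the query by string interpolation: the pattern the WAF rule is
    looking for. Attacker-controlled JSON values become part of the SQL text."""
    creds = json.loads(body)
    sql = (f"SELECT 1 FROM users WHERE username = '{creds['username']}' "
           f"AND password = '{creds['password']}'")
    return conn.execute(sql).fetchone() is not None


def login_fixed(conn, body):
    """Same check with bound parameters: input is data, never query structure."""
    creds = json.loads(body)
    row = conn.execute(
        "SELECT 1 FROM users WHERE username = ? AND password = ?",
        (creds["username"], creds["password"]),
    ).fetchone()
    return row is not None


# Constructed request bodies for POST /api/v1/auth/login. In the attack body the
# injected OR makes the WHERE clause true and "--" comments out the password check.
LEGIT_BODY = json.dumps({"username": "alice", "password": "S3cret!"})
ATTACK_BODY = json.dumps({"username": "alice' OR '1'='1' --", "password": "wrong"})


def demo():
    """Exercise both handlers with a legitimate and an injected body."""
    conn = make_db()
    return {
        "vulnerable_legit": login_vulnerable(conn, LEGIT_BODY),
        "vulnerable_attack": login_vulnerable(conn, ATTACK_BODY),
        "fixed_legit": login_fixed(conn, LEGIT_BODY),
        "fixed_attack": login_fixed(conn, ATTACK_BODY),
    }


if __name__ == "__main__":
    print(demo())
```

The WAF rule is a compensating control; the parameterized handler is the actual fix, and the `vulnerable_attack` result is what to look for when validating that the blocked request would have succeeded against the unpatched endpoint.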

Drive-by Compromise Incident

EDR Alert
Alert Source: Microsoft Defender for Endpoint (MDE)
Alert Time: 2023-10-26 14:32:18 UTC
Severity: High
Device: FIN-0789 (Windows 10, Finance Department)
User: jane.doe@company.com
Alert Title: “Suspicious script execution indicative of drive-by download”
Alert ID: INC-2023-2678
Alert Details:
Detection: TrojanDownloader:PowerShell/CobaltStrike
Path: C:\Users\jane.doe\AppData\Local\Temp\update_check.ps1
Parent Process: msedge.exe (PID: 7845)
Command Line: powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -File “C:\Users\jane.doe\AppData\Local\Temp\update_check.ps1”
Process Tree: svchost.exe (services) -> msedge.exe (PID: 7845, visited: hxxps://adobe-flash-update[.]online) -> cmd.exe …
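What makes this alert high-fidelity is the combination in the process tree: a browser as an ancestor of PowerShell, plus a command line that disables the execution policy, hides the window and runs a script out of the user's Temp directory. The block below is an added example, not MDE's detection logic: it walks constructed process-creation events (fields modelled on Sysmon/MDE telemetry, an assumption), rebuilds the ancestry of every PowerShell launch and flags the ones with a browser ancestor and at least one of those command-line traits. The process IDs other than 7845 and the benign admin-script event are constructed.

```python
"""Process-ancestry check for browser-spawned PowerShell (added example).

Event fields are assumptions modelled on process-creation telemetry; the
events are constructed around the tree in the alert above.
"""
import re

BROWSERS = {"msedge.exe", "chrome.exe", "firefox.exe", "iexplore.exe"}

# Command-line traits worth flagging. The first two tolerate PowerShell's
# abbreviated switches (-ep bypass, -w hidden).
SUSPICIOUS_FLAGS = [
    re.compile(r"-e\w*\s+bypass", re.I),            # -ExecutionPolicy Bypass / -ep bypass
    re.compile(r"-w\w*\s+hidden", re.I),            # -WindowStyle Hidden / -w hidden
    re.compile(r"\\AppData\\Local\\Temp\\", re.I),  # script staged in the user's Temp
]

EVENTS = [
    {"pid": 612,  "ppid": 4,    "image": "svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
    {"pid": 7845, "ppid": 612,  "image": "msedge.exe",  "cmdline": "msedge.exe --type=renderer"},
    {"pid": 7910, "ppid": 7845, "image": "cmd.exe",     "cmdline": "cmd.exe /c run.bat"},
    {"pid": 7922, "ppid": 7910, "image": "powershell.exe",
     "cmdline": 'powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden '
                '-File "C:\\Users\\jane.doe\\AppData\\Local\\Temp\\update_check.ps1"'},
    # Benign: an admin script launched by a service, no browser in the chain.
    {"pid": 8001, "ppid": 612,  "image": "powershell.exe",
     "cmdline": "powershell.exe -File C:\\Scripts\\inventory.ps1"},
]


def ancestry(events, pid):
    """Image names from pid up to the root, child first."""
    by_pid = {e["pid"]: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid]["image"])
        pid = by_pid[pid]["ppid"]
    return chain


def detect_browser_spawned_powershell(events):
    """Return a hit per PowerShell launch that has a browser anywhere in its
    ancestry and at least one suspicious command-line trait."""
    hits = []
    for e in events:
        if e["image"].lower() != "powershell.exe":
            continue
        chain = ancestry(events, e["pid"])
        # chain[0] is the PowerShell process itself; look only at ancestors.
        if not any(img.lower() in BROWSERS for img in chain[1:]):
            continue
        flags = [p.pattern for p in SUSPICIOUS_FLAGS if p.search(e["cmdline"])]
        if flags:
            hits.append({
                "pid": e["pid"],
                "chain": " -> ".join(reversed(chain)),
                "flags": flags,
            })
    return hits


if __name__ == "__main__":
    for hit in detect_browser_spawned_powershell(EVENTS):
        print(hit)
```

Walking the full ancestry rather than checking only the immediate parent matters here: the alert's own tree has cmd.exe between the browser and PowerShell, which a parent-only rule would miss.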

Phishing Email

Report Method: User in the Finance department clicked the “Report Phish” button in their Outlook add-in (Microsoft Report Phishing Add-in / PhishMe (Cofense) Reporter Button).
Email Details:
Email Body:
Dear Employee,
Our security system has detected unusual login attempts on your corporate account. To protect your data, we require you to reconfigure your Multi-Factor Authentication (MFA) settings immediately. …

The Incident: Reported Email

2. Updated Workflow: How it was Handled
Step A: Automated Ingestion & Ticket Creation
Step B: Technical Header & Metadata Analysis
Step C: URL & Payload Detonation
Step D: Global Search & Containment
3. Detailed Jira Comment of the Analysis
Jira Comment – Incident Analysis [INC-2026-8821]
Status: Resolved | Priority: High
Analyst: Walter White (Tier 1)
Analysis Details:
Remediation Steps:
Closing …

Global Cybersecurity Outlook 2026: Geopolitics as the New Attack Surface

Executive Summary
The 2026 cybersecurity landscape is defined by geopolitical fragmentation, transforming cyberspace into the primary arena for statecraft and coercion. For the first time, 64% of global organizations now explicitly account for geopolitically motivated attacks—such as infrastructure disruption or espionage—within their core risk mitigation strategies. The distinction between organized cybercrime and state-sponsored conflict has …