Analysis

WAF Alert Details Alert ID: WAF-DIRECTORY-SCAN-7842 Alert Time: 2024-02-09 16:45:22 EST Severity: MEDIUM (62/100) Source: Cloudflare WAF Rule: “Directory Enumeration Scan Detected” MITRE ATT&CK: T1594 – Search Victim-Owned Websites Alert Details: Detection: Directory/file enumeration against company website Target: www.company.com Source IP: 185.143.221[.]89 (Romania) Time Window: 16:30 – 16:45 EST Requests: 2,847 Pattern: Sequential directory/file brute-forcing … Read more

| Step | Action | Tools Used | Findings | |——|——–|————|———-| | 1. Alert Validation | Verify MDI alert | Microsoft Defender for Identity | Confirmed malicious GPO modification | | 2. Immediate Action | Remove logon script from GPO | Group Policy Management Console | Script removed; GPO reverted | | 3. Script Analysis … Read more

I’m ready. Here are the first 5 detailed SOC incident reports based on your prompts. 1. T1595 – Active Scanning (Palo Alto Detection) Palo Alto Alert Details Alert ID: PAN-THREAT-78945-ACTIVESCAN Alert Time: 2024-02-08 09:15:22 EST Severity: MEDIUM (65/100) Source: Palo Alto Networks Threat Prevention Logs Rule: “Reconnaissance – Port Scan Detected” MITRE ATT&CK: T1595.001 – … Read more

**Ticket:** SOC-2024-080 **Summary:** T1037 – Malicious Logon Script Added to Default Domain Policy **Status:** RESOLVED **Resolution:** MALICIOUS – Widespread Execution Contained **Priority:** P1 – CRITICAL **Labels:** T1037, logon-scripts, gpo, mdi, domain-compromise **Components:** Identity-Management, Group-Policy, Incident-Response — **INCIDENT ANALYSIS REPORT** **1. Initial Context:** * **Detection Source:** Microsoft Defender for Identity. * **Alert:** “Suspicious Group Policy Object … Read more

Palo Alto Alert Details Alert ID: PAN-THREAT-78945-ACTIVESCAN Alert Time: 2024-02-08 09:15:22 EST Severity: MEDIUM (65/100) Source: Palo Alto Networks Threat Prevention Logs Rule: “Reconnaissance – Port Scan Detected” MITRE ATT&CK: T1595.001 – Active Scanning (Port Scan) Alert Details: Threat Type: Port Scan Application: nmap / masscan Direction: External to Internal Source IP: 203.0.113.89 (DigitalOcean – … Read more

SenseOn Alert Details Alert ID: SENSEON-RECON-HOSTINFO-7842 Alert Time: 2024-02-08 11:42:18 EST Severity: HIGH (78/100) Source: SenseOn Platform (EDR + UEBA) Rule: “Suspicious Host Information Enumeration via WMI/PowerShell” MITRE ATT&CK: T1592 – Gather Victim Host Information Alert Details: Detection: Multiple host enumeration commands executed from single endpoint within 5-minute window. Host: HR-WS-045 (Human Resources) User: mjohnson … Read more

Recorded Future Alert Details Alert ID: RF-IDENTITY-LEAK-7842 Alert Time: 2024-02-08 08:15:33 EST Severity: HIGH (82/100) Source: Recorded Future Identity Intelligence Module Rule: “Corporate Credentials Found on Dark Web” MITRE ATT&CK: T1589 – Gather Victim Identity Information Alert Details: Identity Intelligence Finding: – Source: Dark Web Market (Russian-language forum) – Post Date: 2024-02-07 22:00 EST – … Read more

Splunk Alert Details Alert ID: SPLUNK-NETWORK-RECON-7842 Alert Time: 2024-02-08 13:22:45 EST Severity: MEDIUM (68/100) Source: Splunk Enterprise Security Correlation Rule Rule: “Internal Network Reconnaissance – DNS Query Anomaly” MITRE ATT&CK: T1590 – Gather Victim Network Information Alert Details: Correlation Rule: “Excessive DNS Queries for Internal Hostnames” Time Window: 13:15 – 13:22 EST (7 minutes) Source … Read more

OSINT Alert Details Alert ID: OSINT-ORG-INFO-7842 Alert Time: 2024-02-08 10:05:12 EST Severity: MEDIUM (62/100) Source: Silent Push (OSINT Monitoring Platform) Rule: “Corporate Information Exposure on External Platforms” MITRE ATT&CK: T1591 – Gather Victim Organization Information Alert Details: OSINT Findings Summary: 1. LinkedIn Platform: – 45 employees posted about “new ERP system implementation” – 12 employees … Read more

Digital Shadows Alert Details Alert ID: DS-CLOSED-SOURCES-7842 Alert Time: 2024-02-09 09:22:15 EST Severity: HIGH (78/100) Source: Digital Shadows SearchLight Platform Rule: “Sensitive Company Data Found on Closed Sources” MITRE ATT&CK: T1597 – Search Closed Sources Alert Details: Finding Type: Closed Source Monitoring (Dark Web, Forums, Telegram) Detection Time: 2024-02-09 09:15 EST Content Discovery Date: 2024-02-08 … Read more