Effective Threat Investigation for SOC Analysts

Adversaries rarely limit their activities to a single host. Pivoting on the indicators recovered from the first compromised host (the account used, the source address, the file hash) allows analysts to uncover the true lateral extent of an intrusion.

The MITRE ATT&CK Mapping Framework

SOC analysts face numerous challenges when investigating threats, including:

If the investigation reveals that a harmless business process triggered the alert, tune the detection rule so it does not generate the same noise again. Add an exception that is as narrow as the evidence allows (the specific parent process, user and command line), rather than disabling or broadening the rule, so the same technique used by an attacker still fires.

Phishing email: search email gateway logs for inbound messages matching the sender domain, attachment hash, or subject-line pattern found on the patient-zero machine, to find every other recipient of the same campaign and whether the message was delivered or quarantined.
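The gateway pivot described above, as an added example (not code from the original page): a small matcher that takes the three indicators from the patient-zero mailbox and runs them over constructed email-gateway records. The record shape, addresses, hash value and subject pattern are all assumptions made for the example; a real gateway export will need its own field mapping.

```python
"""Pivot from patient-zero phishing indicators to every other recipient.

Added example; the MailEvent shape, IOC values and log records are constructed.
"""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class MailEvent:  # constructed shape of one email-gateway log record
    ts: str
    sender: str            # may be "Display Name <user@domain>" or a bare address
    recipient: str
    subject: str
    attachment_sha256: Optional[str]
    action: str            # "delivered" or "quarantined"


# Indicators recovered from the patient-zero machine (constructed values).
PATIENT_ZERO = {
    "sender_domain": "invoices-corp-billing.example",
    "attachment_sha256": "3a7bd3e2360a3d29eea436fcfb7e44c735d117c42d1c1835420b6b9942dd4f1b",
    # "Invoice #48213 overdue", "RE: invoice 48214 ... OVERDUE" and similar variants
    "subject_pattern": re.compile(r"^(?:re:\s*)?invoice\s*#?\d{4,6}\b.*overdue", re.I),
}


def sender_domain(addr):
    """Extract the domain from a header-style or bare sender address, lower-cased."""
    m = re.search(r"<([^>]+)>", addr)
    bare = (m.group(1) if m else addr).strip()
    return bare.rsplit("@", 1)[-1].lower()


def match_reasons(ev, iocs):
    """Return the list of indicators a message matches (empty list = no match)."""
    reasons = []
    if sender_domain(ev.sender) == iocs["sender_domain"]:
        reasons.append("sender_domain")
    if ev.attachment_sha256 and ev.attachment_sha256.lower() == iocs["attachment_sha256"]:
        reasons.append("attachment_hash")
    if iocs["subject_pattern"].search(ev.subject):
        reasons.append("subject_pattern")
    return reasons


def pivot_campaign(events, iocs):
    """Map each recipient of a matching message to the reasons it matched and
    whether at least one such message was actually delivered to them."""
    hits = {}
    for ev in events:
        reasons = match_reasons(ev, iocs)
        if not reasons:
            continue
        entry = hits.setdefault(ev.recipient, {"reasons": set(), "delivered": False})
        entry["reasons"].update(reasons)
        entry["delivered"] |= ev.action == "delivered"
    return hits


def delivered_recipients(hits):
    """Recipients who actually received a matching message: first targets for containment."""
    return sorted(r for r, h in hits.items() if h["delivered"])


SAMPLE_EVENTS = [  # constructed gateway records
    MailEvent("2024-05-01T08:02:11Z", "Billing <ap@invoices-corp-billing.example>",
              "jsmith@corp.example", "Invoice #48213 overdue",
              PATIENT_ZERO["attachment_sha256"], "delivered"),          # patient zero
    MailEvent("2024-05-01T08:02:13Z", "Billing <ap@invoices-corp-billing.example>",
              "jdoe@corp.example", "RE: Invoice #48214 OVERDUE - final notice",
              "9f2c1e0a7b6d5c4e3f2a1b0c9d8e7f6a5b4c3d2e1f0a9b8c7d6e5f4a3b2c1d0e", "delivered"),
    MailEvent("2024-05-01T08:05:40Z", "accounts@billing-corp.example",
              "ajones@corp.example", "Your statement",
              PATIENT_ZERO["attachment_sha256"], "quarantined"),        # same payload, new sender
    MailEvent("2024-05-01T08:10:00Z", "hr@corp.example",
              "bob@corp.example", "Invoice process update", None, "delivered"),  # benign
    MailEvent("2024-05-01T08:12:30Z", "Billing <ap@invoices-corp-billing.example>",
              "mlee@corp.example", "Invoice #48215 overdue", None, "quarantined"),
]

if __name__ == "__main__":
    hits = pivot_campaign(SAMPLE_EVENTS, PATIENT_ZERO)
    for rcpt, h in hits.items():
        print(f"{rcpt}: {sorted(h['reasons'])} delivered={h['delivered']}")
    print("contain first:", delivered_recipients(hits))
```

Matching on any single indicator is deliberate: the second and third records show why. Re-packed attachments change the hash but keep the sender, and a second sender domain can carry the same payload, so a pivot on one indicator alone would miss part of the campaign.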

Identify unusually large outbound data transfers, particularly to external destinations the host has never contacted before, that could indicate data exfiltration. Compare against the host's own baseline rather than a single global threshold, since a file server and a workstation have very different normal volumes.
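The exfiltration check above, as an added example rather than code from the original page: per-host daily outbound totals from constructed flow records are compared with that host's own median over prior days, and any external destinations not seen before are reported alongside the volume. The flow tuple layout, the 10.0.0.0/8 internal range, the ratio and the minimum byte count are assumptions for the example.

```python
"""Flag outbound volume spikes per host against the host's own baseline.

Added example; the flow records and thresholds are constructed.
"""
import statistics
from collections import defaultdict

RATIO = 5.0               # today's total must be at least RATIO x the median of prior days
MIN_BYTES = 500_000_000   # and at least 500 MB, so tiny baselines do not trip the rule


def is_internal(ip):
    # Assumption for the example: the internal range is 10.0.0.0/8
    return ip.startswith("10.")


def daily_totals(flows):
    """Aggregate external-bound bytes and destinations per internal host per day."""
    totals = defaultdict(lambda: defaultdict(int))    # host -> day -> bytes out
    dests = defaultdict(lambda: defaultdict(set))     # host -> day -> external destinations
    for day, src, dst, nbytes in flows:
        if is_internal(src) and not is_internal(dst):
            totals[src][day] += nbytes
            dests[src][day].add(dst)
    return totals, dests


def find_exfil(flows, target_day):
    """Return one finding per host whose outbound volume on target_day is anomalous.

    A host with no prior days has no baseline; it is still reported when it exceeds
    MIN_BYTES, with baseline_median set to None, rather than silently skipped."""
    totals, dests = daily_totals(flows)
    findings = []
    for host, per_day in totals.items():
        today = per_day.get(target_day, 0)
        prior_days = [d for d in per_day if d < target_day]
        if not prior_days:
            if today >= MIN_BYTES:
                findings.append({"host": host, "bytes_out": today, "baseline_median": None,
                                 "new_destinations": sorted(dests[host].get(target_day, set()))})
            continue
        baseline = statistics.median(per_day[d] for d in prior_days)
        prior_dests = set().union(*(dests[host][d] for d in prior_days))
        new_dests = dests[host].get(target_day, set()) - prior_dests
        if today >= MIN_BYTES and today >= RATIO * baseline:
            findings.append({"host": host, "bytes_out": today, "baseline_median": baseline,
                             "new_destinations": sorted(new_dests)})
    return findings


# Constructed flow records: (day, src_ip, dst_ip, bytes_out)
FLOWS = []
for i, mb in enumerate([60, 70, 55, 80, 65], start=1):
    day = f"2024-05-0{i}"
    FLOWS.append((day, "10.0.0.25", "93.184.216.34", mb * 1_000_000))   # workstation, normal
    FLOWS.append((day, "10.0.0.30", "151.101.1.1", 100_000_000))        # steady host
FLOWS += [
    ("2024-05-07", "10.0.0.25", "93.184.216.34", 50_000_000),
    ("2024-05-07", "10.0.0.25", "198.51.100.7", 4_200_000_000),         # 4.2 GB to a new destination
    ("2024-05-07", "10.0.0.30", "151.101.1.1", 120_000_000),
    ("2024-05-07", "10.0.0.40", "203.0.113.9", 900_000_000),            # host with no baseline
    ("2024-05-07", "10.0.0.25", "10.0.0.5", 3_000_000_000),             # internal backup, ignored
]

if __name__ == "__main__":
    for f in find_exfil(FLOWS, "2024-05-07"):
        print(f"{f['host']}: {f['bytes_out']/1e9:.2f} GB out, baseline {f['baseline_median']}, "
              f"new destinations {f['new_destinations']}")
```

The internal-to-internal transfer on the last record is deliberately ignored by the external-bound filter; staging data on an internal host before exfiltration is a different detection and needs a different rule.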

Examine parent-child process relationships. For example, cmd.exe or powershell.exe spawned by w3wp.exe (an IIS worker process) or winword.exe (Microsoft Word) is highly suspicious: a web server process only does this when a web shell or deserialization exploit is running inside it, and a document viewer only does it when a macro or exploit in the document launches a shell. Process-creation logging (Windows 4688 with command-line capture, or Sysmon Event ID 1) is what makes this visible.
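The parent-child check above, together with the rule-tuning step described earlier, as one added example (not code from the original page): the detection runs over constructed Sysmon Event ID 1 style records and applies a narrow exception for a known business process so the rule stays enabled. The record layout, the host and account names and the exception entry are assumptions for the example.

```python
"""Suspicious parent-child process detection with narrow tuning exceptions.

Added example; the events and the exception entry are constructed.
"""
from collections import namedtuple

ProcEvent = namedtuple("ProcEvent", "host parent_image image command_line user")

# Parent images that should never launch a shell or script host.
SUSPICIOUS_PARENTS = {"w3wp.exe", "winword.exe", "excel.exe", "outlook.exe", "acrord32.exe"}
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Exceptions recorded after an investigation found a harmless business process.
# Each one is as narrow as possible: parent, child, user and a command-line fragment
# all have to match, so the rule itself stays enabled for everyone else.
# (Constructed entry; the script name and service account are hypothetical.)
EXCEPTIONS = [
    {"parent": "winword.exe", "child": "powershell.exe",
     "user": "CORP\\svc_reports", "cmdline_contains": "Export-MonthlyReport.ps1"},
]


def basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_excepted(ev):
    for ex in EXCEPTIONS:
        if (basename(ev.parent_image) == ex["parent"]
                and basename(ev.image) == ex["child"]
                and ev.user.lower() == ex["user"].lower()
                and ex["cmdline_contains"].lower() in ev.command_line.lower()):
            return True
    return False


def evaluate(ev):
    """Return 'alert', 'tuned_out' or None for one process-creation event."""
    parent, child = basename(ev.parent_image), basename(ev.image)
    if parent in SUSPICIOUS_PARENTS and child in SHELL_CHILDREN:
        return "tuned_out" if is_excepted(ev) else "alert"
    return None


def triage(events):
    """Group events by verdict; suppressed hits are kept so the tuning stays auditable."""
    out = {"alert": [], "tuned_out": []}
    for ev in events:
        verdict = evaluate(ev)
        if verdict:
            out[verdict].append(ev)
    return out


SAMPLE_EVENTS = [  # constructed Sysmon Event ID 1 style records
    ProcEvent("WEB01", r"C:\Windows\System32\inetsrv\w3wp.exe", r"C:\Windows\System32\cmd.exe",
              "cmd.exe /c whoami", "IIS APPPOOL\\DefaultAppPool"),
    ProcEvent("WKS17", r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -nop -w hidden -enc SQBFAFgA", "CORP\\jsmith"),
    ProcEvent("FIN03", r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -File C:\Reports\Export-MonthlyReport.ps1", "CORP\\svc_reports"),
    ProcEvent("WKS17", r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe",
              "cmd.exe", "CORP\\jsmith"),
]

if __name__ == "__main__":
    result = triage(SAMPLE_EVENTS)
    for ev in result["alert"]:
        print(f"ALERT {ev.host}: {basename(ev.parent_image)} -> {basename(ev.image)} ({ev.user})")
    for ev in result["tuned_out"]:
        print(f"suppressed by exception on {ev.host}: {ev.command_line}")
```

Note that the FIN03 event is suppressed only because the user and script path both match the exception; the same Word-to-PowerShell chain under jsmith on WKS17 still alerts.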

Filtering out the noise to identify high-fidelity alerts.

Use this quick-reference table during time-sensitive investigations to identify the exact log sources needed.

Artifact Type        | Key Windows Event IDs              | Linux Log Locations  | Primary Investigative Goal
Logon Events         | 4624 (Logon), 4625 (Failure)       | /var/log/auth.log    | Identify brute-force attacks and compromised accounts.
Process Creation     | 4688 (requires auditing), Sysmon 1 | auditd configuration | Uncover malicious command execution and scripting.
Network Connections  | netstat                            | /proc/net/           | Track command-and-control (C2) and data exfiltration.
Object Access        | 4663 (file/folder access)          | /var/log/syslog      | Monitor unauthorized access to sensitive file shares.

Note that 4688 is not recorded by default: Audit Process Creation must be enabled, and the separate "Include command line in process creation events" policy is needed for the command line to appear in the event. Object access (4663) likewise requires both the audit policy and a SACL on the files or shares of interest.

8. Conclusion and Continuous Improvement
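The logon-event row of the table and the pivoting step described earlier, as one added example that is not code from the original page: Windows 4624/4625 records and sshd lines in /var/log/auth.log format are normalised into one schema, a burst of failures from one source followed by a success marks the account as compromised, and the account is then pivoted across every later successful logon to show the lateral extent. The event layout, host names, addresses, thresholds and the year supplied for the syslog timestamps are assumptions for the example.

```python
"""Brute-force detection and lateral-movement pivot over constructed logon records.

Added example; Windows events are modelled as dicts and the auth.log text is constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

FAIL_THRESHOLD = 5             # failures from one source on one host within WINDOW
WINDOW = timedelta(minutes=5)
PIVOT_LOOKAHEAD = timedelta(hours=24)

SSHD_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) (?:password|publickey) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port"
)


def parse_auth_log(text, year=2024):
    """Normalise sshd lines from /var/log/auth.log; syslog omits the year, so the caller supplies it."""
    out = []
    for line in text.splitlines():
        m = SSHD_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
        out.append({"ts": ts.replace(tzinfo=timezone.utc), "host": m["host"],
                    "outcome": "success" if m["outcome"] == "Accepted" else "failure",
                    "account": m["user"], "src_ip": m["ip"], "logon_type": "ssh"})
    return out


def normalise_windows(events):
    """Map 4624 to success and 4625 to failure, keeping the fields analysts pivot on."""
    out = []
    for e in events:
        ts = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        out.append({"ts": ts, "host": e["host"],
                    "outcome": "success" if e["event_id"] == 4624 else "failure",
                    "account": e["account"], "src_ip": e["src_ip"], "logon_type": e["logon_type"]})
    return out


def find_compromised(events):
    """A source that fails >= FAIL_THRESHOLD times within WINDOW on a host and then succeeds
    marks the succeeding account as compromised. Returns {account: time of first success}."""
    events = sorted(events, key=lambda e: e["ts"])
    failures = defaultdict(list)      # (host, src_ip) -> failure timestamps
    compromised = {}
    for e in events:
        key = (e["host"], e["src_ip"])
        if e["outcome"] == "failure":
            failures[key].append(e["ts"])
            continue
        recent = [t for t in failures[key] if e["ts"] - t <= WINDOW]
        if len(recent) >= FAIL_THRESHOLD and e["account"] not in compromised:
            compromised[e["account"]] = e["ts"]
    return compromised


def pivot_lateral(events, compromised):
    """For each compromised account, list every later successful logon (host, source, type)."""
    events = sorted(events, key=lambda e: e["ts"])
    extent = {}
    for account, t0 in compromised.items():
        extent[account] = [(e["host"], e["src_ip"], e["logon_type"]) for e in events
                           if e["account"] == account and e["outcome"] == "success"
                           and t0 < e["ts"] <= t0 + PIVOT_LOOKAHEAD]
    return extent


# Constructed Windows Security events: ten 4625 failures, then a 4624 from the same source,
# then the account appearing on other hosts. The day-old WKS02 logon is normal activity.
WIN_EVENTS = [{"ts": "2024-05-01T09:00:%02dZ" % s, "host": "DC01", "event_id": 4625,
               "account": "bob", "src_ip": "203.0.113.5", "logon_type": 3} for s in range(0, 40, 4)]
WIN_EVENTS += [
    {"ts": "2024-05-01T09:00:41Z", "host": "DC01", "event_id": 4624, "account": "bob", "src_ip": "203.0.113.5", "logon_type": 3},
    {"ts": "2024-05-01T09:05:10Z", "host": "FS01", "event_id": 4624, "account": "bob", "src_ip": "10.0.0.25", "logon_type": 3},
    {"ts": "2024-05-01T09:07:30Z", "host": "FIN03", "event_id": 4624, "account": "bob", "src_ip": "10.0.0.25", "logon_type": 10},
    {"ts": "2024-04-30T08:00:00Z", "host": "WKS02", "event_id": 4624, "account": "bob", "src_ip": "10.0.0.25", "logon_type": 2},
    {"ts": "2024-05-01T09:06:00Z", "host": "FS01", "event_id": 4624, "account": "alice", "src_ip": "10.0.0.30", "logon_type": 3},
]

AUTH_LOG = """\
May  1 09:10:01 bastion sshd[2231]: Failed password for bob from 203.0.113.5 port 50122 ssh2
May  1 09:10:03 bastion sshd[2231]: Failed password for bob from 203.0.113.5 port 50123 ssh2
May  1 09:10:09 bastion sshd[2240]: Accepted password for bob from 203.0.113.5 port 50130 ssh2
May  1 09:11:00 bastion sshd[2250]: Accepted publickey for deploy from 10.0.0.40 port 41000 ssh2
"""

if __name__ == "__main__":
    all_events = normalise_windows(WIN_EVENTS) + parse_auth_log(AUTH_LOG)
    compromised = find_compromised(all_events)
    for account, hops in pivot_lateral(all_events, compromised).items():
        print(f"{account} compromised at {compromised[account].isoformat()}; later logons: {hops}")
```

Two failures on the bastion are below the threshold, so that host does not raise its own brute-force finding; it still shows up in the pivot because the already-compromised account logged on there afterwards, which is the point of pivoting on the account rather than on the alerting host.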

If the evidence points to a true-positive, high-severity incident, execute immediate containment procedures. This may include isolating the host from the network via EDR, disabling compromised user accounts and revoking their active sessions, or blocking malicious IPs at the perimeter firewall. Preserve volatile evidence (memory, running processes, network connections) before or during isolation where the EDR tooling allows it, since a reboot or shutdown destroys it.

5. Investigating Common Attack Vectors
