Simulation Exercise For SOC Workflow

Uploaded by iamwhitedevil210

SIMULATION EXERCISE FOR SOC WORKFLOW USING SPLUNK, QRADAR, ELK STACK, LOGRHYTHM AND OTHERS
BY IZZMIER IZZUDDIN

SIMULATION 1: SOC WORKFLOW USING SPLUNK

Scenario: A financial institution with critical infrastructure managed by the SOC. They use
Splunk as their SIEM tool, alongside endpoint detection and response (EDR) tools.

INCIDENT TIMELINE:

1. Initial Trigger: Splunk detects a high-volume data transfer from a critical server
during off-hours.
2. Secondary Alert: Suspicious DNS requests and unusual traffic patterns to an
external domain.
3. Tertiary Event: A phishing email with malware is reported by an employee.
4. Potential Breach: Indicators suggest lateral movement and possible ransomware
payload deployment.

LOGS

File Transfer Logs (Critical Server)

Timestamp, Source_IP, Destination_IP, User, File_Path, Bytes_Transferred, Protocol

2025-01-10T02:45:12Z, 10.0.0.5, 192.168.1.10, admin, /Vault/Finance_Reports_2024.xlsx, 25MB, SMB
2025-01-10T02:46:01Z, 10.0.0.5, 192.168.1.10, admin, /Vault/Client_List.csv, 10MB, SMB

Firewall Logs (DNS and External Traffic)

Timestamp, Source_IP, Destination_IP, Protocol, Bytes

2025-01-10T03:10:30Z, 10.0.0.5, 8.8.8.8, DNS, 512B
2025-01-10T03:11:00Z, 10.0.0.5, 203.0.113.120, HTTPS, 15MB

Authentication Logs

Timestamp, User, IP_Address, Action, Status

2025-01-10T02:30:15Z, admin, 10.0.0.5, Login, Successful
2025-01-10T04:00:30Z, admin, 192.168.1.10, Privilege Escalation, Successful

Email Logs

Timestamp, Sender, Recipient, Subject, Attachment, Link

2025-01-09T23:58:10Z, [email protected], [email protected], Urgent Invoice, Invoice_123.zip, http://malicious-link.com

WORKFLOW
Effective communication is vital to the SOC's operations. Below are simulated interactions
for each team member:

Initial Alert (L1 Analyst)

• Medium: SOC Slack Channel
• Message:

[02:50] L1 Analyst: Team, Splunk flagged a large data transfer from 10.0.0.5 (Critical Server) to 192.168.1.10. I'm validating the source now. Logs attached.

Escalation to L2

• Medium: Ticketing System and Email
• Message:

Subject: Escalation: Suspicious Data Transfer Detected on Critical Server

Details:
- Source: 10.0.0.5
- User: admin
- Files: Finance_Reports_2024.xlsx, Client_List.csv
Recommended Action: Investigate potential insider threat or compromise.

Coordination with L3 and SOC Manager

• Medium: Incident Response Meeting
• Discussion Points:
o L3 Analyst: "Indicators suggest C2 activity from 10.0.0.5. Recommending isolation."
o SOC Manager: "Approved. Coordinate with IT to block 203.0.113.120 at the firewall and isolate affected systems."

Detailed Analysis (Step-by-Step)

L1 Analyst Workflow

1. Log Analysis:
o Splunk Query for Large Data Transfers (Bytes_Transferred is logged as text such as "25MB", so it is converted to a number before the comparison):

index=file_transfer_logs | eval mb=tonumber(replace(Bytes_Transferred, "MB$", "")) | where mb > 10

Output:
Timestamp             Source_IP   Destination_IP   File_Path                          Bytes_Transferred
2025-01-10T02:45:12   10.0.0.5    192.168.1.10     /Vault/Finance_Reports_2024.xlsx   25MB

2. Initial Assessment:
o Confirm that the server (10.0.0.5) is not scheduled for off-hours activity.
3. Action:
o Escalate findings to L2 with relevant logs.
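The L1 workflow above combines three checks: a size threshold, an off-hours time window and a confirmation that the server has no scheduled off-hours activity. The following Python is an added example, not code from the document or from Splunk, that applies those checks to log lines in the simulation's File Transfer Logs layout. The log text is reconstructed from the table above plus one constructed row, and the business-hours window, the 10MB threshold and the list of accounts allowed to run scheduled jobs are assumptions.

```python
"""Added example (not from the document): flag large off-hours file transfers,
the condition behind the L1 analyst's Splunk query and initial assessment in
Simulation 1. Thresholds and the business-hours window are assumptions."""
import csv
from datetime import datetime, timezone
from io import StringIO

# Constructed sample in the document's CSV layout: the two rows from the
# simulation plus a constructed night-time backup by a service account.
FILE_TRANSFER_LOGS = """\
Timestamp, Source_IP, Destination_IP, User, File_Path, Bytes_Transferred, Protocol
2025-01-10T02:45:12Z, 10.0.0.5, 192.168.1.10, admin, /Vault/Finance_Reports_2024.xlsx, 25MB, SMB
2025-01-10T02:46:01Z, 10.0.0.5, 192.168.1.10, admin, /Vault/Client_List.csv, 10MB, SMB
2025-01-10T02:10:00Z, 10.0.0.5, 192.168.1.22, svc_backup, /Vault/Nightly.bak, 300MB, SMB
"""

UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}


def parse_size(text):
    """Convert a size such as '25MB' or '512B' to a byte count."""
    text = text.strip().upper()
    for unit in ("GB", "MB", "KB", "B"):  # longest suffix first so 'MB' wins over 'B'
        if text.endswith(unit):
            return int(float(text[: -len(unit)]) * UNITS[unit])
    raise ValueError(f"unrecognised size: {text!r}")


def parse_transfer_logs(raw):
    """Parse the comma-separated log text into dicts with a UTC datetime and a byte count."""
    rows = []
    for row in csv.DictReader(StringIO(raw), skipinitialspace=True):
        row = {k.strip(): v.strip() for k, v in row.items()}
        row["ts"] = datetime.strptime(row["Timestamp"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        row["bytes"] = parse_size(row["Bytes_Transferred"])
        rows.append(row)
    return rows


def is_off_hours(ts, start_hour=7, end_hour=19):
    """Business hours are assumed to be 07:00-19:00 UTC."""
    return not (start_hour <= ts.hour < end_hour)


def find_suspicious_transfers(raw, threshold_bytes=10 * 1024 ** 2,
                              scheduled_users=frozenset({"svc_backup"})):
    """Transfers strictly larger than the threshold (the query's '>10MB'),
    outside business hours, by a user not on the list of accounts known to run
    scheduled off-hours jobs (the L1 analyst's step 2 check; the list is assumed)."""
    return [
        row for row in parse_transfer_logs(raw)
        if row["bytes"] > threshold_bytes
        and is_off_hours(row["ts"])
        and row["User"] not in scheduled_users
    ]


if __name__ == "__main__":
    for hit in find_suspicious_transfers(FILE_TRANSFER_LOGS):
        print(f"{hit['Timestamp']} {hit['User']} {hit['File_Path']} {hit['Bytes_Transferred']}")
```

With the sample above only the 25MB Finance_Reports_2024.xlsx transfer is returned: the 10MB row is not strictly above the threshold, and the 300MB night-time transfer is excluded because svc_backup is on the scheduled-jobs list. Maintaining that list is the step that turns a noisy size rule into something an L1 analyst can escalate on.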

L2 Analyst Workflow

1. Threat Intelligence Lookup:
o Use Splunk to identify external connections (the placeholder "internal_subnets" is written out as the internal ranges seen in these logs):

index=firewall_logs Source_IP=10.0.0.5 | where NOT cidrmatch("10.0.0.0/8", Destination_IP) AND NOT cidrmatch("192.168.0.0/16", Destination_IP)

Output:
Timestamp             Source_IP   Destination_IP   Protocol   Bytes
2025-01-10T03:11:00   10.0.0.5    203.0.113.120    HTTPS      15MB

o Insight: 203.0.113.120 flagged as a Command-and-Control (C2) server.


2. File Analysis:
o Decompress and inspect Invoice_123.zip from phishing email.
o Result: Identified as an initial payload dropper.
3. Action:
o Notify L3 for forensic imaging of 10.0.0.5 and further analysis.

L3 Analyst Workflow

1. Forensic Imaging and Malware Analysis:
o Create a disk image of 10.0.0.5 and extract suspicious files.
o Analyse payload using sandbox tools.
2. Hunt for Lateral Movement:
o Query for privilege escalation events:

index=auth_logs Action="Privilege Escalation"

Output:
Timestamp             User    IP_Address     Action                 Status
2025-01-10T04:00:30   admin   192.168.1.10   Privilege Escalation   Successful

3. Action:
o Block lateral movement by disabling admin credentials.

SOC Manager Workflow

1. Containment Decisions:
o Approve actions:
§ Isolate 10.0.0.5.
§ Block 203.0.113.120.
§ Notify all employees about phishing emails.
2. Reporting and Remediation:
o Generate an incident report for stakeholders:
§ Root Cause: Phishing email led to credential theft and data
exfiltration.
§ Remediation: Patch systems, improve monitoring, and conduct
employee training.
SIMULATION 2: SOC WORKFLOW USING QRADAR

Scenario: A healthcare organisation managing sensitive patient records. The SOC is responsible for monitoring potential security threats. They use IBM QRadar as their SIEM tool.

INCIDENT TIMELINE:

1. Initial Alert: QRadar generates an offense for suspicious brute force login attempts
on the patient records database.
2. Secondary Alert: Indicators of successful login and unauthorized database
queries.
3. Tertiary Event: External connections to an unrecognised IP with data exfiltration
patterns.
4. Potential Threat: Suspected ransomware staging after identifying lateral
movement.

LOGS

Brute Force Login Attempts

Timestamp, Username, Source_IP, Destination_IP, Status

2025-01-10T01:15:10Z, admin, 192.168.1.50, 10.0.0.20, Failed
2025-01-10T01:15:12Z, admin, 192.168.1.50, 10.0.0.20, Failed
2025-01-10T01:15:15Z, admin, 192.168.1.50, 10.0.0.20, Successful

Database Query Logs

Timestamp, User, Query_Type, Table, Rows_Affected

2025-01-10T01:16:30Z, admin, SELECT, Patients, 5000
2025-01-10T01:17:00Z, admin, DELETE, Patients, 0

Network Activity Logs

Timestamp, Source_IP, Destination_IP, Protocol, Bytes

2025-01-10T01:18:00Z, 10.0.0.20, 203.0.113.80, HTTPS, 10MB
2025-01-10T01:18:30Z, 10.0.0.20, 203.0.113.80, HTTPS, 25MB

File Integrity Monitoring Logs

Timestamp, File_Path, Action, User, Status

2025-01-10T01:20:15Z, /db_backup/patient_records.bak, Delete, admin, Successful

WORKFLOW

L1 Analyst Workflow

1. Detecting the Offense:
o QRadar generates an offense for a high number of failed login attempts.
o Event Rule:

Rule Name: Excessive Failed Logins
Threshold: >5 failed logins within 2 minutes

o Offense Details:
§ Source IP: 192.168.1.50
§ Destination IP: 10.0.0.20 (Patient Database Server)
2. Initial Steps:
o Validate the offense in QRadar by investigating associated logs.
o Run a quick search in QRadar Log Activity:

SELECT * FROM events WHERE Destination_IP='10.0.0.20' AND Event_Name='Failed Login'

3. Escalation:
o After confirming successful login, escalate the offense to L2 for deeper analysis.
o Communication:

[01:25] L1 Analyst: Team, QRadar flagged a potential brute force attack on 10.0.0.20. User 'admin' logged in successfully after multiple failed attempts. Logs attached for review.

L2 Analyst Workflow

1. Deep Analysis with QRadar:
o Investigate database queries made by admin:

SELECT * FROM events WHERE User='admin' AND Destination_IP='10.0.0.20' AND Event_Type='Database Query'

Output:
Timestamp             User    Query_Type   Table      Rows_Affected
2025-01-10T01:16:30   admin   SELECT       Patients   5000

o Insight: Query indicates potential data exfiltration.
2. Network Traffic Analysis:
o Correlate logs for external connections:

SELECT * FROM events WHERE Source_IP='10.0.0.20' AND Destination_IP!='internal_subnets'

Output:
Timestamp             Source_IP   Destination_IP   Protocol   Bytes
2025-01-10T01:18:00   10.0.0.20   203.0.113.80     HTTPS      25MB

o Threat Intel Lookup: Confirm that 203.0.113.80 is linked to a known threat actor.
3. Escalation to L3:
o Notify L3 of data exfiltration indicators and suspected insider compromise.

L3 Analyst Workflow

1. Forensic Analysis:
o Conduct forensic imaging of 10.0.0.20 for malware and ransomware staging files.
o Results: Ransomware binary (ransomware.exe) found in the /tmp directory.
2. Threat Hunting:
o Proactively search for similar patterns on other servers.
o QRadar Query:

SELECT * FROM events WHERE Event_Type='Failed Login' AND Event_Count > 5

Output:
Timestamp             Source_IP      Destination_IP   Event_Count
2025-01-10T02:00:00   192.168.1.55   10.0.0.30        10

o Insight: Another server (10.0.0.30) is under attack.
3. Action:
o Isolate 10.0.0.20 and 10.0.0.30.
o Disable admin credentials.
o Block 203.0.113.80 at the firewall.

SOC Manager Workflow

1. Incident Coordination:
o Schedule a meeting to discuss incident scope and next steps.
o Communicate with stakeholders:

Subject: Incident Update: Suspected Data Exfiltration

Key Points:
- Brute force attack on Patient Database Server.
- Data exfiltrated to 203.0.113.80.
- Containment actions initiated.

2. Remediation Planning:
o Conduct root cause analysis: Determine if admin credentials were leaked via
phishing.
o Plan for network segmentation and improved monitoring.
SIMULATION 3: SOC WORKFLOW USING ELASTIC SECURITY (ELK STACK)

Scenario: A fintech organisation specialising in mobile banking services. The organisation has recently reported suspicious account activities, and the SOC team, using Elastic Security as the SIEM tool, is tasked with investigating potential insider threats and advanced persistent threats (APTs).

INCIDENT TIMELINE:

1. Initial Alert: Elastic Security detects unusual login patterns across multiple
accounts using the same source IP.
2. Secondary Alert: A privileged user is found accessing critical financial systems
outside normal working hours.
3. Tertiary Event: Detection of large outbound data transfers to an external FTP
server.
4. Escalation: Possible compromise of customer account information.

LOGS

Authentication Logs

Timestamp, Username, Source_IP, Destination_IP, Status

2025-01-10T02:15:10Z, user1, 192.168.2.100, 10.1.0.5, Successful
2025-01-10T02:15:20Z, user2, 192.168.2.100, 10.1.0.5, Successful
2025-01-10T02:15:30Z, user3, 192.168.2.100, 10.1.0.5, Successful
2025-01-10T02:16:10Z, admin, 192.168.2.150, 10.1.0.10, Failed
2025-01-10T02:16:15Z, admin, 192.168.2.150, 10.1.0.10, Successful

System Access Logs

Timestamp, User, Action, System_Accessed, Status

2025-01-10T02:18:00Z, admin, View Records, Financial Database, Successful
2025-01-10T02:20:00Z, admin, Export Data, Financial Database, Successful
2025-01-10T02:25:00Z, admin, Delete Logs, Security Server, Successful

Network Traffic Logs

Timestamp, Source_IP, Destination_IP, Protocol, Bytes

2025-01-10T02:30:00Z, 10.1.0.10, 198.51.100.200, FTP, 50MB
2025-01-10T02:35:00Z, 10.1.0.10, 198.51.100.200, FTP, 100MB

File Integrity Monitoring Logs

Timestamp, File_Path, Action, User, Status

2025-01-10T02:28:15Z, /financial_records/transactions.csv, Modify, admin, Successful
2025-01-10T02:29:30Z, /financial_records/transactions.csv, Copy, admin, Successful

WORKFLOW

L1 Analyst Workflow

1. Detecting the Alert:
o Elastic generates a detection rule alert:
Rule: "Multiple Logins from the Same Source IP in a Short Timeframe."
§ Source IP: 192.168.2.100
§ Destination: 10.1.0.5 (Customer Accounts Server)
2. Quick Triage:
o Check the raw logs in Elastic's "Discover" view:

event.action: "login" and source.ip: "192.168.2.100" and event.outcome: "success"

Output: Successful logins to multiple accounts from the same source IP.

3. Escalation:
o After identifying a potential account compromise, escalate the alert to L2:

[02:45] L1 Analyst: Detected multiple logins from 192.168.2.100 to customer accounts. Potential credential stuffing attack. Escalating for further analysis.
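The two detection rules that open Simulation 2 (QRadar's "Excessive Failed Logins": more than five failures within two minutes, followed by a success) and Simulation 3 (Elastic's "Multiple Logins from the Same Source IP in a Short Timeframe") are both sliding-window counts over the same authentication log layout. The Python below is an added example, not the document's code and not a QRadar or Elastic rule, that implements both over that layout. The sample rows are constructed: the brute-force burst from Simulation 2 is extended to six failures so that it actually crosses the rule's threshold, and the Simulation 3 rows are reproduced as given. The window sizes and the minimum account count are assumptions.

```python
"""Added example (not the document's code): two sliding-window detections over
authentication logs in the document's CSV layout, the 'Excessive Failed Logins'
offense from Simulation 2 and the 'Multiple Logins from the Same Source IP in a
Short Timeframe' rule from Simulation 3. Sample rows are constructed."""
import csv
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from io import StringIO

AUTH_LOGS = """\
Timestamp, Username, Source_IP, Destination_IP, Status
2025-01-10T01:15:10Z, admin, 192.168.1.50, 10.0.0.20, Failed
2025-01-10T01:15:12Z, admin, 192.168.1.50, 10.0.0.20, Failed
2025-01-10T01:15:14Z, admin, 192.168.1.50, 10.0.0.20, Failed
2025-01-10T01:15:16Z, admin, 192.168.1.50, 10.0.0.20, Failed
2025-01-10T01:15:18Z, admin, 192.168.1.50, 10.0.0.20, Failed
2025-01-10T01:15:20Z, admin, 192.168.1.50, 10.0.0.20, Failed
2025-01-10T01:15:23Z, admin, 192.168.1.50, 10.0.0.20, Successful
2025-01-10T02:15:10Z, user1, 192.168.2.100, 10.1.0.5, Successful
2025-01-10T02:15:20Z, user2, 192.168.2.100, 10.1.0.5, Successful
2025-01-10T02:15:30Z, user3, 192.168.2.100, 10.1.0.5, Successful
2025-01-10T02:16:10Z, admin, 192.168.2.150, 10.1.0.10, Failed
2025-01-10T02:16:15Z, admin, 192.168.2.150, 10.1.0.10, Successful
"""


def parse_auth_logs(raw):
    """Parse the log text into dicts with a UTC datetime, sorted by time."""
    events = []
    for row in csv.DictReader(StringIO(raw), skipinitialspace=True):
        row = {k.strip(): v.strip() for k, v in row.items()}
        row["ts"] = datetime.strptime(row["Timestamp"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(row)
    return sorted(events, key=lambda e: e["ts"])


def detect_brute_force(events, threshold=5, window=timedelta(minutes=2)):
    """QRadar-style offense: more than `threshold` failed logins from one source
    to one destination inside `window`. A success from the same pair while a
    failure is still inside the window sets success_after, which is what the
    L1 analyst escalates on in Simulation 2."""
    failures = defaultdict(deque)  # (src, dst) -> timestamps of recent failures
    offenses = {}
    for e in events:
        key = (e["Source_IP"], e["Destination_IP"])
        q = failures[key]
        while q and e["ts"] - q[0] > window:  # expire failures older than the window
            q.popleft()
        if e["Status"] == "Failed":
            q.append(e["ts"])
            if len(q) > threshold and key not in offenses:
                offenses[key] = {"rule": "Excessive Failed Logins", "source_ip": key[0],
                                 "destination_ip": key[1], "user": e["Username"],
                                 "failures": len(q), "success_after": False}
        elif e["Status"] == "Successful" and key in offenses and q:
            offenses[key]["success_after"] = True
    return list(offenses.values())


def detect_many_accounts_one_ip(events, min_accounts=3, window=timedelta(minutes=5)):
    """Elastic-style rule: successful logins to at least `min_accounts` distinct
    usernames from one source IP inside `window` (the credential-stuffing
    pattern of Simulation 3). Returns {source_ip: sorted usernames}."""
    recent = defaultdict(deque)  # src -> (timestamp, username) of recent successes
    hits = {}
    for e in events:
        if e["Status"] != "Successful":
            continue
        q = recent[e["Source_IP"]]
        while q and e["ts"] - q[0][0] > window:
            q.popleft()
        q.append((e["ts"], e["Username"]))
        users = {user for _, user in q}
        if len(users) >= min_accounts:
            hits[e["Source_IP"]] = sorted(users)
    return hits


if __name__ == "__main__":
    events = parse_auth_logs(AUTH_LOGS)
    print(detect_brute_force(events))
    print(detect_many_accounts_one_ip(events))
```

On the sample, 192.168.1.50 is the only pair flagged as an offense and it carries success_after, while the single failure from 192.168.2.150 stays below the threshold; 192.168.2.100 is the only source that reaches three distinct accounts. Keying the failure counter on source and destination rather than on username is what lets the same code catch password spraying, where the username changes but the source does not.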

L2 Analyst Workflow

1. Correlating Events:
o Investigate privileged user activity in Elastic using the "Timeline" feature:

user.name: "admin" and event.category: "file" and event.outcome: "success"

Output:
Timestamp             User    Action   File
2025-01-10T02:28:15   admin   Modify   /financial_records/transactions.csv

2. Network Activity Analysis:
o Query network traffic for suspicious external connections:

destination.ip: "198.51.100.200" AND protocol: "FTP"

Output: Data exfiltration detected to external FTP server.

3. Action:
o Isolate the server (10.1.0.10) to prevent further data loss.
o Notify L3 for forensic investigation.

L3 Analyst Workflow

1. Deep Dive Investigation:
o Retrieve forensic evidence from the isolated server.
o Use Elastic's "Endpoint Security" module to analyse suspicious files.
o Findings: A scheduled task executing an unknown script (data_exfil.py).
2. Threat Hunting:
o Proactively search for similar attack patterns across the environment (ip fields do not accept wildcards, so the subnet is written in CIDR notation):

event.module: "authentication" and source.ip: "192.168.2.0/24"

Output: Suspicious login attempts from 192.168.2.200 targeting another critical system.

3. Action:
o Suspend the admin account.
o Update detection rules to include anomaly thresholds for login patterns.

SOC Manager Workflow

1. Incident Reporting:
o Summarise findings and remediation steps for the board:

Subject: Incident Report - Data Exfiltration Attempt

Summary:
- Credential stuffing led to admin account compromise.
- 150MB of data exfiltrated to external FTP server.
- Immediate actions taken to contain the threat and prevent recurrence.

2. Remediation Planning:
o Enforce 2FA for privileged accounts.
o Deploy additional monitoring for external data transfers.
3. Team Coordination:
o Organise a post-incident review meeting to improve response processes.
SIMULATION 4: SOC WORKFLOW USING LOGRHYTHM SIEM

Scenario: A multinational e-commerce company experiencing sudden slowdowns in web services. The SOC team suspects a Distributed Denial of Service (DDoS) attack coordinated by a botnet and must investigate, contain, and remediate the attack using LogRhythm SIEM.

INCIDENT TIMELINE:

1. Initial Alert: LogRhythm generates a high-priority alert for a surge in incoming traffic
from multiple IPs targeting the web application server.
2. Secondary Alert: Resource exhaustion observed on critical servers, leading to
delayed services.
3. Tertiary Event: Suspicious outbound traffic from internal systems to unknown IP
addresses.
4. Escalation: Potential compromise of internal systems being leveraged for lateral
movement.

LOGS

Web Server Logs

Timestamp, Source_IP, Destination_IP, HTTP_Method, Status_Code, Bytes

2025-01-10T10:00:10Z, 203.0.113.10, 192.168.1.10, GET, 200, 512
2025-01-10T10:00:15Z, 203.0.113.11, 192.168.1.10, GET, 503, 128
2025-01-10T10:00:20Z, 203.0.113.12, 192.168.1.10, GET, 200, 1024
2025-01-10T10:00:25Z, 203.0.113.13, 192.168.1.10, GET, 503, 64
2025-01-10T10:01:00Z, 203.0.113.14, 192.168.1.10, GET, 200, 2048

Firewall Logs

Timestamp, Source_IP, Destination_IP, Action, Bytes, Protocol

2025-01-10T10:05:00Z, 203.0.113.10, 192.168.1.10, Allow, 512, TCP
2025-01-10T10:05:05Z, 203.0.113.11, 192.168.1.10, Allow, 256, TCP
2025-01-10T10:05:10Z, 203.0.113.12, 192.168.1.10, Allow, 1024, TCP
2025-01-10T10:05:15Z, 203.0.113.13, 192.168.1.10, Allow, 128, TCP
2025-01-10T10:10:00Z, 192.168.1.10, 198.51.100.200, Allow, 1500, TCP

System Logs

Timestamp, User, Action, System, Status

2025-01-10T10:15:00Z, admin, Login, WebServer01, Successful
2025-01-10T10:15:10Z, admin, Execute, WebServer01, Successful
2025-01-10T10:20:00Z, admin, Access Restricted Files, WebServer01, Denied
2025-01-10T10:25:00Z, admin, Access Restricted Files, WebServer01, Successful

WORKFLOW

L1 Analyst Workflow

1. Detecting the Alert:
o LogRhythm SIEM generates a correlated alert:
Rule: "Unusual Traffic Surge from Multiple IPs to Web Application Server."
§ Destination IP: 192.168.1.10
§ Source IPs: Multiple external IPs (203.0.113.*).
2. Quick Investigation:
o Examine web server logs in LogRhythm:

SELECT * FROM web_logs
WHERE Destination_IP = '192.168.1.10'
AND HTTP_Method = 'GET'

Findings: Over 10,000 GET requests within 10 minutes.

3. Escalation:
o Notify L2 for deeper analysis:

[10:30] L1 Analyst: High traffic from multiple IPs causing service disruption. Potential DDoS. Escalating to L2 for immediate attention.

L2 Analyst Workflow

1. Correlation Analysis:
o Aggregate firewall and web logs to identify patterns:

SELECT Source_IP, COUNT(*)
FROM firewall_logs
WHERE Action = 'Allow'
GROUP BY Source_IP
HAVING COUNT(*) > 1000

Output: Top attacking IPs:
203.0.113.10: 5000 requests
203.0.113.11: 4500 requests

2. System Compromise Investigation:
o Query system logs for suspicious admin activity:

SELECT * FROM system_logs
WHERE User = 'admin'
AND Action IN ('Access Restricted Files')

Findings: Admin account accessed sensitive files after multiple denials.

3. Action:
o Block malicious IPs via the firewall.
o Isolate WebServer01 for forensic analysis.
o Escalate to L3 with findings.
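The correlation step above is a per-source request count with a threshold (the `HAVING COUNT(*) > 1000` clause), and the L1 finding ("over 10,000 GET requests within 10 minutes") ties that count to a time window. The Python below is an added example, not the document's code and not a LogRhythm query, that computes the same "top attacking IPs" list as a sliding ten-minute window over web server log lines in the simulation's layout, and adds the share of 503 responses as the resource-exhaustion signal from the timeline. The log is constructed by build_sample_log(), since a few literal lines cannot exceed a 1,000-request threshold; the request counts per source, the window and the threshold are assumptions.

```python
"""Added example (not from the document): per-source request aggregation behind
the L2 analyst's 'HAVING COUNT(*) > 1000' correlation in Simulation 4, as a
sliding window over web server log lines in the document's layout, plus the
503 share that explains the reported slowdowns. Counts, window and threshold
are assumptions."""
import csv
import random
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta, timezone
from io import StringIO

HEADER = "Timestamp, Source_IP, Destination_IP, HTTP_Method, Status_Code, Bytes"


def build_sample_log(seed=1):
    """Constructed web server log: two sources well above the threshold, two
    low-rate sources, all inside one ten-minute window, with ~40% 503 replies."""
    rng = random.Random(seed)
    base = datetime(2025, 1, 10, 10, 0, 0, tzinfo=timezone.utc)
    plan = {"203.0.113.10": 1200, "203.0.113.11": 1050, "203.0.113.12": 40, "198.51.100.7": 12}
    rows = []
    for ip, n in plan.items():
        for _ in range(n):
            ts = base + timedelta(seconds=rng.randrange(0, 600))
            status = 503 if rng.random() < 0.4 else 200
            rows.append((ts, f"{ts:%Y-%m-%dT%H:%M:%SZ}, {ip}, 192.168.1.10, GET, {status}, "
                             f"{rng.choice((64, 128, 512, 1024, 2048))}"))
    rows.sort(key=lambda r: r[0])
    return HEADER + "\n" + "\n".join(line for _, line in rows) + "\n"


def parse_web_logs(raw):
    """Parse the log text into time-ordered dicts with a UTC datetime and an int status."""
    rows = []
    for row in csv.DictReader(StringIO(raw), skipinitialspace=True):
        row = {k.strip(): v.strip() for k, v in row.items()}
        row["ts"] = datetime.strptime(row["Timestamp"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        row["Status_Code"] = int(row["Status_Code"])
        rows.append(row)
    return sorted(rows, key=lambda r: r["ts"])


def top_talkers(rows, window=timedelta(minutes=10), threshold=1000):
    """Peak number of requests from each source IP inside any sliding `window`;
    returns [(ip, peak)] above `threshold`, highest first: the 'top attacking
    IPs' list of the correlation step."""
    recent = defaultdict(deque)
    peak = Counter()
    for r in rows:  # rows must be time-ordered
        q = recent[r["Source_IP"]]
        q.append(r["ts"])
        while r["ts"] - q[0] > window:  # drop requests that fell out of the window
            q.popleft()
        peak[r["Source_IP"]] = max(peak[r["Source_IP"]], len(q))
    return sorted(((ip, n) for ip, n in peak.items() if n > threshold), key=lambda x: -x[1])


def error_share(rows, status=503):
    """Fraction of requests answered with `status`: the resource-exhaustion signal."""
    return sum(1 for r in rows if r["Status_Code"] == status) / len(rows) if rows else 0.0


if __name__ == "__main__":
    log = parse_web_logs(build_sample_log())
    for ip, n in top_talkers(log):
        print(f"{ip}: {n} requests")
    print(f"503 share: {error_share(log):.0%}")
```

A sliding window gives the peak rate per source rather than a total over the whole log, which is what matters when deciding which addresses to block first; lowering `threshold` surfaces the lower-rate sources that a fixed SQL cut-off would hide.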

L3 Analyst Workflow

1. Forensic Analysis:
o Investigate WebServer01 for signs of compromise.
o Use LogRhythm's forensic capabilities to review file changes and command
executions.
o Discovery: Malware (ddos_control.exe) deployed to coordinate botnet
traffic.
2. Threat Hunting:
o Hunt for similar threats across other servers using a YARA rule:

rule DDoSMalware
{
strings:
$a = "ddos_control.exe"
condition:
$a
}

Output: No matches on other systems.

3. Action:
o Remove malware and patch vulnerabilities on WebServer01.
o Create a detection rule for similar malicious executables.

SOC Manager Workflow

1. Incident Management:
o Provide real-time updates to stakeholders:

Subject: Incident Update - DDoS Attack Mitigation

Summary:
- High traffic detected targeting `WebServer01`.
- Admin account compromise suspected.
- Mitigation steps: IPs blocked, server isolated, malware removed.

2. Team Coordination:
o Assign roles for post-incident analysis.
o Schedule an emergency meeting to discuss long-term mitigation.
3. Post-Incident Review:
o Recommend WAF deployment to filter malicious requests.
o Enforce stricter access controls for privileged accounts.
SIMULATION 5: SOC WORKFLOW USING ELASTIC SIEM

Scenario: A financial institution detects suspicious database queries and unauthorised access attempts targeting its customer data. Elastic SIEM is used to monitor, detect, and investigate the potential insider threat or external compromise.

INCIDENT TIMELINE:

1. Initial Alert: Elastic SIEM detects anomalous login activity from a privileged user
account outside business hours.
2. Secondary Alert: Unusual SQL queries targeting sensitive customer data.
3. Escalation: Detection of large data exfiltration attempts to an unknown external
server.

LOGS

Login Activity Logs

Timestamp, User, Source_IP, Event, Status

2025-01-10T01:45:00Z, jsmith, 10.0.0.15, Login, Successful
2025-01-10T02:10:00Z, jsmith, 10.0.0.15, Login, Failed
2025-01-10T02:30:00Z, jsmith, 203.0.113.20, Login, Successful
2025-01-10T02:45:00Z, admin, 203.0.113.21, Login, Successful

SQL Query Logs

Timestamp, User, Query, Database, Rows_Affected

2025-01-10T02:45:10Z, jsmith, SELECT * FROM customer_data, finance_db, 2000
2025-01-10T02:45:15Z, jsmith, UPDATE customer_data SET balance=0 WHERE id=105, finance_db, 1
2025-01-10T02:50:00Z, jsmith, SELECT * FROM customer_data WHERE balance>10000, finance_db, 500
2025-01-10T02:55:00Z, admin, DROP TABLE audit_logs, finance_db, 1

Network Traffic Logs

Timestamp, Source_IP, Destination_IP, Bytes, Protocol, Action

2025-01-10T03:00:00Z, 203.0.113.20, 192.168.1.10, 2000, TCP, Allow
2025-01-10T03:05:00Z, 192.168.1.10, 198.51.100.200, 10000, TCP, Allow
2025-01-10T03:10:00Z, 203.0.113.21, 198.51.100.201, 1500, TCP, Allow

WORKFLOW

L1 Analyst Workflow

1. Detecting the Alert:
o Elastic SIEM generates a "Suspicious Login Activity" rule:
§ User: jsmith
§ Source IP: 203.0.113.20 (outside geolocation of normal operations)
§ Event: Successful login outside business hours.
2. Quick Investigation:
o Check correlated alerts:
Findings:
§ Unusual SQL query activity.
§ Sudden increase in outbound data transfer.
3. Escalation:

[03:15] L1 Analyst: Alert for unauthorised SQL queries and data transfer. Escalating
to L2 for detailed investigation.

L2 Analyst Workflow

1. Correlation Analysis:
o Review login activity across the SIEM (KQL has no != operator, so the exclusion is written with not; the ECS field holding the country name is source.geo.country_name):

event.category: "authentication" and event.outcome: "success" and not source.geo.country_name: "Malaysia"

Findings:
§ Login from 203.0.113.20 flagged as an anomaly.
2. Query Database Logs:

user.name: "jsmith" AND event.action: "query"

Findings:
o High volume of queries targeting sensitive data (customer_data).
3. Network Traffic Analysis:

destination.ip: "198.51.100.200" AND network.bytes > 1000

Findings:
o Data exfiltration detected to external IP 198.51.100.200.
4. Actions:
o Temporarily suspend the jsmith account.
o Block external IP 198.51.100.200 on the firewall.
o Escalate to L3 for forensic investigation.
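Step 2 of the L2 workflow reports "a high volume of queries targeting sensitive data", and the L3 findings later single out `DROP TABLE audit_logs` by the admin account. What separates those rows from routine traffic is the statement type, the target table and the row count, which the query text alone carries. The Python below is an added example, not the document's code and not an Elastic rule, that parses SQL query log lines in the simulation's layout and assigns each a severity on those three properties, so that the bulk read, the balance update and the destruction of the audit table surface with a reason attached. The rows are reconstructed from the simulation's SQL Query Logs; the sensitive-table list, the audit-table list, the bulk-row threshold and the business-hours window are assumptions.

```python
"""Added example (not from the document): triage of SQL query log lines in the
document's layout for Simulation 5, classifying each query by statement type,
target table and rows affected. Table lists, the bulk-row threshold and the
business-hours window are assumptions."""
import csv
import re
from datetime import datetime, timezone
from io import StringIO

SQL_LOGS = """\
Timestamp, User, Query, Database, Rows_Affected
2025-01-10T02:45:10Z, jsmith, SELECT * FROM customer_data, finance_db, 2000
2025-01-10T02:45:15Z, jsmith, UPDATE customer_data SET balance=0 WHERE id=105, finance_db, 1
2025-01-10T02:50:00Z, jsmith, SELECT * FROM customer_data WHERE balance>10000, finance_db, 500
2025-01-10T02:55:00Z, admin, DROP TABLE audit_logs, finance_db, 1
"""

SENSITIVE_TABLES = {"customer_data"}  # assumption: tables holding customer data
AUDIT_TABLES = {"audit_logs"}         # assumption: tables whose loss destroys evidence
BULK_ROWS = 1000                      # assumption: rows per SELECT that count as a bulk read

STATEMENT = re.compile(r"^\s*(SELECT|INSERT|UPDATE|DELETE|DROP|TRUNCATE|ALTER)\b", re.I)
TABLE = re.compile(r"\b(?:FROM|INTO|UPDATE|TABLE)\s+([A-Za-z_][A-Za-z0-9_]*)", re.I)


def classify_query(query, rows_affected, ts):
    """Return (severity, reasons) for one logged query."""
    m = STATEMENT.match(query)
    verb = m.group(1).upper() if m else "UNKNOWN"
    t = TABLE.search(query)
    table = t.group(1).lower() if t else None
    reasons = []
    anti_forensics = verb in {"DROP", "TRUNCATE", "ALTER", "DELETE"} and table in AUDIT_TABLES
    if anti_forensics:
        reasons.append("destructive change to audit table")
    elif verb in {"DROP", "TRUNCATE", "ALTER"}:
        reasons.append("destructive DDL")
    if verb in {"UPDATE", "DELETE"} and table in SENSITIVE_TABLES:
        reasons.append("write to sensitive table")
    if verb == "SELECT" and table in SENSITIVE_TABLES and rows_affected >= BULK_ROWS:
        reasons.append(f"bulk read of {rows_affected} rows from sensitive table")
    if reasons and not (7 <= ts.hour < 19):  # business hours assumed 07:00-19:00 UTC
        reasons.append("outside business hours")
    severity = "critical" if anti_forensics else "high" if reasons else "info"
    return severity, reasons


def triage_sql_logs(raw):
    """Parse the log text and attach a severity and reasons to every row."""
    findings = []
    for row in csv.DictReader(StringIO(raw), skipinitialspace=True):
        row = {k.strip(): v.strip() for k, v in row.items()}
        ts = datetime.strptime(row["Timestamp"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        severity, reasons = classify_query(row["Query"], int(row["Rows_Affected"]), ts)
        findings.append({**row, "severity": severity, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage_sql_logs(SQL_LOGS):
        print(f"{f['severity']:8} {f['User']:7} {f['Query']}  <- {'; '.join(f['reasons'])}")
```

Against the sample, the 2,000-row SELECT and the balance UPDATE come out as high, the 500-row SELECT stays informational, and the DROP of audit_logs is critical regardless of who ran it; the audit-table rule is deliberately independent of the rest, because a query that removes the evidence of the others should never be ranked below them.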

L3 Analyst Workflow

1. Forensic Investigation:
o Download logs for jsmith and perform timeline analysis.
o Investigate commands executed by the admin account.
Findings:
o DROP TABLE audit_logs executed by admin.
o Privileged account admin likely compromised.
2. Threat Hunting:
o Search for similar malicious behaviour across accounts (the exclusion is written with not, since KQL has no != operator):

event.category: "authentication" and not user.name: "jsmith" and destination.ip: "198.51.100.200"

Findings:
§ No other compromised accounts detected.
3. Action:
o Remove malicious actors' access.
o Reinforce monitoring on privileged accounts.

SOC Manager Workflow

1. Incident Management:
o Communicate with stakeholders:

Subject: Insider Threat Mitigation Update

Summary:
- User `jsmith` detected performing unauthorised SQL queries and data exfiltration.
- Immediate remediation: Access blocked, data exfiltration stopped.

2. Coordination:
o Organise a debrief meeting.
o Assign teams for post-incident review.
3. Recommendations:
o Enforce Multi-Factor Authentication (MFA) for all privileged accounts.
o Review database access policies.
SIMULATION 6: SOC WORKFLOW USING MICROSOFT SENTINEL

Scenario: A retail organisation experiences suspicious behaviour indicating a potential ransomware attack. Initial signs include unusual file modifications, spikes in CPU utilisation, and outbound connections to known malicious IPs. The SOC team uses Microsoft Sentinel to detect and respond to the incident.

INCIDENT TIMELINE

1. Initial Alert: Sentinel generates a "Mass File Modification" alert on a shared file
server.
2. Secondary Alerts:
o High CPU utilisation on a domain controller.
o Outbound traffic to a known malicious IP address.
3. Escalation: Sentinel detects PowerShell script execution attempting to disable
security tools.

LOGS

File Modification Logs

Timestamp, User, File_Path, Action

2025-01-10T14:20:00Z, user001, \\shared\files\doc1.docx, Modified
2025-01-10T14:20:15Z, user001, \\shared\files\doc2.docx, Modified
2025-01-10T14:20:30Z, user001, \\shared\files\*.docx, Modified
2025-01-10T14:25:00Z, user001, \\shared\files\backup.zip, Deleted

Process Execution Logs

Timestamp, Host, Process_Name, Command_Line, Status

2025-01-10T14:30:00Z, DC01, powershell.exe, "Disable-Module Defender", Success
2025-01-10T14:30:15Z, DC01, powershell.exe, "Remove-SecurityProduct -All", Failed
2025-01-10T14:35:00Z, FS01, ransomware.exe, "-encrypt C:\Shared\*", Success

Network Traffic Logs

Timestamp, Source_IP, Destination_IP, Bytes, Protocol, Action

2025-01-10T14:40:00Z, 192.168.1.10, 185.43.245.120, 5000, TCP, Allow
2025-01-10T14:42:00Z, 192.168.1.11, 203.0.113.50, 3000, TCP, Allow

WORKFLOW

L1 Analyst Workflow

1. Detecting the Alert:
o Sentinel detects a Mass File Modification alert from an unusual user
(user001).
o Secondary alerts for PowerShell execution and outbound traffic to a
known malicious IP.
2. Quick Investigation:
o Check correlated logs:
§ File modifications from user001 target multiple documents.
§ Process logs reveal PowerShell scripts disabling security tools.
3. Escalation:

[14:45] L1 Analyst: Potential ransomware attack. Escalating to L2 for detailed analysis.

L2 Analyst Workflow

1. Correlation Analysis:
o Query Sentinel logs for abnormal process activity (KQL uses a lowercase and; string literals are quoted):

ProcessName == "powershell.exe" and CommandLine contains "Disable-Module"

Findings:
§ PowerShell script executed on DC01 targeting security tools.
2. File Modification Investigation (the @"..." verbatim string stops the backslashes in the UNC path being read as escape sequences):

FileAction == "Modified" and FilePath startswith @"\\shared\files\"

Findings:
o Rapid modification and encryption on shared folders by user001.
3. Network Traffic Analysis:

DestinationIP in ("185.43.245.120", "203.0.113.50")

Findings:
o Outbound connections to known malicious IPs.
4. Action:
o Quarantine the user001 account.
o Isolate affected endpoints (FS01 and DC01).
o Escalate to L3 for further investigation.
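Steps 1 and 2 of the L2 workflow correlate two different log sources: a burst of modifications under the file share by one user (the "Mass File Modification" alert that opened the incident) and PowerShell command lines aimed at security tooling. The Python below is an added example, not the document's code and not a Sentinel analytics rule, that evaluates both conditions over log lines in the simulation's File Modification and Process Execution layouts, and additionally flags the deletion of backup-like files, since removing backups ahead of encryption is a well-known ransomware precursor. The rows are reconstructed from the simulation (the wildcard row becomes doc3.docx and two benign rows are added); the modification threshold and window, the share prefix and the tampering pattern list are assumptions.

```python
"""Added example (not from the document): ransomware indicators the L2 analyst
correlates in Simulation 6, computed over the document's File Modification and
Process Execution log layouts. Thresholds, the share prefix and the pattern
list are assumptions."""
import csv
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from io import StringIO

# Raw strings so the Windows paths keep their backslashes.
FILE_LOGS = r"""Timestamp, User, File_Path, Action
2025-01-10T14:20:00Z, user001, \\shared\files\doc1.docx, Modified
2025-01-10T14:20:15Z, user001, \\shared\files\doc2.docx, Modified
2025-01-10T14:20:30Z, user001, \\shared\files\doc3.docx, Modified
2025-01-10T14:25:00Z, user001, \\shared\files\backup.zip, Deleted
2025-01-10T14:26:00Z, user042, \\shared\files\notes.txt, Modified
"""

PROCESS_LOGS = r"""Timestamp, Host, Process_Name, Command_Line, Status
2025-01-10T14:30:00Z, DC01, powershell.exe, "Disable-Module Defender", Success
2025-01-10T14:30:15Z, DC01, powershell.exe, "Remove-SecurityProduct -All", Failed
2025-01-10T14:35:00Z, FS01, ransomware.exe, "-encrypt C:\Shared\*", Success
2025-01-10T14:36:00Z, FS01, powershell.exe, "Get-Process", Success
"""

SHARE_PREFIX = "\\\\shared\\files\\"  # the UNC prefix from the KQL startswith filter

# Command-line fragments that indicate an attempt to disable security tooling:
# the two seen in the simulation plus a Defender preference change (assumption).
TAMPER_PATTERNS = [re.compile(p, re.I) for p in
                   (r"Disable-Module", r"Remove-SecurityProduct", r"Set-MpPreference\s+-Disable")]


def parse_logs(raw):
    """Parse either log layout into time-ordered dicts with a UTC datetime."""
    rows = []
    for row in csv.DictReader(StringIO(raw), skipinitialspace=True):
        row = {k.strip(): v.strip() for k, v in row.items()}
        row["ts"] = datetime.strptime(row["Timestamp"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        rows.append(row)
    return sorted(rows, key=lambda r: r["ts"])


def mass_modification(file_rows, threshold=3, window=timedelta(seconds=60)):
    """{user: peak modifications within `window`} for users who modified at
    least `threshold` files under the share inside one window."""
    recent = defaultdict(deque)
    alerts = {}
    for r in file_rows:
        if r["Action"] != "Modified" or not r["File_Path"].startswith(SHARE_PREFIX):
            continue
        q = recent[r["User"]]
        q.append(r["ts"])
        while r["ts"] - q[0] > window:  # drop modifications that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            alerts[r["User"]] = max(alerts.get(r["User"], 0), len(q))
    return alerts


def backup_deletions(file_rows, markers=("backup", ".bak", ".zip")):
    """Paths of deleted files whose name suggests a backup."""
    return [r["File_Path"] for r in file_rows
            if r["Action"] == "Deleted" and any(m in r["File_Path"].lower() for m in markers)]


def tamper_attempts(proc_rows):
    """(host, command line, status) for launches matching a tampering pattern;
    failed attempts are kept because the attempt itself is the indicator."""
    return [(r["Host"], r["Command_Line"], r["Status"]) for r in proc_rows
            if any(p.search(r["Command_Line"]) for p in TAMPER_PATTERNS)]


if __name__ == "__main__":
    files, procs = parse_logs(FILE_LOGS), parse_logs(PROCESS_LOGS)
    print("mass modification:", mass_modification(files))
    print("backup deletions:", backup_deletions(files))
    print("tamper attempts:", tamper_attempts(procs))
```

On the sample, user001 peaks at three modifications inside one minute while user042's single edit is ignored, backup.zip is reported as a deleted backup, and both DC01 command lines match a tampering pattern even though the second one failed. Reporting failed attempts is the point of the last check: an endpoint that blocked the command still tells the analyst which host the intruder has a foothold on.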

L3 Analyst Workflow

1. Forensic Investigation:
o Memory dump from FS01 and DC01 analysed for ransomware binary.
o Review event logs for persistence mechanisms.
Findings:
o Malicious file ransomware.exe executed on FS01.
o Scheduled task created for persistence on DC01.
2. Threat Hunting:

DeviceProcessEvents
| where ProcessName contains "ransomware.exe"

Findings:
o No spread detected beyond FS01.


3. Root Cause Analysis:
o Initial compromise vector traced to phishing email targeting user001.
o Phishing email contained a malicious attachment (Invoice.pdf.exe).
4. Actions:
o Remove ransomware from infected systems.
o Revert encrypted files using backups.
o Deploy phishing awareness training.

SOC Manager Workflow

1. Incident Management:
o Draft communication to leadership:

Subject: Ransomware Incident Contained

Summary:
- Ransomware detected on `FS01`, initiated by user `user001`.
- Outbound connections to malicious IPs blocked.
- Files restored from backup; no data exfiltration detected.

2. Coordination:
o Schedule a post-incident review meeting.
o Assign teams to enhance phishing email detection.
3. Recommendations:
o Enable endpoint protection with PowerShell execution monitoring.
o Update firewall rules to block known malicious IPs.
