Investigating Cyber Threats – Playbooks for the L1 SOC Analysts

πŸ” Phishing Emails Alert:

1- Heck Email Headers (SPF, DKIM, Message-ID, Sender && Return-path)
2- Inspect Email content
3- Verify SMTP IP in Virustotal, AbuseIPDB, X-Force, Talos intelligence
4- Investigate Attachments at Virustotal, urlscan,, joesandbox, Hybrid-Analysis
β†ͺ️ Note: If Attachment is a domain, check registration time
5- Confirm if the user opened the Attachment

🦠 Malware Investigation:

1- Check File hash in threat intelligence
2- AV Action, ensure not deleted/cleaned/quarantined; create L2 ticket if needed
3- Examine File path to determine device infection source
4- Check Malware category – Contact user for known results like Ransomware

πŸ€– Brute Force Analysis:

1- Determine login operation origin (local or remote) by checking Source IP
2- Inspect destination IP/Service to identify targeted service
3- Review Logon Type to understand login method
4- Analyze Login Failure Reason to verify user legitimacy
5- Check IDS/IPS & WAF Logs for automation tool usage
6- Confirm successful or unsuccessful login

βš”οΈ DoS/DDoS Attack Alert:

1- Check source IP(s) to determine local or remote origin
β†ͺ️Note: If remote, check threat intelligence; if local, create L2 ticket to check the host
2- Verify if Destination IP still operational manually
3- Run “netstat -an” command for strange connections
4- Run ping command to detect dropped packets
✍ MaliciousNetworkBehaviour:

🚫 Proxy Logs Investigation (Communication to bad IP/domain):

1- Check Proxy Category to determine domain type
2- Review device action
3- Examine Destination IP/domain at AbuseIPDB, Virustotal, urlscan
β†ͺ️Note: For a domain, check registration time
4- Confirm Destination Port
5- Check User-agent
6- Verify Bytes Sent && Bytes Received
7- Inspect request method
8- Scrutinize Referer Header
9- Validate Content-Type Header
β†ͺ️Note: Detection also possible through SIEM Graph

πŸ“Š Windows Event Log Analysis (Login & Logout):

1- Check event id/name
2- Verify login type to understand login method
3- Confirm workstation for DNS Name
4- Review status and sub-status for failure

πŸ›‘ Unknown Process Installation Investigation:

1- Check process name for anomalies
2- Examine process id to identify parent or child process
β†ͺ️Note: If a child process, check creator process id to identify the parent process
3- Confirm creator process name to determine the process path
4- Check process hash in threat intelligence
5- Verify token elevation to understand the user’s app privilege

Leave a Reply

Your email address will not be published. Required fields are marked *

Back To Top