Hey there,
Here we are going to work through a [SIEM] alert. For those who don't know what a [SIEM] is, [SIEM] stands for Security Information and Event Management; it is a technology, crucial for modern cybersecurity, that aggregates activity from sources across an organization's entire IT infrastructure and helps it detect, analyze and respond to (triage) security events. This enables real-time monitoring, analysis and response to the security alerts generated by those applications and systems.
We are going to focus on the LetsDefend SIEM simulator, which looks like this:
Now, let's take ownership of the alert that the [SIEM] has detected: Phishing URL Detected - EventID: 86
The Investigation Channel tab will open and we will see this screen:
Keep this info handy, for example as a note.
Critical Security Note:
Always exercise caution when handling URL addresses; they may point to malicious resources.
This information is important to our investigation, so I highly recommend copying and pasting it. I use free tools to take notes, such as Obsidian, Notion or OneNote; even Notepad is useful.
Then we proceed to [Create Case], below [Action] in the [Investigation Channel].
Click on [Continue] and proceed.
Now it shows us the [Incident Details], but we have more details from the previous page. Before we continue, open at least two more browser tabs to make the analysis easier and more comfortable.
[If you prefer to use one browser tab, that is OK.]
Now we will have a dedicated browser tab for the [Log Management],
and one for the [Endpoint Security].
Now let's click on the blue [Start Playbook] button to start the investigation.
It first tells us to collect data for the investigation; you can see that we already collected this info even before it was asked! Just take a look at your notes.
The alert info gives us:
Source address: 172.16.17.49
Destination Address: 91.189.114.8
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88
With this data collected, we proceed: click on [Next].
Now the [Playbook] asks us to search in the [Log Management]. We already have this open, so now is the time to look into it.
The [Playbook] does not specify required parameters, but here we are going to use the [Event Time], which we can find in the notes we already collected.
Event Time:
Mar, 22, 2021, 09:23 PM
We can also change the view from [Pro] to [Basic]:
[Pro] shows more detailed information, while [Basic] shows just the information we need in an easily readable form.
I'll switch to [Basic] because it is simpler, yet still useful for me in this case.
Now go to the blue [Show Filter] button and click on the [Select Date] input field.
Enter the [Event Time], but I recommend changing the year first, because if you change it after selecting the month and the day, it will not give you the chance to change the year.
*Note: You can't select just one day; select a day before or a day after.
Example:
OK, now it will show us this info:
We can see that the [SRC Address] and the [DST Address] are the ones we are investigating [remember the data collected], and below the [RAW] column we also see a magnifying glass with a [+] in it. Click on it and let's see what we can find.
Don't close this pop-up, we will need it in the next step.
Now go back to the [Playbook] and click on [Next].
The next step in the [Playbook] is to analyze the URL address we found in our investigation using any of the free services shown. I recommend VirusTotal, URLhaus, URLScan and Hybrid Analysis; for AnyRun you need a company email to register and use it.
In this case we are going to use VirusTotal: paste the [URL Address] into the search field at the top of the page and hit [Enter].
We see that the [URL Address] is definitely [Malicious], so now we go back to the [Playbook] and click on the [Malicious] button.
The [Playbook] asks if anyone has accessed the [IP/URL/Domain]; to answer that, it wants the following:
When was it accessed?
What is the source address?
What is the destination address?
Which user tried to access?
What is the User Agent?
Is the request blocked?
Now we know where to look, so we go to the [Log Management] again.
Answering these questions:
When was it accessed?
We have the date and the time: Mar, 21, 2021, 09:23 PM
What is the source address?
We see it in the [SRC.ADDRESS] section: 172.16.17.49
What is the destination address?
The same as before, but under the [DST.ADDRESS] section: 91.189.114.8
Which user tried to access?
To find out which user it was, we can use the [Endpoint Security] and search for the [SRC.ADDRESS] (in our notes under [Source Address]); the user is EmilyComp.
What is the User Agent?
This can also be found in our notes:
User Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36
Is the request blocked?
Again, we can see this info in our notes under [Device Action]:
Allowed.
Let's head back to the [Playbook] and click on [Accessed].
Now it asks us to [Contain] the infected host machine: under the [Endpoint Security], search for [EmilyComp] and click on [Containment]; it changes to [Host Contained].
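To make the log-filtering and playbook reasoning above concrete, here is an added example (not part of the LetsDefend platform or of this walkthrough) that runs the same steps over constructed log records: filter by a one-day window around the event time and the alert's source/destination addresses, answer the playbook's access questions, and decide whether containment is warranted. The log records, the placeholder URL and the ENDPOINTS host lookup are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample records shaped like the Log Management entries above
# (time, src/dst address, user agent, device action). Addresses and user agent
# come from the alert; the URL is a placeholder, not the real phishing URL.
SAMPLE_LOGS = [
    {"time": "2021-03-21 21:23", "src": "172.16.17.49", "dst": "91.189.114.8",
     "url": "http://PLACEHOLDER-URL/login", "device_action": "Allowed",
     "user_agent": "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 "
                   "(KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36"},
    {"time": "2021-03-21 21:30", "src": "172.16.17.50", "dst": "91.189.114.8",
     "url": "http://PLACEHOLDER-URL/login", "device_action": "Blocked", "user_agent": "curl/7.64.1"},
    {"time": "2021-03-10 08:00", "src": "172.16.17.49", "dst": "10.0.0.5",
     "url": "http://intranet.local/", "device_action": "Allowed", "user_agent": "Mozilla/5.0"},
]
# Constructed host inventory standing in for the Endpoint Security lookup.
ENDPOINTS = {"172.16.17.49": "EmilyComp", "172.16.17.50": "OtherComp"}

def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")

def filter_logs(logs, event_time, src, dst, window_days=1):
    """The Show Filter step: keep src->dst records within one day either side
    of the event time (the UI needs a day before or after, so use a window)."""
    start, end = event_time - timedelta(days=window_days), event_time + timedelta(days=window_days)
    return [r for r in logs if r["src"] == src and r["dst"] == dst
            and start <= parse_time(r["time"]) <= end]

def answer_playbook(logs, event_time, src, dst, endpoints):
    """Answer the playbook's access questions and derive the containment decision."""
    hits = filter_logs(logs, event_time, src, dst)
    if not hits:
        return {"accessed": False, "contain": False}
    allowed = [r for r in hits if r["device_action"].lower() == "allowed"]
    first = hits[0]
    return {
        "accessed": True,
        "when": first["time"],
        "source": src, "destination": dst,
        "user": endpoints.get(src, "unknown host"),
        "user_agent": first["user_agent"],
        "blocked": not allowed,
        "contain": bool(allowed),  # contain only if a request actually got through
    }

if __name__ == "__main__":
    print(answer_playbook(SAMPLE_LOGS, parse_time("2021-03-21 21:23"),
                          "172.16.17.49", "91.189.114.8", ENDPOINTS))
```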
Now click on [Next] to finish the [Playbook].
Here we can add artifacts of our findings:
Source Address : 172.16.17.49
Destination Address : 91.189.114.8
Request URL : The Malicious Requested URL
Click on [Next] and submit comprehensive case notes, then go to [Next] again.
Finish the [Playbook] by clicking [Confirm]. Now we are back on the SIEM Monitoring page where we see our alert; go to [Action] and click on the check mark to [close alert].
Here it asks if this was a [True Positive] or a [False Positive]. This was a [True Positive] because the alert correctly identified the security threat.
Well, this is the end of this SIEM alert on the LetsDefend page. I hope you all find this useful and understandable.
If you have any questions, feel free to comment!