Effective Threat Investigation for SOC Analysts (PDF)

Mastering Efficiency: The Definitive Guide to Threat Investigation for SOC Analysts

Phase I: Triage and Scoping

The initial phase determines whether an alert warrants a full investigation.

Tunnel Vision: Don't focus so hard on one alert that you miss a larger, more subtle campaign happening simultaneously.

Step 3 – Artifacts

Analyzing network firewall and web proxy logs for Command and Control (C&C) communications.

Network & Proxy Logs: Analysts review firewall and web proxy logs to identify reconnaissance (port scanning), Command and Control (C&C) communications, and data exfiltration.

  • Lateral Movement: Has this anomalous process touched other machines? (Look for net use, SMB logs, RDP event IDs 1149 and 4624).
  • Persistence: Are there scheduled tasks, run keys, or WMI event subscriptions tied to this file?
  • Data Exfiltration: Check network logs for large outbound transfers to new external IPs (look for base64 encoded DNS requests or HTTPS POSTs to non-standard ports).
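The three questions above (lateral movement, persistence, exfiltration) are usually answered by running small, repeatable checks over the relevant logs. The script below is an added example, not code from the book or from this page; it turns the lateral-movement and exfiltration hints into three detection functions and runs them over constructed sample records (the Windows events, DNS queries, flow records, IP addresses, hostnames and the allow-list are all made up, and the length, entropy and byte-count thresholds are assumptions to tune per environment).

```python
"""Added example (not from the book or page summarised above).
Three small detection checks for the triage questions above, run over
constructed sample records: RDP lateral movement (event IDs 1149 / 4624
logon type 10), base64-looking DNS query labels, and bulky outbound
transfers to previously unseen external IPs."""
import math
import re
from collections import Counter

# --- Lateral movement: RDP logons fanning out from one source --------------
# Constructed Windows events. 4624 with LogonType 10 is a RemoteInteractive
# (RDP) logon; 1149 (TerminalServices-RemoteConnectionManager) is a
# successful RDP user authentication.
SAMPLE_EVENTS = [
    {"EventID": 4624, "LogonType": 2,  "TargetUser": "alice",      "Workstation": "WS01", "SourceIP": "-"},
    {"EventID": 4624, "LogonType": 10, "TargetUser": "svc_backup", "Workstation": "FS01", "SourceIP": "10.0.5.23"},
    {"EventID": 1149,                  "TargetUser": "svc_backup", "Workstation": "FS02", "SourceIP": "10.0.5.23"},
    {"EventID": 4624, "LogonType": 10, "TargetUser": "svc_backup", "Workstation": "DC01", "SourceIP": "10.0.5.23"},
    {"EventID": 4624, "LogonType": 3,  "TargetUser": "bob",        "Workstation": "FS01", "SourceIP": "10.0.7.4"},
]

def rdp_lateral_movement(events, min_hosts=2):
    """Return {source_ip: sorted hosts} for sources that RDP'd into
    at least min_hosts distinct machines (a fan-out pattern worth pivoting on)."""
    hosts_by_source = {}
    for ev in events:
        is_rdp = ev["EventID"] == 1149 or (ev["EventID"] == 4624 and ev.get("LogonType") == 10)
        if not is_rdp:
            continue
        hosts_by_source.setdefault(ev["SourceIP"], set()).add(ev["Workstation"])
    return {ip: sorted(h) for ip, h in hosts_by_source.items() if len(h) >= min_hosts}

# --- Exfiltration over DNS: long base64-looking leftmost labels ------------
BASE64_CHARS = re.compile(r"[A-Za-z0-9+/=_-]+")  # standard and URL-safe alphabets

def shannon_entropy(s):
    """Bits per character; random-looking encoded data scores high."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def looks_base64(label, min_len=20, min_entropy=3.5):
    """Heuristic: long, base64 alphabet only, mixed case, high entropy.
    Requiring mixed case keeps long lowercase hostnames (CDN nodes, etc.)
    from firing; hex-encoded payloads would need a separate check."""
    return (len(label) >= min_len
            and BASE64_CHARS.fullmatch(label) is not None
            and any(c.isupper() for c in label)
            and any(c.islower() for c in label)
            and shannon_entropy(label) >= min_entropy)

def suspicious_dns_queries(queries):
    """Return queries whose leftmost label looks like encoded data."""
    return [q for q in queries if looks_base64(q.split(".")[0])]

SAMPLE_DNS = [  # constructed; the two tunnel.example.net names carry base64 text
    "www.example.com",
    "aGVsbG8gd29ybGQgdGhpcyBpcyBhIHRlc3Q.tunnel.example.net",
    "static-content-delivery-node.example.org",
    "VGhpcyBpcyBleGZpbHRyYXRlZCBkYXRh.tunnel.example.net",
    "cdn.example.org",
]

# --- Exfiltration over the network: bulky transfers to new destinations ----
KNOWN_EXTERNAL = {"93.184.216.34"}  # constructed allow-list of destinations seen before
SAMPLE_FLOWS = [  # constructed outbound flow records
    {"dst_ip": "93.184.216.34", "dst_port": 443,  "bytes_out": 52_000_000},
    {"dst_ip": "203.0.113.77",  "dst_port": 8443, "bytes_out": 48_000_000},
    {"dst_ip": "203.0.113.9",   "dst_port": 443,  "bytes_out": 12_000},
    {"dst_ip": "198.51.100.5",  "dst_port": 4443, "bytes_out": 900},
]

def bulky_transfers_to_new_hosts(flows, known, min_bytes=10_000_000, standard_ports=(80, 443)):
    """Flag large outbound transfers to destinations not on the allow-list,
    noting whether the port is non-standard (a cue the page calls out)."""
    return [dict(f, nonstandard_port=f["dst_port"] not in standard_ports)
            for f in flows
            if f["dst_ip"] not in known and f["bytes_out"] >= min_bytes]

if __name__ == "__main__":
    print(rdp_lateral_movement(SAMPLE_EVENTS))
    print(suspicious_dns_queries(SAMPLE_DNS))
    print(bulky_transfers_to_new_hosts(SAMPLE_FLOWS, KNOWN_EXTERNAL))
```

Each function returns structured hits rather than printing, so the same checks can be dropped into a SIEM enrichment step or a notebook; the thresholds are deliberately conservative defaults and the mixed-case requirement in `looks_base64` is there to keep long but legitimate hostnames out of the alert queue.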