Task 8, Day 2 Log analysis One man’s false positive is another man’s potpurri.

Because of reasons and obligations I’m already 4 days behind and AoC just started. Here we go…

Detection Engineering rules defined in SIEM to identify malicious or suspicous activity from event logs. Analysis of SIEM events tke place in SOC. SOC has superpower of calling users or processing change requests to confirm user actions to eliminate false positives.

Kryptonite to SOC superpower:

  • Org doesn’t have change request process
  • Performed activity was outside scope of CR or different than approved CR
  • Activity triggered an alert (copying file to certain location, uploading file to website, failed login, etc.)
  • Insider threat performed unauthorized action, intentially or unintentionally
  • User performed malicious activity because of social engineering

Context

Context of user, department, tools, etc. helps analyst make right judgement. Networking team may use Wireshark (doodoo doodoo doo) but use of it by HR or Finance would be out of place.

Correlation

Correlate past and future events to create timeline to tell story of what is happening. Important to note artifacts important enough to connect dots; IPs, machine names, user names, hashes, file paths, etc. Always ensure evidence supports hypothoses.

Using elastic

Hamburger menu > Discover > set date/time range. Add columns from field on left. Best practice to have named accounts to do any admin activity so there is accountability and attribution for each activity performed. Seeing generic service admin accounts should raise suspicion. Note: Powershell uses Base64. Encoded commands can thus be decoded through Cyber Chef.

The Task

Answer questions based on info from elastic and Cyber Chef.

Investigating with ELK 101 room.