# Introduction to SIEM Alerts

https://app.letsdefend.io/monitoring

# Detection

SIEM alerts are notifications generated by the system based on predefined rules and correlation algorithms. These are typically customized to meet an organization's specific security requirements.

## Monitoring

- Main Channel
  - Severity
  - Date
  - Rule Name
  - EventID
  - Type
  - Action

## Taking Ownership

- Investigation Channel
  - Designed for managing and responding to active alerts
  - Create cases to investigate
- Playbooks
  - Methods and approaches for investigating alerts differ from alert to alert
  - We don't always know the exact or best steps to take when dealing with an alert
  - A clear, step-by-step process is helpful for new analysts (and tired ones)
- Closed Alerts
  - After the playbook is completed and all inquiries are dealt with, return to the monitoring page to close the alert
  - The alert needs to be analyzed to determine whether it is a true or false positive

# Case Creation and Playbook Initiation

1. Take ownership by clicking the button in the main channel
2. Create a case
   1. Navigate to the investigation channel
   2. Select the alert to create a case for
   3. Click "Create a case"
3. Launch the playbook

# Email Analysis

## Navigate to Email Security Tab

- Use search to find the email related to the investigation

## Using Detailed Search

- Sender
- Recipient
- Subject
- Sender IP Address
- Attachment Name
- Email Body
- Date
- Action

## Examine Email Content

- Suspicious content?
- Attachments?

Steps

1. Click on the email to view its content
2. Review
   1. Body
   2. Attachments
   3. Sender information
   4. Other
3. View attachments, if any

## Analyze URLs/Attachments

Use a VM to download the attachments/files provided by alerts.

Steps

1. Download attachments from the email to the VM
2. Analyze via tools such as
   1. Anyrun
   2. VirusTotal
   3. URLhaus
   4. URLScan
   5. HybridAnalysis

## Check if Mail was Delivered to User

**Determine the email delivery status**

- Look for entries that indicate whether the email was delivered or not.
Common terms you might see include "**Allowed**", "**Deleted**" or "**Quarantined**".

- Delete email

# Network and Log Analysis

This is a critical step to determine whether the user executed the file they downloaded.

**Find the IP of the affected host**

1. Go to Endpoint Security
2. Host Information
   - IP Address

**Navigate to the Log Management Page:**

- Navigate to the "Log Management" page on the LetsDefend platform. Switch to "Basic" mode by clicking the button in the top right-hand corner of the screen.

**Search for the IP Addresses:**

- In the search bar, enter the IP address of the host in question. This will show you all connections made from that host.

**Analyze Log Entries:**

- Examine the log entries displayed. Focus on the "SRC ADDRESS" and "DEST ADDRESS" columns to identify any suspicious connections.
- Review network actions to identify any unusual outbound connections or data transfers within the alert's time frame that may suggest communication with a C2 server.

**Determine Access Status:**

- Click the Raw Data button to view the raw log of the specified entry. Determine whether the malicious file or URL was accessed.

## Threat Intel

LetsDefend provides a Threat Intel tab to analyze Indicators of Compromise (IOCs). This tab aggregates data from various threat intelligence sources to identify malicious IP addresses, domains, or URLs.

**Navigate to the Threat Intel Tab:**

- Head to the Threat Intel tab on the LetsDefend platform. This tab consolidates threat intelligence data for easy access during investigations.

**Search for the IOC:**

- In the search bar on the Threat Intel tab, type the suspicious IP address or URL you found in Log Management. LetsDefend will query its threat intelligence database to determine if the IOC is associated with any known malicious activity.

**Review the Results:**

- Review the results of the threat intelligence query.
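To make the Log Management and Threat Intel steps above concrete, here is an added Python example (not LetsDefend code): it narrows constructed log lines to the affected host's outbound connections inside the alert window and cross-references each destination against a constructed threat-intel list, the same sequence of filters the investigation applies by hand in the platform.

```python
"""Triage helper for the Log Management and Threat Intel steps above.
Added example, not LetsDefend code; every log line, address and verdict is constructed."""
from datetime import datetime, timedelta

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed log entries in the shape of the Log Management view:
# timestamp, SRC ADDRESS, DEST ADDRESS, DEST PORT, raw request.
LOG_LINES = [
    "2024-03-01T10:02:11Z 172.16.17.88 10.0.0.5 443 GET /intranet/index.html",
    "2024-03-01T10:04:37Z 172.16.17.88 203.0.113.47 8080 GET /update/setup.exe",
    "2024-03-01T10:05:02Z 10.0.0.9 172.16.17.88 445 SMB session setup",
    "2024-03-01T11:30:00Z 172.16.17.88 203.0.113.47 8080 POST /beacon",
    "2024-03-01T10:06:15Z 172.16.17.88 198.51.100.23 443 GET /login",
]

# Constructed verdicts standing in for the Threat Intel tab lookup.
THREAT_INTEL = {"203.0.113.47": "malicious", "198.51.100.23": "clean"}


def parse_line(line):
    ts, src, dst, port, *raw = line.split()
    return {"ts": datetime.strptime(ts, TS_FMT), "src": src, "dst": dst,
            "port": int(port), "raw": " ".join(raw)}


def outbound_in_window(host_ip, alert_ts, window_minutes=30):
    """Connections initiated by host_ip (SRC ADDRESS) within +/- window_minutes of the alert."""
    alert_time = datetime.strptime(alert_ts, TS_FMT)
    lo, hi = (alert_time - timedelta(minutes=window_minutes),
              alert_time + timedelta(minutes=window_minutes))
    return [e for e in map(parse_line, LOG_LINES) if e["src"] == host_ip and lo <= e["ts"] <= hi]


def cross_reference(entries, intel):
    """Tag each DEST ADDRESS with its threat-intel verdict; unlisted hosts are 'unknown', not clean."""
    return [dict(e, verdict=intel.get(e["dst"], "unknown")) for e in entries]


def accessed_iocs(host_ip, alert_ts, intel=THREAT_INTEL, window_minutes=30):
    """Raw requests the host sent to destinations flagged malicious.
    A non-empty list is the evidence behind 'the malicious file or URL was accessed'."""
    hits = cross_reference(outbound_in_window(host_ip, alert_ts, window_minutes), intel)
    return [e["raw"] for e in hits if e["verdict"] == "malicious"]


if __name__ == "__main__":
    for req in accessed_iocs("172.16.17.88", "2024-03-01T10:05:00Z"):
        print("malicious destination contacted:", req)
```

Widening `window_minutes` is how the later beacon at 11:30 shows up; a window that is too tight hides follow-on C2 traffic, one that is too wide buries it in normal activity.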
LetsDefend will provide information on whether the IOC has been flagged as malicious or if it has a history of involvement in cyber threats.

# Endpoint Analysis

Endpoint Security operates as an Endpoint Detection and Response (EDR) system, collecting log data and providing insight into activity on the host machine. Like EDRs such as Carbon Black, SentinelOne, CrowdStrike and most others, LetsDefend Endpoint Security allows you to connect to machines, collect detailed logs, and even isolate compromised machines.

## Process and Network Action Analysis

**Analyze Processes:**

- Check the list of running processes. Look for any unfamiliar or suspicious processes that could indicate malicious activity.
- Dive deeper into the details of any identified suspicious processes.
- Broaden your investigation to include related processes, examining both parent and child processes to uncover hidden links.
- Analyze the suspicious process hash on threat intel platforms.

**Network Actions:**

- Check network activity during the alert's time frame.
- Note any unusual inbound or outbound connections that may indicate communication with a C2 server.
- Cross-reference these indicators of compromise (IOCs) on threat intel platforms.

## Terminal and Browser History Analysis

Look for visits to websites known to be malicious, or links clicked to download dangerous files.

**Terminal and Browser History:**

- Check the terminal history to identify suspicious commands executed on the host.
- Examine the browser history to identify any visits to malicious websites or download links.

## Containment

Quickly implementing containment measures is vital in preventing further damage to the system.

- Prevent data loss
- Prevent unauthorized access
- Prevent lateral movement
- Prevent data extortion

# Result

## Closing The Alert

The alert needs to be analyzed to determine if it is a true positive or a false positive.
A true positive means the alert is legitimate and requires further action, whereas a false positive means that the alert is a false alarm.

Document findings in the Analyst Note section. Include reasoning, relevant data/observations, and steps taken.

## Answers and the Official Incident Report

Review the details of your analysis in the "Closed Alerts" section. Here, you'll find the answers you provided to the playbook questions, confirming your accurate assessment of the situation.

## Case Management and Alert Review

The case management feature allows you to review closed alerts. You can see the details of the alert you closed and the options you chose when analyzing the alert.