This alert was triggered when a user attempted to access an external URL that is listed in the organization's blacklist or threat intelligence feeds. The firewall or proxy successfully blocked the outbound request, preventing the connection. Note: The blacklist only covers known threats. It does not guarantee protection against new or unknown malicious domains.

Using TryHackMe SOC simulator to triage Suspicious Outbound Connection

The objective of this lab is to show the use of a real SOC environment. Using the SOC dashboard, I will take ownership of alerts based on their severity, triage the alert, decide whether the alert is a true positive or a false positive, write a case report, and finally designate whether the alert needs escalation.

Skills Acquired
Email Security: Identify and respond to phishing attempts and malicious attachments.
Incident Response: Quickly address and escalate security incidents.
Log Analysis: Use Splunk to investigate and interpret security events.
Threat Intelligence: Correlate and validate threats using multiple intelligence sources.
Network Analysis: Monitor and examine network traffic with Wireshark.
File Analysis: Evaluate suspicious files using PowerShell and sandbox environments.
Documentation: Produce clear, concise incident reports.
Problem-Solving: Apply strong critical thinking and troubleshooting skills.
Collaboration: Work efficiently with SOC and security teams.
Continuous Learning: Keep current with evolving security threats and best practices.
**Tools Utilized**:
TryHackMe SOC Simulator dashboard: Monitored and managed security alerts and incidents.
Splunk Enterprise: Performed log analysis and event searches.
Virtual Machines for Sandboxing: Safely analyzed suspicious files in isolated environments.
VirusTotal: Verified files and URLs against threat intelligence.
Wireshark: Analyzed network traffic for anomalies or malicious activity.
PowerShell: Conducted file analysis and automated repetitive security tasks.
Steps
After taking ownership of the alert, I reviewed its description and proceeded with a detailed investigation using Splunk Enterprise.

I continued triaging incoming alerts, several of which contained a malicious URL or IP address. The attached files were safely analyzed within the provided virtual machine sandbox. Using PowerShell's `more` command, I examined the contents of the attachments to gather additional details. Further research confirmed that Wireshark can be used to capture the remote-access traffic, which enables command-and-control activity, data exfiltration, persistence, and potential lateral movement within the environment.
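As an added example (not code from the original write-up or from TryHackMe), the triage questions above applied to constructed proxy log lines: is the destination on the blacklist, did the proxy actually block the request, and which other hosts contacted the same indicator. The log format, field names, and indicators are assumptions, and every domain and address is a placeholder.

```python
import re
from collections import Counter

# Constructed sample proxy log lines (assumed key=value format, placeholder values).
SAMPLE_PROXY_LOGS = """\
2024-05-01T09:14:02Z user=j.doe src=10.0.2.15 dst=evil-updates.example dst_ip=203.0.113.7 action=blocked
2024-05-01T09:14:05Z user=j.doe src=10.0.2.15 dst=cdn.example.com dst_ip=198.51.100.3 action=allowed
2024-05-01T09:15:40Z user=a.smith src=10.0.2.22 dst=evil-updates.example dst_ip=203.0.113.7 action=allowed
2024-05-01T09:16:01Z user=a.smith src=10.0.2.22 dst=unknown-host.example dst_ip=203.0.113.44 action=allowed
"""

# Constructed blacklist / threat-intel feed (placeholder indicators, not real IoCs).
BLACKLIST = {"evil-updates.example", "203.0.113.7"}

LOG_RE = re.compile(
    r"(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"dst=(?P<dst>\S+) dst_ip=(?P<dst_ip>\S+) action=(?P<action>\S+)"
)

def parse_log(text):
    """Parse each log line into a dict of fields; lines that do not match are skipped."""
    return [m.groupdict() for line in text.splitlines() if (m := LOG_RE.match(line))]

def triage(events, blacklist):
    """Attach a triage verdict to each event, mirroring the analyst's decision."""
    findings = []
    for e in events:
        listed = e["dst"] in blacklist or e["dst_ip"] in blacklist
        if listed and e["action"] == "blocked":
            verdict = "true_positive_blocked"    # alert is genuine and the control worked
        elif listed:
            verdict = "true_positive_escalate"   # listed indicator reached: escalate
        else:
            verdict = "not_listed"               # blacklist is silent; needs further checks
        findings.append({**e, "verdict": verdict})
    return findings

def summarize(findings):
    """Count verdicts for the case report."""
    return Counter(f["verdict"] for f in findings)

def related_hosts(findings, indicator):
    """Scope the incident: every source host that contacted the given indicator."""
    return {f["src"] for f in findings if indicator in (f["dst"], f["dst_ip"])}

if __name__ == "__main__":
    results = triage(parse_log(SAMPLE_PROXY_LOGS), BLACKLIST)
    print(summarize(results), related_hosts(results, "evil-updates.example"))
```

The `not_listed` verdict is the caveat in the alert description: a domain absent from the blacklist is not cleared, it is simply unknown and still needs checks such as a VirusTotal lookup.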


