Lab 4.1: Alert investigations

Est. Time: 30 minutes

Goals:

  • Work a SOC ticket in the Discover tab
  • Fill out a Jira ticket on the issue for the “customer”

Instructions

  1. In this lab, we’re going to investigate a simple event that you already have an understanding of: The Net User event.
  2. Start by executing the net user command on your VM (not as the Helpdesk user) to generate a new alert.
  3. Once the alert has been generated in Jira, let’s pretend this is a real ticket that has just come in from a customer device. Work the Jira ticket like you would if this was a true production SOC.
    1. Remember the basics of the process:
      1. Claim the ticket and mark it as being in progress.
      2. Investigate the logs in Elastic.
      3. Provide screenshots and assessments of the activity, then determine the action to be taken if any.
        1. Customers usually won’t see every ticket, but it’s good practice to write your tickets professionally in case something is escalated to them.
        2. Don’t ever commingle customer data; keep the tone professional, give good explanations, etc.
  4. Once you have completed your investigation, or if you need some hints, check out the example of how I did this process below.
  5. Here is what I did:

    1. Claimed the Jira ticket

    2. From the ticket description I took the host and the process PID and went to Elastic discover.

    3. Searching within 30 minutes either side of the alert-triggering timestamp gave me this:

      1. If you can’t find your events, look at the timestamp fields. Is your Jira alert using the same timezone as your logs? My Jira ticket is in UTC, and my Elastic is in EST!
        1. Generally you will want consistency here. Should you be working in a production SOC, I would recommend that all of your timestamps be UTC.
      2. You’ll also notice that I’m only seeing one event. I switched my dataview to “logs-*” so that my screenshots don’t confuse the “customer”.
        1. From there I also pivoted to the parent process id; what else did this process do!? I want to know!

      3. You can see here that I was running some other commands (-exec bypass & hostname) to stage this PowerShell window for other lab development.
      4. Lastly, here is what I put in my SOC ticket:
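As an added example (not part of the lab; the sample events, hosts and PIDs are constructed), here is the same workflow in Python: a ±30 minute window around the ticket timestamp, the host + PID search from the ticket, and the pivot to the parent PID. It also shows why the timezone check in step 3.1 matters: reading the UTC ticket time as EST shifts the window by five hours and returns nothing.

```python
from datetime import datetime, timedelta, timezone

# Constructed ECS-style events (not real lab data). '@timestamp' is UTC, as Elastic stores it.
EVENTS = [
    {"@timestamp": "2024-03-01T09:40:00Z", "host.name": "lab-vm", "process.pid": 4120,
     "process.parent.pid": 700, "process.command_line": "svchost.exe"},   # earlier PID reuse
    {"@timestamp": "2024-03-01T14:57:05Z", "host.name": "lab-vm", "process.pid": 3988,
     "process.parent.pid": 2210, "process.command_line": "powershell.exe -exec bypass"},
    {"@timestamp": "2024-03-01T14:58:30Z", "host.name": "lab-vm", "process.pid": 4101,
     "process.parent.pid": 3988, "process.command_line": "hostname"},
    {"@timestamp": "2024-03-01T15:02:10Z", "host.name": "lab-vm", "process.pid": 4120,
     "process.parent.pid": 3988, "process.command_line": "net user"},
    {"@timestamp": "2024-03-01T15:01:00Z", "host.name": "other-vm", "process.pid": 4120,
     "process.parent.pid": 1, "process.command_line": "net user"},       # same PID, other host
]

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def window(alert_ts, minutes=30):
    """(start, end) in UTC around an ISO-8601 alert timestamp that carries a UTC offset."""
    t = datetime.fromisoformat(alert_ts)
    if t.tzinfo is None:
        raise ValueError("alert timestamp has no timezone; align it with the logs first")
    t = t.astimezone(timezone.utc)
    return t - timedelta(minutes=minutes), t + timedelta(minutes=minutes)

def in_window(event, start, end):
    return start <= parse_ts(event["@timestamp"]) <= end

def search(host, pid, alert_ts, minutes=30):
    """Steps 2-3 of the walkthrough: host + PID from the ticket, +/-30 min around the alert."""
    start, end = window(alert_ts, minutes)
    return [e["process.command_line"] for e in EVENTS
            if e["host.name"] == host and e["process.pid"] == pid and in_window(e, start, end)]

def pivot_parent(host, parent_pid, alert_ts, minutes=30):
    """Pivot: the parent process itself plus everything it spawned, in time order."""
    start, end = window(alert_ts, minutes)
    hits = [e for e in EVENTS if e["host.name"] == host and in_window(e, start, end)
            and parent_pid in (e["process.pid"], e["process.parent.pid"])]
    return [e["process.command_line"] for e in sorted(hits, key=lambda e: e["@timestamp"])]

if __name__ == "__main__":
    ticket_utc = "2024-03-01T15:02:00+00:00"   # what the Jira ticket shows
    misread_est = "2024-03-01T15:02:00-05:00"  # same digits read in Elastic's EST display
    print(search("lab-vm", 4120, ticket_utc))  # ['net user']
    print(search("lab-vm", 4120, misread_est)) # []  -> the window is five hours off
    print(pivot_parent("lab-vm", 3988, ticket_utc))
```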

Additional References

Hardmode

Did you nail this lab right away? If so, here’s an additional challenge for you:

  1. Trigger and investigate your EQL detection for registry persistence
  2. I encourage you to share that investigation ticket with the class after the lab via Discord