Updating defenses and logging lessons learned.
2. Phase 1: Alert Triage and Validation
Look for high volumes of subdomains queried in a short window, which frequently signals DNS tunneling or domain generation algorithms (DGAs).
Note the exact timestamps of system isolations or credential revocations to assist post-incident reviews.
Incident Containment Strategies
MITRE ATT&CK tags should be validated against the authoritative MITRE STIX data rather than hardcoded lists.
Stealing data, destroying systems, or deploying ransomware.
MITRE ATT&CK Framework
This guide serves as a comprehensive operational blueprint for SOC analysts to execute rapid, accurate, and effective threat investigations.
1. The Core Architecture of Threat Investigation
Examine the raw log data generated by your SIEM, EDR, or NDR platform. Document the following core variables:
Evidence collection turns suspicion into fact by gathering logs, process trees, network artifacts, and then digging deeper. Useful sources include:
Transmitting the weaponized payload via email, web, or USB.