Effective Threat Investigation for SOC Analysts PDF Review

Review firewall and web server logs for exploitation attempts (e.g., directory traversal, SQL injection, RCE strings) targeting public-facing assets.

Begin every investigation with a clear question. For example: "If this PowerShell script is malicious, what registry changes did it make to stay on the system?" This approach keeps your analysis focused and prevents you from getting lost in massive log files.

2. Phase-by-Phase Investigation Workflow

Identifying how the threat entered the environment (the initial access vector).

During this process, analysts identify IOCs and often map activity against structured models like the MITRE ATT&CK framework to better understand possible adversary tactics. This step involves building hypotheses—plausible explanations of what's happening.

Check authentication logs (Kerberos, NTLM, SSH) to see if the threat moved to other internal systems.

Step 4: Root Cause Analysis (Patient Zero)

Throughout this guide, we reference Effective Threat Investigation for SOC Analysts by Mostafa Yahia (Packt Publishing, 2023), a definitive resource that covers phishing analysis, Windows event logs, firewall and proxy investigations, and threat intelligence platforms in depth.

This article is part of the SOC Analyst's Field Manual series. For the full , including interactive checklists and case studies, visit [Your Security Portal URL].

Work backward in time to locate the exact entry point.

The hardest for attackers to change. Focus investigations here for maximum impact.

The Diamond Model of Intrusion Analysis

Mapping a single technique allows you to look "left and right" in the matrix to predict the attacker's next move or uncover their previous steps.

The Cyber Kill Chain

Unusual DNS TXT queries, high-byte outbound transfers, unauthorized protocols. Log aggregation, correlation rules, cross-source timelines. Correlated multi-vector alerts.

4. Advanced Investigation Techniques

Opening a two-way channel for remote management.

| Pivot Point | What to Look For | Why It Matters |
| :--- | :--- | :--- |
| | High volume connections, geo-location anomalies, reputation. | Identifies Command & Control (C2) communication. |
| User Account | Multiple failed logins, login from impossible travel locations. | Indicates credential theft or brute force. |
| File Hash | Unsigned files, files in temp directories. | Identifies malware droppers or payloads. |
| Process ID (PID) | Parent/child relationship anomalies. | Detects process injection or hijacking. |
