
CheatSheet - SAL1

The document provides templates for incident reports, detailing procedures for both false positive and true positive incidents, including alert descriptions, investigation outcomes, and recommendations. It outlines key components such as the 5Ws (who, what, when, where, why), impact assessments, and indicators of compromise (IOCs). Additionally, it covers cybersecurity fundamentals, SOC operations, and various attack techniques, emphasizing the importance of detection and response in cybersecurity.

Uploaded by bados99061
Copyright © All Rights Reserved

False Positive Incident Report (Template)

Alert Description
- False positive identified, no threat detected.

Incident Details
- Investigation Outcome: [Brief explanation of why the alert was a false positive].
- Impact: No impact or compromise observed.

Recommendations
- No action required at this time.
- [If applicable] Review and adjust the detection rule to prevent future false positives.

Escalation Scenario
- Incident closed; no escalation required.

True Positive Incident Report (Template)

Alert Description
- Definition: Brief summary of the detected attack. (Example: "Phishing email with embedded malware link" or "Brute force login attempt on VPN")

5Ws
Who
- Details about the attacker and victim. (Includes: Source IPs, usernames, hostnames)
What
- Type of attack (e.g., phishing, malware, brute force)
- Specifies the method used
When
- Timestamps from logs (e.g., Splunk)
- Single event or range if multiple incidents
Where
- Device or log source showing the attack. (Examples: Workstation, server, firewall)
Why
- Attacker’s objective or intent. (Examples: Gain access, steal data, disrupt service)

Incident Details
Likely Attacker Intent
- Goal of the attack (e.g., initial access, ransomware deployment)
Impact
- Outcome of the attack (e.g., successful compromise, contained)
MITRE ATT&CK Technique
- Specific TTP (Tactic, Technique, Procedure) from the MITRE framework
- Examples: T1566 (Phishing), T1078 (Valid Accounts)

Indicators of Compromise (IOCs)
Definition: Evidence of the attack
Examples:
- IPs (e.g., 192.168.1.100)
- Domains (e.g., maliciousdomain.com)
- Usernames (e.g., jdoe)
- Processes (e.g., powershell.exe)
- File hashes (e.g., SHA256)

Recommendations
Purpose: Actions to mitigate and prevent further damage
Examples:
- Block malicious IPs at firewall
- Isolate affected devices
- Reset compromised credentials
- Run antivirus scans

Escalation
- Decision: Escalate or close the incident
- Reasoning: Based on severity (e.g., data breach escalates, low impact does not)

Alert 1: Suspicious Email Received

Splunk Query
`index=main sourcetype=mail "user=jdoe" | table _time, sender, subject, url`

Result
- Timestamp: 2025-03-30 10:00 UTC
- Sender: admin@company.com
- Subject: "Urgent Update Required"
- URL: hxxp://maliciousdomain.com/update

Incident Report
Alert Description: Phishing email with a malicious link detected
5Ws
- Who: Attacker spoofing admin@company.com, targeting user jdoe
- What: Phishing email designed to deliver malware
- When: 2025-03-30 10:00 UTC
- Where: Email server mail.company.local
- Why: To trick the user into clicking and initiating malware download
Incident Details
- Likely Attacker Intent: Gain initial access to the victim’s system
- Impact: Successful - User clicked the link, triggering further events
- MITRE ATT&CK Technique: T1566 - Phishing
IOCs
- Domain: maliciousdomain.com
- URL: hxxp://maliciousdomain.com/update
- Sender: admin@company.com (spoofed)
Recommendations
- Block maliciousdomain.com at the firewall to prevent further access
- Educate users on recognizing phishing emails with suspicious links
Escalation: No escalation needed - Initial detection handled locally

Key Topics and Quick Facts

1. Networking Fundamentals
- TCP/IP and OSI Models:
  - Layers:
    - OSI: Physical, Data Link, Network, Transport, Session, Presentation, Application
    - TCP/IP: Link, Internet, Transport, Application
  - Key Protocols: TCP (reliable), UDP (fast), IP (routing)
- Common Ports:
  - 21 (FTP), 22 (SSH), 23 (Telnet), 25 (SMTP), 53 (DNS), 80 (HTTP), 443 (HTTPS), 3389 (RDP)
- TCP Three-Way Handshake: SYN → SYN-ACK → ACK
- Subnetting Basics:
  - CIDR: /24 = 256 IPs, /30 = 4 IPs (2 usable)
  - IPv4 vs. IPv6: IPv4 (32-bit, e.g., 192.168.1.1), IPv6 (128-bit, e.g., 2001:0db8::1)
- Network Attacks:
  - Port Scanning: Identifies open ports (e.g., Nmap)
  - DDoS: Overwhelms services
  - MiTM: Intercepts communication (e.g., ARP spoofing)
  - DNS Poisoning: Fake DNS records

2. Operating Systems
- Windows:
  - Event Logs: Security (logons), System (crashes), Application (app errors)
  - Tools: Event Viewer, Task Manager, PowerShell
  - Active Directory: Manages domain users/devices (LDAP, port 389)
- Linux:
  - File System: /etc (config), /var/log (logs), /home (users)
  - Commands: `ls` (dir), `cat` (view file), `chmod` (permissions), `ps` (processes)
  - Logs: /var/log/syslog or /var/log/messages
- Authentication:
  - Windows: NTLM, Kerberos
  - Linux: PAM (Pluggable Authentication Module)

3. Cybersecurity Foundations
- CIA Triad: Confidentiality, Integrity, Availability
- Least Privilege: Minimum access needed
- Common Vulnerabilities:
  - Log4Shell: RCE in Log4j (Java)
  - EternalBlue: SMB exploit (WannaCry)
- Encryption:
  - Symmetric: Same key (e.g., AES)
  - Asymmetric: Public/private keys (e.g., RSA)
  - Hashing: One-way (e.g., SHA-256)
  - Encoding: Base64 (reversible, not secure)

4. SOC Operations and Tools
- SIEM Basics:
  - Splunk: Key SAL1 tool
  - Basic Query: `index=main sourcetype=xyz | table field1, field2`
  - Fields: src_ip, dest_ip, user, process_name, _time
- Alert Triage:
  - True Positive (TP): Confirmed threat (e.g., malware)
  - False Positive (FP): Benign (e.g., admin task)
  - Escalation: TP with high impact to IR team
- Common Tools:
  - Wireshark: Packet analysis (filter: `ip.addr == x.x.x.x`)
  - Sysmon: Endpoint monitoring (Windows)
  - Auditd: Linux auditing

5. MITRE ATT&CK Framework
- Tactics: Initial Access, Execution, Persistence, Privilege Escalation, Defence Evasion, C2, Exfiltration
- Techniques:
  - T1566: Phishing (malicious email links)
  - T1059: Command Scripting (PowerShell malware)
  - T1071: C2 via protocols (HTTP/HTTPS)
  - T1110: Brute Force (VPN attempts)
  - T1078: Valid Accounts (stolen creds)
  - T1530: Data from Local System (file access)
- NIST CSF:
  - Identify: Risk assessment
  - Protect: Security controls
  - Detect: Threat monitoring
  - Respond: Incident handling
  - Recover: System restoration
- Cyber Kill Chain:
  - Reconnaissance: Gather info
  - Delivery: Send attack
  - Exploitation: Use vulnerabilities
  - C2: Command and control
  - Actions: Achieve goal (e.g., theft)

6. Indicators of Compromise (IOCs) and Attack (IOAs)
- IOCs: IPs, domains, file hashes (MD5, SHA-1), URLs
  - Pyramid of Pain: Easy (IPs) to hard (TTPs)
- IOAs: Behavioural (e.g., odd login times)
- Difference: IOCs = artifacts, IOAs = actions

7. Phishing and Email Security
- Tactics: Impersonation, typo-squatting, spoofing
- Defences:
  - SPF: Allowed senders
  - DKIM: Email signature
  - DMARC: SPF/DKIM combo, action (e.g., quarantine)
- Analysis: Check `From:` vs. `Return-Path`

8. Web and Endpoint Security
- Web Attacks:
  - XSS: Injects scripts (client-side)
  - SQL Injection: DB manipulation (server-side)
  - Path Traversal: Unauthorized files (e.g., `../../etc/passwd`)
- Endpoint Attacks:
  - RDP/SSH: Brute force or stolen creds
  - Mimikatz: Credential dumping
  - Persistence: Registry, scheduled tasks

9. Command and Control (C2)
- Types:
  - Forward Shell: Attacker initiates
  - Reverse Shell: Victim connects (bypasses firewalls)
- Detection: Unusual outbound (e.g., port 4444)

10. Miscellaneous
- Cloud Basics: SaaS (Gmail), IaaS (AWS EC2)
- Virtualization: VM vs. host (e.g., VirtualBox)
- Scripting: Recognize Python, Bash, PowerShell syntax
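An added triage script, not part of the cheat sheet, that works the Alert 1 phishing example through the section 7 analysis step (compare `From:` with `Return-Path`, read the SPF/DKIM/DMARC verdicts) and extracts the defanged IOCs the incident report needs. The raw message, its Return-Path relay domain and the Authentication-Results values are constructed for illustration.

```python
"""Phishing triage for the Alert 1 example: sender-header consistency,
SPF/DKIM/DMARC verdicts and IOC extraction (added example, constructed data)."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message matching the Alert 1 Splunk result.
SAMPLE_EMAIL = """\
From: IT Admin <admin@company.com>
Return-Path: <bounce@mail-relay-xyz.example>
To: jdoe@company.com
Subject: Urgent Update Required
Authentication-Results: mail.company.local; spf=fail smtp.mailfrom=mail-relay-xyz.example; dkim=none; dmarc=fail header.from=company.com
Content-Type: text/plain

Please install the update now: http://maliciousdomain.com/update
"""

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")


def defang(url):
    """Make a URL non-clickable for the report (http -> hxxp, the cheat sheet's style)."""
    return re.sub(r"^http", "hxxp", url)


def triage_email(raw):
    """Return spoofing findings and defanged IOCs for one raw RFC 822 message."""
    msg = message_from_string(raw)
    from_addr = parseaddr(msg.get("From", ""))[1]
    return_path = parseaddr(msg.get("Return-Path", ""))[1]
    from_domain = from_addr.rpartition("@")[2].lower()
    rp_domain = return_path.rpartition("@")[2].lower()
    # Section 7 analysis step: the visible sender vs. the envelope sender.
    findings = []
    if from_domain != rp_domain:
        findings.append(f"From/Return-Path mismatch: {from_domain} vs {rp_domain}")
    # SPF/DKIM/DMARC verdicts as recorded by the receiving mail server.
    verdicts = dict(AUTH_RE.findall(msg.get("Authentication-Results", "")))
    for check in ("spf", "dkim", "dmarc"):
        if verdicts.get(check) != "pass":
            findings.append(f"{check} did not pass ({verdicts.get(check, 'missing')})")
    urls = URL_RE.findall(msg.get_payload())
    iocs = {"sender": from_addr, "urls": [defang(u) for u in urls],
            "domains": sorted({urlparse(u).hostname for u in urls})}
    return {"spoof_suspected": bool(findings), "findings": findings, "iocs": iocs}
```

The `iocs` dictionary maps directly onto the IOCs block of the true positive template; `findings` is the evidence for the "Sender: ... (spoofed)" line.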

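An added example, not from the cheat sheet, for the section 9 detection tip that reverse shells and C2 stand out as unusual outbound connections (e.g. to port 4444). The log lines are constructed in a key=value form that reuses the Splunk field names from section 4 (src_ip, dest_ip, user, process_name, _time); the expected-port set and internal ranges are assumptions a real deployment would tune.

```python
"""Flag outbound connections to non-standard ports as possible reverse shell / C2
(added example, constructed log lines)."""
import re
from ipaddress import ip_address, ip_network

# Assumption: ports normal business traffic uses; anything else leaving the network is unusual.
EXPECTED_OUTBOUND_PORTS = {22, 25, 53, 80, 443}
# Assumption: RFC 1918 ranges are internal; connections that stay inside are not "outbound".
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]

# Constructed connection log, one event per line (external IPs are documentation ranges).
SAMPLE_LOGS = [
    "_time=2025-03-30T10:02:11Z src_ip=192.168.1.100 dest_ip=203.0.113.5 dest_port=443 user=jdoe process_name=chrome.exe",
    "_time=2025-03-30T10:02:15Z src_ip=192.168.1.100 dest_ip=203.0.113.5 dest_port=443 user=jdoe process_name=chrome.exe",
    "_time=2025-03-30T10:03:40Z src_ip=192.168.1.100 dest_ip=198.51.100.7 dest_port=4444 user=jdoe process_name=powershell.exe",
    "_time=2025-03-30T10:05:02Z src_ip=192.168.1.100 dest_ip=192.168.1.10 dest_port=389 user=jdoe process_name=lsass.exe",
    "_time=2025-03-30T10:06:30Z src_ip=192.168.1.101 dest_ip=203.0.113.9 dest_port=80 user=asmith process_name=chrome.exe",
]

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Turn one key=value log line into a dict of fields."""
    return dict(KV_RE.findall(line))


def is_external(ip):
    """True when the address is outside every internal range."""
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def find_unusual_outbound(lines):
    """Return one alert per outbound connection to a port outside the expected set."""
    alerts = []
    for event in map(parse_event, lines):
        port = int(event["dest_port"])
        if is_external(event["dest_ip"]) and port not in EXPECTED_OUTBOUND_PORTS:
            alerts.append({
                "time": event["_time"], "src_ip": event["src_ip"],
                "dest": f"{event['dest_ip']}:{port}", "user": event["user"],
                "process": event["process_name"],
                "reason": "outbound connection to a non-standard port (possible reverse shell / C2)",
            })
    return alerts


if __name__ == "__main__":
    for alert in find_unusual_outbound(SAMPLE_LOGS):
        print(alert)
```

Each alert already carries the Who (user, src_ip), When (time) and Where (dest, process) fields the 5Ws section of the report asks for.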