SOC Blueprint

The document provides a structured approach for responding to scenario-based interview questions in cybersecurity, using the D.R.I.L. method: Detect, Respond, Investigate, Learn. It includes a technical checklist for incident investigation and templates for reporting incidents, both short notes and detailed reports. The reporting section emphasizes the importance of documenting findings, timelines, technical analysis, and recommendations for future improvements.

Uploaded by

Vignesh Vig

✅ 1. HOW TO FORM YOUR RESPONSE IN INTERVIEWS

(For scenario-based questions like: "How do you handle unusual traffic?" or "How do you
respond to a ransomware attack?")

🔹 D.R.I.L. — A Structure for Answering Interview Questions

| Step | Description | Example |
|------|-------------|---------|
| D – Detect | How do you detect or validate the alert? | "First, I validate the alert from SIEM or EDR. I check if it's genuine using logs, process trees, or network patterns." |
| R – Respond | What are your immediate containment actions? | "I isolate the host from the network to prevent further damage." |
| I – Investigate | What logs, artifacts, or forensics do you check and how? | "I pivot on the source IP, review Sysmon logs (event ID 1, 3), and analyze related commands/processes." |
| L – Learn & Log | How do you wrap up, document, and learn from the incident? | "I document everything in a report, extract IOCs, create new detection rules, and share learnings with the team." |

🗣️ You Can Say in Interview:

"I usually follow a structured flow when investigating: Detect, Respond,
Investigate, Learn. First, I validate the alert and understand if it's real. Then I
contain the source if needed. Next, I collect all the logs — EDR, Sysmon,
firewall — to deeply investigate. Finally, I document all findings, extract IOCs,
and update rules to improve detection."

✅ 2. TECHNICAL CHECKLIST FOR INVESTIGATION
(Use this when you're actually working in a SOC or home lab)

🧪 Incident Investigation Checklist (General)

| Area | Things to Check | Tools |
|------|-----------------|-------|
| Validate Alert | Check SIEM logs (Splunk, Sentinel); confirm alert correlation rules | SIEM |
| Host Forensics | Sysmon logs (Event IDs 1, 3, 11, 13); running processes; registry entries; file paths | Sysmon, Windows Logs |
| Process Analysis | Command line; parent-child process; suspicious binaries (certutil, PowerShell) | EDR, ProcMon |
| Network Traffic | Lateral movement (445, 3389); external IP connections; beaconing patterns | Zeek, Suricata, Netstat |
| Persistence Mechanisms | Scheduled tasks; registry Run keys; WMI event consumers | Autoruns, Regedit |
| Malware Analysis | File hashes; sandbox test; signature match | Any.Run, HybridAnalysis |
| Threat Intelligence | Known IOCs; MITRE ATT&CK mapping; VirusTotal checks | OTX, VirusTotal |
| User Activity | Logon/logoff history; failed login attempts; lateral admin use | Event Logs (4624, 4625) |
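Added example (not part of the original document): a small Python triage helper for the Network Traffic and Process Analysis rows of the checklist. It joins constructed Sysmon Event ID 3 network connections on ports 445/3389 to their Event ID 1 process-creation records, then separates connections made by a known patch tool (the false-positive case in the short note of section 3) from those made by PsExec launched from powershell.exe (the case in the full report). The sample events, the field names, and the `patchsvc.exe` allowlist entry are assumptions.

```python
import ipaddress
import json

LATERAL_PORTS = {445, 3389}  # SMB and RDP, as listed in the checklist
# Hypothetical allowlist: images the IT patch system is known to use.
KNOWN_ADMIN_TOOLS = {r"c:\program files\patchsvc\patchsvc.exe"}

# Constructed Sysmon events as JSON lines (not real telemetry).
# EventID 1 = process creation, EventID 3 = network connection.
SAMPLE_EVENTS = r"""
{"EventID": 1, "ProcessGuid": "{A1}", "Image": "C:\\Program Files\\PatchSvc\\patchsvc.exe", "ParentImage": "C:\\Windows\\System32\\services.exe", "CommandLine": "patchsvc.exe --push"}
{"EventID": 1, "ProcessGuid": "{B2}", "Image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\PsExec.exe", "ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "PsExec.exe \\\\10.1.1.45 -s cmd.exe"}
{"EventID": 3, "ProcessGuid": "{A1}", "SourceIp": "10.1.1.23", "DestinationIp": "10.1.1.45", "DestinationPort": 445}
{"EventID": 3, "ProcessGuid": "{B2}", "SourceIp": "10.1.1.23", "DestinationIp": "10.1.1.45", "DestinationPort": 445}
{"EventID": 3, "ProcessGuid": "{B2}", "SourceIp": "10.1.1.23", "DestinationIp": "10.1.1.51", "DestinationPort": 445}
{"EventID": 3, "ProcessGuid": "{B2}", "SourceIp": "10.1.1.23", "DestinationIp": "45.76.23.198", "DestinationPort": 443}
"""

def parse_events(text):
    """One JSON object per line; blank lines are skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def is_internal(ip):
    return ipaddress.ip_address(ip).is_private

def triage_lateral(events):
    """Return internal-to-internal connections on lateral-movement ports,
    each tied to the process (Event ID 1) that made the connection (Event ID 3)."""
    procs = {e["ProcessGuid"]: e for e in events if e["EventID"] == 1}
    findings = []
    for e in events:
        if e["EventID"] != 3 or e["DestinationPort"] not in LATERAL_PORTS:
            continue
        if not (is_internal(e["SourceIp"]) and is_internal(e["DestinationIp"])):
            continue  # external traffic is a separate check (beaconing, C2)
        p = procs.get(e["ProcessGuid"], {})
        image = p.get("Image", "<unknown>")
        verdict = "FP-candidate" if image.lower() in KNOWN_ADMIN_TOOLS else "TP-candidate"
        findings.append({
            "src": e["SourceIp"], "dst": e["DestinationIp"], "port": e["DestinationPort"],
            "image": image, "parent": p.get("ParentImage", "<unknown>"),
            "cmdline": p.get("CommandLine", ""), "verdict": verdict,
        })
    return findings

def summarize(findings):
    """Group destination hosts by verdict, for the note's 'Investigation Steps'."""
    out = {}
    for f in findings:
        out.setdefault(f["verdict"], set()).add(f["dst"])
    return {k: sorted(v) for k, v in out.items()}

if __name__ == "__main__":
    for f in triage_lateral(parse_events(SAMPLE_EVENTS)):
        print(f["verdict"], f["src"], "->", f["dst"], f["port"], f["image"], "parent:", f["parent"])
```

An FP-candidate still needs the analyst to confirm the parent chain and command line before the note is closed as a false positive.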

✅ 3. REPORTING — TEMPLATES FOR NOTES & FINAL REPORT

You'll usually write:

- A short internal note (for low-priority alerts or FP/TP)
- A detailed incident report (for high-priority or confirmed compromise)

📝 A. Short Note Template (for FP/TP tracking)

Alert Name: Lateral Movement via SMB
Date: 2025-06-03
Analyst: Arun Kumar
Status: [False Positive / True Positive]

Summary:
Received an alert indicating lateral SMB traffic from host 10.1.1.23 to 10.1.1.45.

Investigation Steps Taken:
- Validated alert in Splunk.
- Checked Sysmon Event ID 3 (network connection).
- Process tied to legitimate IT update process (patch system).

Conclusion:
False positive. Legitimate internal patch activity.

Recommendations:
- Tune SIEM to whitelist known IT maintenance IPs.

📄 B. Full Incident Report Template (for confirmed incidents)

# Incident Report

## 1. Summary
- **Incident Name:** Lateral Malware Spread via PsExec
- **Date & Time Detected:** 2025-06-03 14:00 IST
- **Reported By:** SIEM Alert (Splunk Correlation Rule)
- **Analyst:** Arun Kumar
- **Severity:** High
- **Status:** Closed

## 2. Timeline
| Time (IST) | Action |
|------------|--------|
| 14:00 | SIEM alert triggered: SMB traffic from Host-A to Host-B |
| 14:10 | Host-A isolated via Defender ATP |
| 14:30 | Process traced: powershell.exe invoking PsExec |
| 15:00 | Malware hash submitted to VirusTotal - flagged |
| 16:00 | IOC sweep performed across all endpoints |
| 17:00 | 3 infected machines isolated and remediated |

## 3. Technical Analysis
- **Initial Infection Vector:** Likely phishing (user downloaded ZIP)
- **Tools Used by Attacker:** PsExec, SMB, RDP
- **Persistence Methods:** Scheduled task + registry Run key
- **C2 Communication:** Detected via abnormal DNS requests (beaconing)
- **Lateral Movement:** PsExec from 10.1.1.23 to 10.1.1.45, 10.1.1.51

## 4. IOCs
| Type | Value |
|--------------|------------------------|
| File Hash | `d41d8cd98f00b204e9800998ecf8427e` |
| Domain | `evil-domain.com` |
| IP Address | `45.76.23.198` |
| File Name | `invoice.exe` |

## 5. Impact
- 3 endpoints affected
- No critical data loss
- No exfiltration detected

## 6. Mitigation & Response
- Blocked PsExec via GPO
- Added hash to EDR blocklist
- Reset local admin passwords
- Patched vulnerable services

## 7. Lessons Learned
- Improve attachment sandboxing
- Review SMB access policies
- Continuous hunt for lateral movement patterns

## 8. Recommendations
- Enforce stricter email filtering
- Enable LSA protection on endpoints
- Use tiered admin accounts for RDP
