SOC Fundamentals

SIEM and Analyst Relationship Lesson:

Question 1:


The SIEM on LetsDefend has 3 different channels (Main Channel, Investigation Channel, Closed alerts). The Main channel is for all available alerts. The investigation channel is for alerts that you have taken responsibility for or were assigned. The closed alerts is for alerts that you have finished analyzing. One of these channels will allow you to access previously closed alerts.

Notes: It may seem pointless to include an answer for a question this simple, but I will just go through and do all of them.

Answer Question 1

closed alerts 

Log Management Lesson:

Question 1:


Steps for solution

Step 1: Click on Practice within the LetsDefend website top access bar.


This will open the LetsDefend SIEM tool.


Step 2: Click on the Log Management tab within the left panel.


Step 3: Click on the New Search bar to open the search feature within log management.


Step 4: Set type to “raw_log”, leave operator as “contains” and set value to the question URL “https://github.com/apache/flink/compare”. Do not include the single quotes shown on the site or the double quotes used here.


Step 5: Click on the one event that should show up and note its source address, which is the answer to the question.


Log Management Lesson:

Question 2:

Steps 1–3: Follow steps 1–3 from question 1.

Step 4: Set type to “destination_port”, leave operator as “contains” and set value to the question’s port number “52567”. Do not include the single quotes shown on the site or the double quotes used here.


Step 5: Click on the one event that should show up and note the type value for the answer.
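The two searches above are both field/operator/value filters over the event store. To make the filter logic concrete, here is an added Python example (not LetsDefend code) that runs the same two queries over a small set of constructed events whose values are borrowed from the lesson's questions. It also handles the caveat in Step 4: a value pasted with its surrounding quotes would not match under “contains”, so the search strips matching outer quotes before comparing.

```python
from typing import Callable, Dict, List

# Constructed sample events (not LetsDefend data); field values mirror the lesson's questions.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"type": "proxy", "source_address": "172.16.17.54", "destination_port": "443",
     "raw_log": "GET https://github.com/apache/flink/compare HTTP/1.1"},
    {"type": "dns", "source_address": "172.16.17.54", "destination_port": "52567",
     "raw_log": "query A github.com"},
    {"type": "firewall", "source_address": "10.0.0.7", "destination_port": "22",
     "raw_log": "ACCEPT tcp 10.0.0.7 -> 10.0.0.9:22"},
]

# Operators modelled on the SIEM search form; "contains" is the one the lesson uses.
OPERATORS: Dict[str, Callable[[str, str], bool]] = {
    "contains": lambda field, value: value in field,
    "equals": lambda field, value: field == value,
    "startswith": lambda field, value: field.startswith(value),
}


def normalize_value(value: str) -> str:
    """Strip one pair of matching outer quotes (the mistake Step 4 warns about)."""
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] and value[0] in ("'", '"', "\u201c"):
        return value[1:-1]
    return value


def search(events: List[Dict[str, str]], field: str, operator: str, value: str) -> List[Dict[str, str]]:
    """Return the events whose `field` matches `value` under `operator`."""
    if operator not in OPERATORS:
        raise ValueError(f"unsupported operator: {operator}")
    test = OPERATORS[operator]
    wanted = normalize_value(value)
    # Fields are compared as strings so numeric ports behave like the raw_log text.
    return [e for e in events if field in e and test(str(e[field]), wanted)]


if __name__ == "__main__":
    # Question 1: which source address requested the GitHub compare URL?
    for e in search(SAMPLE_EVENTS, "raw_log", "contains", "https://github.com/apache/flink/compare"):
        print("Q1 source_address:", e["source_address"])
    # Question 2: what is the type of the event on destination port 52567?
    for e in search(SAMPLE_EVENTS, "destination_port", "contains", "52567"):
        print("Q2 type:", e["type"])
```

Run as a script it prints the two answers; the quoted-value case shows why the raw `contains` comparison fails when the quotes are left in, and why the search normalizes them first.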


Answer Question 1


172.16.17.54 

Answer Question 2

dns

EDR — Endpoint Detection and Response Lesson:

Question 1:

Step 1: Follow step 1 question 1 from Log Management Lesson above.

Step 2: Click the Endpoint Security tab on the left side panel.

Step 3: Click the “Search Anything” box in the upper left of the Endpoint Security tab.


Step 4: Copy the hash value of “83e0cfc95de1153d405e839e53d408f5” and paste it into the “Search Anything” box.


EDR — Endpoint Detection and Response Lesson:

Question 2:


Steps 1–3: Follow steps 1–3 from the previous question.

Step 4: Enter the host name “Roberto” into the EDR “Search Anything” box.


Step 5: Click on the “Terminal History” tab within the endpoint information.


Step 6: Look through the Command Line events for a command that ends with “Ps1.hta” and note it as the answer.
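Scrolling terminal history by eye works for one host, but the pattern being hunted here (mshta.exe launching an .hta file) is easy to express as a check an analyst can run over many hosts. The following is an added Python example, not LetsDefend's code, that scans constructed command-line events (the Ps1.hta line mirrors the lesson's answer; the other lines are made up) and flags mshta launches of .hta files, noting whether the file lives under a user-writable path.

```python
import re
from typing import Dict, List, Optional

# Constructed terminal-history events (not LetsDefend data); only the Ps1.hta line comes from the lesson.
TERMINAL_HISTORY: List[Dict[str, str]] = [
    {"host": "Roberto", "cmdline": "C:/Windows/System32/cmd.exe /c whoami"},
    {"host": "Roberto", "cmdline": "C:/Windows/System32/mshta.exe C:/Users/roberto/Desktop/Ps1.hta"},
    {"host": "Roberto", "cmdline": "C:/Windows/System32/notepad.exe C:/Users/roberto/Desktop/notes.txt"},
    {"host": "EricProd", "cmdline": "C:/Windows/System32/mshta.exe C:/Program Files/Vendor/setup.hta"},
]

# mshta as the executable name, with either slash style and optional .exe suffix.
MSHTA_RE = re.compile(r"(?:^|[\\/])mshta(?:\.exe)?\b", re.IGNORECASE)
# First argument token ending in .hta.
HTA_ARG_RE = re.compile(r"\S+\.hta\b", re.IGNORECASE)
# Paths under a user profile are writable by that user, which raises the priority of a hit.
USER_DIR_RE = re.compile(r"[\\/]Users[\\/]", re.IGNORECASE)


def find_hta_launches(events: List[Dict[str, str]], host: Optional[str] = None) -> List[Dict[str, object]]:
    """Return mshta.exe launches of .hta files, optionally limited to one host."""
    hits: List[Dict[str, object]] = []
    for event in events:
        if host is not None and event["host"].lower() != host.lower():
            continue
        cmd = event["cmdline"]
        if not MSHTA_RE.search(cmd):
            continue
        match = HTA_ARG_RE.search(cmd)
        if not match:
            continue
        hta_path = match.group(0)
        hits.append({
            "host": event["host"],
            "cmdline": cmd,
            "hta": hta_path,
            "user_writable": bool(USER_DIR_RE.search(hta_path)),
        })
    return hits


if __name__ == "__main__":
    # The lesson's question: the mshta command on host Roberto that ends with Ps1.hta.
    for hit in find_hta_launches(TERMINAL_HISTORY, host="Roberto"):
        flag = "user-writable path" if hit["user_writable"] else "system path"
        print(f"{hit['host']}: {hit['cmdline']}  [{flag}]")
```

The host filter reproduces the lesson's single-endpoint search; calling the function without a host turns the same check into a fleet-wide sweep, with the user-writable flag separating the Desktop-dropped file from an .hta under Program Files.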

Answer Question 1


EricProd 

Answer Question 2

C:/Windows/System32/mshta.exe C:/Users/roberto/Desktop/Ps1.hta 


Threat Intelligence Feed Lesson:

Question 1:

Step 1: Follow step 1 question 1 from Log Management Lesson above.

Step 2: Click on the “Threat Intel” tab within the left panel.


Step 3: Click on the Select Filters bar.


Step 4: Set data type to “Hash”, copy the question’s hash “e1def6e8ab4b5bcb650037df234e2973” and input it into the search data by type.


Step 5: Note the “Data Source” field in the hash results; that value is the answer.

Answer Question 1

AbuseCH