You're reading from Effective Threat Investigation for SOC Analysts The ultimate guide to examining various threats and attacker techniques using security logs

Product type Paperback

Published in Aug 2023

Publisher Packt

ISBN-13 9781837634781

Length 314 pages

Edition 1st Edition

Concepts

Cybersecurity

Author (1):

Mostafa Yahia

View More author details

Table of Contents (22) Chapters

Preface

1. Part 1: Email Investigation Techniques

2. Chapter 1: Investigating Email Threats FREE CHAPTER

3. Chapter 2: Email Flow and Header Analysis

4. Part 2: Investigating Windows Threats by Using Event Logs

5. Chapter 3: Introduction to Windows Event Logs

6. Chapter 4: Tracking Accounts Login and Management

7. Chapter 5: Investigating Suspicious Process Execution Using Windows Event Logs

8. Chapter 6: Investigating PowerShell Event Logs

9. Chapter 7: Investigating Persistence and Lateral Movement Using Windows Event Logs

10. Part 3: Investigating Network Threats by Using Firewall and Proxy Logs

11. Chapter 8: Network Firewall Logs Analysis

12. Chapter 9: Investigating Cyber Threats by Using the Firewall Logs

13. Chapter 10: Web Proxy Logs Analysis

14. Chapter 11: Investigating Suspicious Outbound Communications (C&C Communications) by Using Proxy Logs

15. Part 4: Investigating Other Threats and Leveraging External Sources to Investigate Cyber Threats

16. Chapter 12: Investigating External Threats

17. Chapter 13: Investigating Network Flows and Security Solutions Alerts

18. Chapter 14: Threat Intelligence in a SOC Analyst’s Day

19. Chapter 15: Malware Sandboxing – Building a Malware Sandbox

20. Index

Why subscribe?

21. Other Books You May Enjoy

Investigating threats using Google

While Google is not a TIP, it is helpful for investigating threats artifacts such as domain names, filenames, and user agents. By enclosing the suspicious value within double quotes ("") during a search, you may get interesting search results. For example, during the investigation, you find a suspicious user agent of a web communication traffic, and after searching for it on Google, you find a threat report saying that the user agent string was used by a threat actor for its C&C communications. Similarly, you may find suspicious web communications with a web domain, which you want to investigate by using Google, and after searching, you find it doesn’t have a GUI and exists in one of the threat intelligence reports, indicating that the domain is the C&C server of a specific threat actor. See Figure 14.22:

Figure 14.22 – Investigating a suspicious domain using Google

As you can see in the preceding screenshot, by investigating the suspicious domain, hueref[.]eu, using the Google search engine, we found a threat report, tweet, and malware sandboxing report that indicate that the domain is a C&C domain.

By the end of this section, you should have learned how to investigate the threats by using the Google search engine.