Analysis | Knowledge Base

Cyber Analysis 101

To look for hashes in your environment, you should check devices using an enterprise EDR or a similar solution with visibility into each connected device. But first, it is recommended to research the hash via a reputation tool such as VirusTotal – Home.

To find IP addresses in your environment, use an enterprise SIEM solution to search. Generally, you will want to check the firewall logs. A search of the last 30 days is usually a good starting point. Again, you should do some research here using tools such as VirusTotal – Home and URL/IP Lookup | Webroot BrightCloud

To look for filenames in your environment, you should check devices using an enterprise EDR or a similar solution with visibility into each connected device. But first, it is recommended to research the hash via a tool such as IP Address Tools, Network Tools, DNS Tools | IPVoid or MX Lookup Tool – Check your DNS MX Records online – MxToolbox.

Proxy searches are most effective when searching via a user.

Knowledge Base | Tools

Axonius — Tool Overview
By

What is Axonius? Axonius is a Cyber Asset Attack Surface Management (CAASM) platform that aggregates and correlates device and user data from across the organization’s existing security and IT tools. Rather than replacing existing tools, Axonius continuously normalizes, deduplicates, and enriches aggregated asset data to provide a complete and accurate picture of the entire technology…

Read More Axonius — Tool Overview
Analysis | Concepts | Knowledge Base | Techniques | Threat Intelligence | Tools

Endpoint Analysis 101
By

Endpoint Analysis & Asset Investigation — L1 SOC Analyst Guide Overview This guide covers the initial steps for investigating endpoint alerts for the L1 Analyst onboarding. The focus is on determining whether a known malicious hash exists in the environment and identifying the affected device and its user. By the end of this section you…

Read More Endpoint Analysis 101
Analysis | Knowledge Base | Operations | Platforms | Techniques | Threat Intelligence | Tools

Standard Endpoint Investigation
By

Objective: Determine the distribution of a specific file across the environment to establish a baseline for the investigation. Exercise Note: For this instructional walkthrough, a Standard Reference MD5 Hash is utilized. This allows the Analyst to practice the workflow using a known, high-incidence file to ensure the system and parameters are responding as expected. Step…

Read More Standard Endpoint Investigation
Knowledge Base | Tools

DomainTools — Tool Overview
By

What is DomainTools? DomainTools is a domain and DNS-based cyber threat intelligence platform used by security teams to investigate suspicious domains, IP addresses, and internet infrastructure. It enables security practitioners to stop threats before they happen using internet intelligence data, detection and monitoring tools, and predictive risk scoring. For SOC analysts, DomainTools is primarily used…

Read More DomainTools — Tool Overview
Concepts | Knowledge Base

False Positive vs. True Positive
By

The distinction between a false positive and a true positive hinges on a single question: Did the tool or rule do what it was designed to do? True Positive A true positive occurs when a rule fires correctly, in accordance with its defined logic and conditions. The detection behaved exactly as intended based on how…

Read More False Positive vs. True Positive
Knowledge Base | Tools

Tanium — Tool Overview
By

What is Tanium? Tanium is an enterprise endpoint management and security platform that enables real-time visibility and control across every device in the environment. Unlike traditional security tools that rely on scheduled scans or passive data collection, Tanium queries endpoints directly and returns results in real time. For SOC analysts, this means the ability to…

Read More Tanium — Tool Overview

Similar Posts