IR Lifecycle
SOC Console - Security Onion
Status: ONLINE | Active alerts: 47 | Critical: 3 | Alerts/hour: 12
| Time | Severity | Signature | Src IP | Dst IP |
|---|---|---|---|---|
| 14:23:45 | CRITICAL | ET MALWARE Suspicious PowerShell Download | 192.168.1.50 | 185.220.101.45 |
| 14:24:12 | HIGH | ET POLICY RDP Connection to External Host | 192.168.1.50 | 203.0.113.78 |
| 14:25:03 | CRITICAL | ET EXPLOIT Mimikatz Credential Dumping | 192.168.1.50 | 192.168.1.10 |
| 14:26:47 | MEDIUM | ET SCAN Suspicious Port Scan | 192.168.1.50 | 192.168.1.0/24 |
| 14:28:19 | CRITICAL | ET MALWARE DNS Tunneling Detected | 192.168.1.50 | 8.8.8.8 |
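Added here as a worked example (not part of the original page, and not Security Onion's or pfSense's own tooling): a Python triage pass over the five alerts in the table above. The alerts are re-expressed as constructed Suricata EVE-style JSON lines (the date, the JSON layout and the numeric severities are assumptions; only the times, signatures and IPs come from the table), plus one constructed MEDIUM alert from a second host so the ranking has something to compare against. The code groups alerts by source host, maps each signature to a kill-chain stage with an assumed keyword heuristic, and ranks hosts by how much of the chain they cover, so that 192.168.1.50, which walks from PowerShell download through RDP, Mimikatz and scanning to DNS tunnelling, comes out first. The pfSense `easyrule` command and the `lan` interface name in the containment plan are assumptions about this lab's firewall.

```python
"""Triage an alert feed: parse EVE-style alert lines, group by source host,
map signatures to attack stages, and rank hosts by kill-chain coverage."""
import json
from collections import defaultdict

# Constructed records mirroring the SOC console table (date and JSON shape are
# assumed; Suricata severity 1 is the most urgent: CRITICAL=1, HIGH=2, MEDIUM=3).
EVE_LINES = [
    '{"timestamp":"2024-05-01T14:23:45","event_type":"alert","src_ip":"192.168.1.50","dest_ip":"185.220.101.45","alert":{"signature":"ET MALWARE Suspicious PowerShell Download","severity":1}}',
    '{"timestamp":"2024-05-01T14:24:12","event_type":"alert","src_ip":"192.168.1.50","dest_ip":"203.0.113.78","alert":{"signature":"ET POLICY RDP Connection to External Host","severity":2}}',
    '{"timestamp":"2024-05-01T14:25:03","event_type":"alert","src_ip":"192.168.1.50","dest_ip":"192.168.1.10","alert":{"signature":"ET EXPLOIT Mimikatz Credential Dumping","severity":1}}',
    '{"timestamp":"2024-05-01T14:26:47","event_type":"alert","src_ip":"192.168.1.50","dest_ip":"192.168.1.0/24","alert":{"signature":"ET SCAN Suspicious Port Scan","severity":3}}',
    '{"timestamp":"2024-05-01T14:28:19","event_type":"alert","src_ip":"192.168.1.50","dest_ip":"8.8.8.8","alert":{"signature":"ET MALWARE DNS Tunneling Detected","severity":1}}',
    # Constructed second host with a single scan alert, for contrast.
    '{"timestamp":"2024-05-01T14:27:00","event_type":"alert","src_ip":"192.168.1.77","dest_ip":"192.168.1.0/24","alert":{"signature":"ET SCAN Suspicious Port Scan","severity":3}}',
]

# Assumed analyst heuristic (not an Emerging Threats category), in chain order.
STAGE_ORDER = ["delivery", "remote-access", "credential-access", "discovery", "exfiltration"]
STAGE_KEYWORDS = {
    "delivery": ("download",),
    "remote-access": ("rdp",),
    "credential-access": ("mimikatz", "credential"),
    "discovery": ("scan",),
    "exfiltration": ("dns tunneling",),
}


def parse_alerts(lines):
    """Parse EVE JSON lines, keeping only alert events, oldest first."""
    alerts = []
    for line in lines:
        rec = json.loads(line)
        if rec.get("event_type") != "alert":
            continue
        alerts.append({"ts": rec["timestamp"], "src": rec["src_ip"], "dst": rec["dest_ip"],
                       "sig": rec["alert"]["signature"], "sev": int(rec["alert"]["severity"])})
    return sorted(alerts, key=lambda a: a["ts"])


def classify_stage(signature):
    """Map a signature name to a stage, or 'unknown' when no keyword matches."""
    name = signature.lower()
    for stage in STAGE_ORDER:
        if any(k in name for k in STAGE_KEYWORDS[stage]):
            return stage
    return "unknown"


def triage(alerts):
    """Per-host summary, ranked by distinct stages seen plus one per severity-1
    alert: a host that covered delivery through exfiltration outranks one that
    tripped a single noisy rule many times."""
    hosts = defaultdict(lambda: {"alerts": 0, "critical": 0, "stages": set(), "external": set()})
    for a in alerts:
        h = hosts[a["src"]]
        h["alerts"] += 1
        h["critical"] += int(a["sev"] == 1)
        h["stages"].add(classify_stage(a["sig"]))
        if not a["dst"].startswith("192.168."):   # lab's RFC 1918 range, per the table
            h["external"].add(a["dst"])
    ranked = []
    for src, h in hosts.items():
        stages = [s for s in STAGE_ORDER if s in h["stages"]]
        ranked.append({"src": src, "alerts": h["alerts"], "critical": h["critical"],
                       "stages": stages, "external": sorted(h["external"]),
                       "score": len(stages) + h["critical"]})
    return sorted(ranked, key=lambda r: r["score"], reverse=True)


def containment_plan(summary, threshold=3):
    """Containment steps for one host. Isolation uses pfSense's easyrule helper
    ('lan' interface name is assumed). External contacts are returned for
    review, not blocked blindly: the DNS tunnel's hop is a public resolver,
    so blocking 8.8.8.8 would not stop the tunnel (the domain would).
    Below the threshold the plan is empty: isolating on one MEDIUM scan alert
    would be a false-positive-driven outage."""
    if summary["score"] < threshold:
        return {"commands": [], "external_contacts": []}
    return {"commands": [f"easyrule block lan {summary['src']}"],
            "external_contacts": list(summary["external"])}


if __name__ == "__main__":
    ranked = triage(parse_alerts(EVE_LINES))
    for r in ranked:
        print(f"{r['src']}: score={r['score']} critical={r['critical']} "
              f"stages={' -> '.join(r['stages'])}")
    print(containment_plan(ranked[0]))
```

The score deliberately rewards breadth of stages over raw alert volume; in a real feed the keyword map would be replaced by rule metadata (ET rules carry classtype and, increasingly, MITRE tags), and the threshold would be tuned against the host's role before the containment console acts on it.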
Analyst Terminal
Status: READY. Forensic Investigation Terminal connected to WKS-192.168.1.50; prompt: analyst@forensics:~$
Containment Console
Status: STANDBY. Network Containment Console for pfSense v2.6.0 with full administrative privileges; prompt: root@firewall:~#
Communications
Status: DRAFTS
- Draft Incident Notification:
- Lessons Learned Documentation: