Step 1: I took ownership of the alert to ensure clear accountability throughout the investigation.

Step 2: I created a case for the alert on the investigation channel to centralize all relevant information.

Step 3: I started the incident response playbook to guide my investigation.

Step 4: From the "Log Management" tab, I determined that the source IP is external.

Step 5: I checked the reputation of the source IP address on the following threat intelligence platforms:

Letsdefend TI

Based on the findings from these sources, I confirmed that the source IP address is malicious.

Step 6: I proceeded to traffic analysis.

I observed that port 3389 (RDP) on the destination host was under attack. Reviewing the raw logs, I identified Event ID 4625, which is the Windows event for a failed account logon.

Upon further investigation, I found that only one destination IP (the host belonging to "Matthew") was attacked, so my answer to the playbook question at this step is no.

Step 7: I continued analyzing the logs.

The entries were all failed logon attempts (Event ID 4625). I then found one successful logon from the same source, which confirmed that the brute-force attack had succeeded.
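As an added example that is not part of the original write-up, the following Python reproduces the triage logic of Steps 6 and 7 over constructed sample events: it counts Event ID 4625 failures per source IP and host, and flags a later Event ID 4624 success from the same source as a confirmed brute-force compromise. The event tuple layout, timestamps, account names and the 10-failure threshold are assumptions.

```python
# Added example, not code from the original write-up. It reproduces the triage
# logic of Steps 6 and 7: group Windows logon events by (source IP, host), count
# Event ID 4625 failures, and flag a 4624 success that arrives after a run of
# failures from the same source as a confirmed brute-force compromise.
from collections import defaultdict

ATTACKER = "218.92.0.56"   # source IP named in the write-up
VICTIM = "Matthew"         # target host named in the write-up

# Constructed sample events: (timestamp, event_id, source_ip, host, account).
# 14 failed logons from the attacker, then one success; plus two unrelated
# failures from an internal address that should stay below the threshold.
SAMPLE_EVENTS = [
    (f"2024-01-01T10:00:{i:02d}", 4625, ATTACKER, VICTIM, "administrator")
    for i in range(14)
] + [
    ("2024-01-01T10:00:14", 4624, ATTACKER, VICTIM, "matthew"),
    ("2024-01-01T10:00:20", 4625, "10.0.0.5", VICTIM, "matthew"),
    ("2024-01-01T10:00:21", 4625, "10.0.0.5", VICTIM, "matthew"),
]


def detect_rdp_brute_force(events, threshold=10):
    """Return {(source_ip, host): finding} for every source that produced at
    least `threshold` 4625 events against a host. A finding carries the failure
    count, the account and time of a subsequent 4624 (if any), and a verdict."""
    failures = defaultdict(int)
    findings = {}
    for ts, event_id, src, host, account in sorted(events):  # chronological order
        key = (src, host)
        if event_id == 4625:
            failures[key] += 1
        elif event_id == 4624 and failures[key] >= threshold and key not in findings:
            # A success only counts as compromise if it follows the failure run.
            findings[key] = {
                "failed_attempts": failures[key],
                "success_at": ts,
                "account": account,
                "verdict": "confirmed compromise",
            }
    # Sources that crossed the threshold but never logged on successfully.
    for key, count in failures.items():
        if count >= threshold and key not in findings:
            findings[key] = {"failed_attempts": count, "success_at": None,
                             "account": None,
                             "verdict": "brute force attempted, no success observed"}
    return findings
```

Running `detect_rdp_brute_force(SAMPLE_EVENTS)` reports the attacker-to-Matthew pair with 14 failures and a confirmed compromise, while the two internal failures never reach the threshold and are not reported.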
Step 8: I determined that the compromised device had to be isolated immediately, since it posed a risk to the rest of the network.

Step 9: Containment was executed successfully; the device is now isolated.

Step 11: I documented my findings in the analyst notes:

The attack was targeted at Matthew's machine via RDP from IP 218[.]92[.]0[.]56 using a brute-force method. Logs confirmed 14 failed logon attempts followed by a successful logon to the "Matthew" host, making this a confirmed compromise. Containment was performed to prevent further spread of damage.

Step 12: I finished the playbook.

Step 13: I closed the alert.