Investigation Guide

A guide to investigating SIEM alerts in an environment where centralized logging is in place.

First Steps: Information Gathering

  1. Check the alert information. Which rule fired? Which process triggered it, and what is its parent process?

Analysis of Basic Info

  1. If the rule's title doesn't make clear what it detects, read the query behind it. If the alert looks wrong, confirm that the log event actually matches that query. If it does not, the alert is a detection problem (a broken or overly broad SIEM query, or a field name that has drifted) rather than host activity, and the rule needs fixing.
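As an added example (not from the original guide), the check below evaluates a rule query against the event that fired it and reports exactly which terms fail. The query language is a deliberately tiny, hypothetical one (AND of field:value terms, case-insensitive, with a trailing or leading `*` wildcard, no spaces in values) loosely modelled on Lucene/KQL; the rule query and the two sample events are constructed for the illustration.

```python
"""Check that the event behind an alert really matches the rule query.

Query syntax (assumed for this example, not any real SIEM's):
    field:value field2:value2 ...
All terms must match (AND). Comparison is case-insensitive and '*' is a
wildcard; values may not contain whitespace.
"""
import fnmatch
from typing import Dict, List, Optional, Tuple


def parse_query(query: str) -> List[Tuple[str, str]]:
    """Split 'field:value' tokens into (field, pattern) pairs."""
    terms = []
    for token in query.split():
        field, sep, value = token.partition(":")
        if not sep or not field or not value:
            raise ValueError(f"malformed term: {token!r}")
        terms.append((field, value.strip('"')))
    return terms


def explain_mismatch(query: str, event: Dict[str, str]) -> List[Tuple[str, str, Optional[str]]]:
    """Return (field, expected_pattern, actual_value) for every failing term.

    actual_value is None when the event has no such field, which usually means
    the log source does not populate the field the rule expects.
    """
    failures = []
    for field, pattern in parse_query(query):
        actual = event.get(field)
        if actual is None or not fnmatch.fnmatchcase(actual.lower(), pattern.lower()):
            failures.append((field, pattern, actual))
    return failures


def event_matches(query: str, event: Dict[str, str]) -> bool:
    return not explain_mismatch(query, event)


# Constructed rule and events (not real detections or logs).
RULE_QUERY = "process.name:update.exe parent.name:powershell.exe"

# Event A: field names and values line up with the rule (case differs only).
EVENT_A = {"host.name": "WS-0117", "process.name": "Update.exe",
           "parent.name": "PowerShell.exe"}

# Event B: shipped by an agent that logs the image path under a different
# field, so the rule's process.name term can never match it.
EVENT_B = {"host.name": "WS-0117",
           "image": r"C:\Users\jdoe\AppData\Local\Temp\update.exe",
           "parent.name": "explorer.exe"}


if __name__ == "__main__":
    for name, event in (("A", EVENT_A), ("B", EVENT_B)):
        print(name, "matches" if event_matches(RULE_QUERY, event) else
              f"does NOT match: {explain_mismatch(RULE_QUERY, event)}")
```

A mismatch with `actual_value` of `None` points at a field-mapping problem in the log pipeline rather than at the host; a mismatch with a real value usually means the alert was raised by a different, broader condition than the one you are reading.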

Verify Processes

  1. If a process has a file associated with it (for example update.exe), compute the file's hash and look it up in a service such as VirusTotal. Submit the hash rather than uploading the file, since an upload can expose sensitive data and can tip off an attacker watching for their sample to appear. Treat a clean result as inconclusive: a hash nobody has seen before is not evidence of legitimacy.

  2. If a process has a working directory or image path, confirm that it is where that software is expected to run from. For example, for a Chrome installation, vendor documentation or a test install (preferably on a virtual machine built for testing) will show where Chrome installs and where its updater runs from.

Paring Down

Investigations can start broad. A good starting point is the hostname of the device on which the activity occurred: even if lateral movement has taken place, suspicious activity on a single host is a solid indicator of compromise and gives you a bounded set of events to work from. Then narrow the search query step by step to more specific fields as you home in on suspicious activity (or confirm its absence). A suggested investigation path is:

  1. Filter by hostname(s)

  2. Filter out automatic or familiar processes

  3. Filter for username(s)

  4. Filter for unfamiliar or suspicious processes
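The four steps above as one funnel over constructed process-creation telemetry, added here as an example rather than taken from the guide. The sample events, the baseline of familiar processes and the two suspicion heuristics (an unfamiliar binary running from a user-writable path; a script host spawned by an Office application) are assumptions made for the illustration, not a recommended detection rule.

```python
"""Paring down: host -> drop familiar processes -> user -> suspicious processes.

Everything below (events, baseline, heuristics) is constructed for the example.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set


@dataclass(frozen=True)
class ProcEvent:
    host: str
    user: str
    process: str   # image file name, lower-case
    parent: str    # parent image file name, lower-case
    path: str      # full image path as logged


# Constructed process-creation events (not real logs).
EVENTS: List[ProcEvent] = [
    ProcEvent("WS-0117", "jdoe", "chrome.exe", "explorer.exe",
              r"C:\Program Files\Google\Chrome\Application\chrome.exe"),
    ProcEvent("WS-0117", "jdoe", "svchost.exe", "services.exe",
              r"C:\Windows\System32\svchost.exe"),
    ProcEvent("WS-0117", "jdoe", "winword.exe", "explorer.exe",
              r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"),
    ProcEvent("WS-0117", "jdoe", "powershell.exe", "winword.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    ProcEvent("WS-0117", "jdoe", "update.exe", "powershell.exe",
              r"C:\Users\jdoe\AppData\Local\Temp\update.exe"),
    ProcEvent("WS-0117", "SYSTEM", "msmpeng.exe", "services.exe",
              r"C:\Program Files\Windows Defender\MsMpEng.exe"),
    ProcEvent("WS-0203", "asmith", "update.exe", "explorer.exe",
              r"C:\Users\asmith\AppData\Local\Temp\update.exe"),
    ProcEvent("SRV-DC01", "SYSTEM", "lsass.exe", "wininit.exe",
              r"C:\Windows\System32\lsass.exe"),
]

# Assumed baseline of processes this environment sees all day (step 2).
FAMILIAR: Set[str] = {"svchost.exe", "services.exe", "explorer.exe", "lsass.exe",
                      "wininit.exe", "chrome.exe", "winword.exe", "msmpeng.exe"}
# Assumed heuristics for step 4.
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\programdata\\")  # commonly user-writable


def by_host(events: Iterable[ProcEvent], hosts: Set[str]) -> List[ProcEvent]:
    return [e for e in events if e.host in hosts]


def drop_familiar(events: Iterable[ProcEvent], familiar: Set[str] = FAMILIAR) -> List[ProcEvent]:
    return [e for e in events if e.process not in familiar]


def by_user(events: Iterable[ProcEvent], users: Set[str]) -> List[ProcEvent]:
    return [e for e in events if e.user in users]


def is_suspicious(e: ProcEvent) -> bool:
    unfamiliar_from_writable = (e.process not in FAMILIAR and
                                any(m in e.path.lower() for m in USER_WRITABLE))
    office_spawned_script = e.process in SCRIPT_HOSTS and e.parent in OFFICE_APPS
    return unfamiliar_from_writable or office_spawned_script


def funnel(events: Iterable[ProcEvent], hosts: Set[str],
           users: Optional[Set[str]] = None) -> List[List[ProcEvent]]:
    """Return the surviving events after each of the four steps, in order."""
    stages = [by_host(events, hosts)]
    stages.append(drop_familiar(stages[-1]))
    stages.append(by_user(stages[-1], users) if users else stages[-1])
    stages.append([e for e in stages[-1] if is_suspicious(e)])
    return stages


def investigate(events: Iterable[ProcEvent], hosts: Set[str],
                users: Optional[Set[str]] = None) -> List[ProcEvent]:
    return funnel(events, hosts, users)[-1]


if __name__ == "__main__":
    for step, survivors in zip(("host", "drop familiar", "user", "suspicious"),
                               funnel(EVENTS, {"WS-0117"}, {"jdoe"})):
        print(f"{step:14} {len(survivors):3} event(s)")
    for e in investigate(EVENTS, {"WS-0117"}, {"jdoe"}):
        print(f"  {e.parent} -> {e.process}  ({e.path})")
```

Once step 4 gives you a pivot (here powershell.exe spawned by winword.exe, which then drops update.exe into Temp), go back and re-add the familiar processes you filtered out in step 2: the parent and sibling processes you discarded are the context that turns an odd event into a chain.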
