Effective Threat Investigation for SOC Analysts PDF Free Download | 2025

Security Operations Center (SOC) Teams Objective: To outline key methodologies, data sources, and best practices for conducting efficient and accurate threat investigations.

| Phase | Action | Key Question |
| :--- | :--- | :--- |
| | Validate alert severity & false positives | Is this a real incident or noise? |
| Scope | Identify affected hosts, users, & time range | What is the blast radius? |
| Hunt | Query raw logs, EDR, and network data | What did the attacker do before/after? |
| Correlate | Map activity to MITRE ATT&CK techniques | What is the TTP (Tactics, Techniques, Procedures)? |
| Contain | Isolate systems, revoke tokens, block IOCs | How do we stop spread now? |
| Remediate | Remove malware, patch, reset credentials | How do we return to a safe state? |

Unfortunately, I couldn't find a direct link to a free PDF download on effective threat investigation for SOC analysts. However, I can suggest some alternatives: