MDR Platform Investigation Workflow
This demonstration walks through the initial stages of a security investigation using an MDR (Managed Detection and Response) platform that functions as an advanced SIEM. The platform ingests logs from multiple sources including Windows and Linux endpoints, cloud providers like Azure and AWS, and network appliances via syslog. The session emphasizes the critical importance of documentation during investigations, showing how analysts use investigation managers to create case files, timestamp findings, and maintain detailed notes that allow others to reconstruct the investigation process. The instructor stresses that thorough documentation is essential not just for compliance and potential legal proceedings, but for ensuring no investigative angles are left unexplored.
Analyzing System Enumeration Alerts
The demonstration focuses on triaging a specific alert for system enumeration detection: the execution of ipconfig.exe from an administrator account. The analysis shows that such an alert is likely not reconnaissance against a public-facing asset, but rather a sign of an attacker who has already breached internal defenses and is now mapping the internal network. The instructor explains how to examine alert details, including file authenticity, integrity level, and execution context, to determine whether legitimate Microsoft binaries are being used in a living-off-the-land attack. Key investigative techniques include pivoting on logon IDs and terminal session IDs to identify related activity within the same session, while being mindful of the volume of logs generated by servers when setting time windows for the investigation.
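The pivot described above, as an added example that is not part of the original demonstration or the MDR platform's own code: starting from an ipconfig.exe alert, collect every process-creation event that shares the alert's host, logon ID and terminal session within a bounded time window, then summarize what else ran in that session (other living-off-the-land binaries, unsigned files, elevated integrity). The field names loosely follow Windows event 4688 conventions, but the event records, hostnames, users and logon IDs are all constructed for this example, and the LOLBIN list is an illustrative assumption rather than a complete catalogue.

```python
"""Pivot on logon/session IDs across constructed Windows process-creation events.

Added example, not from the MDR platform demonstration. The EVENTS below are
constructed sample records; the LOLBINS set is an illustrative assumption.
"""
from datetime import datetime, timedelta

# Constructed sample of process-creation events (not real telemetry).
EVENTS = [
    {"ts": "2024-05-01T09:00:00", "host": "SRV01", "user": "CORP\\svc_backup",
     "logon_id": "0x3e7", "session": 0, "proc": "C:\\Windows\\System32\\svchost.exe",
     "signed": True, "integrity": "System", "parent": "services.exe"},
    {"ts": "2024-05-01T10:15:02", "host": "SRV01", "user": "CORP\\admin.jdoe",
     "logon_id": "0x5a1b2", "session": 2, "proc": "C:\\Windows\\System32\\cmd.exe",
     "signed": True, "integrity": "High", "parent": "explorer.exe"},
    {"ts": "2024-05-01T10:15:09", "host": "SRV01", "user": "CORP\\admin.jdoe",
     "logon_id": "0x5a1b2", "session": 2, "proc": "C:\\Windows\\System32\\ipconfig.exe",
     "signed": True, "integrity": "High", "parent": "cmd.exe"},
    {"ts": "2024-05-01T10:15:31", "host": "SRV01", "user": "CORP\\admin.jdoe",
     "logon_id": "0x5a1b2", "session": 2, "proc": "C:\\Windows\\System32\\whoami.exe",
     "signed": True, "integrity": "High", "parent": "cmd.exe"},
    {"ts": "2024-05-01T10:16:05", "host": "SRV01", "user": "CORP\\admin.jdoe",
     "logon_id": "0x5a1b2", "session": 2, "proc": "C:\\Windows\\System32\\net.exe",
     "signed": True, "integrity": "High", "parent": "cmd.exe"},
    {"ts": "2024-05-01T10:17:00", "host": "SRV01", "user": "CORP\\admin.jdoe",
     "logon_id": "0x5a1b2", "session": 2, "proc": "C:\\Users\\Public\\update.exe",
     "signed": False, "integrity": "High", "parent": "cmd.exe"},
    # Same logon/session but outside a 30-minute window around the alert.
    {"ts": "2024-05-01T10:50:00", "host": "SRV01", "user": "CORP\\admin.jdoe",
     "logon_id": "0x5a1b2", "session": 2, "proc": "C:\\Windows\\System32\\notepad.exe",
     "signed": True, "integrity": "High", "parent": "explorer.exe"},
    # Same binary, different logon ID: a service account, not the pivot session.
    {"ts": "2024-05-01T10:15:20", "host": "SRV01", "user": "CORP\\svc_backup",
     "logon_id": "0x3e7", "session": 0, "proc": "C:\\Windows\\System32\\ipconfig.exe",
     "signed": True, "integrity": "System", "parent": "svchost.exe"},
    # Same logon ID value on another host: logon IDs are per host, so excluded.
    {"ts": "2024-05-01T10:15:40", "host": "SRV02", "user": "CORP\\admin.jdoe",
     "logon_id": "0x5a1b2", "session": 2, "proc": "C:\\Windows\\System32\\cmd.exe",
     "signed": True, "integrity": "High", "parent": "explorer.exe"},
]

# Illustrative set of discovery-style Microsoft binaries (assumption, not exhaustive).
LOLBINS = {"ipconfig.exe", "whoami.exe", "net.exe", "nltest.exe",
           "systeminfo.exe", "arp.exe", "nslookup.exe"}

# The triggering alert for this walk-through: ipconfig.exe from the admin account.
ALERT = EVENTS[2]


def parse_ts(value):
    return datetime.fromisoformat(value)


def basename(path):
    """Last path component, lower-cased, so 'C:\\...\\IPCONFIG.EXE' matches the set."""
    return path.rsplit("\\", 1)[-1].lower()


def pivot_session(events, alert, window_minutes=30):
    """Events on the alert's host sharing its logon ID and terminal session,
    restricted to +/- window_minutes around the alert. The window keeps the
    result manageable on busy servers; widen it deliberately if needed."""
    t0 = parse_ts(alert["ts"])
    lo, hi = t0 - timedelta(minutes=window_minutes), t0 + timedelta(minutes=window_minutes)
    related = [e for e in events
               if e["host"] == alert["host"]
               and e["logon_id"] == alert["logon_id"]
               and e["session"] == alert["session"]
               and lo <= parse_ts(e["ts"]) <= hi]
    return sorted(related, key=lambda e: parse_ts(e["ts"]))


def assess_session(related):
    """Summarize the pivoted session: which discovery binaries ran, whether any
    unsigned executables appeared, whether the context was elevated, and how
    long the observed activity spanned."""
    names = [basename(e["proc"]) for e in related]
    span = 0
    if related:
        span = int((parse_ts(related[-1]["ts"]) - parse_ts(related[0]["ts"])).total_seconds())
    return {
        "lolbins": [n for n in names if n in LOLBINS],
        "unsigned": [basename(e["proc"]) for e in related if not e["signed"]],
        "elevated": any(e["integrity"] == "High" for e in related),
        "count": len(related),
        "span_seconds": span,
    }


if __name__ == "__main__":
    session = pivot_session(EVENTS, ALERT)
    for e in session:
        print(e["ts"], e["user"], basename(e["proc"]), "parent=" + e["parent"])
    print(assess_session(session))
```

The pivot keys on host, logon ID and session together because a logon ID is only meaningful on the host that issued it, and the time window is an explicit parameter so the analyst can start narrow on a chatty server and widen it on purpose rather than by accident.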