Malware Incident Investigation
This scenario covers a malware detection alert end to end: log search, false-positive verification, host isolation, and user account containment.
Scenario
An endpoint protection solution generates an alert reporting malware activity on a workstation. The SIEM forwards the alert to Energy SOAR with the affected hostname, process name, and file hash as observables.
Create the case
Open Alerts and locate the alert. Click Preview, review the Similar cases tab, then select the Malware template from the Import alert as dropdown and click Yes, Import.
The case is created with the following tasks:

| Task | Group | Action |
|---|---|---|
| Search logs | Identification | Search SIEM logs for the affected host: process execution, network connections, and file activity in a window around the event time. Record the parent process, destination IPs or domains, and any dropped files as candidate observables. |
| Check if the malware is a false positive | Verification | Run analyzers on the file hash observable. Compare the detection against threat intelligence sources to confirm the verdict; a single vendor detection with no corroboration warrants manual review rather than an immediate True Positive. |
| Disable affected user accounts | Containment | Suspend the accounts of all users logged in to the infected host at the time of the event, including service accounts with network logons, to prevent lateral movement. |
| Isolate infected host | Containment | Remove the host from the network. Use the Run Responder action on the hostname observable to trigger an automated isolation responder if configured. Keep the host powered on so volatile evidence (memory, running processes, network state) can still be collected. |
| Before closing the case | Enrichment | Tag confirmed IOCs with Is IOC, map TTPs in the TTPs tab, and attach forensic artefacts to the case. |
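The first and third tasks (Search logs, Disable affected user accounts) are where an analyst spends most of the time, so here is an added example of a small triage helper for them. It is not part of Energy SOAR or the SIEM; it assumes the SIEM can export events as one JSON object per line with the field names used below (`ts`, `host`, `event_type`, `user`, `process`, `sha256`, `dst_ip`), which you would adapt to your own schema. The log lines are constructed for the example.

```python
"""Triage helper for the Search logs and Disable affected user accounts tasks.

Added example, not Energy SOAR code. Assumes a JSON-lines SIEM export with the
fields used below; the sample events are constructed for illustration.
"""
import json
from datetime import datetime, timedelta

# Constructed sample export: events around a detection on workstation WS-042.
# The raw string keeps the JSON backslash escapes intact for json.loads().
SAMPLE_LOGS = r"""
{"ts": "2024-05-01T10:00:05Z", "host": "WS-042", "event_type": "logon", "user": "jdoe", "logon_type": 2}
{"ts": "2024-05-01T10:01:00Z", "host": "WS-042", "event_type": "logon", "user": "svc_backup", "logon_type": 3}
{"ts": "2024-05-01T10:14:30Z", "host": "WS-042", "event_type": "process", "process": "invoice.pdf.exe", "parent": "outlook.exe", "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", "user": "jdoe"}
{"ts": "2024-05-01T10:14:32Z", "host": "WS-042", "event_type": "network", "process": "invoice.pdf.exe", "dst_ip": "203.0.113.45", "dst_port": 443, "user": "jdoe"}
{"ts": "2024-05-01T10:14:40Z", "host": "WS-042", "event_type": "file", "process": "invoice.pdf.exe", "path": "C:\\Users\\jdoe\\AppData\\Roaming\\upd.dll", "action": "create"}
{"ts": "2024-05-01T10:20:00Z", "host": "WS-042", "event_type": "logoff", "user": "svc_backup"}
{"ts": "2024-05-01T10:30:00Z", "host": "WS-099", "event_type": "process", "process": "chrome.exe", "user": "asmith"}
{"ts": "2024-05-01T12:00:00Z", "host": "WS-042", "event_type": "process", "process": "notepad.exe", "user": "jdoe"}
"""


def parse_events(text):
    """Parse a JSON-lines export into a list of event dicts."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp; the 'Z' suffix is normalised for older Pythons."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def events_around(events, host, event_time, window=timedelta(minutes=15)):
    """Return the host's process, network and file events within +/- window of the alert."""
    lo, hi = event_time - window, event_time + window
    groups = {"process": [], "network": [], "file": []}
    for event in events:
        if event["host"] != host or event["event_type"] not in groups:
            continue
        if lo <= parse_ts(event["ts"]) <= hi:
            groups[event["event_type"]].append(event)
    return groups


def users_logged_in(events, host, event_time):
    """Accounts with a logon on the host at or before event_time and no logoff before it.

    Service accounts with network logons (logon_type 3) are included on purpose:
    they are exactly the credentials an attacker on the host can reuse.
    """
    host_events = sorted((e for e in events if e["host"] == host), key=lambda e: parse_ts(e["ts"]))
    active = {}
    for event in host_events:
        if parse_ts(event["ts"]) > event_time:
            break
        if event["event_type"] == "logon":
            active[event["user"]] = event["ts"]
        elif event["event_type"] == "logoff":
            active.pop(event["user"], None)
    return sorted(active)


def candidate_observables(groups):
    """Collect (type, value) pairs to add on the Observables tab from the grouped events."""
    found = set()
    for event in groups["process"]:
        found.add(("filename", event["process"]))
        if event.get("sha256"):
            found.add(("hash", event["sha256"]))
    for event in groups["network"]:
        found.add(("ip", event["dst_ip"]))
    return sorted(found)


if __name__ == "__main__":
    alert_time = parse_ts("2024-05-01T10:14:30Z")
    evts = parse_events(SAMPLE_LOGS)
    grouped = events_around(evts, "WS-042", alert_time)
    for kind, items in grouped.items():
        print(f"{kind}: {len(items)} event(s)")
    print("users to suspend:", users_logged_in(evts, "WS-042", alert_time))
    print("observables:", candidate_observables(grouped))
```

Note that `svc_backup` is reported even though it logged off a few minutes after the event: the containment task is about who held a session when the malware ran, not who is logged in now. The `notepad.exe` execution two hours later and the unrelated WS-099 event fall outside the window and are dropped.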
Add observables and run analyzers
Open the Observables tab and click Add Observable. Add the file hash (type hash), the affected hostname (type hostname), and any C2 IP addresses (type ip) or domains (type domain) observed in the logs. Select the hash observable, click Run Analyzers, and run the configured threat intelligence analyzers to confirm whether the file is malicious.
Close the case
After all tasks are complete, click Close case. Select True Positive if malware was confirmed, or False Positive if the verification task cleared the file. Set Impact to Yes if data was exfiltrated or systems were compromised, or No if containment stopped the infection before any damage. Enter a Summary describing the verdict, the actions taken, and the IOCs tagged, then click Close case.