Unauthorized Access Investigation
This scenario covers a privileged account used outside expected patterns: PAM log correlation, administrator verification, and account containment.
Scenario
A PAM system or SIEM generates an alert for a privileged account login from an unexpected source, time, or location. The alert arrives in Energy SOAR with the account name, source IP address, and timestamp as observables.
Create the case
Open Alerts and locate the alert. Click Preview, check the Similar cases tab, then select the Unauthorized Access template from the Import alert as dropdown and click Yes, Import.
The case is created with the following tasks:
| Task | Group | Action |
|---|---|---|
| Search logs | Identification | Search PAM and SIEM logs for the account: all login events, commands run, and resources accessed during the session. |
| Disable affected user accounts | Containment | Suspend the privileged account immediately if the login cannot be attributed to a known administrator or scheduled process. Reset the account credentials after investigation. |
| Before closing the case | Enrichment | Record findings, update TTPs, and tag the source IP as an IOC if confirmed malicious. |
For cases with a confirmed attack, consider also opening a Privileged access case to run the extended four-task playbook that includes PAM log correlation, administrator verification, communication to security teams, and correlation rule updates.
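The Search logs task above is the part of this playbook that is usually scripted rather than clicked through. The following is an added example of that correlation step; it is not Energy SOAR code and does not call the Energy SOAR API. It assumes a constructed JSON-lines PAM log format (fields `ts`, `account`, `src`, `event`, `detail`), a hypothetical baseline of allowed administrator networks and working hours, and the sample log lines embedded in it, all of which are made up for illustration. For the account under investigation it reconstructs each session (login, commands run, resources accessed, logout), marks sessions whose login falls outside the baseline, and emits the same observable types the alert carries and the Observables step adds later: the source IP (type ip), the account name (type other), and the login timestamp.

```python
"""Correlate PAM session logs for a privileged account against an expected-use
baseline. Added example for the 'Search logs' task; it is not Energy SOAR code
and does not call the Energy SOAR API. Log format, field names, the baseline
values and the sample lines below are all constructed for illustration."""
from __future__ import annotations

import ipaddress
import json
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed baseline: where and when this account is normally used.
# (Hypothetical values; a real deployment would load these from the PAM policy.)
BASELINE = {
    "allowed_networks": [ipaddress.ip_network("10.20.0.0/16")],  # admin jump hosts
    "allowed_hours_utc": range(7, 19),                           # 07:00-18:59 UTC
}

# Constructed sample PAM log lines (one JSON object per line), not real data.
SAMPLE_LOG = """\
{"ts":"2024-05-06T09:12:03Z","account":"svc_dbadmin","src":"10.20.4.15","event":"login","detail":"session 4401"}
{"ts":"2024-05-06T09:13:40Z","account":"svc_dbadmin","src":"10.20.4.15","event":"command","detail":"SHOW DATABASES"}
{"ts":"2024-05-06T09:40:00Z","account":"svc_dbadmin","src":"10.20.4.15","event":"logout","detail":"session 4401"}
{"ts":"2024-05-07T02:31:18Z","account":"svc_dbadmin","src":"198.51.100.77","event":"login","detail":"session 4502"}
{"ts":"2024-05-07T02:32:05Z","account":"svc_dbadmin","src":"198.51.100.77","event":"command","detail":"SELECT * FROM customers"}
{"ts":"2024-05-07T02:33:10Z","account":"svc_dbadmin","src":"198.51.100.77","event":"access","detail":"file:/backup/customers.dump"}
{"ts":"2024-05-07T02:35:00Z","account":"svc_dbadmin","src":"198.51.100.77","event":"logout","detail":"session 4502"}
{"ts":"2024-05-07T10:00:00Z","account":"ops_reader","src":"10.20.4.20","event":"login","detail":"session 4510"}
"""


@dataclass
class Event:
    ts: datetime
    account: str
    src: ipaddress.IPv4Address | ipaddress.IPv6Address
    event: str
    detail: str


def parse_log(text: str) -> list[Event]:
    """Parse the constructed JSON-lines format into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        events.append(Event(
            ts=datetime.fromisoformat(rec["ts"].replace("Z", "+00:00")),
            account=rec["account"],
            src=ipaddress.ip_address(rec["src"]),
            event=rec["event"],
            detail=rec["detail"],
        ))
    return events


def deviations(ev: Event, baseline=BASELINE) -> list[str]:
    """Reasons a login falls outside the expected pattern (empty list if none)."""
    reasons = []
    if not any(ev.src in net for net in baseline["allowed_networks"]):
        reasons.append(f"source {ev.src} not in allowed admin networks")
    if ev.ts.astimezone(timezone.utc).hour not in baseline["allowed_hours_utc"]:
        reasons.append(f"login at {ev.ts.isoformat()} is outside allowed hours")
    return reasons


def investigate(account: str, events: list[Event]) -> dict:
    """Build the timeline the 'Search logs' task asks for: every login for the
    account, the commands run and resources accessed in each session, and the
    observables (source IP, account name, timestamp) for each login that
    deviates from the baseline."""
    mine = [e for e in events if e.account == account]
    sessions, current = [], None
    for e in mine:
        if e.event == "login":
            current = {"start": e.ts, "src": str(e.src), "commands": [],
                       "resources": [], "deviations": deviations(e)}
            sessions.append(current)
        elif current is None:
            continue  # activity with no preceding login in this log: skip it
        elif e.event == "command":
            current["commands"].append(e.detail)
        elif e.event == "access":
            current["resources"].append(e.detail)
        elif e.event == "logout":
            current["end"] = e.ts
            current = None
    flagged = [s for s in sessions if s["deviations"]]
    observables = [{"ip": s["src"], "other": account, "ts": s["start"].isoformat()}
                   for s in flagged]
    return {"account": account, "sessions": sessions,
            "flagged": flagged, "observables": observables}


if __name__ == "__main__":
    result = investigate("svc_dbadmin", parse_log(SAMPLE_LOG))
    for s in result["flagged"]:
        print(s["start"], s["src"], "; ".join(s["deviations"]))
        print("  commands:", s["commands"])
        print("  resources:", s["resources"])
```

Running it flags the second `svc_dbadmin` session (off-hours login from a source outside the admin networks) and lists what that session did, which is the material to paste into the Search logs task before deciding whether the Containment task applies. Keying the baseline on both source network and time of day matters: a login from a trusted jump host at 02:30 is still worth a look, and the `deviations` list keeps each reason separate so the case notes can say which one fired.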
Add observables and run analyzers
Open the Observables tab and click Add Observable. Add the source IP address (type ip) and the account name (type other). Select the IP observable, click Run Analyzers, and run GeoIP and threat intelligence analyzers to determine whether the source is known malicious infrastructure.
Close the case
After all tasks are complete, click Close case. Select True Positive if the access was confirmed unauthorized. Set Impact to Yes if the account was used to read, modify, or exfiltrate data. Enter a Summary and click Close case.