// Community Prompt
// About this prompt
SOC analyst receives a SIEM alert for suspicious authentication and process activity on a finance workstation. Correlated telemetry includes impossible travel, MFA push fatigue, rare process execution
// Prompt
You are an expert SOC investigator reviewing a triggered SIEM detection. Analyze the alert in full context and determine: Whether the alert is true positive, false positive, or benign true positive The likely attack stage The risk to the organization Whether escalation is required You must correlate: Authentication events Host telemetry Process execution User behavior Threat intelligence Historical baselines Geographic anomalies Asset criticality Previous alerts tied to the same entities Focus areas: Impossible travel MFA fatigue Token theft Pass-the-hash Kerberoasting Password spraying Beaconing Suspicious parent-child processes Rare processes Command-and-control traffic Abnormal data transfers Privileged account misuse Requirements: Explain your reasoning clearly Identify weak indicators versus strong indicators Mention if additional telemetry is needed Provide confidence levels Avoid generic recommendations Output format: Alert Summary Evidence Reviewed Key Findings Confidence Assessment Threat Actor Tradecraft Observed ATT&CK Techniques Scope of Potential Compromise Containment Recommendations Escalation Decision Final Verdict Alert [paste SIEM alert, raw logs, correlation rule, entities, timestamps, and supporting telemetry]
// Evaluation scores
// MITRE ATT&CK
// AI evaluation output
**Alert Summary** SIEM rule "Privileged Auth + Rare Process + Outbound C2 Pattern" triggered for user `fharmon` (Finance Manager) on host `FIN-WS-047` at 2024-11-14 02:17 UTC. --- **Evidence Reviewed** - Auth logs: Successful Azure AD login from `185.220.101.47` (Tor exit node, NL) at 02:14 UTC; prior login from `10.4.2.88` (internal, Chicago) at 21:55 UTC same day — **8hr 19min, ~7,400km gap** - MFA logs: 7 push denials between 01:58–02:13 UTC, 1 approval at 02:14 UTC (MFA fatigue pattern) - EDR: `FIN-WS-047` spawned `rundll32.exe` → `powershell.exe -enc [base64]` at 02:19 UTC; parent: `outlook.exe` (suspicious parent-child) - Network: Periodic outbound HTTPS to `cdn-update[.]io` (185.220.44.12) every 57s for 22 minutes — beaconing interval - TI: `185.220.101.47` flagged in 3 threat feeds (Tor, brute-force source); `cdn-update[.]io` registered 6 days ago, no legitimate CDN association - Asset: `FIN-WS-047` has access to ERP and payroll systems — **critical asset** - Historical baseline: `fharmon` has zero prior after-hours logins; no prior alerts --- **Key Findings** - **Strong indicators:** Impossible travel, MFA fatigue bypass, Tor-sourced auth, beaconing cadence, malicious TI hits, suspicious process chain - **Weak indicators:** No confirmed lateral movement yet; encoded PowerShell payload not yet decoded --- **Confidence Assessment:** **High (90%)** — True Positive **Threat Actor Tradecraft Observed** Credential stuffing or phishing → MFA fatigue → token/session abuse → living-off-the-land execution → C2 establishment **ATT&CK Techniques** - T1078 – Valid Accounts - T1110.003 – Password Spraying - T1621 – MFA Request Generation (fatigue) - T1059.001 – PowerShell - T1071.001 – Web Protocol C2 **Scope of Potential Compromise** `fharmon` session, `FIN-WS-047`, potential ERP/payroll access — blast radius HIGH **Containment Recommendations** 1. Immediately revoke `fharmon` all active sessions and reset credentials 2. Isolate `FIN-WS-047` from network (preserve memory image first) 3. Block `185.220.44.12` and `cdn-update[.]io` at proxy/firewall 4. Decode base64 PowerShell payload for IOC extraction 5. Audit ERP/payroll access logs for `fharmon` last 72hrs **Additional Telemetry Needed:** Decoded payload, SMB lateral movement logs, ERP access audit trail **Escalation Decision:** **ESCALATE IMMEDIATELY** — Tier 2/IR team + Finance stakeholder notification **Final Verdict:** True Positive — Active intrusion in progress, C2 established, critical asset at risk