Hi, looking for a short description of how to use the forensic investigation workbench to determine if an alert that I received actually has some "Bad Meat" behind it. What are the steps that you suggest taking?

asked 07 Jan '13, 19:38

Svardi ♦♦
accept rate: 0%


The investigation can be launched on a threat flagged by the Securonix product or on some alert that you receive from an external source. Typically, the investigation will bring up a system, a user, or an IP address that is suspicious.

Step 1: Select the time frame for your investigation. Typically this will be the last week of activities. You may even expand this to a longer period (example: last month).

Step 2: Start from the point of interest. If you start from a system on which a suspicious activity is detected, you probably want to see the IP addresses that were used on that system in a time frame and see all activities done on the system. If you see an account activity that looks suspicious, you may want to drill into the account and see all transactions done by the account across other systems.

Step 3: Once you have narrowed down your points of interest, your forensic investigation must include the collection of all artifacts to support your incident and a hand off of all evidence to the appropriate team.


answered 05 Apr '13, 12:53

tgulati ♦♦
accept rate: 14%
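The three steps in the answer above, as an added example that is not part of the original post and not Securonix code: a small pivot over constructed audit events (hostnames, accounts, IPs and timestamps are all made up) that scopes the time window, pivots from a suspicious host to the IPs and accounts seen on it, follows each account onto other systems, and bundles the supporting events with a hash for hand-off.

```python
# Added example, not from the forum post or the Securonix workbench.
# All event records below are constructed sample data, not real logs.
from datetime import datetime, timedelta
import hashlib
import json

EVENTS = [  # constructed: an ordinary login, then an off-hours service-account chain
    {"ts": "2013-01-05T09:12:00", "host": "web01", "user": "jdoe", "ip": "10.0.0.5", "action": "login"},
    {"ts": "2013-01-05T23:40:00", "host": "web01", "user": "svc_backup", "ip": "198.51.100.7", "action": "login"},
    {"ts": "2013-01-06T00:05:00", "host": "db01", "user": "svc_backup", "ip": "198.51.100.7", "action": "export"},
    {"ts": "2013-01-06T00:20:00", "host": "fs02", "user": "svc_backup", "ip": "198.51.100.7", "action": "read"},
    {"ts": "2012-12-01T08:00:00", "host": "web01", "user": "svc_backup", "ip": "10.0.0.9", "action": "login"},
]

def in_window(events, end_iso, days=7):
    """Step 1: keep only events inside the investigation time frame (default: last week)."""
    end = datetime.fromisoformat(end_iso)
    start = end - timedelta(days=days)
    return [e for e in events if start <= datetime.fromisoformat(e["ts"]) <= end]

def pivot_host(events, host):
    """Step 2a: from a suspicious system, list the IPs and accounts active on it."""
    on_host = [e for e in events if e["host"] == host]
    return {"ips": sorted({e["ip"] for e in on_host}),
            "users": sorted({e["user"] for e in on_host})}

def pivot_user(events, user, exclude_host=None):
    """Step 2b: from a suspicious account, list its transactions on other systems."""
    return [e for e in events if e["user"] == user and e["host"] != exclude_host]

def collect_artifacts(events, case_id):
    """Step 3: bundle the supporting events with a SHA-256 over the canonical JSON."""
    body = json.dumps(events, sort_keys=True).encode()
    return {"case": case_id, "count": len(events),
            "sha256": hashlib.sha256(body).hexdigest(), "events": events}

def investigate(host, end_iso, case_id, days=7, events=EVENTS):
    """Run the three steps from a suspicious host; return host pivot and evidence bundle."""
    scoped = in_window(events, end_iso, days)
    host_view = pivot_host(scoped, host)
    # Follow every account seen on the host onto other systems in the same window.
    related = [e for u in host_view["users"] for e in pivot_user(scoped, u, exclude_host=host)]
    return host_view, collect_artifacts(related, case_id)

if __name__ == "__main__":
    view, bundle = investigate("web01", "2013-01-07T00:00:00", "CASE-0001")
    print(json.dumps(view, indent=2))
    print(bundle["count"], "related events, evidence hash", bundle["sha256"])
```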


Asked: 07 Jan '13, 19:38

Seen: 978 times

Last updated: 09 Apr '13, 22:03