Ali Alwashali

DFIR CTI TH

less than 1 minute read

Qradar 101 Challenge

I have released a challenge based on Qradar SIEM consisting of 24 questions. The challange is hosted at Cyberdefenders platform. I tried as much as possible to be realistic in the scenario and mimic a real world incident. Almost all the questions can be solved by digging into sysmon logs.

Dataset

  • Sysmon - swift on security configuration
  • Powershell logging
  • Windows Eventlog
  • Suricata IDS
  • Zeek logs (conn, HTTP)

The scenario

A financial company was compromised, and they are looking for a security analyst to help them investigate the incident. The company suspects that an insider helped the attacker get into the network, but they have no evidence.

The initial analysis performed by the company’s team showed that many systems were compromised. Also, alerts indicate the use of well known malicious tools in the network. As a SOC analyst, you are assigned to investigate the incident using QRadar SIEM and reconstruct the events carried out by the attacker.

Qradar101 - SIEM Case Investigation

You May Also Enjoy

A tour inside a SOC analyst mind

7 minute read

As a mentor in a SOC, I often receive questions from junior analysts about the best way to approach analysis. To help them develop their skills, I sometimes ...

Analyzing SOC Data Using Jupyter Notebook

5 minute read

Detection Controls usually focus on telemetry collection, and in most cases lack data analytic capabilities. Hence, It would be necessary to export the data ...

Remote Full Packet Capture

5 minute read

Tool such as TCPDump captures full packet data and store to desk, it doesn’t provide a way to capture and stream the packets to a remote destination. I have ...