
Cyber Threat Intelligence: SOC Alert Analysis

Description

This project, conducted during my internship at CYBLACK x LetsDefend SOC Academy, focuses on the integration and analysis of Cyber Threat Intelligence (CTI) within Security Operations Center (SOC) environments. The aim was to enhance incident response capabilities by evaluating SOC alerts and their associated threat intelligence.

Throughout the internship, I explored various SOC alert scenarios, dissecting them to understand their implications and potential responses. By leveraging CTI, I aimed to improve threat detection and mitigation strategies, providing valuable insights into how organizations can bolster their cybersecurity posture.

Organization

- CYBLACK

Utilities Used

  • AnyRun
  • VirusTotal
  • Talos

Environments Used

  • LetsDefend

Program walk-through:

Incident Alert:

Understanding the Alert:

The alert suggests that this event was triggered by a request to a URL flagged by threat intelligence (TI). The URL appears to be a shortened link, which is often marked suspicious or malicious because the shortener hides the final destination.

Create a Case for the event:

First we'll use AnyRun to analyze the URL and determine whether it is malicious:

Next we'll check the destination IP address for any indicators of compromise (IOCs):

From this analysis we can conclude that the URL and destination IP address are not malicious. No vendor has flagged the IP address as malicious.

Next we'll add the artifacts and create an analysis note for our findings:

Then we can close the alert:
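The triage steps above, written out as a small Python helper. This is an added example and not code from the original project or from LetsDefend: it pulls the URL and destination IP out of the alert, records why the alert fired (a shortened link), folds in the reputation results gathered from AnyRun, VirusTotal and Talos, lists the artifacts for the case, and writes the analysis note with a verdict. The alert fields, the shortener list and the vendor counts are all constructed sample data (the IP is from a documentation range), not real lookups; `Alert`, `Reputation`, `triage` and the other names are assumptions for this example.

```python
"""Triage helper for a 'request to a TI-flagged URL' alert.

Added example, not part of the original project. All alert fields and
vendor verdicts below are constructed sample data, not real lookups.
"""
from dataclasses import dataclass
from urllib.parse import urlparse

# Assumption: a short illustrative list of link shorteners; a real SOC would
# maintain its own, larger list.
SHORTENER_DOMAINS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd"}


@dataclass
class Alert:
    alert_id: str
    rule: str
    source_ip: str
    destination_ip: str
    url: str


@dataclass
class Reputation:
    """One reputation lookup result, normalised to 'flagged / total' counts."""
    source: str        # e.g. "VirusTotal", "Talos", "AnyRun"
    indicator: str     # the URL or IP that was looked up
    flagged: int       # vendors/engines that called the indicator malicious
    total: int         # vendors/engines that returned any verdict


@dataclass
class TriageResult:
    verdict: str       # "false positive" or "true positive"
    artifacts: list    # (type, value) pairs to attach to the case
    note: str          # analysis note text for the case


def is_shortened_url(url: str) -> bool:
    """True if the URL's host is a known link shortener (hides the real target)."""
    host = urlparse(url).hostname or ""
    return host.lower() in SHORTENER_DOMAINS


def extract_artifacts(alert: Alert) -> list:
    """Collect the indicators a case needs: URL, its host, and both IPs."""
    host = urlparse(alert.url).hostname or ""
    return [("url", alert.url), ("domain", host),
            ("src_ip", alert.source_ip), ("dst_ip", alert.destination_ip)]


def triage(alert: Alert, lookups: list) -> TriageResult:
    """Decide the alert from the gathered reputation results and write the note."""
    reasons = []
    if is_shortened_url(alert.url):
        reasons.append(f"URL {alert.url} is a shortened link (destination hidden)")
    flagged_by = [r for r in lookups if r.flagged > 0]
    lines = [f"Alert {alert.alert_id} ({alert.rule}):"] + [f"  - {r}" for r in reasons]
    for r in lookups:
        lines.append(f"  - {r.source}: {r.indicator} flagged by {r.flagged}/{r.total}")
    if flagged_by:
        verdict = "true positive"
        lines.append("Verdict: true positive; escalate for containment of "
                     f"{alert.source_ip}.")
    else:
        verdict = "false positive"
        lines.append("Verdict: false positive; no vendor flagged the URL or the "
                     "destination IP. Closing the alert.")
    return TriageResult(verdict, extract_artifacts(alert), "\n".join(lines))


# Constructed sample alert; 203.0.113.0/24 is a documentation range, not a real host.
SAMPLE_ALERT = Alert("EV-0001", "Request to TI-flagged URL",
                     "10.0.0.25", "203.0.113.10", "http://bit.ly/example-placeholder")

# Constructed lookup results mirroring the outcome in this walk-through: nothing flagged.
SAMPLE_LOOKUPS = [
    Reputation("AnyRun", SAMPLE_ALERT.url, 0, 1),
    Reputation("VirusTotal", SAMPLE_ALERT.destination_ip, 0, 90),
    Reputation("Talos", SAMPLE_ALERT.destination_ip, 0, 1),
]

if __name__ == "__main__":
    result = triage(SAMPLE_ALERT, SAMPLE_LOOKUPS)
    print(result.note)
    print("artifacts:", result.artifacts)
```

Running the script prints the note that would be pasted into the case, ending in the false-positive verdict; feeding it a lookup with a non-zero `flagged` count flips the verdict to true positive and adds the escalation line instead of closing. The vendor counts are kept as plain numbers so the same note format works whichever service produced them.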

Conclusion:

In this project, I identified that the SOC alert was a false positive. This highlights the need for thorough analysis in cybersecurity operations to improve threat detection and ensure efficient resource allocation.