Investigation timeline
- process_start on WS-ACME-01 (severity: high)
  { "cmdline": "powershell -enc JABj...", "process_name": "powershell.exe", "user": "CORP\\jsmith" }
  Demo rule · alert #1
- network_connect on WS-ACME-01 (severity: critical)
  { "protocol": "tcp", "remote_ip": "185.220.101.45", "remote_port": 4444 }
  Demo rule · alert #1
- process_start on WS-ACME-01 (severity: medium)
  { "cmdline": "cmd /c whoami", "process_name": "cmd.exe", "user": "CORP\\admin" }
  Demo rule · alert #1
- network_connect on WS-ACME-01 (severity: low)
  { "protocol": "udp", "remote_ip": "8.8.8.8", "remote_port": 53 }
  Demo rule · alert #1
- agent_status on WS-ACME-01 (severity: low)
  { "message": "heartbeat ok", "status": "ok", "version": "1.2.0" }
  Demo rule · alert #1
- network_threat on WS-ACME-01 (severity: high)
  { "action": "blocked", "reason": "known_c2", "remote_ip": "45.33.32.156" }
  Demo rule · alert #1
- process_start on WS-ACME-01 (severity: critical)
  { "cmdline": "mimikatz privilege::debug", "process_name": "mimikatz.exe", "user": "SYSTEM" }
  Demo rule · alert #1
- inventory_scan on WS-ACME-01 (severity: low)
  { "duration_ms": 12400, "packages_scanned": 847 }
  Demo rule · alert #1
- action_result on WS-ACME-01 (severity: low)
  { "action_type": "full_scan", "findings": 0, "status": "completed" }
  Demo rule · alert #1
- network_delta on WS-ACME-01 (severity: medium)
  { "closed_connections": 12, "new_connections": 3 }
  Demo rule · alert #1