Incident Management Investigation

This document provides investigation guides for various security incidents including user login failures, IP-based communication alerts, and VPN user logins outside the UAE. It outlines objectives, analysis steps, and countermeasures for each type of incident, emphasizing the importance of log analysis and user awareness in preventing unauthorized access. The document is classified as confidential and is intended for internal use by Cyber Gate Defense LLC.

4 April 2025

SOC Monitoring
Author: Security Operations Center
Table of Contents
1. USER LOGIN FAILURE INVESTIGATION GUIDE   2
2. IP BASED COMMUNICATION (R2L) INVESTIGATION GUIDE   3
3. IP BASED COMMUNICATION (L2R) INVESTIGATION GUIDE   4
4. VPN USER LOGIN OUTSIDE UAE INVESTIGATION   4

CYBER GATE DEFENSE LLC. | Date: April 4, 2025 | Document Classification: CONFIDENTIAL 1
1. USER LOGIN FAILURE INVESTIGATION GUIDE
Objective

 This guide outlines the steps to investigate account login failure alerts.
The attacker's goal is one of the following:
 To compromise credentials and gain a foothold in the network.
 To use a valid account, which allows lateral movement and evades detection that
keys on malware or exploits.

Possible reasons or root causes for the alert:

 The user entered wrong credentials.
 An attacker is brute-forcing the account to obtain its credentials.
 A wrong or stale password saved on one machine keeps failing while the same user logs in
successfully from another machine.

Log sources required for account-related alerts and reporting

 SIEM logs (authentication server logs)
 EDR
 VPN concentrators / PAM device

Analysis and correlation

 Investigate the Windows logon-failure event (Event ID 4625 on the host; 4771 Kerberos
pre-authentication failures and 4776 NTLM validation failures on domain controllers) and its
status/sub-status code, e.g. 0xC000006A (bad password) or 0xC0000064 (user name does not
exist), to understand the reason for the failure. (Mention your observations as point-1 of
analysis)
 Check the logon type to understand the access method, e.g. type 2 (interactive), type 3
(network), type 10 (RemoteInteractive/RDP), or access through PAM. (Mention your observations
as point-2 of analysis)
 Check the user account type: admin, service account, end-user account, VPN account, etc.
(Mention your observations as point-3 of analysis)
 Identify the user account's privileges and group memberships. (RUN THE COMMAND FROM THE VDI
TERMINAL) (Mention your observations as point-4 of analysis)
 Correlate the account with successful logon events (Event ID 4624): from which source, at
what time, and whether a success from the same source follows the failures. (Mention your
observations as point-5 of analysis)
 Correlate the account with recent password changes or resets, expired passwords, expired
accounts, lockouts (Event ID 4740 on the domain controller) and disabled accounts. (RUN THE
COMMAND FROM THE VDI TERMINAL) (Mention your observations as point-6 of analysis)
 Correlate the failures with unauthorized services: for example, the failures occur only on a
specific destination server (e.g. a print server) while logons to the domain controllers
succeed, which points to an authorization problem rather than a wrong password. (Mention your
observations as point-7 of analysis)
 Check the process path and process name of the caller that made the authentication attempt,
e.g. lsass.exe, mimikatz.exe, Azure AD Connect, PsExec. (Mention your observations as point-8
of analysis)
 If a suspicious executable or script caused the login failures, check EDR, verify the file
hash and file path, and determine whether the file is legitimate. (Mention your observations
as point-9 of analysis)
 Check for login attempts or remote access to the enterprise machine for file upload,
modification, etc. (Mention your observations as point-10 of analysis)
 If the file is malicious, identify the entry point, e.g. email or a downloaded file.
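The following script is an added example for this guide (it is not part of the original document) showing how points 1, 2, 5, 6 and 8 above can be applied to a batch of logon events in order to separate the root causes the guide lists: brute force, password spray, a failure run followed by a success from the same source, and a stale saved credential that keeps failing from one host while the user works normally from another. The events, IP addresses, account names and thresholds are constructed for illustration.

```python
"""Triage Windows logon failures (Event ID 4625) and correlate them with successes (4624).

Added example for this guide, not part of the original document. The events in
sample_events() are constructed, not real telemetry; the thresholds are illustrative.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ntpath import basename

# NTSTATUS values carried in the SubStatus field of event 4625 (compared lower-case).
SUBSTATUS = {
    "0xc000006a": "bad password",
    "0xc0000064": "user name does not exist",
    "0xc0000234": "account locked out",
    "0xc0000072": "account disabled",
    "0xc0000071": "password expired",
    "0xc0000193": "account expired",
    "0xc000006f": "logon outside permitted hours",
    "0xc0000070": "workstation restriction",
}
LOGON_TYPE = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock",
              8: "NetworkCleartext", 9: "NewCredentials",
              10: "RemoteInteractive (RDP)", 11: "CachedInteractive"}
# Caller process names from the guide's point-8 that warrant an EDR check.
SUSPICIOUS_PROCESSES = {"mimikatz.exe", "psexec.exe", "psexesvc.exe"}


def describe(ev):
    """Points 1 and 2 of the analysis: why the logon failed and through which access method."""
    reason = SUBSTATUS.get(ev.get("substatus", "").lower(), "unknown sub-status")
    method = LOGON_TYPE.get(ev.get("logon_type"), "unknown logon type")
    return f"{ev['user']} from {ev['src_ip']}: {reason} via {method}"


def triage(events, brute_threshold=5, spray_threshold=5, window=timedelta(minutes=30)):
    """Separate the root causes the guide lists: brute force, spray, guessed credential,
    stale cached credential, and failures caused by a suspicious caller process."""
    fails = [e for e in events if e["event_id"] == 4625]
    wins = [e for e in events if e["event_id"] == 4624]
    findings = defaultdict(set)
    per_pair = defaultdict(list)      # (src_ip, user) -> that pair's failures
    users_per_src = defaultdict(set)  # src_ip -> distinct accounts that failed from it

    for e in fails:
        per_pair[(e["src_ip"], e["user"])].append(e)
        users_per_src[e["src_ip"]].add(e["user"])
        proc = basename(e.get("process", ""))
        if proc.lower() in SUSPICIOUS_PROCESSES:
            findings["suspicious_process"].add((e["src_ip"], e["user"], proc))

    for src, users in users_per_src.items():
        # A few failures each against many accounts from one source: password spray.
        if len(users) >= spray_threshold and all(len(per_pair[(src, u)]) <= 2 for u in users):
            findings["password_spray"].add(src)

    for (src, user), fs in per_pair.items():
        bad_pw = [f for f in fs if f.get("substatus", "").lower() == "0xc000006a"]
        # Many bad passwords for one account from one source: brute force.
        if len(bad_pw) >= brute_threshold:
            findings["brute_force"].add((src, user))
        last_fail = max(f["ts"] for f in fs)
        same_src_ok = [w for w in wins if w["user"] == user and w["src_ip"] == src
                       and last_fail <= w["ts"] <= last_fail + window]
        other_src_ok = [w for w in wins if w["user"] == user and w["src_ip"] != src]
        # Failures followed by a success from the same source: a guessed or reused credential.
        if same_src_ok and len(bad_pw) >= 2:
            findings["failure_then_success"].add((src, user))
        # Repeated bad password from one host while the user works from another host:
        # a stale saved credential (scheduled task, mapped drive, Credential Manager).
        if len(bad_pw) >= 3 and not same_src_ok and other_src_ok:
            findings["stale_credential"].add((src, user))
    return {k: sorted(v) for k, v in findings.items()}


def sample_events():
    """Constructed events (no real environment) covering each pattern handled above."""
    t0 = datetime(2025, 4, 4, 9, 0)

    def ev(mins, eid, user, src, logon_type, sub="0xC000006A",
           proc=r"C:\Windows\System32\lsass.exe"):
        return dict(ts=t0 + timedelta(minutes=mins), event_id=eid, user=user, src_ip=src,
                    logon_type=logon_type, substatus=sub, process=proc)

    events = [ev(m, 4625, "alice", "10.0.0.5", 3) for m in (0, 5, 10, 15)]  # stale saved password
    events.append(ev(2, 4624, "alice", "10.0.0.9", 2, sub=""))              # alice's real session
    events += [ev(20 + m, 4625, "bob", "10.0.0.50", 10) for m in range(6)]  # RDP brute force...
    events.append(ev(27, 4624, "bob", "10.0.0.50", 10, sub=""))             # ...then a success
    events += [ev(40 + i, 4625, u, "10.0.0.60", 3)                           # one source, five accounts
               for i, u in enumerate(["carol", "dave", "erin", "frank", "grace"])]
    events.append(ev(50, 4625, "admin", "10.0.0.60", 3, sub="0xC0000064",   # credential-dumping tool
                     proc=r"C:\Users\Public\mimikatz.exe"))
    return events


if __name__ == "__main__":
    for e in sample_events():
        if e["event_id"] == 4625:
            print(describe(e))
    for pattern, hits in triage(sample_events()).items():
        print(pattern, hits)
```

The stale-credential rule is the one that separates a benign ticket (clean up the saved password, countermeasure 2 below) from a compromise (the same source later succeeds): both produce the same 0xC000006A failures, so the distinction comes only from correlating with the 4624 events, which is point-5 of the analysis.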

Countermeasures
 Make the user aware of the login failures, whether they come from the same or from different
source machines.
 Check whether the system holds cached credentials or stale passwords that need to be removed
(e.g. Credential Manager, scheduled tasks, mapped drives, services).

When the failures occur only against specific services or servers (e.g. a print server), the
user has an authorization issue rather than a credential issue:

 Ensure the user has access to the printer or shared service.

When the failures are observed on remote desktop services:

 Check and ensure the user is authorized to access the destination server remotely.

When the failures are caused by suspicious applications or scripts:

 Isolate the machine from the network, run an on-demand scan on the detected endpoint, and
ensure the machine is clean before connecting it back to the network.
 If password-cracking software or a potentially unwanted application has been installed on the
machine, it must be removed.

2. IP BASED COMMUNICATION (R2L) INVESTIGATION GUIDE


Objective

 This guide outlines the steps to investigate IP-based communication alerts for remote-to-local
(R2L) traffic, i.e. an external IP communicating inbound with an internal host.

Analysis and correlation

 First check the logs (log source type: firewall, email or proxy) and the action taken (allowed
or denied). (Mention your observations as point-1 of analysis)
 Perform historical analysis on the source IP to check whether any abnormal events were
captured earlier. (Mention your observations as point-2 of analysis)
 Check the destination IP in the asset inventory (does it belong to an application, server or
firewall?). (Mention your observations as point-3 of analysis)
 Check whether the detected ports are critical or non-standard ports. (Mention your
observations as point-4 of analysis)
 Check the number of hits for both allowed and denied events. (Mention your observations as
point-5 of analysis)
 Check the IP/hostname reputation and geolocation on a timeline. (Mention your observations
as point-6 of analysis)
 Check whether the destination IP is a single IP or multiple IPs; if multiple, check whether
they share the same subnet, process names, hostnames or other factors. (Mention your
observations as point-7 of analysis)

Countermeasures
 Block the external IP on the perimeter firewall if there is no business purpose for the
traffic.
 Harden the security posture by closing unnecessary or unwanted ports that are exposed
publicly.
 If the traffic succeeded or was allowed, run an AV/PUA scan with updated signatures on the
affected machine and ensure it is clean before reconnecting it to the network.

3. IP BASED COMMUNICATION (L2R) INVESTIGATION GUIDE


Objective

 This guide outlines the steps to investigate IP-based communication alerts for local-to-remote
(L2R) traffic, i.e. an internal host communicating outbound with an external IP.

Analysis and correlation

 First check the logs (log source type: firewall, email or proxy) and the action taken (allowed
or denied). (Mention your observations as point-1 of analysis)
 Perform historical analysis on the source IP (the internal host) to check whether any
abnormal events were captured earlier. (Mention your observations as point-2 of analysis)
 Check the internal host in the asset inventory (does it belong to an application, server or
firewall, and who owns it?). (Mention your observations as point-3 of analysis)
 Check whether the detected ports are critical or non-standard ports. (Mention your
observations as point-4 of analysis)
 Check the number of hits for both allowed and denied events. (Mention your observations as
point-5 of analysis)
 Check the reputation and geolocation of the external IP/hostname on a timeline. (Mention your
observations as point-6 of analysis)
 Check whether the destination IP is a single IP or multiple IPs; if multiple, check whether
they share the same subnet, process names, hostnames or other factors. (Mention your
observations as point-7 of analysis)

Countermeasures

 Block the external IP on the perimeter firewall if there is no business purpose for the
traffic.
 Harden the security posture by closing unnecessary or unwanted ports that are exposed
publicly.
 If the traffic succeeded or was allowed, run an AV/PUA scan with updated signatures on the
source machine and ensure it is clean before reconnecting it to the network.
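The script below is an added example serving both the R2L guide (section 2) and the L2R guide (section 3); it is not part of the original document. It classifies constructed firewall/proxy records by direction, then collects per external IP what points 1 to 7 ask for (log source, allowed/denied counts, non-standard ports, asset-inventory lookup, reputation, number of internal hosts touched) and maps the result onto the countermeasures. The key=value log format, the asset inventory, the reputation list and the "standard port" set are placeholders for the real SIEM, CMDB and threat-intel lookups, and the external addresses are RFC 5737 documentation ranges.

```python
"""Triage IP-based communication alerts from firewall/proxy logs.

R2L = remote to local (an external IP talking inbound to an internal host).
L2R = local to remote (an internal host talking outbound to an external IP).
Added example for sections 2 and 3 of this guide, not part of the original document.
The log format, asset inventory, reputation list and standard-port set are constructed
placeholders for the SIEM, CMDB and threat-intel lookups an analyst would actually use.
"""
import ipaddress
import re

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Ports treated as standard for this example; anything else is reported as non-standard.
STANDARD_PORTS = {53, 80, 443}
# Constructed asset inventory: internal IP -> (hostname, role).
ASSETS = {"10.10.5.20": ("webapp01", "application server"),
          "10.10.5.21": ("dc01", "domain controller"),
          "10.10.9.40": ("ws-finance-07", "workstation")}
# Constructed reputation list standing in for a threat-intel / GeoIP lookup.
BAD_REPUTATION = {"198.51.100.77": "known scanner"}
# Constructed key=value firewall/proxy records (RFC 5737 documentation IPs play "external").
SAMPLE_LOGS = [
    "device=fortigate action=deny src=198.51.100.77 dst=10.10.5.20 dport=3389",
    "device=fortigate action=deny src=198.51.100.77 dst=10.10.5.21 dport=3389",
    "device=fortigate action=deny src=198.51.100.77 dst=10.10.9.40 dport=3389",
    "device=fortigate action=allow src=203.0.113.9 dst=10.10.5.20 dport=443",
    "device=fortigate action=allow src=203.0.113.9 dst=10.10.5.20 dport=8443",
    "device=proxy action=allow src=10.10.9.40 dst=192.0.2.15 dport=443",
    "device=fortigate action=allow src=10.10.9.40 dst=192.0.2.15 dport=4444",
    "device=fortigate action=deny src=10.10.5.21 dst=10.10.9.40 dport=445",
]
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Turn one key=value record into a dict with an integer destination port."""
    rec = dict(KV_RE.findall(line))
    rec["dport"] = int(rec["dport"])
    return rec


def is_internal(ip):
    # ipaddress.is_private also covers the documentation ranges used here as "external",
    # so RFC 1918 membership is checked explicitly instead.
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def direction(rec):
    """R2L when an external source hits an internal destination, L2R the other way round."""
    src_in, dst_in = is_internal(rec["src"]), is_internal(rec["dst"])
    if not src_in and dst_in:
        return "R2L"
    if src_in and not dst_in:
        return "L2R"
    return "internal" if src_in else "external"


def follow_up(s):
    """Map one external IP's summary onto the guide's countermeasures."""
    if s["direction"] == "R2L" and s["allowed"] and s["nonstandard_ports"]:
        return "allowed inbound to non-standard port: confirm the exposure, scan the asset, block at the perimeter if no business purpose"
    if s["direction"] == "L2R" and s["allowed"] and (s["reputation"] != "no match" or s["nonstandard_ports"]):
        return "allowed outbound to suspicious destination: AV/PUA scan the source host, block if no business purpose"
    if len(s["internal_hosts"]) >= 3 and s["denied"] and not s["allowed"]:
        return "denied sweep across several hosts: block at the perimeter if no business purpose"
    return "denied or standard-port traffic only: record and monitor"


def triage(lines):
    """Per external IP, collect what points 1 to 7 of the analysis ask the analyst to record.
    The direction recorded is that of the first flow seen for the external IP."""
    summary = {}
    for rec in map(parse_line, lines):
        dirn = direction(rec)
        if dirn not in ("R2L", "L2R"):
            continue  # purely internal or purely external flows are out of scope here
        external, internal = (rec["src"], rec["dst"]) if dirn == "R2L" else (rec["dst"], rec["src"])
        s = summary.setdefault(external, {"direction": dirn, "allowed": 0, "denied": 0,
                                          "ports": set(), "internal_hosts": set(), "log_sources": set()})
        s["allowed" if rec["action"] == "allow" else "denied"] += 1
        s["ports"].add(rec["dport"])
        s["internal_hosts"].add(internal)
        s["log_sources"].add(rec["device"])
    for ip, s in summary.items():
        s["nonstandard_ports"] = sorted(p for p in s["ports"] if p not in STANDARD_PORTS)
        s["assets"] = {h: ASSETS.get(h, ("unknown", "not in inventory")) for h in s["internal_hosts"]}
        s["reputation"] = BAD_REPUTATION.get(ip, "no match")
        s["follow_up"] = follow_up(s)
    return summary


if __name__ == "__main__":
    for ip, s in triage(SAMPLE_LOGS).items():
        print(ip, s["direction"], "allowed", s["allowed"], "denied", s["denied"],
              "ports", sorted(s["ports"]), "->", s["follow_up"])
```

Two points the run makes visible: a single denied scan across several internal hosts has no allowed hits and still deserves a perimeter block, while an allowed outbound connection on port 4444 from a workstation is the case where the guide's AV/PUA scan applies, because the firewall action alone says nothing about whether the host is already compromised.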

4. VPN USER LOGIN OUTSIDE UAE INVESTIGATION


Objective

 This guide outlines the steps to investigate a successful VPN login from outside the UAE.

The attacker's goal is one of the following:

 To compromise VPN credentials and gain a foothold in the network.
 To use a valid account, which lets the attacker evade detection.

Note: The customer uses SSO accounts with multi-factor authentication through a mobile-pass
application.

Possible reasons or root causes for the alert:
 The user connected to the FTA environment through a third-party private VPN or proxy.
 The user has permission to log in from outside the specified country.
 The user has travelled to another country.

Log sources required for account-related alerts and reporting

 SIEM logs
 VPN concentrators (F5)
 FortiGate
 Cisco FMC
 Palo Alto

VPN Workflow
User or login attributes (source IP: 83.110.16.31 | source country: UAE | user:
Rafiudeen.Navjudeen) → FortiGate "perimeter firewall" (policy: Allow) → Cisco FMC "IPS"
(policy: Allow) → F5 "ainfmgmlblevp1" (authenticate | assign virtual IP, field mapped as
VIP: 172.30.23.87 | assign session ID, field mapped as VPN_ID (custom): e9ad8a50) → VPN
connection established

Scenario
 The user (Rafiudeen Navajudeen) logs in from public IP 83.110.16.31.

 The traffic hits the perimeter firewall (FortiGate) and the IPS (Cisco FMC) for policy and
signature-based validation.
 The user account is authenticated and a virtual IP (172.30.23.87) is assigned from the
allocated VPN address space; this can be observed on the F5 device "ainfmgmlblevp1".

 The connection status on the user machine confirms the same values (the snapshot in the
original document is for reference; verify it against your own VPN connection status).

 A session ID (e9ad8a50) is also assigned to monitor and track the session.

 The user then accesses a VDI machine (e.g. 10.42.146.65) from the allocated VM cluster or
pool.

Analysis
 Start the investigation by filtering on the remote IP as "source or destination IP" and
clearing every other filter, so that all traffic associated with that public IP is visible
(see the SIEM screenshot in the original document).

 Add the required fields "VIP" (assigned virtual IP) and "VPN_ID" (VPN session ID) to the view.

 Then filter on the VPN_ID (custom) value "e9ad8a50" and clear every other filter to identify
the user who logged in from that source IP.

 The output provides a lot of additional information (hostname, OS, applied policies, etc.)
that can be included in the report for context.

Note: If no user information is captured in F5, the event is most likely a login attempt
rather than a successful login; do not report it as a security incident. (Repeated failed VPN
attempts from one IP are handled under the login-failure guide above.)
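The following is an added example (not part of the original document) that walks an alert through the workflow and analysis steps above in code: remote IP to F5 session, session to VPN_ID and VIP, VPN_ID to user, then the exception and anonymizer checks that decide between "expected", "investigate" and the note's "attempt only, do not report" outcome. The F5 records, geolocation table, anonymizer list, exception register and user names are constructed placeholders for the SIEM's F5 log source, its GeoIP enrichment, threat intel and the customer's exception list; the public addresses are RFC 5737 documentation ranges.

```python
"""Walk an outside-UAE VPN alert through the workflow in this guide:
remote IP -> F5 session (VPN_ID, VIP) -> user -> exception / anonymizer / travel check.

Added example, not part of the original document. The F5 records, the geolocation table,
the anonymizer list and the exception register are constructed placeholders for the SIEM's
F5 log source, its GeoIP enrichment, threat intel and the customer's exception list.
"""

HOME_COUNTRY = "UAE"
# Constructed GeoIP enrichment: remote IP -> country.
GEO = {"203.0.113.45": "Germany", "198.51.100.8": "India",
       "192.0.2.200": "Germany", "203.0.113.1": HOME_COUNTRY}
# Constructed threat-intel list of known third-party VPN / proxy exit nodes.
ANONYMIZERS = {"198.51.100.8": "commercial VPN exit node"}
# Constructed exception register: user -> {country: business purpose}.
EXCEPTIONS = {"j.doe": {"Germany": "vendor support contract"}}
# Constructed F5 records, keyed the way the guide maps the fields (VPN_ID, VIP).
F5_LOG = [
    {"src_ip": "203.0.113.45", "VPN_ID": "1a2b3c4d", "VIP": "172.30.23.100",
     "user": "j.doe", "host": "VENDOR-LT-01", "os": "Windows 11"},
    {"src_ip": "198.51.100.8", "VPN_ID": "5e6f7a8b", "VIP": "172.30.23.101",
     "user": "a.smith", "host": "CORP-LT-22", "os": "Windows 10"},
    {"src_ip": "192.0.2.200", "VPN_ID": "9c0d1e2f"},  # attempt only: no user or VIP assigned
]


def sessions_from(remote_ip, log):
    """Step 1 of the analysis: every F5 record tied to the remote IP."""
    return [r for r in log if r.get("src_ip") == remote_ip]


def user_for(vpn_id, log):
    """Step 3: the record carrying the authenticated user for a VPN_ID, or None."""
    return next((r for r in log if r.get("VPN_ID") == vpn_id and r.get("user")), None)


def investigate(remote_ip, log=F5_LOG, geo=GEO, exceptions=EXCEPTIONS, anonymizers=ANONYMIZERS):
    """One finding per session from remote_ip, each with a status and the next action."""
    country = geo.get(remote_ip, "unknown")
    if country == HOME_COUNTRY:
        return [{"status": "home_country", "country": country}]
    results = []
    for sess in sessions_from(remote_ip, log):
        rec = user_for(sess["VPN_ID"], log)
        if rec is None:
            # The guide's note: no user captured in F5 means an attempt, not a login.
            results.append({"vpn_id": sess["VPN_ID"], "country": country,
                            "status": "attempt_only", "action": "do not report as an incident"})
            continue
        finding = {"vpn_id": sess["VPN_ID"], "vip": rec.get("VIP"), "user": rec["user"],
                   "host": rec.get("host"), "os": rec.get("os"), "country": country,
                   "anonymizer": anonymizers.get(remote_ip)}
        reason = exceptions.get(rec["user"], {}).get(country)
        if reason:
            finding.update(status="expected", action=f"business purpose on record: {reason}")
        elif finding["anonymizer"]:
            finding.update(status="investigate",
                           action="source is a known proxy/VPN exit: confirm with the user, "
                                  "remove the third-party VPN/proxy, reset password if unexplained")
        else:
            finding.update(status="investigate",
                           action="no exception: confirm travel or third-party VPN/proxy, "
                                  "reset password if neither applies")
        results.append(finding)
    return results


if __name__ == "__main__":
    for ip in ("203.0.113.45", "198.51.100.8", "192.0.2.200", "203.0.113.1"):
        for finding in investigate(ip):
            print(ip, finding)
```

The anonymizer lookup is the check that turns the countermeasure "ask whether the user connected through a third-party proxy or VPN" into something the analyst can partly answer from the alert itself before contacting the user; the exception register is what lets an expected vendor login be closed with its business purpose already in the report.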

Countermeasures
 Check whether the user has permission or an exception to log in from outside the UAE.
 If the login is expected, state the business purpose and close the alert as expected user
login activity from "country name".
 If the user has no such permission, ask whether they connected to the FTA network through a
third-party proxy or private VPN.
 Confirm that the user actually travelled to the detected country and connected to the FTA
network from there.
 If the user connected through a third-party application, educate them not to connect to the
FTA network through a third-party private VPN or proxy. (This applies to users connecting from
their own machine rather than a corporate machine, e.g. vendors.)
 If the detected machine is a corporate device, check for and uninstall any proxy or VPN
applications.
 If the activity is explained by neither a proxy nor travel, reset the password of the detected
VPN user and terminate the active VPN session.
