Closure Comments Guide
When closing an incident, always ensure that the following questions are answered:
- What does the incident relate to? (this is especially important if the incident title is not clear).
- What has been investigated by CTS?
- What remediation/containment actions have been taken by CTS or the client? These include: user password resets, session revocation, device isolation, addition of indicators (hashes, IPs, domains/URLs), and addition of sender addresses to the tenant block list.
- What is the conclusion of the incident: true-positive, false-positive, or something suspicious/malicious?
Guidelines:
Closure comments are visible to clients; they should therefore be written clearly and contain only information relevant to the client. Below are some guidelines to help craft the closure comments:
- Refrain from using the names of L1 and L2 analysts. It is also advisable not to mention that the incident was escalated to L2; that information is already visible in Fresh Service.
- If you must refer to someone, refer to us as "CTS SOC" (always in the third person), or better still, do not mention CTS at all. E.g.: "CTS SOC observed…", "It was identified that…", "User sessions have been revoked."
- Keep it short and to the point. No filler words. Prefer short sentences; full stops increase readability.
Examples:
Phishing Incidents:
- Phishing email observed, received by 6 users. Upon investigation, 3 of the users clicked the phishing URL and 1 user (XYZ@MMM.COM) entered their credentials. Suspicious logins from Portugal were subsequently observed for this user. User sessions have been revoked, the password has been reset, and MFA methods have been investigated for modifications. Phishing emails have been hard-deleted. Sender address has been added to the tenant block list indefinitely. True-positive; risk has been mitigated.
- Mass phishing attempts from the compromised account "OOO@LLL[.]dk". The emails contained a SharePoint URL file which redirected to a malicious site presenting a Microsoft login page. The malicious site appears to be down or non-weaponized, redirecting to the non-existent domain "hxxp[://]3m[.]ma". One user, XYZ@MMM[.]dk, appears to have visited the malicious site presenting the fake login page (jc20express); this user has had their password reset and sessions revoked. CTS SOC also investigated modifications to MFA methods; no newly added MFA methods were identified. Emails have been hard-deleted. Sender address has been added to the tenant block list for 7 days. Client was informed.
Quarantine Release Incidents:
- User has requested a quarantined email to be released. The investigation revealed no malicious indicators in the email. Email is confirmed to be clean. The email has been released to the user.
- User has requested a quarantined email to be released. The investigation revealed a malicious URL in the email redirecting to a fake Microsoft login page hosted on https://XYZ[.]ma. CTS SOC investigated whether other users had received the email. 5 other users received the email; however, no clicks were detected, as all copies landed in quarantine. The email release has been denied.
Identity-Related Incidents:
- Successful login from Romania observed for the user XXX. The user is based in Hungary, according to their properties in Entra ID. Investigation of the logins revealed that the login occurred from a managed and joined device. No malicious or suspicious activity identified.
- Successful login from New York observed for the user XXX. The user is based in Denmark, according to their properties in Entra ID. Investigation of the logins revealed that the login occurred from a non-managed device. Logins from Denmark were observed 4 hours before the login from New York, indicating atypical travel and confirming the activity as malicious. The user's password has been reset, sessions revoked, and MFA methods investigated for additions; no newly added MFA methods were identified. CTS SOC investigated cloud activity across Teams, Outlook and SharePoint in the time frame following the successful login from New York; no suspicious activity was discovered.
AV/Malware Incidents:
- Manually retrieved and investigated the .lnk file. The file launches "AD Find Users, Contacts, and Groups" with the command line "C:\Windows\System32\rundll32.exe dsquery,OpenQueryWindow". The shortcut is clean and not malicious. The hash of the file has been added as an allow indicator so that Defender does not quarantine it in the future. False-positive.
- XXX malware detected on YYY device. Execution of the malware was blocked by Defender and the file was subsequently quarantined. CTS SOC confirmed during the investigation that the malware was manually downloaded by the user. No signs of persistence, as execution was blocked. True-positive; no risk remains.
- XXX malware detected on YYY device. Execution of the malware was initially prevented; Defender later quarantined the file. CTS SOC isolated the device while investigating. The origin of the malware could not be determined. CTS SOC investigated for signs of persistence and for actions performed on the device after the execution attempt; no other malicious activity was identified. The file has been confirmed as quarantined and deleted from the device. The file hash has been added to the indicators in Defender XDR. Device isolation has been lifted. True-positive; no further risk identified.