Example 1 Β· The Impossible Travel Alert β What the Analyst Sees
The scenario unfolds in an organization using Azure AD with Conditional Access and impossible travel detection enabled.
The alert fires at 09:17 AM:
ALERT β Impossible Travel Detected
User: jparker@contoso.com
Login 1: 09:14:02 β Source IP: 204.12.88.41 β Location: Omaha, Nebraska, USA
Login 2: 09:17:38 β Source IP: 203.18.44.107 β Location: Melbourne, Victoria, AUS
Distance: 14,087 km Β· Time delta: 3 min 36 sec
Implied velocity: 234,783 km/h Β· Threshold: 900 km/h
Risk score: CRITICAL Β· Action: Block session and require step-up MFA
The analyst's investigation steps:
- Confirm the alert is valid: Check whether jparker uses a VPN that could explain the Melbourne IP (corporate VPN exit nodes are in the US; Melbourne is not a known exit node).
- Check session 1 (Omaha): Is this jparker's known work IP? Matches their corporate office subnet β this session is almost certainly legitimate.
- Check session 2 (Melbourne): Unknown IP, ISP is a consumer broadband provider in Australia. Not a known IP for jparker. This session is the attacker.
- Terminate session 2 and force password reset: The attacker's session is ended. jparker is notified and performs a password reset with verified identity.
- Investigate how session 2 obtained the credential: Review phishing logs for jparker's email in the prior 48 hours. A credential harvesting email was received and clicked two days before. The attacker obtained the password via a phishing page and used it two days later.
Key lesson: The impossible travel detection triggered within 3 minutes of the attacker logging in. Without the automated rule, the compromise would have been invisible until the attacker took an action that caused a more obvious IoC β potentially weeks or months later.
Example 2 Β· Resource Consumption β The 3 AM Spike
A financial services company has network flow monitoring with a threshold alert: any outbound transfer exceeding 5 GB within a one-hour window triggers a review.
Tuesday at 03:22 AM β alert fires:
ALERT β Unusual Outbound Traffic Volume
Source: 10.14.2.88 (FINANCE-DB-01 β internal database server)
Destination: 185.234.219.42 β Country: Netherlands β Not in approved destination list
Protocol: HTTPS (port 443) Β· Volume: 47.3 GB transferred over 94 minutes
Time window: 03:12 AM β 04:46 AM local time
Normal 03:00β05:00 outbound average from this host: 180 MB
What the forensic investigation reveals:
- FINANCE-DB-01 contains the accounts receivable and customer PII database β 47 GB maps closely to a full export of the production database.
- Authentication logs show a service account (svc-backup) logged into FINANCE-DB-01 at 03:09 AM. This account normally runs backups to an internal NAS β not to external IPs.
- The firewall allowed the outbound HTTPS connection because port 443 outbound was permitted as a general rule. No application-layer inspection was in place.
- The service account credentials were found in a configuration file on a developer workstation that was compromised 6 weeks earlier via a malicious email attachment.
- Reviewing the attacker's 6-week timeline: initial access via dev workstation β lateral movement to a server with broader permissions β credential discovery in config file β patient wait β single-night exfiltration.
Key lesson: The bandwidth alert was the first IoC detected despite a 6-week compromise. The organization had the attacker on their network for over a month with no visibility. The resource consumption IoC, though late, still allowed response before the data was weaponized. Post-incident changes: restrict service account outbound access at the firewall level; implement privileged access workstations for service account usage; monitor configuration files for credential storage.
Example 3 Β· Missing Logs β The Gap That Confirmed the Breach
A healthcare organization discovers that patient records appear on a dark web forum. They begin an investigation to determine when and how the data was exfiltrated.
The forensic timeline reconstruction:
Review authentication logs for EHR-SERVER-01 (Electronic Health Records):
[2024-10-14 00:00 β 23:59] β 847 authentication events logged. Normal.
[2024-10-15 00:00 β 08:47] β 312 authentication events logged. Normal.
[2024-10-15 08:47 β 14:22] β *** 0 authentication events *** β GAP
[2024-10-15 14:22 β 23:59] β 403 authentication events logged. Normal.
Review file access audit logs for /records directory:
[2024-10-15 08:47 β 14:22] β *** 0 file access events *** β SAME GAP
The 5-hour 35-minute gap in both authentication and file access logs on October 15 is the IoC. No system failure occurred on that date β the logs were deleted.
The SIEM had been ingesting authentication logs in real time. Reviewing the SIEM:
SIEM authentication log for EHR-SERVER-01, 2024-10-15 08:47β14:22:
08:47:14 β LOGON β user: Administrator β source: 192.168.44.22 (unknown internal host)
08:47:44 β AUDIT: Windows Event Log β Security channel cleared by Administrator
08:48:01 β [2,847 authentication events during this window β not visible in local logs]
14:21:38 β LOGOFF β user: Administrator
The SIEM retained the events that were deleted from the local logs. The attacker cleared the Windows Security Event Log at 08:47:44 AM β the action itself was forwarded to the SIEM 30 seconds before the clearing command completed. The SIEM shows 2,847 events (including mass file reads of the records directory) that the local server no longer has.
Key lesson: The missing log gap on the local system would have been invisible without the SIEM remote copy. The SIEM preserved the exact attacker activity that the attacker attempted to erase. Remote log forwarding is not optional β it is the difference between a forensic investigation that can reconstruct the breach timeline and one that cannot.
Example 4 Β· Blocked Content β The System That Couldn't Update
An endpoint detection platform flags a workstation because it has not reported an antivirus signature update in 11 days. The IT help desk investigates.
Network test from the affected workstation (MKTG-PC-047):
Test 1: ping 8.8.8.8 β Reply received. General internet connectivity: OK
Test 2: nslookup update.microsoft.com β Request timed out
Test 3: nslookup definitions.symantec.com β Request timed out
Test 4: nslookup malwarebytes.com β Request timed out
Test 5: nslookup www.google.com β Reply: 142.250.80.4. General DNS: OK
Test 6: nslookup www.cnn.com β Reply received. General browsing DNS: OK
General internet connectivity works. DNS resolution works for general sites. DNS resolution fails specifically for Microsoft update servers, Symantec signature distribution, and Malwarebytes β all security-related endpoints.
Investigation of the hosts file:
C:\Windows\System32\drivers\etc\hosts:
...(standard entries)...
127.0.0.1 update.microsoft.com
127.0.0.1 windowsupdate.com
127.0.0.1 definitions.symantec.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 malwarebytes.com
127.0.0.1 toolslib.net
127.0.0.1 bleepingcomputer.com
The hosts file has been modified to redirect all security update destinations to localhost (127.0.0.1), making them unreachable. This is a classic attacker persistence mechanism β the malware that infected the system modified the hosts file to prevent removal tools and update signatures from reaching the workstation. The infection has been running undetected for at least 11 days.
Key lesson: The blocked content IoC appeared before any other visible sign of compromise. The workstation was running normally for the user. Monitoring for update connectivity failures and regular review of the hosts file are detection mechanisms for this persistence technique.
Exam Scenario Β· IoC Classification Exercise
Scenario: A security analyst is reviewing the following five events from the past week. Classify each as an IoC, identify which category it represents, and state the appropriate immediate action.
(A) The domain admin account "DA-svc" shows a successful login at 02:44 AM on Sunday. The organization's change control records show no approved maintenance window for that time. No administrator claims to have performed this login.
Classification: Out-of-cycle logging (administrative activity outside expected schedule). Immediate action: Terminate the session, force password reset on DA-svc, review all actions taken by that session (what commands ran, what files were accessed, what accounts were modified), and investigate how the credential was obtained.
(B) A developer's workstation (DEV-PC-12) has not completed a Windows Update check-in for 17 days. The developer reports their machine works normally. Testing shows the workstation can browse the internet but cannot reach windowsupdate.com.
Classification: Blocked content (attacker persistence mechanism preventing patch delivery). Immediate action: Isolate the workstation from the network, image the disk for forensic analysis, rebuild the system from a known-good image, and scan the developer's code repository for any changes made from this workstation during the 17-day window.
(C) At 11:15 PM on a Tuesday, the network operations center observes outbound traffic from the corporate HR server to an IP address in Eastern Europe. The transfer volume is 22 GB over 45 minutes. The HR server normally generates less than 200 MB of outbound traffic per day.
Classification: Resource consumption (data exfiltration in progress or just completed). Immediate action: Block the destination IP at the firewall immediately, isolate the HR server, preserve memory and disk state for forensics, determine what data was in the 22 GB transfer (the HR server holds payroll and personnel records β all must be treated as compromised), and begin breach notification assessment.
(D) The SIEM alert queue shows that firewall logs are missing for a 90-minute window that corresponds exactly to the time period when the resource consumption event in (C) was occurring.
Classification: Missing logs (attacker deleted firewall log evidence during or after the exfiltration). Note: the firewall forwarded logs to the SIEM in real time, so the 90-minute window of logs exists in the SIEM even though the firewall's local storage shows a gap. This is the forensic record of the exfiltration event with full source, destination, and volume data.
(E) The company's legal counsel receives an email from an unknown party claiming to have 22 GB of employee personnel records. The email includes a 500-record sample as proof, and demands payment within 72 hours or the data will be published.
Classification: Published/documented data (double extortion ransomware setup β the data has already been exfiltrated and is being used as coercion leverage). This is the threat of publication, not publication itself β but the data is already in the attacker's control. Immediate action: Engage incident response counsel, do not pay, work with law enforcement, notify affected employees per applicable breach notification laws, and continue the forensic investigation to determine the full scope of the breach.