
I saw an alert from my SIEM system. This is an alert for a phishing email, and it is my duty to investigate this email to determine whether it is malicious or not. I could see the severity as High and the date as June 13, 2021 02:13 pm; this timestamp will be instrumental in our investigation.


image showing details about the alert


What rule triggered the alert? The presence of macros in a document instead of VBA shows some phishing going on. I also observed the server address {24}.{213}.{228}.{54}, the source IP address as {trenton} {@} {tritowncomputers.com}, and finally the endpoint address, which is [email protected].

With this information, I can begin my investigation.

  1. Created a case


  2. Started a playbook


  3. Observed the prompt from the playbook, ensuring I didn't miss any step, as seen below


From our SIEM Monitoring bar, we see the source address as follows:
