
Incident Category Descriptions and Sample Playbooks

LogRhythm NDR has the following incident categories:

  • Initial Compromise
  • Infection
  • Command and Control
  • Service Attack
  • Recon and Discovery
  • Collection and Exfiltration
  • Suspicious Access
  • Privilege Escalation
  • Ransomware
  • Lateral Movement 

These categories were originally based on the NIST incident categories, but have been extended to reflect the modern threat landscape and the detection capabilities of LogRhythm NDR.

Initial Compromise

This incident usually indicates one of the following conditions:

  • A vector used to gain an initial foothold in the network was detected.
  • Execution of adversary-controlled code was detected.
  • An adversary is attempting to establish persistence (surviving system restarts and other failures).
  • An attempt to evade detection or bypass other defenses was detected.

  

The following information would be provided:

  • Internal host/user
  • User information
  • Host information
  • External domain information
  • Affected internal resources 

Infection

This incident usually indicates one of the following conditions:

  • An initial infection is detected.
  • A suspicious file was downloaded.
  • Malware is installed and callbacks to command and control (C&C) servers are seen.
  • Malware is attempting to spread laterally through the environment (for example, ransomware).


The following information would be provided:

  • Victim is an internal host/user.
  • Attacker is an external domain or an infected internal host/user.
  • User information.
  • Host information.
  • External domain information.
  • File information.
  • Affected internal resources.


SOC actions:

  • Review the download activity for the incident and prior to it (file logs).
  • Review web browsing activity (HTTP, SSL) for suspicious domains.
  • Review the software activity in the software log.
  • Review the internal activity (for example, mass encryption or renaming of files in the case of a ransomware attack).
  • Cross-check for any alerts from endpoint tools such as antivirus.
  • Contact the user to confirm whether they initiated the activity.

Command and Control

This incident usually indicates the following condition:

  • Command and control (C&C) activity is detected.


The following information would be provided:

  • Internal host/user
  • User information
  • Host information
  • External domain information
  • Affected internal resources

Service Attack

This incident usually indicates one of the following conditions:

  • An exploit against a specific service is detected.
  • A (distributed) denial of service attack is detected.


The following information would be provided:

  • Victim is an internal host.
  • Attacker is an external host or a list of hosts.
  • User information.
  • Host information.
  • External IP information (WHOIS, country).
  • Affected service information.

  

SOC actions:

  • Review the provided service/activity logs (check the logs for the named service).
  • Confirm whether the activity is consistent with the service's typical activity.
  • Verify whether the reported vulnerability applies to the target host/service (software version, platform and patch level).
  • Confirm that the potential attacker IP(s) do not belong to a partner organization.
  • Contact the service owner.

Recon and Discovery

This incident usually indicates one of the following conditions:

  • A network host sweep or port scan is detected.
  • A vulnerability scan is detected.
  • An application scan is detected.


The following information would be provided:

  • Victim is an internal host or a list of hosts.
  • Attacker is an internal/external host.
  • User information.
  • Host information.
  • External IP information (WHOIS, country).
  • Affected service/application information.


SOC actions:

  • Review the provided activity logs. Normally, the event indicates the range and count of hosts/ports scanned, or the list of application activity performed.
  • Confirm whether the activity is expected for the source. For example, it could be an authorized internal vulnerability scan; such activity is expected and should be whitelisted. Confirm the scanner's identity and schedule with its owner before whitelisting, since a compromised internal host can scan too.
  • For an internal source, contact the user of the scanning host; for an external source, block it at the perimeter.
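
The triage above, as an added example that is not LogRhythm NDR code: it counts distinct ports per (source, target) and distinct targets per (source, port) over connection records and maps each finding to the playbook action. The internal range, the authorized scanner address, the thresholds and the flow records are constructed assumptions.

```python
"""Recon and Discovery triage: detect host sweeps and port scans in connection
records and pick the playbook response (whitelist / contact user / block).

Added example, not LogRhythm NDR code. All addresses, thresholds and flow
records below are constructed for illustration."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL_NETS = [ip_network("10.0.0.0/8")]   # assumption: the organization's internal space
AUTHORIZED_SCANNERS = {"10.0.5.9"}            # assumption: the internal vulnerability scanner
PORT_THRESHOLD = 20   # distinct ports touched on one host -> port scan
HOST_THRESHOLD = 20   # distinct hosts touched on one port -> host sweep

# Constructed flow records: (src, dst, dst_port)
FLOWS = (
    [("10.0.5.9", f"10.0.1.{i}", 22) for i in range(1, 60)]        # authorized SSH sweep
    + [("10.0.7.33", "10.0.1.10", p) for p in range(1, 200)]       # internal port scan of one host
    + [("203.0.113.7", f"10.0.1.{i}", 445) for i in range(1, 40)]  # external SMB sweep
    + [("10.0.7.40", "10.0.1.10", 443)] * 50                        # repeated normal traffic
)


def is_internal(ip):
    return any(ip_address(ip) in net for net in INTERNAL_NETS)


def detect_scans(flows):
    """Return findings for sources that hit many ports on a host or many hosts on a port."""
    ports_per_host = defaultdict(set)   # (src, dst)  -> {dst_port}
    hosts_per_port = defaultdict(set)   # (src, port) -> {dst}
    for src, dst, port in flows:
        ports_per_host[(src, dst)].add(port)
        hosts_per_port[(src, port)].add(dst)

    findings = []
    for (src, dst), ports in ports_per_host.items():
        if len(ports) >= PORT_THRESHOLD:
            findings.append({"src": src, "kind": "port scan",
                             "target": dst, "count": len(ports)})
    for (src, port), hosts in hosts_per_port.items():
        if len(hosts) >= HOST_THRESHOLD:
            findings.append({"src": src, "kind": "host sweep",
                             "target": f"port {port}", "count": len(hosts)})
    return findings


def triage(finding):
    """Map a finding to the playbook action for its source."""
    src = finding["src"]
    if src in AUTHORIZED_SCANNERS:
        return "expected: authorized scanner, whitelist (confirm schedule with owner)"
    if is_internal(src):
        return "contact the user of internal host " + src
    return "block at perimeter"


def run(flows):
    """One triaged finding per scanning source."""
    return {f["src"]: {**f, "action": triage(f)} for f in detect_scans(flows)}


if __name__ == "__main__":
    for src, f in run(FLOWS).items():
        print(f"{src}: {f['kind']} ({f['count']} on {f['target']}) -> {f['action']}")
```

The repeated-traffic host never exceeds either threshold because the counts are of distinct ports and hosts, not of packets; an authorized scanner address is still only whitelisted after its owner confirms the scan.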

Collection and Exfiltration

This incident usually indicates one of the following conditions:

  • Sensitive files and other information are being collected prior to exfiltration.
  • A host/user performs internal downloads AND external uploads, AND the score and the amount of data transferred raise suspicion, AND such activity has not been attributed to that host/user before.


The following information would be provided:

  • Victim is an internal host/user.
  • Attacker is the external domain that is the destination of the exfiltration.
  • User information.
  • Host information.
  • External domain information. 
  • File information for internal download (if available).
  • Connection data indicating the download/upload flows.


SOC actions:

  • Review the upload/download flows and verify whether this activity is expected for the host/user.
  • Confirm with the user or their manager for clarification.
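
The compound condition above (internal downloads AND external uploads AND volume above the host's baseline AND a destination not previously attributed to the host), evaluated over connection records and returning the flows an analyst should review, as an added example that is not LogRhythm NDR code. The internal range, the file server address, the thresholds, the per-host baseline and the flow records are constructed assumptions.

```python
"""Collection and Exfiltration: evaluate the compound playbook condition over
connection records and hand back the supporting flows for review.

Added example, not LogRhythm NDR code. Addresses, thresholds, baseline and
flow records are constructed assumptions."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")   # assumption: the organization's internal range
FILE_SERVERS = {"10.0.2.20"}          # assumption: internal file share(s)
MIN_DOWNLOAD = 10_000_000             # assumption: 10 MB pulled internally counts as collection
BASELINE_FACTOR = 5                   # assumption: upload must exceed 5x the host's usual volume
DEFAULT_BASELINE = 1_000_000          # assumption: used for hosts with no upload history

# Constructed flow records: (client, server, bytes_up, bytes_down)
FLOWS = [
    ("10.0.7.12", "10.0.2.20", 20_000, 900_000_000),     # workstation pulls 900 MB from the share
    ("10.0.7.12", "198.51.100.10", 850_000_000, 5_000),  # ...then pushes 850 MB to a new external host
    ("10.0.7.50", "10.0.2.20", 10_000, 300_000_000),     # backup host pulls 300 MB from the share
    ("10.0.7.50", "203.0.113.5", 280_000_000, 4_000),    # ...and pushes it to its usual offsite target
    ("10.0.7.60", "10.0.2.20", 5_000, 50_000_000),       # download only, no external upload
]
# Constructed per-host history: typical daily external upload bytes, known external destinations
BASELINE = {"10.0.7.12": 1_000_000, "10.0.7.50": 300_000_000}
KNOWN_DESTS = {"10.0.7.50": {"203.0.113.5"}}


def is_internal(ip):
    return ip_address(ip) in INTERNAL


def evaluate(flows, baseline, known_dests):
    """Return {host: {incident, reasons, upload, download, new_dests, review}}."""
    stats = defaultdict(lambda: {"download": 0, "upload": 0, "dests": set(), "review": []})
    for client, server, up, down in flows:
        if not is_internal(client):
            continue                                   # only an internal host/user can be the victim
        s = stats[client]
        if is_internal(server) and server in FILE_SERVERS:
            s["download"] += down                      # internal download (collection)
            s["review"].append((client, server, up, down))
        elif not is_internal(server):
            s["upload"] += up                          # external upload (exfiltration)
            s["dests"].add(server)
            s["review"].append((client, server, up, down))

    verdicts = {}
    for host, s in stats.items():
        threshold = BASELINE_FACTOR * baseline.get(host, DEFAULT_BASELINE)
        new_dests = s["dests"] - known_dests.get(host, set())
        checks = {                                     # every condition must hold (AND)
            "internal download": s["download"] >= MIN_DOWNLOAD,
            "external upload": s["upload"] > 0,
            "volume above baseline": s["upload"] >= threshold,
            "new destination": bool(new_dests),
        }
        verdicts[host] = {
            "incident": all(checks.values()),
            "reasons": [name for name, ok in checks.items() if ok],
            "upload": s["upload"],
            "download": s["download"],
            "new_dests": sorted(new_dests),
            "review": s["review"],                     # flows for the analyst to review
        }
    return verdicts


if __name__ == "__main__":
    for host, v in evaluate(FLOWS, BASELINE, KNOWN_DESTS).items():
        print(host, "INCIDENT" if v["incident"] else "ok", v["reasons"])
```

The backup host moves as much data as the workstation but matches its own baseline and a known destination, so it is not raised; the workstation is raised only because all four conditions hold, which is what keeps this category from firing on every large transfer.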

Suspicious Access

This incident usually indicates one of the following conditions:

  • Brute-force attack detected.
  • User compromise detected.
  • Access to unusual resources that have not been seen before.


The following information would be provided:

  • Victim is an internal host/user.
  • Attacker is an external/internal host/user.
  • User information.
  • Host information.
  • External domain information.
  • Account break-in attempts.
  • Connection data indicating the new suspicious connection flows.


SOC actions:

  • Review the password attack evidence.
  • Review the new activity.
  • If in doubt, contact the user for clarification.
  • If compromise is confirmed, reset the user's credentials, invalidate any active sessions, and quarantine their host.

Privilege Escalation 

This incident usually indicates one of the following conditions:

  • An unauthorized user is detected accessing privileged data.
  • An unauthorized user is detected accessing critical services.


The following information would be provided:

  • Victim is an internal host/user.
  • Attacker is an external/internal host/user.
  • User information.
  • Host information.
  • External domain information.
  • Access attempts indicating success/failure.
  • Connection data indicating the new suspicious connection flows.


SOC actions:

  • Review the flow of events. Since LogRhythm NDR's visibility is limited to network activity, the picture might be incomplete. However, the sequence of events should indicate an anomaly in the user's behavior; for example, after many denied attempts to access the service, access is granted. This could be due to exploitation of the service or to compromised user credentials that LogRhythm NDR was unable to see (for example, because the traffic is encrypted).
  • If in doubt, contact the user for clarification.
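
The two sequence checks from the Suspicious Access and Privilege Escalation playbooks above (a burst of denied attempts followed by a granted access, and first-time access to a resource the user has never been seen using), run over access events, as an added example that is not LogRhythm NDR code. The event records, the per-user history, the failure threshold and the time window are constructed assumptions.

```python
"""Suspicious Access / Privilege Escalation: flag a denied-then-granted burst
and first-time access to a resource, over constructed access events.

Added example, not LogRhythm NDR code. Events, history and thresholds are
constructed assumptions."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5              # assumption: denials that make a later success suspicious
WINDOW = timedelta(minutes=10)  # assumption: the denials must fall inside this window

# Constructed access events: (ISO time, user, service, result)
EVENTS = [
    *[(f"2024-05-01T09:0{i}:00", "alice", "vpn", "denied") for i in range(7)],  # 09:00..09:06
    ("2024-05-01T09:07:30", "alice", "vpn", "granted"),        # granted right after 7 denials
    ("2024-05-01T09:20:00", "alice", "hr-db", "granted"),      # alice never accessed hr-db before
    ("2024-05-01T10:00:00", "bob", "mail", "denied"),
    ("2024-05-01T10:00:20", "bob", "mail", "denied"),
    ("2024-05-01T10:00:40", "bob", "mail", "granted"),         # two typos, then success: benign
    *[(f"2024-05-01T08:0{i}:00", "carol", "db", "denied") for i in range(6)],  # 08:00..08:05
    ("2024-05-01T09:30:00", "carol", "db", "granted"),         # success long after the window
]
# Constructed history: resources each user has been seen accessing before
HISTORY = {"alice": {"vpn", "fileserver"}, "bob": {"mail"}, "carol": {"db"}}


def parse(events):
    rows = [(datetime.fromisoformat(t), u, s, r) for t, u, s, r in events]
    return sorted(rows, key=lambda e: e[0])      # process in time order


def find_suspicious_access(events, history):
    """Return findings of kind 'denied-then-granted' or 'new-resource'."""
    findings = []
    recent_fail = defaultdict(deque)              # (user, service) -> denial times in window
    seen = {u: set(s) for u, s in history.items()}
    for ts, user, service, result in parse(events):
        fails = recent_fail[(user, service)]
        while fails and ts - fails[0] > WINDOW:   # drop denials that fell out of the window
            fails.popleft()
        if result == "denied":
            fails.append(ts)
            continue
        # result == "granted"
        if len(fails) >= FAIL_THRESHOLD:
            findings.append({"kind": "denied-then-granted", "user": user, "service": service,
                             "failures": len(fails), "granted_at": ts.isoformat()})
            fails.clear()
        if service not in seen.setdefault(user, set()):
            findings.append({"kind": "new-resource", "user": user, "service": service,
                             "granted_at": ts.isoformat()})
        seen[user].add(service)                   # later accesses to it are no longer new
    return findings


if __name__ == "__main__":
    for f in find_suspicious_access(EVENTS, HISTORY):
        print(f)
```

Carol's six denials are real, but the eventual success falls outside the window, so the sequence is not raised; on an encrypted service the denials themselves may be invisible to the sensor, which is why the playbook treats the sequence as a prompt to contact the user rather than as proof.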

Ransomware

This incident usually indicates the following condition:

  • Ransomware – A malicious actor is encrypting files. No command and control channel is necessary for this attack pattern, although one is often used.


The following information would be provided:

  • Internal host/user
  • User information
  • Host information
  • External domain information
  • Affected files and internal resources

Lateral Movement

This incident usually indicates the following condition:

  • Lateral movement detected in search of key data and assets


The following information would be provided:

  • Internal host/user
  • User information
  • Host information
  • Target information
  • Affected internal resources