Phishing Scenario (SIEM + SOAR)

#ibm #working #demo #soar #threatprevention #siem

Table Of Content

Overview

This guideline will help you to setup & build an environment to showcase SOAR features

Phishing Scenario

Employee receive a phishing email, he opens and click on the word attachment file

Demo Workflow

Components

Phishing Attack Setup

Using Microsoft Exchange 2019 for mail server ✅ 2024-07-29
Using Gophish for phishing services ✅ 2024-07-29
Create customized ransomware / malicious payload for demo ✅ 2024-08-22
Using CVE-2021-40444 for malicious attachment in phishing mail ✅ 2024-07-29

Install & Setup Gophish

Download & Setup using this link
Email Phishing Template: Starbucks Phishing Email Template

Install & Setup Microsoft Exchange 2019

Using this link

Important

Following this Exchange 2019 onprem to grant SOAR Service Account privileges to scan others mailbox folder.

Qradar SIEM Setup

In this detection phrase, I will create 2 rules to detect phishing attack:

Detect suspicious phishing subject with attachment file.
Detect anomalous traffic to the machine which previously received/opened suspicious phishing email.

Resilient Setup

SOAR will be important components for incident response to phishing attack by leveraging orchestrating security product and collaboration teams, to setup SOAR, complete the following tasks:

Design Detect & Response to Suspicious Phishing Attack Playbook🔺
Exchange App Config ✅ 2024-09-06

Table Of Content

Overview

Phishing Scenario

Demo Workflow

Components

Phishing Attack Setup

Install & Setup Gophish

Install & Setup Microsoft Exchange 2019

Qradar SIEM Setup

Resilient Setup

Demo Video