Phishing alerts are one of the most common, and most time-consuming, tasks in a SOC.
But the problem is not the alert itself.
The problem is the lack of a structured workflow.
Without a clear process, analysts:
- Miss important signals
- Waste time switching tools
- Produce inconsistent results
So here's the exact step-by-step workflow I use to investigate a phishing alert.
Step 1: Initial Triage
Start with the basics:
- Who reported the email?
- Internal or external sender?
- Subject line / urgency indicators
- Any attachments or links?
Goal: Quickly understand if this is likely phishing or just noise
Step 2: Extract Indicators (IOCs)
Pull all possible IOCs:
- Sender email address
- Domain
- URLs
- File hashes (attachments)
This becomes the base of your investigation
Step 3: Reputation Check
Check:
- VirusTotal
- MalwareBazaar
- URL reputation tools
Look for:
- Known malicious domains
- Newly registered domains
- Low reputation signals
Step 4: Email Analysis
Analyze headers:
- SPF / DKIM / DMARC status
- Sender spoofing
- Reply-to mismatch
Check for:
- Impersonation attempts
- Display name abuse
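Steps 2 and 4 above are the part of the workflow that can be scripted directly against the reported message. The following is an added example (not code from the original post, and not tied to any particular SOC tooling) that parses a constructed sample message with Python's standard `email` module, pulls the IOCs from Step 2 (sender, domains, URLs, attachment hashes), reads the SPF/DKIM/DMARC verdicts from the `Authentication-Results` header, checks for a Reply-To mismatch and display-name abuse from Step 4, and returns the indicators, findings and verdict as one record of the kind Step 9 asks for. The sample message, its domains and the attachment bytes are constructed for illustration; the keyword lists and the "three or more findings" threshold are assumptions to tune for your environment.

```python
import email
import hashlib
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample (not a real message): addresses, domains and the
# attachment bytes are invented for illustration.
SAMPLE_EMAIL = b"""\
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=login-secure-example.test; dkim=none; dmarc=fail header.from=example.com
From: "IT Helpdesk" <helpdesk@example.com>
Reply-To: support@login-secure-example.test
To: user@example.com
Subject: URGENT: Your password expires today
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain; charset="utf-8"

Your password expires today. Verify immediately at
http://login-secure-example.test/reset?user=1234 or your account will be locked.

--XYZ
Content-Type: application/octet-stream; name="invoice.exe"
Content-Disposition: attachment; filename="invoice.exe"
Content-Transfer-Encoding: base64

TVoAAA==
--XYZ--
"""

URL_RE = re.compile(r"https?://[^\s<>'\"]+")
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")
# Assumed keyword lists; tune these to your organisation.
URGENCY_WORDS = ("urgent", "immediately", "expires", "suspended", "locked")
ROLE_WORDS = ("helpdesk", "it support", "ceo", "payroll", "hr")
RISKY_EXT = (".exe", ".scr", ".js", ".hta", ".iso", ".lnk")


def parse_message(raw: bytes):
    return email.message_from_bytes(raw, policy=policy.default)


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def auth_results(msg) -> dict:
    """Step 4: SPF/DKIM/DMARC verdicts from Authentication-Results headers."""
    verdicts = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for mech, verdict in AUTH_RE.findall(str(hdr)):
            verdicts[mech] = verdict.lower()
    return verdicts


def extract_iocs(msg) -> dict:
    """Step 2: sender, domains, URLs and attachment hashes."""
    display, sender = parseaddr(str(msg.get("From", "")))
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    urls, attachments = set(), []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        if part.get_content_disposition() == "attachment":
            data = part.get_payload(decode=True) or b""
            attachments.append({"filename": part.get_filename() or "",
                                "sha256": hashlib.sha256(data).hexdigest(),
                                "size": len(data)})
        elif part.get_content_type() == "text/plain":
            urls.update(URL_RE.findall(part.get_content()))
    return {"display_name": display, "sender": sender,
            "sender_domain": domain_of(sender), "reply_to": reply_to,
            "urls": sorted(urls),
            "url_domains": sorted({urlparse(u).hostname or "" for u in urls}),
            "attachments": attachments}


def assess(msg) -> dict:
    """Steps 1 and 4: urgency, auth failures, Reply-To and display-name abuse."""
    iocs, auth = extract_iocs(msg), auth_results(msg)
    subject = str(msg.get("Subject", "")).lower()
    findings = []
    if any(w in subject for w in URGENCY_WORDS):
        findings.append("urgency language in subject")
    for mech in ("spf", "dkim", "dmarc"):
        if auth.get(mech) != "pass":
            findings.append(f"{mech} did not pass ({auth.get(mech, 'missing')})")
    if iocs["reply_to"] and domain_of(iocs["reply_to"]) != iocs["sender_domain"]:
        findings.append("reply-to domain differs from sender domain")
    if any(r in iocs["display_name"].lower() for r in ROLE_WORDS):
        findings.append("display name claims a trusted role")
    if any(d != iocs["sender_domain"] for d in iocs["url_domains"]):
        findings.append("link domain differs from sender domain")
    if any(a["filename"].lower().endswith(RISKY_EXT) for a in iocs["attachments"]):
        findings.append("executable-type attachment")
    verdict = ("likely phishing" if len(findings) >= 3
               else "suspicious" if findings else "no phishing indicators")
    # Step 9 style record: indicators, findings and verdict in one structure.
    return {"indicators": iocs, "auth": auth, "findings": findings, "verdict": verdict}


if __name__ == "__main__":
    import json
    print(json.dumps(assess(parse_message(SAMPLE_EMAIL)), indent=2))
```

The hashes and domains this produces are what you feed into the Step 3 reputation checks; the `findings` list is the evidence you attach to the ticket rather than a verdict on its own, since the sender domain being internal while SPF and DMARC fail is exactly the spoofing case the post describes.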
Step 5: Endpoint Impact
Did the user:
- Click the link?
- Download attachment?
- Execute anything?
Check EDR:
- Process activity
- PowerShell / script execution
- Network connections
Step 6: Account Activity
Check identity logs:
- Suspicious login attempts
- MFA prompts
- Impossible travel
Especially important for credential phishing
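Two of the Step 6 checks, impossible travel and a burst of MFA prompts, are easy to run over exported sign-in events. The block below is an added example (not from the original post and not a vendor query) that works on constructed sign-in records: it computes the great-circle distance between consecutive successful logins for each user and flags any pair whose implied speed exceeds a threshold, and it flags users who received several unaccepted MFA prompts in a short window and whether an accepted prompt followed. The event schema, the 900 km/h limit and the five-prompts-in-ten-minutes threshold are assumptions; the IPs come from the RFC 5737 documentation ranges and the coordinates are approximate city centres.

```python
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

# Constructed sign-in events (not real logs). Schema is assumed: one record
# per authentication attempt with geolocated source IP and MFA outcome.
SIGNIN_EVENTS = [
    {"user": "alice", "time": "2024-05-01T08:00:00Z", "ip": "203.0.113.10",
     "city": "London", "lat": 51.5074, "lon": -0.1278, "result": "success", "mfa": "satisfied"},
    {"user": "alice", "time": "2024-05-01T08:40:00Z", "ip": "198.51.100.23",
     "city": "Lagos", "lat": 6.5244, "lon": 3.3792, "result": "success", "mfa": "satisfied"},
]
# bob: five MFA prompts denied within nine minutes, then one accepted.
for i in range(5):
    SIGNIN_EVENTS.append({"user": "bob", "time": f"2024-05-01T09:0{2 * i}:00Z",
                          "ip": "198.51.100.50", "city": "Paris", "lat": 48.8566,
                          "lon": 2.3522, "result": "failure", "mfa": "denied"})
SIGNIN_EVENTS.append({"user": "bob", "time": "2024-05-01T09:09:00Z",
                      "ip": "198.51.100.50", "city": "Paris", "lat": 48.8566,
                      "lon": 2.3522, "result": "success", "mfa": "satisfied"})

EARTH_RADIUS_KM = 6371.0


def parse_time(ts: str) -> datetime:
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def haversine_km(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance between two coordinates in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def by_user(events):
    """Group events per user, ordered by time."""
    users = {}
    for ev in sorted(events, key=lambda e: parse_time(e["time"])):
        users.setdefault(ev["user"], []).append(ev)
    return users


def impossible_travel(events, max_kmh=900.0):
    """Flag consecutive successful sign-ins whose implied speed exceeds max_kmh."""
    findings = []
    for user, evs in by_user(events).items():
        successes = [e for e in evs if e["result"] == "success"]
        for prev, cur in zip(successes, successes[1:]):
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            hours = (parse_time(cur["time"]) - parse_time(prev["time"])).total_seconds() / 3600
            speed = km / hours if hours > 0 else float("inf")
            if km > 0 and speed > max_kmh:
                findings.append({"user": user, "from": prev["city"], "to": cur["city"],
                                 "from_ip": prev["ip"], "to_ip": cur["ip"],
                                 "km": round(km), "speed_kmh": round(speed)})
    return findings


def mfa_prompt_flood(events, window=timedelta(minutes=10), threshold=5):
    """Flag users with `threshold` or more denied MFA prompts inside `window`,
    noting whether an accepted prompt followed (a fatigue attempt that worked)."""
    findings = []
    for user, evs in by_user(events).items():
        denied = [parse_time(e["time"]) for e in evs if e["mfa"] == "denied"]
        for i, start in enumerate(denied):
            in_window = [t for t in denied[i:] if t - start <= window]
            if len(in_window) >= threshold:
                later_ok = any(e["mfa"] == "satisfied" and parse_time(e["time"]) > start
                               for e in evs)
                findings.append({"user": user, "prompts": len(in_window),
                                 "window_start": start.isoformat(),
                                 "followed_by_success": later_ok})
                break  # one finding per user is enough for triage
    return findings


if __name__ == "__main__":
    print(impossible_travel(SIGNIN_EVENTS))
    print(mfa_prompt_flood(SIGNIN_EVENTS))
```

A flagged impossible-travel pair is a lead, not proof: VPN egress and mobile carrier geolocation produce the same pattern, so the finding should be correlated with the Step 5 endpoint data and the phishing link's click time before credentials are reset.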
Step 7: Scope & Impact
Answer:
- Is it isolated or widespread?
- More users affected?
- Any lateral movement?
Step 8: Response Actions
Depending on severity:
- Block domain / URL
- Quarantine email
- Reset user credentials
- Isolate endpoint (if needed)
Step 9: Documentation
Always document:
- Timeline
- Indicators
- Actions taken
- Final verdict
This improves future detection
Final Thought
SOC work becomes easier when you stop reacting to alerts...
...and start following repeatable workflows.
This is exactly why I started building structured workflows for investigations:
It's a growing library of step-by-step SOC workflows designed to reduce investigation time and improve consistency.
If you're a SOC analyst, I'd love to know:
Do you follow a structured workflow or investigate ad hoc?