
(Writeup) LetsDefend EventID: 75 - [SOC105 - Requested T.I. URL address]

Welcome

  • LetsDefend is a Blue Team Training platform.
  • This writeup documents a SOC alert investigation involving a "Requested T.I. URL address" (SOC105) alert.

Alert Details

Key: Value
EventID: 75
Event Time: Mar, 07, 2021, 05:47 PM
Rule: SOC105 - Requested T.I. URL address
Level: Security Analyst
Source Address: 10.15.15.12
Source Hostname: MarksPhone
Destination Address: 67.199.248.10
Destination Hostname: bit.ly
Username: Mark
Request URL: https://bit.ly/TAPSCAN
User Agent: Mozilla/5.0 (Windows NT 5.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36
Device Action: Allowed

Initial Triage

Actions

  • Copied alert details to notes
  • Created case
  • Began analysis

Thoughts

“Is that specific bit.ly address a threat indicator, or is it bit.ly in general?”


Playbook

Step 1. Analyze Threat Intel Data

VirusTotal

| Data | Result | Note |
|---|---|---|
| IP | 2/93 | It’s bit.ly, the URL shortener. It’s utilized by benign and malicious traffic alike. |
| URL | 1/94 | You can find the ‘Final URL’ in the ‘Details’ tab. |
| Final URL | 1/94 | In the URL and in ‘Details’ you can find the app name and the developer’s website URL. |
| Developer URL | 0/94 | Gonna google about this application. |

Google

“Searching for the app name pdf.tap.scanner gives us the very popular Android application: ‘PDF Scanner app - TapScanner’… Non-malicious.”

Step 2. Add Artifacts

(The long url was snipped for the writeup page formatting.)

| Value | Comment | Type |
|---|---|---|
| 67.199.248.10 | A bit.ly ip | IP Address |
| https://bit.ly/TAPSCAN | Alert Trigger | E-mail Domain |
| -long_url_snipped- | Redirect Final URL | E-mail Domain |

Step 3. Analyst Notes

“Verdict: False Positive. Closing Case.
Summary: Endpoint opened bit.ly link that linked to a popular PDF scanner on Android. No indicators of application being malicious.
Validated via: VirusTotal.
Actions taken: None.”


Determination

Verdict

  • False Positive
  • Close Case

Reasoning

  • Legitimate bit.ly link to a popular PDF scanning app on the Google Play Store

Final Thoughts

“Would be a good idea to review if the alert is happening on anything above 0 from TI, because I imagine some will regard any and all bit.ly links as malicious. If that’s the standard we want to keep, that’s fine. Just something to consider.”
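The two ideas in this case, expanding the shortener one hop at a time so every URL in the chain lands in the case notes (Step 1), and asking what detection count should actually fire the rule (the final thought above), can be checked with a small script. The following is an added example, not code from the writeup, LetsDefend or VirusTotal: the alert fields are copied from the alert table, the detection counts are the ones recorded in the VirusTotal table, and the redirect target is a constructed placeholder host because the real long URL was snipped from the page. The `fetch` callable stands in for a HEAD request with automatic redirects disabled; the shortener list is an assumption.

```python
"""Triage helper for a SOC105-style "Requested T.I. URL address" alert.

Added example: not the writeup's or LetsDefend's own tooling. Alert fields
and detection counts come from the writeup; the redirect target and the
shortener list are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional
from urllib.parse import urlsplit

# Shared URL-shortener infrastructure (assumed list). A detection on the
# shortener's own IP or domain says little about one specific short link.
KNOWN_SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}

# Constructed sample input, copied from the alert table in the writeup.
ALERT_TEXT = """\
EventID: 75
Rule: SOC105 - Requested T.I. URL address
Source Address: 10.15.15.12
Destination Address: 67.199.248.10
Destination Hostname: bit.ly
Request URL: https://bit.ly/TAPSCAN
Device Action: Allowed
"""


def parse_alert(text: str) -> Dict[str, str]:
    """Turn 'Key: Value' lines into a dict, splitting on the first ': ' only
    so the 'https:' inside the request URL is not taken as a separator."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        if ": " in line:
            key, value = line.split(": ", 1)
            fields[key.strip()] = value.strip()
    return fields


def is_shortener(url: str) -> bool:
    """True when the request URL points at a known shortener host."""
    host = urlsplit(url).hostname or ""
    return host.lower() in KNOWN_SHORTENERS


def expand_redirects(url: str, fetch: Callable[[str], Optional[str]],
                     max_hops: int = 5) -> List[str]:
    """Follow a redirect chain hop by hop and return every URL visited.

    fetch(url) returns the Location of a redirect response, or None when
    the URL is the final page. Walking manually (instead of letting an HTTP
    client auto-follow) keeps each intermediate URL for the case notes and
    bounds the walk so a redirect loop cannot spin forever.
    """
    chain = [url]
    for _ in range(max_hops):
        nxt = fetch(chain[-1])
        if nxt is None:
            return chain
        if nxt in chain:
            raise ValueError(f"redirect loop via {nxt}")
        chain.append(nxt)
    raise ValueError(f"more than {max_hops} redirects starting at {url}")


# Constructed stand-in for the real redirect. The writeup snipped the long
# final URL, so a placeholder host (final-url.example) is used here.
FAKE_REDIRECTS = {
    "https://bit.ly/TAPSCAN": "https://final-url.example/app/pdf.tap.scanner",
}


def fake_fetch(url: str) -> Optional[str]:
    """Offline replacement for a HEAD request with redirects disabled."""
    return FAKE_REDIRECTS.get(url)


@dataclass
class TiResult:
    """One VirusTotal-style verdict: engines flagging / engines scanning."""
    artifact: str
    detections: int
    engines: int
    shortener_infra: bool = False  # the shortener's own IP or domain


# Detection counts as recorded in the writeup's VirusTotal table.
VT_RESULTS = [
    TiResult("IP 67.199.248.10", 2, 93, shortener_infra=True),
    TiResult("URL https://bit.ly/TAPSCAN", 1, 94, shortener_infra=True),
    TiResult("Final URL", 1, 94),
    TiResult("Developer URL", 0, 94),
]


def above_threshold(results: List[TiResult], min_detections: int,
                    ignore_shortener_infra: bool = False) -> List[str]:
    """Artifacts with more than min_detections hits. min_detections=0 is
    the 'anything above 0' behaviour the final thoughts question."""
    return [
        r.artifact for r in results
        if r.detections > min_detections
        and not (ignore_shortener_infra and r.shortener_infra)
    ]


def triage(alert: Dict[str, str], results: List[TiResult],
           min_detections: int) -> List[str]:
    """Artifacts that should drive the verdict: for a shortener link, judge
    the expanded final URL rather than the shortener's shared IP/domain."""
    return above_threshold(results, min_detections,
                           ignore_shortener_infra=is_shortener(alert["Request URL"]))


if __name__ == "__main__":
    alert = parse_alert(ALERT_TEXT)
    print("redirect chain:", " -> ".join(expand_redirects(alert["Request URL"], fake_fetch)))
    print("fires at >0 detections:", above_threshold(VT_RESULTS, 0))
    print("decision artifacts:", triage(alert, VT_RESULTS, 0))
```

With the threshold at 0 all three non-zero artifacts fire, which is the behaviour the final thoughts describe; raising it to 2 fires nothing, and treating the bit.ly IP and domain as shared infrastructure leaves only the expanded final URL to decide on, which is where the analysis in this case actually landed.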

Author: Reed Eggleston
B.S. in Cybersecurity | SSCP | CySA+ | PenTest+ | Project+