------------ Events and Experiences ------------
This is a running Incident Handling Journal, a list of entries that grows with time.
Over time, I have kept a journal of incidents, tools, and takeaways. This post shares a polished snapshot of those entries. It is finalized for now, but not finished. I will keep adding to it as I grow. The goal is to show how I work through investigations and how I have practiced using tools that map to the NIST Incident Response Lifecycle, along with a few other frameworks.
Journal Entry 001 – Phishing Investigation
Date: 2025-05-13
Entry: 001
What I did: Investigated and documented a suspected phishing email reported by an employee. It was very straightforward, but I feel it was a humble start.
Tools used: Outlook, VirusTotal
What happened:
- An employee reported an email that looked like it came from HR about “updated benefits enrollment”
- The message used a lookalike sender address and a button linking to a fake sign-in page
- The link redirected to a domain that was recently registered and not owned by the company
- A few other users received the same message through a broad internal distribution list
Investigation steps:
- Pulled the full email headers in Outlook and confirmed the sender was spoofed: the message did not originate from the company's mail systems
- Checked the URL and domain reputation in VirusTotal, which flagged it as suspicious
- Searched the mailbox for similar messages to confirm scope and find other recipients
- Captured indicators of compromise, including the sender address, subject line, and URL
Containment and follow-up:
- Blocked the sending domain and URL at the email gateway
- Warned employees not to click and to report similar emails
- Reset credentials for the user who clicked and forced MFA re-registration as a precaution
- Logged the incident and scheduled a short phishing awareness reminder
Notes: Quick reporting helped limit exposure. This was a good example of how small steps like checking headers and validating links can quickly confirm whether an email is legitimate.
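A worked version of the header and link checks in this entry, added here as an example; it is not part of the original journal and not the author's procedure. It assumes the company's real mail domain is example.com, uses a constructed sample message that mimics the "benefits enrollment" lure, and the homoglyph table and lookalike heuristic are my own simplifications.

```python
"""Phishing triage: compare header identities, read Authentication-Results,
and pull links out of the body. Added example; CORPORATE_DOMAIN and the
sample message are assumptions, not data from the journal."""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

CORPORATE_DOMAIN = "example.com"  # assumption: the organisation's real mail domain

# Constructed sample resembling the lure described above; not a real capture.
SAMPLE_EMAIL = b"""Return-Path: <bounce@examp1e-hr.com>
Received: from mail.examp1e-hr.com (mail.examp1e-hr.com [203.0.113.10])
\tby mx.example.com with ESMTP id k3x9a2
\tfor <all-staff@example.com>; Tue, 13 May 2025 09:12:44 +0000
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=examp1e-hr.com; dkim=none; dmarc=fail header.from=examp1e-hr.com
From: "HR Department" <hr@examp1e-hr.com>
To: all-staff@example.com
Subject: Action required: updated benefits enrollment
Content-Type: text/html; charset=utf-8

<html><body><p>Please review and confirm your benefits enrollment.</p>
<a href="https://examp1e-hr.com/login/sso">Sign in to enroll</a></body></html>
"""

# Digits commonly swapped for letters in lookalike domains (my own short table).
_HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "7": "t"})


class _LinkExtractor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links.extend(v for k, v in attrs if k == "href" and v)


def _domain_of(address: str) -> str:
    _, addr = parseaddr(address or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def is_lookalike(domain: str, corporate: str = CORPORATE_DOMAIN) -> bool:
    """True when a domain is outside the corporate domain but mimics its main label."""
    if not domain or domain == corporate or domain.endswith("." + corporate):
        return False
    return corporate.split(".")[0] in domain.translate(_HOMOGLYPHS)


def auth_results(msg) -> dict:
    """Pull spf/dkim/dmarc outcomes from the Authentication-Results header, if present."""
    header = str(msg.get("Authentication-Results", ""))
    return {m.group(1).lower(): m.group(2).lower()
            for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I)}


def extract_links(msg) -> list:
    """Collect href targets from the HTML body (or bare URLs from a text body)."""
    body = msg.get_body(preferencelist=("html", "plain"))
    if body is None:
        return []
    content = body.get_content()
    if body.get_content_type() == "text/html":
        parser = _LinkExtractor()
        parser.feed(content)
        return parser.links
    return re.findall(r"https?://\S+", content)


def triage(raw: bytes, corporate: str = CORPORATE_DOMAIN) -> dict:
    """Run the header, authentication and link checks and collect IOCs."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_domain = _domain_of(str(msg.get("From", "")))
    return_path_domain = _domain_of(str(msg.get("Return-Path", "")))
    auth = auth_results(msg)
    links = extract_links(msg)
    findings = []
    if from_domain != corporate:
        findings.append(f"From domain {from_domain} is external to {corporate}")
    if is_lookalike(from_domain, corporate):
        findings.append(f"From domain {from_domain} is a lookalike of {corporate}")
    if return_path_domain and return_path_domain != from_domain:
        findings.append("Return-Path domain differs from From domain")
    for check in ("spf", "dkim", "dmarc"):
        if auth.get(check) not in (None, "pass"):
            findings.append(f"{check} result is {auth[check]}")
    for host in sorted({urlparse(u).hostname or "" for u in links}):
        if is_lookalike(host, corporate):
            findings.append(f"link points at lookalike domain {host}")
    return {
        "from_domain": from_domain,
        "return_path_domain": return_path_domain,
        "auth": auth,
        "links": links,
        "findings": findings,
        "iocs": {"sender": str(msg.get("From", "")), "subject": str(msg.get("Subject", "")), "urls": links},
        "verdict": "suspicious" if findings else "no header anomalies",
    }


if __name__ == "__main__":
    for line in triage(SAMPLE_EMAIL)["findings"]:
        print("-", line)
```

The `iocs` dictionary is what goes into the ticket and the gateway block list; the `findings` list is the justification. Subdomains of the corporate domain are deliberately not flagged as lookalikes, and a missing Authentication-Results header yields no authentication findings rather than a false pass.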
Journal Entry 002 – Suricata Rule and Malware Detection
Date: 2025-05-15
Entry: 002
What I did: Wrote a Suricata rule to identify suspicious outbound traffic. This maps to the Detection and Analysis phase.
Tools used: Suricata, Wireshark
The 5 W’s:
- Who: Internal host infected with malware
- What: Outbound traffic to a known malicious IP
- When: 2025-05-01
- Where: Internal subnet 192.168.1.x
- Why: Attempted command-and-control (C2) communication
Notes: I created custom rules to flag the behavior. Wireshark confirmed the traffic. The host was isolated and cleaned. This reinforced the value of deep packet inspection and writing detection logic that matches real behavior.
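A Suricata rule of the kind this entry describes, with a small matcher that applies the rule's header fields and its threshold to constructed flow records, added here as an example. It is not the author's rule and the matcher is not Suricata; the destination address 203.0.113.45, the sid 1000001 and the flow records are placeholders.

```python
"""Suricata C2 rule plus a minimal matcher for its header and threshold.
Added example: the IP, sid and flows below are constructed placeholders."""
import ipaddress
import re

C2_IP = "203.0.113.45"  # assumption: documentation address standing in for the real C2 IP

# Alert once per source host per minute on outbound TCP from the 192.168.1.x
# subnet to the C2 address. Kept as text so it can be dropped into local.rules.
RULE = (
    f"alert tcp 192.168.1.0/24 any -> {C2_IP} any "
    '(msg:"LOCAL Possible C2 beacon to known malicious IP"; '
    "flow:to_server,established; "
    "threshold:type limit, track by_src, count 1, seconds 60; "
    "classtype:trojan-activity; sid:1000001; rev:1;)"
)

_HEADER = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$"
)


def parse_rule(text: str) -> dict:
    """Split a rule into its header fields and an options dict (values unquoted)."""
    m = _HEADER.match(text.strip())
    if not m:
        raise ValueError("not a Suricata rule")
    rule = m.groupdict()
    rule["opts"] = {k: v.strip().strip('"')
                    for k, v in re.findall(r"\s*(\w+)(?::([^;]*))?;", rule.pop("opts"))}
    return rule


def match_addr(spec: str, ip: str, variables: dict) -> bool:
    """Handle 'any', '!' negation, $VAR references and literal host/CIDR specs."""
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not match_addr(spec[1:], ip, variables)
    if spec.startswith("$"):
        return match_addr(variables[spec[1:]], ip, variables)
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def match_port(spec: str, port: int) -> bool:
    """Handle 'any', a single port, and ranges such as '1024:' or ':1023'."""
    if spec == "any":
        return True
    lo, sep, hi = spec.partition(":")
    low = int(lo) if lo else 0
    high = int(hi) if hi else (65535 if sep else low)
    return low <= port <= high


def _threshold(opts: dict):
    """Parse 'type limit, track by_src, count 1, seconds 60'; only this form is modelled."""
    if "threshold" not in opts:
        return None
    t = dict(part.strip().split() for part in opts["threshold"].split(","))
    if t.get("type") != "limit" or t.get("count") != "1":
        raise NotImplementedError("only 'type limit, count 1' is modelled here")
    return {"track": t["track"], "seconds": int(t["seconds"])}


def evaluate(rule: dict, flows: list, variables=None) -> list:
    """Return the alerts the rule would raise over time-ordered flow records."""
    variables = variables or {}
    thr = _threshold(rule["opts"])
    last_alert, alerts = {}, []
    for f in flows:
        if rule["proto"] not in ("ip", f["proto"]):
            continue
        forward = (match_addr(rule["src"], f["src"], variables) and match_port(rule["sport"], f["sport"])
                   and match_addr(rule["dst"], f["dst"], variables) and match_port(rule["dport"], f["dport"]))
        reverse = rule["dir"] == "<>" and (
            match_addr(rule["src"], f["dst"], variables) and match_port(rule["sport"], f["dport"])
            and match_addr(rule["dst"], f["src"], variables) and match_port(rule["dport"], f["sport"]))
        if not (forward or reverse):
            continue
        if thr:
            key = f["src"] if thr["track"] == "by_src" else f["dst"]
            if key in last_alert and f["ts"] - last_alert[key] < thr["seconds"]:
                continue  # limit: at most one alert per key per window
            last_alert[key] = f["ts"]
        alerts.append({"ts": f["ts"], "sid": int(rule["opts"]["sid"]),
                       "msg": rule["opts"]["msg"], "src": f["src"], "dst": f["dst"]})
    return alerts


# Constructed flows (ts in seconds): a beacon, benign traffic, a repeat inside the
# threshold window, a reply in the wrong direction, and later beacons from two hosts.
SAMPLE_FLOWS = [
    {"ts": 0,   "proto": "tcp", "src": "192.168.1.23", "sport": 51234, "dst": C2_IP, "dport": 443},
    {"ts": 5,   "proto": "tcp", "src": "192.168.1.23", "sport": 51235, "dst": "198.51.100.7", "dport": 443},
    {"ts": 30,  "proto": "tcp", "src": "192.168.1.23", "sport": 51236, "dst": C2_IP, "dport": 443},
    {"ts": 40,  "proto": "tcp", "src": C2_IP, "sport": 443, "dst": "192.168.1.23", "dport": 51236},
    {"ts": 120, "proto": "tcp", "src": "192.168.1.23", "sport": 51237, "dst": C2_IP, "dport": 443},
    {"ts": 121, "proto": "tcp", "src": "192.168.1.77", "sport": 40001, "dst": C2_IP, "dport": 443},
]

if __name__ == "__main__":
    for a in evaluate(parse_rule(RULE), SAMPLE_FLOWS):
        print(a)
```

The `threshold` keyword is the part most often left out of a first rule: without it a beaconing host raises an alert on every connection and floods the queue. The `flow:to_server,established` option is parsed but not evaluated by this toy matcher, which is one of the things real Suricata adds on top of the header match.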
Journal Entry 003 – Splunk Query and Dashboarding
Date: 2025-05-18
Entry: 003
What I did: Practiced querying brute-force login attempts in Splunk. This fits under Detection and Analysis.
Tools used: Splunk
Tool work summary:
- Queried failed login events by src_ip and user
- Used visualizations to track patterns over time
- Set up alerting for excessive failures
- Built a dashboard for easier monitoring
Notes: Splunk made correlation and alerting straightforward. This practice helped me turn raw logs into useful signals for security operations.
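The same brute-force detection expressed as code over sample log lines, added here as an example; it is not the author's Splunk search. The log lines are constructed sshd-style entries, and the SPL in the docstring is one way to write the equivalent search (the `linux_secure` sourcetype and the thresholds are my assumptions). The code goes a step beyond the search in the entry by also flagging a successful login that follows a burst of failures.

```python
r"""Brute-force login detection over auth log lines. Added example with
constructed log lines. One SPL equivalent of the counting part (assumed
sourcetype, not the author's query):

    index=main sourcetype=linux_secure "Failed password"
    | rex "for (invalid user )?(?<user>\S+) from (?<src_ip>\d+\.\d+\.\d+\.\d+)"
    | bin _time span=5m
    | stats count by _time, src_ip, user
    | where count >= 5
"""
import re
from collections import Counter, defaultdict, deque
from datetime import datetime

LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+"
)

# Constructed sample: six failures then a success for 'admin' from one source,
# two stray failures for 'alice' from another, and one unrelated sshd line.
SAMPLE_LOG = """\
May 18 10:00:01 bastion sshd[2101]: Failed password for admin from 203.0.113.9 port 51234 ssh2
May 18 10:00:07 bastion sshd[2103]: Failed password for admin from 203.0.113.9 port 51240 ssh2
May 18 10:00:12 bastion sshd[2105]: Failed password for admin from 203.0.113.9 port 51244 ssh2
May 18 10:00:20 bastion sshd[2107]: Failed password for alice from 198.51.100.5 port 40210 ssh2
May 18 10:00:25 bastion sshd[2109]: Failed password for admin from 203.0.113.9 port 51250 ssh2
May 18 10:00:31 bastion sshd[2111]: Failed password for admin from 203.0.113.9 port 51255 ssh2
May 18 10:00:40 bastion sshd[2113]: pam_unix(sshd:auth): authentication failure; logname= uid=0
May 18 10:00:44 bastion sshd[2115]: Failed password for admin from 203.0.113.9 port 51260 ssh2
May 18 10:01:05 bastion sshd[2117]: Accepted password for admin from 203.0.113.9 port 51266 ssh2
May 18 10:02:00 bastion sshd[2119]: Failed password for alice from 198.51.100.5 port 40222 ssh2
"""


def parse_line(line: str):
    """Return a small event dict for password auth lines, None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.strptime(m["ts"], "%b %d %H:%M:%S"),
            "result": m["result"], "user": m["user"], "src": m["src"]}


def stats_by_src_user(lines) -> Counter:
    """Equivalent of `stats count by src_ip, user` over failed logins."""
    counts = Counter()
    for e in filter(None, map(parse_line, lines)):
        if e["result"] == "Failed":
            counts[(e["src"], e["user"])] += 1
    return counts


def detect(lines, threshold: int = 5, window_seconds: int = 300) -> list:
    """Sliding-window brute-force alerts, plus a success that follows recent failures."""
    events = sorted(filter(None, map(parse_line, lines)), key=lambda e: e["ts"])
    recent = defaultdict(deque)  # (src, user) -> failure timestamps inside the window
    alerted, alerts = set(), []
    for e in events:
        key = (e["src"], e["user"])
        q = recent[key]
        while q and (e["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if e["result"] == "Failed":
            q.append(e["ts"])
            if len(q) >= threshold and key not in alerted:
                alerted.add(key)  # alert once per (src, user), not on every further failure
                alerts.append({"type": "brute_force", "src": e["src"], "user": e["user"],
                               "failures": len(q), "window_start": q[0].isoformat()})
        elif q:
            # A success right after a failure burst is the case that needs a human now.
            alerts.append({"type": "success_after_failures", "src": e["src"], "user": e["user"],
                           "failures": len(q), "at": e["ts"].isoformat()})
    return alerts


if __name__ == "__main__":
    for (src, user), n in stats_by_src_user(SAMPLE_LOG.splitlines()).most_common():
        print(f"{src:16} {user:10} {n}")
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

The sliding window is what `bin _time span=5m` approximates in SPL; the code version does not split a burst across two bins, which a fixed-bin search can do. The `success_after_failures` alert is the one worth routing at higher priority, since it is the signal that the guessing may have worked.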
Journal Entry 004 – File Hash Investigation
Date: 2025-05-21
Entry: 004
What I did: Investigated a SHA256 file hash and reviewed sandbox results. This aligns with Detection and Analysis.
Tools used: VirusTotal, Any.run, Hybrid Analysis
Tool work summary:
- VirusTotal: hash flagged by 39 vendors
- Any.run: showed ransomware-like behavior
- Hybrid Analysis: tracked file behavior and external calls
Notes: This investigation showed how these tools support each other. Checking multiple sources helped me build a clearer risk assessment. I also got more practice enriching indicators of compromise (IOCs).
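How the hash lookup and the multi-source assessment in this entry can be scripted, added here as an example; it is not the author's workflow. The lookup uses the real VirusTotal v3 endpoint `GET https://www.virustotal.com/api/v3/files/{hash}` with the `x-apikey` header, which needs an API key and network access, so the `fetch` function is injectable and `SAMPLE_REPORT` is a constructed stand-in: only the 39-vendor count comes from the journal, and the scoring thresholds are my own choice.

```python
"""Hash a sample, look it up in VirusTotal, and fold vendor consensus and
sandbox observations into one assessment. Added example; the report and
thresholds are constructed, not the journal's actual data."""
import hashlib
import json
import urllib.request
from collections import Counter

VT_FILES_URL = "https://www.virustotal.com/api/v3/files/{}"
# Sandbox behaviour labels treated as high risk (assumption, matched case-insensitively).
RISKY_BEHAVIOURS = {"encrypts files", "deletes shadow copies", "c2 beacon", "persistence"}


def file_hashes(data: bytes) -> dict:
    """All three digests analysts usually record for a sample."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def vt_fetch(sha256: str, api_key: str, timeout: int = 20) -> dict:
    """Live lookup against the v3 files endpoint; requires a key and network."""
    req = urllib.request.Request(VT_FILES_URL.format(sha256), headers={"x-apikey": api_key})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def summarize_report(report: dict) -> dict:
    """Reduce a v3 file object to the fields worth putting in the journal."""
    attrs = report["data"]["attributes"]
    stats = attrs.get("last_analysis_stats", {})
    # Engines that timed out or do not support the type are not counted as a verdict.
    total = sum(stats.get(k, 0) for k in ("malicious", "suspicious", "undetected", "harmless"))
    labels = Counter(r["result"] for r in attrs.get("last_analysis_results", {}).values()
                     if r.get("category") == "malicious" and r.get("result"))
    malicious = stats.get("malicious", 0)
    return {"sha256": report["data"]["id"], "malicious": malicious,
            "suspicious": stats.get("suspicious", 0), "total": total,
            "detections": f"{malicious}/{total}",
            "top_labels": [label for label, _ in labels.most_common(3)],
            "type": attrs.get("type_description"), "tags": attrs.get("tags", [])}


def assess(summary: dict, sandbox_behaviours=()) -> dict:
    """Score vendor consensus (0-2) plus sandbox hits (0-2); thresholds are my choice."""
    ratio = summary["malicious"] / summary["total"] if summary["total"] else 0.0
    score = 2 if ratio >= 0.25 else 1 if summary["malicious"] >= 3 else 0
    hits = sorted(b for b in sandbox_behaviours if b.lower() in RISKY_BEHAVIOURS)
    score += min(len(hits), 2)
    verdict = "malicious" if score >= 3 else "suspicious" if score >= 1 else "no evidence"
    return {"ratio": round(ratio, 2), "sandbox_hits": hits, "score": score, "verdict": verdict}


def investigate(sha256: str, sandbox_behaviours=(), api_key=None, fetch=vt_fetch) -> dict:
    """Fetch, summarise and assess in one call; pass a stub `fetch` to run offline."""
    summary = summarize_report(fetch(sha256, api_key))
    summary["assessment"] = assess(summary, sandbox_behaviours)
    return summary


# Constructed report in the v3 shape; the 39 malicious verdicts echo the entry above.
SAMPLE_SHA256 = file_hashes(b"constructed sample, not real malware")["sha256"]
SAMPLE_REPORT = {"data": {"id": SAMPLE_SHA256, "type": "file", "attributes": {
    "type_description": "Win32 EXE", "tags": ["peexe", "ransomware"],
    "last_analysis_stats": {"malicious": 39, "suspicious": 1, "undetected": 30, "harmless": 2},
    "last_analysis_results": {
        "VendorA": {"category": "malicious", "result": "Ransom.Generic"},
        "VendorB": {"category": "malicious", "result": "Ransom.Generic"},
        "VendorC": {"category": "malicious", "result": "Trojan.Agent"},
        "VendorD": {"category": "undetected", "result": None},
    }}}}

if __name__ == "__main__":
    offline = investigate(SAMPLE_SHA256, ("encrypts files", "deletes shadow copies"),
                          fetch=lambda h, key: SAMPLE_REPORT)
    print(json.dumps(offline, indent=2))
```

Keeping the fetch injectable also makes it easy to plug in the other sources from the entry later; the assessment deliberately needs more than one kind of evidence before it calls a sample malicious, which is the point the entry makes about sources supporting each other.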
Journal Entry 005 – IP Allow List Automation
Date: 2025-05-24
Entry: 005
What I did: Wrote a Python script to clean an IP allow list by removing unauthorized entries. This aligns with Preparation and Containment.
Tools used: Python, VS Code
Tool work summary:
- Read and parsed a text-based allow list
- Compared entries against a defined remove_list
- Wrote the cleaned list back to the file to ensure unauthorized IPs were removed
Notes: This automation replaced a manual process that is easy to get wrong. It improved consistency and reduced risk when maintaining network access controls. It also sets a good base for future scheduled jobs or SOAR integration.
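An implementation of the same read, compare and write-back steps, added here as an example; it is a fresh rewrite of the idea, not the author's script. It goes further than the entry in three ways a production version needs: every entry is validated with `ipaddress` (so a typo cannot silently stay on the list), CIDR ranges in the remove list cover the individual addresses and smaller ranges inside them, and the file is replaced atomically so a crash mid-write cannot leave a half-written allow list. The file name, the addresses and the remove list are constructed.

```python
"""Clean an IP allow list against a remove list. Added example; the sample
list, the remove list and the file name are constructed."""
import ipaddress
import os
import tempfile

# Constructed allow list with a comment, an inline comment, a range, a typo and an IPv6 entry.
SAMPLE_ALLOW_LIST = """\
# authorised source addresses (constructed sample)
192.168.205.12
192.168.97.225   # vendor VPN
192.168.158.170
192.168.132.228
10.0.0.16/28
not-an-ip
fe80::1
"""
# Entries that are no longer authorised; a /24 here removes any address or range inside it.
REMOVE_LIST = ["192.168.97.225", "192.168.158.170", "10.0.0.0/24"]


def parse_entry(text: str):
    """Return an ip_network for a host or CIDR string, or None if it is not an address."""
    try:
        return ipaddress.ip_network(text, strict=False)  # a bare host becomes a /32 or /128
    except ValueError:
        return None


def clean_allow_list(lines, remove_list):
    """Return (kept_lines, removed_entries, invalid_lines).

    Blank lines and comments are kept as they are; entries covered by any
    network in remove_list are dropped; unparsable entries are dropped and
    reported so a typo cannot survive as a stale line."""
    remove_nets = []
    for item in remove_list:
        net = parse_entry(item)
        if net is None:
            raise ValueError(f"invalid remove_list entry: {item!r}")
        remove_nets.append(net)
    kept, removed, invalid = [], [], []
    for raw in lines:
        line = raw.rstrip("\r\n")
        entry = line.split("#", 1)[0].strip()
        if not entry:
            kept.append(line)
            continue
        net = parse_entry(entry)
        if net is None:
            invalid.append(line)
            continue
        if any(net.version == r.version and net.subnet_of(r) for r in remove_nets):
            removed.append(entry)
            continue
        kept.append(line)
    return kept, removed, invalid


def update_file(path: str, remove_list) -> tuple:
    """Rewrite the allow list in place, atomically; returns (removed, invalid)."""
    with open(path, encoding="utf-8") as f:
        kept, removed, invalid = clean_allow_list(f.readlines(), remove_list)
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".allow_list.")
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as f:
            f.write("\n".join(kept) + ("\n" if kept else ""))
        os.replace(tmp, path)  # readers see either the old file or the new one, never a partial
    except BaseException:
        os.unlink(tmp)
        raise
    return removed, invalid


def demo() -> dict:
    """Run update_file against a temporary copy of the constructed list."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "allow_list.txt")
        with open(path, "w", encoding="utf-8") as f:
            f.write(SAMPLE_ALLOW_LIST)
        removed, invalid = update_file(path, REMOVE_LIST)
        with open(path, encoding="utf-8") as f:
            return {"removed": removed, "invalid": invalid, "final": f.read().splitlines()}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

For a scheduled job or SOAR action the `removed` and `invalid` lists are the audit record to log, and the remove list should come from the access-control source of truth rather than a hard-coded constant.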
Final Reflections
This journal captures my hands-on learning in a structured and repeatable way. Mapping the work to the NIST IR Lifecycle helped me understand incident response as a process, from identifying issues to responding and learning from them.
What I gained:
- More confidence using tools like Suricata, Splunk, Wireshark, Nmap, and VirusTotal
- Better ability to write detection rules and queries
- A stronger habit of documenting investigations clearly
- A clearer understanding of how to isolate threats, identify attackers, and respond in a consistent way
I will keep building on this journal over time and use it both as a learning record and as a portfolio piece.
Thanks for reading. If you want to see more practical incident response case studies, I will share more in future posts. You can also connect with me on LinkedIn.