Time to put your skills to work! You'll investigate a real phishing attack - exactly what SOC analysts do every day.
📖 What You'll Learn
Investigate a phishing email step-by-step
Use WHOIS, proxy logs, and auth logs
Make decisions during an active incident
Palo Alto Networks Cybersecurity Academy
⚡Your First Case
📨 Alert Received (200 alerts in queue)
⚠️SECURITY ALERT: Suspicious Email Reported
Alert ID: SEC-2024-0847
Type: Phishing Email
Reported By: Sarah Thompson (Marketing)
Time: 9:23 AM
Status: Unassigned
📧 Email Analysis
🛡 Safe Analysis Environment
This is a forensic copy of the suspicious email, displayed in a secure sandbox. Nothing you click here will actually execute - you're safely analyzing the evidence. Click on the highlighted elements to reveal what makes them suspicious.
🔍 Email Forensic Viewer (Read-Only Copy)
From: IT Support <support@acme-verify.com>
To: All Employees
Subject: URGENT: Your password expires in 24 hours - Action Required!
Date: Today, 8:47 AM
Dear Employee,
Your corporate password will expire in 24 hours. To avoid being locked out of your account, please verify your credentials immediately.
Failure to act may result in loss of access to all company systems.
Based on your analysis, what is the MOST suspicious indicator that this is a phishing email?
Please analyze all 3 suspicious elements first (sender, subject, and the red button in the email).
🔍 WHOIS Domain Lookup
📄 WHOIS LOOKUP: acme-verify.com
Domain Name: acme-verify.com
Registrar: NameCheap Inc.
Registration Date: Yesterday (1 day ago)
Registrant: REDACTED FOR PRIVACY
Country: Russia
⚠️ Critical Finding: Fake Domain
This domain was registered just yesterday, from Russia, with privacy protection enabled. Legitimate IT departments don't create new domains - they use the company's existing domain. This is definitely a phishing attack.
📜 Web Proxy Log Search
📁 Web Proxy Logs - acme-verify.com
09:12:34 | sarah.thompson | GET acme-verify.com/verify | 200 OK
09:15:22 | lisa.chen | GET acme-verify.com/verify | 200 OK
09:41:18 | mike.torres | GET acme-verify.com/verify | 200 OK
09:41:45 | mike.torres | POST acme-verify.com/login | 200 OK
⚠️ Finding: 3 Users Clicked the Link
Sarah and Lisa visited the page (GET request) but didn't submit anything. However, Mike Torres has a POST request - he submitted data to the fake login page!
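The GET-versus-POST triage described above, as an added example that is not part of the Academy's course material: a Python script that parses the four proxy log lines shown on the page (embedded here as constructed input) and separates users who only loaded the fake page from those who submitted form data to it. The log layout, the regex and the function names are assumptions for this example.

```python
import re
from datetime import datetime

# Constructed sample input: the four proxy log lines from the Module 4 scenario.
PROXY_LOG = """\
09:12:34 | sarah.thompson | GET acme-verify.com/verify | 200 OK
09:15:22 | lisa.chen | GET acme-verify.com/verify | 200 OK
09:41:18 | mike.torres | GET acme-verify.com/verify | 200 OK
09:41:45 | mike.torres | POST acme-verify.com/login | 200 OK
"""

# Assumed "time | user | METHOD host/path | status" layout; real proxies differ.
LINE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}) \| (?P<user>\S+) \| "
    r"(?P<method>[A-Z]+) (?P<host>[^/\s]+)(?P<path>\S*) \| (?P<status>\d{3})"
)

def parse_proxy_log(text):
    """Turn raw proxy log text into event dicts; non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["time"] = datetime.strptime(ev["time"], "%H:%M:%S").time()
            events.append(ev)
    return events

def triage_clicks(events, phishing_domain):
    """Per user: GET = loaded the fake page, POST/PUT = sent form data to it.
    Returns {user: {"viewed": bool, "submitted": bool, "first_seen": time}}."""
    users = {}
    for ev in events:
        if ev["host"].lower() != phishing_domain.lower():
            continue
        rec = users.setdefault(
            ev["user"], {"viewed": False, "submitted": False, "first_seen": ev["time"]}
        )
        if ev["method"] == "GET":
            rec["viewed"] = True
        elif ev["method"] in ("POST", "PUT"):
            rec["submitted"] = True
    return users

def credential_exposure_candidates(events, phishing_domain):
    """Users who submitted data: treat their credentials as compromised
    (password reset + session kill in the containment playbook)."""
    users = triage_clicks(events, phishing_domain)
    return sorted(user for user, rec in users.items() if rec["submitted"])
```

Viewed-only users still need a phishing awareness follow-up, but only the submitted list feeds the containment steps.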
Someone in Russia is using Mike's credentials RIGHT NOW! They logged in just 6 minutes after Mike entered his password on the phishing site. They're already accessing his email and downloading files.
🤔 You've confirmed this is a real incident. What should you do next?
⚡ Phishing Response Playbook
🔒 Containment
Reset Password - "Changing the locks"
Kill Active Sessions - Force re-authentication
Block Attacker IP - Prevent return access
Quarantine Phishing Email - Protect other users
🗑 Eradication
Scan for Malware - Check endpoint for backdoors
🔄 Recovery
Restore Account Access - Re-enable with fresh credentials
MTTR (Mean Time to Respond): 52 minutes, from detection to response
📋 Investigation Timeline
8:47 AM - 📧 Phishing Email Sent: attacker sends email to all employees
9:12 AM - 👁 Sarah Clicks Link: views page but doesn't enter credentials
9:15 AM - 👁 Lisa Clicks Link: views page but doesn't enter credentials
9:23 AM - 🔔 Alert Generated (MTTD: 36 min): system detects suspicious email, creates alert
9:41 AM - 🔒 Mike Enters Credentials: submits username and password to fake site
9:47 AM - 🚨 Attacker Logs In: Russian IP uses Mike's stolen credentials
10:15 AM - ✅ Incident Resolved (MTTR: 52 min): containment, eradication, and recovery complete
36 min - MTTD (Mean Time to Detect): from phishing email to alert
52 min - MTTR (Mean Time to Respond): from detection to response
199 - Alerts still waiting: manual analysis is slow...
28 min - Attacker access time: from login to lockout
⚡ Incident Responder Certificate (Silver Level) - Security Operations Fundamental Series, Module 4
🏆 Congratulations!
You've successfully completed your first phishing investigation! You learned how to:
Analyze suspicious emails for phishing indicators
Use WHOIS to investigate suspicious domains
Search web proxy logs to find who clicked malicious links