gaurav kundu

SOC Workflow: How I Investigate a Phishing Alert (Step-by-Step)

Phishing alerts are one of the most common — and most time-consuming — tasks in a SOC.

But the problem is not the alert itself.

The problem is the lack of a structured workflow.

Without a clear process, analysts:

  • Miss important signals
  • Waste time switching tools
  • Produce inconsistent results

So here’s the exact step-by-step workflow I use to investigate a phishing alert.


🧠 Step 1: Initial Triage

Start with the basics:

  • Who reported the email?
  • Internal or external sender?
  • Subject line / urgency indicators
  • Any attachments or links?

👉 Goal: Quickly understand if this is likely phishing or just noise


🔗 Step 2: Extract Indicators (IOCs)

Pull all possible IOCs:

  • Sender email address
  • Domain
  • URLs
  • File hashes (attachments)

👉 This becomes your investigation base


🌐 Step 3: Reputation Check

Check:

  • VirusTotal
  • MalwareBazaar
  • URL reputation tools

Look for:

  • Known malicious domains
  • Newly registered domains
  • Low reputation signals

🧪 Step 4: Email Analysis

Analyze headers:

  • SPF / DKIM / DMARC status
  • Sender spoofing
  • Reply-to mismatch

Check for:

  • Impersonation attempts
  • Display name abuse
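
As an added example (not code from the original post), the Python below pulls the Step 2 IOCs and runs the Step 4 header checks on one message in a single pass, so both steps work from the same parsed object. The message is constructed: example.com stands in for the protected organisation and the .invalid domains are placeholders for attacker infrastructure; the Authentication-Results line is assumed to have been stamped by your own MX.

```python
import email
import hashlib
import re
from email import policy

# Constructed sample, not a real campaign: example.com is the protected org,
# the .invalid domains stand in for the attacker's infrastructure.
RAW_EMAIL = b"""\
From: "helpdesk@example.com" <alerts@examp1e-support.invalid>
Reply-To: recovery@mail-recover.invalid
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=examp1e-support.invalid; dkim=none; dmarc=fail header.from=examp1e-support.invalid
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Reset it here: http://examp1e-support.invalid/reset?u=user
--b1
Content-Type: application/octet-stream; name="invoice.pdf.exe"
Content-Disposition: attachment; filename="invoice.pdf.exe"

MZ-fake-binary-contents
--b1--
"""
URL_RE = re.compile(r"https?://[^\s<>\"']+")
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")  # results stamped by our own MX


def triage(raw: bytes) -> dict:
    # Step 2 (IOCs) and Step 4 (header red flags) from one parsed message
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = msg["From"].addresses[0]
    from_domain = sender.domain.lower()
    reply_to = msg["Reply-To"].addresses[0] if msg["Reply-To"] else None
    auth = dict(AUTH_RE.findall(str(msg.get("Authentication-Results", ""))))
    body = msg.get_body(preferencelist=("plain", "html"))
    attachments = [{"filename": p.get_filename(),  # SHA-256 feeds the Step 3 reputation check
                    "sha256": hashlib.sha256(p.get_payload(decode=True)).hexdigest()}
                   for p in msg.iter_attachments()]
    flags = []
    if "@" in sender.display_name and not sender.display_name.lower().endswith("@" + from_domain):
        flags.append("display name is an address on another domain (display-name abuse)")
    if reply_to and reply_to.domain.lower() != from_domain:
        flags.append("Reply-To domain differs from From domain")
    for mech in ("spf", "dkim", "dmarc"):  # anything but an explicit pass is a flag
        if auth.get(mech) != "pass":
            flags.append(f"{mech} did not pass ({auth.get(mech, 'missing')})")
    return {"sender": sender.addr_spec, "domain": from_domain,
            "reply_to": reply_to.addr_spec if reply_to else None,
            "urls": sorted(set(URL_RE.findall(body.get_content() if body else ""))),
            "attachments": attachments, "auth": auth, "flags": flags}
```

Calling `triage(RAW_EMAIL)` on the sample returns the sender, domain, URL and attachment hash as the investigation base, plus five flags; a legitimate message that passes all three mechanisms with a matching Reply-To returns an empty flag list.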

🖥️ Step 5: Endpoint Impact

Did the user:

  • Click the link?
  • Download attachment?
  • Execute anything?

Check EDR:

  • Process activity
  • PowerShell / script execution
  • Network connections

🔐 Step 6: Account Activity

Check identity logs:

  • Suspicious login attempts
  • MFA prompts
  • Impossible travel

👉 Especially important for credential phishing


📊 Step 7: Scope & Impact

Answer:

  • Is it isolated or widespread?
  • More users affected?
  • Any lateral movement?

🚨 Step 8: Response Actions

Depending on severity:

  • Block domain / URL
  • Quarantine email
  • Reset user credentials
  • Isolate endpoint (if needed)

📝 Step 9: Documentation

Always document:

  • Timeline
  • Indicators
  • Actions taken
  • Final verdict

👉 This improves future detection


⚡ Final Thought

SOC work becomes easier when you stop reacting to alerts…

…and start following repeatable workflows.

This is exactly why I started building structured workflows for investigations:

👉 https://socworkflows.com

It’s a growing library of step-by-step SOC workflows designed to reduce investigation time and improve consistency.


If you're a SOC analyst, I'd love to know:

👉 Do you follow a structured workflow or investigate ad-hoc?
