Analyst Note Sample – LetsDefend Event ID 278


Additional Info:
Investigation Date: 2/11/2026

Retrospective Note:
As of 6/18/2026, if revisiting this today, I would add to the 4th bullet in the synopsis that the investigation was done via an EDR solution, and would list the exact commands run by the attacker and the timestamps at which they were executed.
I would also point out, for the 6th bullet point, that I remotely RDP'd into the host and checked the script contents on the live host.
I would add the queries run on the SIEM to support the 7th and 8th bullet points, covering that no exfiltration traffic was seen leaving the victim host and that no lateral movement was observed.
And finally, the rationale for the closure: why it was a true positive. I confirmed unauthorized access via an SSH brute-force attack, followed by credential enumeration and decoding activity, which was tied to the alert trigger.

========== Title(s) ==========

SOC302 - Suspicious Base64 Encoding/Decoding Commands Detected

========== Alert Details ==========

EventID : 278
Event Time : Jul, 17, 2024, 12:18 PM
Rule : SOC302 - Suspicious Base64 Encoding/Decoding Commands Detected
Level : Incident Responder
Hostname : Wilburn
Ip Address : 172.16.17.74

Command Line :
decoded = base64.b64decode(encoded)

Trigger Reason :
Detects suspicious use of Base64 encoding or decoding commands which could be used for data obfuscation.

========== Raw logs/Headers ==========

N/A

=============================================

  
==== OSINT/SandboxAnalysis/ThreatIntel/Artifacts/References ====

https://www.virustotal.com/gui/ip-address/143.244.44.163/detection
0/94
As of 2/11/2026, no vendors mark the IP as malicious, but the Relations tab shows a history of communication with malicious files.

https://www.abuseipdb.com/check/143.244.44.163
IP has a history of abuse reports for malicious activity.

Internal threat intelligence returned no results; recommend adding the artifacts below (attacker IP and decoded file hashes).

Decoded File hash:

md5sum decoded_file.txt 
d15ebd5d4016e9099d2ba47107887f3a  decoded_file.txt
sha1sum decoded_file.txt 
3c535e4050cf5f711fae9d6793366bee8e828e29  decoded_file.txt
sha256sum decoded_file.txt 
364929ca5c536a03370f0cb8d2207ae466046a8cbe1424cad268c0feb0a63159

========== Historical Analysis ==========

L1 Note :
Minutes before the alert, I saw a brute-force attempt with different users from the IP 143.244.44.163 towards the system. However, I could not determine whether this attack was successful or not.

========== Queries Ran ==========

SIEM queries on the attacker IP 143.244.44.163 returned the SSH brute-force attack against the host. No callback (outbound) traffic from the host to that IP was observed.
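The check the L1 note could not complete (did the brute force succeed?) is a correlation of failed and accepted SSH logins per source IP. The following is an added example, not part of the original analyst note or the LetsDefend platform: it parses constructed OpenSSH auth log lines (the sample below is made up to mirror the case, not the real telemetry) and flags any source IP whose accepted login was preceded by a burst of failures. The threshold and window values are assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of OpenSSH auth log lines mirroring the case (not real telemetry).
SAMPLE_AUTH_LOG = """\
Jul 17 06:41:02 Wilburn sshd[2201]: Failed password for invalid user admin from 143.244.44.163 port 51200 ssh2
Jul 17 06:41:05 Wilburn sshd[2203]: Failed password for invalid user oracle from 143.244.44.163 port 51204 ssh2
Jul 17 06:41:09 Wilburn sshd[2205]: Failed password for root from 143.244.44.163 port 51210 ssh2
Jul 17 06:42:30 Wilburn sshd[2210]: Failed password for analyst from 143.244.44.163 port 51230 ssh2
Jul 17 06:43:12 Wilburn sshd[2212]: Failed password for analyst from 143.244.44.163 port 51240 ssh2
Jul 17 06:44:00 Wilburn sshd[2215]: Accepted password for analyst from 143.244.44.163 port 51250 ssh2
Jul 17 06:50:11 Wilburn sshd[2300]: Accepted publickey for svc_backup from 10.0.0.5 port 40000 ssh2
Jul 17 07:10:00 Wilburn sshd[2400]: Failed password for test from 198.51.100.7 port 2222 ssh2
"""

# Matches both "Failed password for invalid user X" and "Accepted publickey for X".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_auth_log(text, year=2024):
    """Turn syslog-style sshd lines into event dicts (syslog omits the year, so it is supplied)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated sshd/syslog lines are skipped
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({
            "ts": ts, "host": m["host"], "result": m["result"],
            "method": m["method"], "user": m["user"], "src": m["src"],
        })
    return events


def find_bruteforce_then_success(events, threshold=3, window_minutes=10):
    """For each source IP, report an Accepted login preceded by >= threshold
    failures within window_minutes. threshold/window are assumed tuning values."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_src[e["src"]].append(e)

    findings = []
    for src, evs in by_src.items():
        failures = []
        for e in evs:
            if e["result"] == "Failed":
                failures.append(e)
                continue
            window_start = e["ts"] - timedelta(minutes=window_minutes)
            recent = [f for f in failures if f["ts"] >= window_start]
            if len(recent) >= threshold:
                findings.append({
                    "src": src,
                    "host": e["host"],
                    "user": e["user"],
                    "login_ts": e["ts"],
                    "failed_attempts": len(recent),
                    "users_tried": sorted({f["user"] for f in recent}),
                })
    return findings


if __name__ == "__main__":
    for f in find_bruteforce_then_success(parse_auth_log(SAMPLE_AUTH_LOG)):
        print(f"{f['src']} -> {f['host']} as {f['user']} at {f['login_ts']} "
              f"after {f['failed_attempts']} failures (users tried: {', '.join(f['users_tried'])})")
```

The same correlation expressed as a SIEM query (count of failed logins per source IP, joined to accepted logins from that IP in the following minutes) is what the retrospective note says should have been pasted in to support the brute-force bullet; the successful `analyst` login is the finding that turns the L1 note's "could not determine" into a confirmed compromise.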

========== Synopsis ==========

> L1 analyst handover notes pointed out that a brute-force attack was detected before this event was triggered.
> Verification of the brute-force attack on the date of the event confirms a successful SSH login to the Wilburn host (172.16.17.74) from the attacker IP 143.244.44.163 at Jul 17, 2024, 06:44 AM using the analyst account.
> Performed OSINT on the offending IP, taking note of its history.
> Investigation of the endpoint shows enumeration activity performed by the unauthorized individual: system architecture and OS version, groups present on the system, the passwd database, and file searches for keywords such as "password" and other sensitive strings.
> EDR terminal history shows the intruder using Python to decode a file with Base64-encoded content.
> Investigation of the endpoint shows the decoded content to be IPs, usernames, and passwords.
> SIEM and EDR telemetry show no exfiltration of the sensitive data, but the individual was still able to access it.
> Telemetry indicates that Wilburn is the only affected system. No sign of lateral movement or attacker expansion on the network.
> Isolated the affected system. Recommend rotating the user password and replacing the SSH keys.

========== Closure Code ==========

True Positive