Falcon ‐ Triage examples - mluchettii/github-wiki-mluchetti GitHub Wiki
Triage Template
This template can be used to triage security events:
Description:
Date:
Time Quarantined:
Source IP:
Destination IP:
IP Address:
User:
File Path:
Filenames:
SHA-1:
SHA-256:
MD5:
Analysis:
Triage Example 1
Description: msedge.exe on LENOVO by marcos
Date: Jun. 20, 2025
Time Quarantined: 10:57:39
Source IP: N/A
Destination IP: N/A
IP Address: xx.xxx.xxx.xxx
User: marcos
File Path: \Device\HarddiskVolume3\Users\marcos\Downloads\Zika.exe
Filenames: Zika.exe
SHA-1: 86165eb8eb3e99b6efa25426508a323be0e68a44
SHA-256: 1a904494bb7a21512af6013fe65745e7898cdd6fadac8cb58be04e02346ed95f
MD5: 40228458ca455d28e33951a2f3844209
Analysis: Malicious executable file (Zika.exe) detected on host LENOVO under user "marcos" (IP address xx.xxx.xxx.xxx). The file was detonated in an AnyRun VM and received a threat score of 100%. The malicious file was quarantined and then deleted by the analyst.
CLOSED | TRUE POSITIVE | DELETED
Triage Example 2
Description: wscript.exe on LENOVO by marcos
Date: Jun. 18, 2025
Time Quarantined: 13:27:21
Source IP: N/A
Destination IP: N/A
IP Address: xx.xxx.xxx.xxx
User: marcos
File Path: \Device\HarddiskVolume3\Windows\System32\wscript.exe
Triggering Indicator: "C:\WINDOWS\System32\WScript.exe" "C:\Users\marcos\Downloads\Pleh.vbs"
Filenames: wscript.exe, Pleh.vbs
SHA-1: e13989a5ba4dba2cbc7c2a779b06f381266c32c7
SHA-256: dc98a3995c8c9db2897b3dcd603d0a55e9d6b42cb3900f9b5666dbb461172197
MD5: 55cde934290e89ae29f92ff118b6280c
Analysis: Malicious script execution detected and prevented on host LENOVO under user "marcos" (IP address xx.xxx.xxx.xxx). The script attempted to tamper with the Falcon sensor. The VBS script file is detected as a malicious worm by 47/61 engines on VirusTotal. The file was quarantined and then deleted by the analyst.
CLOSED | TRUE POSITIVE | DELETED
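The following script is an added example and is not part of this wiki or of Falcon. It serves two parts of this page: it parses a record written in the triage template above and checks that the SHA-1, SHA-256 and MD5 fields are well-formed digests, and it applies a simple analyst heuristic to the Triggering Indicator from Example 2 (a Windows script host launching a script from a user-writable folder). The list of script hosts, script extensions, user-writable folders and the disposition labels (FIX RECORD / ESCALATE / REVIEW) are assumptions made for this example, not Falcon settings; the sample record is constructed from the values shown in Example 2.

```python
import re

# Digest lengths for the template's hash fields (hex characters).
HASH_PATTERNS = {
    "MD5": re.compile(r"^[0-9a-f]{32}$", re.IGNORECASE),
    "SHA-1": re.compile(r"^[0-9a-f]{40}$", re.IGNORECASE),
    "SHA-256": re.compile(r"^[0-9a-f]{64}$", re.IGNORECASE),
}

# Windows script hosts, script extensions and user-writable folders that,
# combined, describe the pattern in Triage Example 2 (wscript.exe running a
# .vbs from Downloads). These lists are assumptions for this example only.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXTENSIONS = (".vbs", ".vbe", ".js", ".jse", ".wsf")
USER_WRITABLE_DIRS = ("\\downloads\\", "\\appdata\\local\\temp\\", "\\desktop\\")

# One command-line token: either a double-quoted string or a bare word.
_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def parse_triage(text):
    """Parse 'Field: value' lines of the triage template into a dict.

    Only the first ':' splits a line, so times (13:27:21) and quoted
    Windows command lines keep their own colons.
    """
    record = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip():
            record[key.strip()] = value.strip()
    return record


def validate_hashes(record):
    """Return the names of hash fields whose value is not a well-formed digest."""
    bad = []
    for name, pattern in HASH_PATTERNS.items():
        value = record.get(name, "")
        if value and value.upper() != "N/A" and not pattern.match(value):
            bad.append(name)
    return bad


def split_command_line(cmdline):
    """Split a Windows command line on whitespace while honouring double quotes."""
    return [quoted or bare for quoted, bare in _TOKEN.findall(cmdline)]


def script_host_indicators(cmdline):
    """List the reasons a script-host command line deserves analyst attention."""
    tokens = split_command_line(cmdline)
    if not tokens:
        return []
    # Basename of the launched executable, case-folded.
    exe = tokens[0].replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if exe not in SCRIPT_HOSTS:
        return []
    reasons = [f"script host {exe} launched"]
    for arg in tokens[1:]:
        low = arg.lower()
        if low.endswith(SCRIPT_EXTENSIONS):
            reasons.append(f"script argument {arg}")
            if any(folder in low for folder in USER_WRITABLE_DIRS):
                reasons.append(f"script in user-writable folder: {arg}")
    return reasons


def triage(text):
    """Run the template checks and summarise a disposition for the analyst."""
    record = parse_triage(text)
    bad_hashes = validate_hashes(record)
    indicators = script_host_indicators(record.get("Triggering Indicator", ""))
    if bad_hashes:
        disposition = "FIX RECORD"   # hashes must be corrected before closing
    elif indicators:
        disposition = "ESCALATE"     # script-host pattern seen in Example 2
    else:
        disposition = "REVIEW"       # nothing automatic; analyst judgement
    return {"record": record, "bad_hashes": bad_hashes,
            "indicators": indicators, "disposition": disposition}


# Constructed sample: the fields of Triage Example 2 as given on this page.
EXAMPLE_2 = r"""Description: wscript.exe on LENOVO by marcos
Date: Jun. 18, 2025
Time Quarantined: 13:27:21
Source IP: N/A
Destination IP: N/A
User: marcos
File Path: \Device\HarddiskVolume3\Windows\System32\wscript.exe
Triggering Indicator: "C:\WINDOWS\System32\WScript.exe" "C:\Users\marcos\Downloads\Pleh.vbs"
Filenames: wscript.exe, Pleh.vbs
SHA-1: e13989a5ba4dba2cbc7c2a779b06f381266c32c7
SHA-256: dc98a3995c8c9db2897b3dcd603d0a55e9d6b42cb3900f9b5666dbb461172197
MD5: 55cde934290e89ae29f92ff118b6280c
"""

if __name__ == "__main__":
    result = triage(EXAMPLE_2)
    print(result["disposition"])
    for reason in result["indicators"]:
        print(" -", reason)
```

Running the script on the Example 2 record prints ESCALATE followed by the three reasons (script host launched, a .vbs argument, and that script sitting under Downloads); a record with a truncated or mistyped hash is reported as FIX RECORD so the indicator values are corrected before the case is closed.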