SOC L1 Alert Triage
Learn more about SOC alerts and build a systematic approach to efficiently triaging them.
easy
60 min
To access material, start machines and answer questions login.
An alert is a core concept for any SOC team, and knowing how to handle it properly ultimately decides whether a security breach is detected and prevented, or missed and devastating. This is an entry level but essential room for SOC L1 analysts to understand the concept and lifecycle of alerts, from event generation to correct resolution.
Learning Objectives
- Familiarise with the concept of SOC alert
- Explore alert fields, statuses, and classification
- Learn how to perform alert triage as an L1 analyst
- Practice with real alerts and SOC workflows
- Prepare for SOC Simulator and SAL1 certification
Prerequisites
- Understand common attacks on networks, Windows, and Linux
- Know SOC roles and duties, especially of L1 analysts
SOC Dashboard
You were granted access to the SOC dashboard in the TryHackMe SIEM, and you will need it to complete most of the tasks. Open the attached website in a separate window, familiarise yourself with it, and move on to the next task!
| Access | Granted |
| URL | SOC dashboard |
I am ready to start!
Imagine yourself as a SOC intern, looking at the monitor of your mentor, a SOC L1 or L2 analyst, and seeing hundreds of alerts appear, moving between statuses and eventually disappearing from some dashboard or console. You notice lots of alerts named "Email Marked as Phishing", a few "Unusual Gmail Login Location", and one scary "Unapproved Mimikatz Usage" inside a red column. What are these alerts, how are they formed, and what should we do with them? Let's find out!
From Events to Alerts
First, an event must occur, like user login, process launch, or file download. Then, the system, like your OS, a firewall, or a cloud provider must log the event. After that, all system logs must be shipped to a security solution like SIEM or EDR. The SOC team can receive millions of logs per day from thousands of different systems, where most of the events are expected, but some require attention. Alert, a notification generated by a security solution when a specific event or sequence of events occurs, is what saves SOC analysts from manual log review by highlighting only suspicious, anomalous events. With alerts, analysts triage just dozens of alerts per day instead of millions of raw logs.
Alert Management Platforms
| Solution | Examples | Description |
|---|---|---|
| SIEM System |
Splunk ES, Elastic |
SIEM have solid alert management capabilities and are a perfect choice for most SOC teams |
| EDR or NDR |
MS Defender, CrowdStrike |
While EDR and NDR provide their own alert dashboards, it is preferred to use SIEM or SOAR |
| SOAR System |
Splunk SOAR, Cortex SOAR |
Bigger SOC teams can use SOAR to aggregate and centralise alerts from multiple solutions |
| ITSM System |
Jira, TheHive |
Some teams may have a custom ticket management (ITSM) setup using a dedicated solution (The GIF above is taken from Trello, a simple tool that can be adapted to ITSM needs) |
L1 Role in Alert Triage
SOC L1 analysts are the first line of defence, and they are the ones who work with alerts the most. Depending on various factors, L1 analysts may receive zero to a hundred alerts a day, every one of which can reveal a cyberattack. Still, everyone in the SOC team is somehow involved in the alert triage:
- SOC L1 analysts: Review the alerts, distinguish bad from good, and notify L2 analysts in case of a real threat
- SOC L2 analysts: Receive the alerts escalated by L1 analysts and perform deeper analysis and remediation
- SOC engineers: Ensure the alerts contain enough information required for efficient alert triage
- SOC manager: Track speed and quality of alert triage to ensure that real attacks won't be missed
What is the number of alerts you see in the SOC dashboard?
What is the name of the most recent alert you see?
Now that you know how alerts are generated, it's time to review their content. While the details differ for every SIEM or security solution, the alerts generally have a few main properties you must understand before taking them. Don't worry if you find some confusing, as you will hear more about some in the upcoming tasks.
Alert Properties
| â„– | Property | Description | Examples |
|---|---|---|---|
| 1 | Alert Time | Shows alert creation time. Alert usually triggers a few minutes after the actual event |
|
| 2 | Alert Name | Provides a summary of what happened, based on the detection rule's name |
|
| 3 | Alert Severity | Defines the urgency of the alert, initially set by detection engineers, but can be altered by analysts if needed |
|
| 4 | Alert Status | Informs if somebody is working on the alert or if the triage is done |
|
| 5 | Alert Verdict | Also called alert classification, explains if the alert is a real threat or noise |
|
| 6 | Alert Assignee | Shows the analyst that was assigned or assigned themselves to review the alert |
|
| 7 | Alert Description | Explains what the alert is about, usually in three sections on the right |
|
| 8 | Alert Fields | Provides SOC analysts' comments and values on which the alert was triggered |
|
What was the verdict for the "Unusual VPN Login Location" alert?
What user was mentioned in the "Unusual VPN Login Location" alert?
Okay, you can now read and understand the alert. What's next? Recall the second task, where you see hundreds of alerts but have to choose which to pick up first. The process of deciding which to take is called Alert Prioritisation, and it is crucial to ensure timely detection of a threat, especially with many alerts in the queue.
Picking the Right Alert
Every SOC team decides on its own prioritisation rules and usually automates them by setting the appropriate alert sorting logic in SIEM or EDR. Below, you may see the generic, simplest, and most commonly used approach:
- Filter the alerts
Make sure you don't take the alert that other analysts have already reviewed, or that is already being investigated by one of your teammates. You should only take new, yet unseen and unresolved alerts. - Sort by severity
Start with critical alerts, then high, medium, and finally low. This is because detection engineers design rules so that critical alerts are much more likely to be real, major threats and cause much more impact than medium or low ones. - Sort by time
Start with the oldest alerts and end with the newest ones. The idea is that if both alerts are about two breaches, the hacker from the older breach is likely already dumping your data, while the "newcomer" has just started the discovery.
Should you first prioritise medium over low severity alerts? (Yea/Nay)
Should you first take the newest alerts and then the older ones? (Yea/Nay)
Assign yourself to the first-priority alert and change its status to In Progress.
The name of your selected alert will be the answer to the question.
Finally, you are ready to review the chosen alert! The process is quite operationally heavy, but you will soon see why every step is important. Also, note that the alert review by SOC analysts can also be called alert triage, alert handling, alert processing, alert investigation, or alert analysis. During this module, we will stick to the Alert Triage option.
Initial Actions
The initial steps are designed to ensure that you take ownership of the assigned alert and avoid interfering with alerts being handled by other analysts, and confirm that you are fully prepared to proceed with the detailed investigation. You achieve it by first assigning the alert to yourself, moving it to In Progress, and then familiarising yourself with the alert details like its name, description, and key indicators.
Investigation
This is the most complex step, requiring you to apply your technical knowledge and experience to understand the activity and properly analyse its legitimacy in SIEM or EDR logs. To support L1 analysts with this step, some teams develop Workbooks (also known as playbooks or runbooks) - instructions on how to investigate the specific category of alerts. If workbooks are not available, below are some key recommendations:
- Understand who is under threat, like the affected user, hostname, cloud, network, or website
- Note the action described in the alert, like whether it was a suspicious login, malware, or phishing
- Review surrounding events, looking for suspicious actions shortly after or before the alert
- Use threat intelligence platforms or other available resources to verify your thoughts
Final Actions
Your decisions here determine whether you found or missed the potential cyberattack. Some actions like Escalation or Commenting will be explained in the following rooms, so don't worry if they sound complex right now. First, decide if the alert you investigated is malicious (True Positive) or not (False Positive). Then, prepare your detailed comment explaining your analysis steps and verdict reasoning, return to the dashboard and move it to the Closed status.
SOC Dashboard Notes
If you didn't receive a flag after your triage, it means that the values you set are wrong.
You can reset the SOC dashboard by clicking Restart on the top right in the TryHackMe SIEM.
Which flag did you receive after you correctly triaged the first-priority alert?
Which flag did you receive after you correctly triaged the second-priority alert?
Which flag did you receive after you correctly triaged the third-priority alert?
Congratulations on successfully triaging the alerts! Of course, closing the alert as True Positive won't prevent the attack, but it is a great start. Next, you will learn about proper alert commenting and case reporting, correct escalation procedures, and actions made by L2 analysts after the escalation. We hope you enjoyed the room!
I am ready to move on!
Created by
Room Type
Free Room. Anyone can deploy virtual machines in the room (without being subscribed)!
Users in Room
8,561
Created
121 days ago
Ready to learn Cyber Security? Create your free account today!
TryHackMe provides free online cyber security training to secure jobs & upskill through a fun, interactive learning environment.
Already have an account? Log in