[THM Walkthrough] SOC L1 Alert Reporting
This is a full walkthrough with answers and explanations for the TryHackMe room "SOC L1 Alert Reporting".
Link to the room: https://tryhackme.com/room/socl1alertreporting.
[Task 2] Alert Funnel
What is the process of passing suspicious alerts to an L2 analyst for review?
Alert Escalation
Alert Escalation: If the True Positive alert requires additional actions or deeper investigation, escalate it to the L2 analyst for further review following the agreed procedures.
What is the process of formally describing alert details and findings?
Alert Reporting
Alert Reporting: Before closing or passing the alert to L2, you might have to report it. Depending on team standards and alert severity, instead of a short alert comment, you can be required to document your investigation in detail, ensuring all relevant evidence is included.
[Task 3] Reporting Guide
According to the SOC dashboard, which user email leaked the sensitive document?
m.boslan@tryhackme.thm
Check the details of the alert “Sensitive Document Share to External” in the SOC dashboard.
Looking at the new alerts, who is the “sender” of the suspicious, likely phishing email?
support@microsoft.com
Check the details of the alert “Email Marked as Phishing after Delivery” in the SOC dashboard.
Open the phishing alert, read its details, and try to understand the activity. Using the Five Ws template, what flag did you receive after writing a good report?
THM{nice_attempt_faking_microsoft_support}
Check the details of the alert “Email Marked as Phishing after Delivery” in the SOC dashboard, and fill in the report using the Five Ws (Who, What, When, Where, Why).
[Task 4] Escalation Guide
Who is your current L2 in the SOC dashboard that you can assign (escalate) the alerts to?
E.Fleming
Check the “Assignee” column in the SOC dashboard.
What flag did you receive after correctly escalating the alert from the previous task to L2? Note: If you correctly escalated the alert earlier, just edit the alert and click “Save” again.
THM{good_job_escalating_your_first_alert}
Change the “Assignee” column value to E.Fleming and keep the alert “in progress”.
Now, investigate the second new alert in the queue and provide a detailed alert comment. Then, decide if you need to escalate this alert and move on according to the process. After you finish your triage, you should receive a flag, which is your answer!
THM{looks_like_webshell_via_old_exchange}
Write the report for the alert “Spike of Domain Discovery Commands”, again following the Five Ws template, then escalate it to L2.
[Task 5] SOC Communication
Should you first try to contact your manager in case of a critical threat (Yea/Nay)?
Nay
Contact your L2 first; they decide whether the manager needs to be involved.
Should you immediately contact your L2 if you think you missed the attack (Yea/Nay)?
Yea
Keep prioritising the alerts according to the workflow, but inform the L2 on shift about the situation immediately.