Beginner SOC SIEM Detection

SOC Alert Triage

โฑ 45โ€“60 minutes
๐ŸŽฏ Beginner
๐Ÿ“ฅ VirtualBox OVA
๐Ÿ”ง Splunk Free, Wireshark

Your first day as a Tier-1 SOC analyst. A Splunk dashboard is firing alerts — your job is to triage them, separate noise from real threats, and document your findings.

🧪 Lab Description

This lab simulates a real-world SOC scenario where you're handed a Splunk dashboard with multiple active alerts. You'll learn to triage efficiently, apply analyst methodology, and build confidence reading logs and PCAP data.

The lab environment includes a pre-configured Splunk instance loaded with Windows Event Logs, network traffic data, and simulated alert rules — all based on real detection logic.

🎯 Learning Objectives

  • Understand the alert triage workflow used in enterprise SOCs
  • Identify true positives vs false positives using evidence correlation
  • Navigate and query Splunk using basic SPL (Search Processing Language)
  • Analyze Windows Event Logs for suspicious authentication activity
  • Write a basic incident ticket / triage report
  • Apply the MITRE ATT&CK framework to categorize observed behaviour

📋 Prerequisites

  • Basic understanding of networking (IP, ports, protocols)
  • Familiarity with Windows Event Viewer (helpful but not required)
  • VirtualBox installed (version 6.1+)
  • 4GB RAM minimum for the VM (8GB recommended)

๐Ÿ“ Scenario

Date: 2024-11-15 09:14:33 UTC

You've just started your shift. Your SIEM shows 8 unresolved alerts from the past 2 hours. One alert is flagged HIGH priority — a potential data exfiltration from a finance workstation. Your task: triage all 8 alerts, escalate if necessary, and close false positives with justification.

# Alert Queue (simulated)
ALERT_001 [HIGH] - Outbound DNS query to suspicious TLD (.xyz)
ALERT_002 [MED]  - Multiple failed logins: FINANCE-WS-04
ALERT_003 [LOW]  - USB device insertion: FINANCE-WS-04
ALERT_004 [MED]  - PowerShell execution policy bypass
ALERT_005 [LOW]  - Scheduled task created by non-admin user
ALERT_006 [HIGH] - Large outbound transfer (>50MB) to unknown IP
ALERT_007 [LOW]  - Windows Defender update failed
ALERT_008 [MED]  - Lateral movement: SMB connection to DC

⚠ Walkthrough — Spoiler Alert

⚠ Try to complete the lab yourself first. The walkthrough is here if you're stuck.

Step 1: Boot the VM and open Splunk at http://localhost:8000. Default creds: admin / shewag123

Step 2: Navigate to the "SOC_TRIAGE" app dashboard. You'll see the alert queue pre-loaded.

Step 3: Start with ALERT_006 (HIGH - large outbound transfer). Run this SPL query:

index=network_logs src_ip="10.0.1.44" dest_port=443 | stats sum(bytes_out) as total_bytes by dest_ip | where total_bytes > 50000000 | sort -total_bytes

Step 4: ALERT_002 and ALERT_008 are correlated. The failed logins preceded SMB lateral movement — this is a real incident. Escalate.

Step 5: ALERT_007 is a false positive — Windows Defender update failures are common and benign without additional indicators. Close it.

Final answer: True positives: ALERT_001, 002, 004, 006, 008. False positives: 003, 005, 007. ALERT_002 and ALERT_008 should be escalated together as a Tier-2 incident.
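As an added example (not part of the lab or its Splunk content), the Step 3 and Step 4 logic re-implemented in Python over constructed log records, so you can see exactly what the SPL search and the failed-login-to-SMB correlation compute; the mapping of FINANCE-WS-04 to 10.0.1.44 and the DC address 10.0.0.5 are assumptions, not values from the lab dataset.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not the lab's dataset). Assumed: FINANCE-WS-04 is 10.0.1.44, the DC is 10.0.0.5.
NET_LOGS = [  # stands in for index=network_logs
    {"_time": "2024-11-15 08:02:10", "src_ip": "10.0.1.44", "dest_ip": "203.0.113.9", "dest_port": 443, "bytes_out": 31_000_000},
    {"_time": "2024-11-15 08:05:41", "src_ip": "10.0.1.44", "dest_ip": "203.0.113.9", "dest_port": 443, "bytes_out": 26_500_000},
    {"_time": "2024-11-15 08:06:00", "src_ip": "10.0.1.44", "dest_ip": "198.51.100.20", "dest_port": 443, "bytes_out": 4_000_000},
    {"_time": "2024-11-15 08:10:00", "src_ip": "10.0.1.51", "dest_ip": "203.0.113.9", "dest_port": 443, "bytes_out": 90_000_000},
    {"_time": "2024-11-15 08:40:12", "src_ip": "10.0.1.44", "dest_ip": "10.0.0.5", "dest_port": 445, "bytes_out": 12_000},
]
WIN_LOGS = [  # Windows Security log; 4625 = failed logon, 4624 = successful logon
    {"_time": "2024-11-15 08:31:05", "host": "FINANCE-WS-04", "EventCode": 4625, "user": "j.doe"},
    {"_time": "2024-11-15 08:31:09", "host": "FINANCE-WS-04", "EventCode": 4625, "user": "j.doe"},
    {"_time": "2024-11-15 08:31:14", "host": "FINANCE-WS-04", "EventCode": 4625, "user": "j.doe"},
    {"_time": "2024-11-15 08:31:30", "host": "FINANCE-WS-04", "EventCode": 4624, "user": "j.doe"},
    {"_time": "2024-11-15 08:50:00", "host": "HR-WS-02", "EventCode": 4625, "user": "a.lee"},
]
HOST_IP = {"FINANCE-WS-04": "10.0.1.44"}  # assumed asset-to-IP mapping

def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def large_outbound(net, src_ip="10.0.1.44", threshold=50_000_000):
    """Step 3 logic: sum bytes_out per dest_ip for HTTPS from src_ip, keep totals above threshold, sort descending."""
    totals = Counter()
    for e in net:
        if e["src_ip"] == src_ip and e["dest_port"] == 443:
            totals[e["dest_ip"]] += e["bytes_out"]
    return sorted(((ip, b) for ip, b in totals.items() if b > threshold), key=lambda x: -x[1])

def failed_logins_then_smb(win, net, host_ip, dc_ip, min_failures=3, window=timedelta(minutes=30)):
    """Step 4 correlation: at least min_failures 4625 events on a host, then an SMB (445) connection
    from that host to the DC within `window` of the last failure. Returns the matching hosts."""
    fails = defaultdict(list)
    for e in win:
        if e["EventCode"] == 4625:
            fails[e["host"]].append(ts(e["_time"]))
    hits = {}
    for host, times in fails.items():
        if len(times) < min_failures or host not in host_ip:
            continue  # below the burst threshold, or no IP to pivot on
        last_fail = max(times)
        for n in net:
            in_window = last_fail <= ts(n["_time"]) <= last_fail + window
            if n["src_ip"] == host_ip[host] and n["dest_ip"] == dc_ip and n["dest_port"] == 445 and in_window:
                hits[host] = {"failed_logons": len(times), "smb_to_dc_at": n["_time"]}
                break
    return hits
```

Only the single host that both failed to authenticate repeatedly and then reached the DC over SMB is reported; the HR workstation's lone failure never qualifies, which is the distinction that separates ALERT_002/008 from noise.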