🎯 From Suspicion to Confirmation: How I Caught a True Positive in a Live SOC Environment

Ashish Ghimire

Working as a Student SOC Analyst at LSU Shreveport has given me the chance to experience firsthand how real-world threat detection works, and recently I encountered my first true positive security incident, one that tested my analytical and investigative skills.


🚨 The Alert: Impossible Travel Detected

It all started with an alert in Splunk that flagged "Impossible Travel" activity. This means a single user account had two successful sign-ins from locations too far apart to be reached in the time between them; in this case, one from the U.S. and another from a foreign country, only minutes apart.


๐Ÿ” Investigating with Microsoft Entra ID

I pivoted to Microsoft Entra ID to review the sign-in logs and any post-compromise activity, and the deeper I looked, the more suspicious it became:

  • The browser and OS used were unfamiliar.

  • The device had never been seen associated with this account before.

  • Shortly after the login, the password was changed, which is a major red flag.

These behavioral indicators hinted at a potential account compromise.
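The detection and the correlation described above, as an added example that is not part of the original post and not the Splunk or Entra ID rule the author used. It computes the implied travel speed between consecutive sign-ins for each user, and for any pair that could not both be the legitimate user it checks the two indicators listed above: whether the device had been seen for that account before, and whether a password change followed the sign-in within a short window. The speed threshold, the 30-minute window, the user names, devices, coordinates and the audit activity name are all assumptions, and every event is constructed for the example.

```python
"""Added example: impossible-travel detection plus correlation with device
history and a follow-on password change. Illustrative logic only, not the
Splunk/Entra ID rule the post describes; all telemetry below is constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from math import asin, cos, radians, sin, sqrt

MAX_PLAUSIBLE_KMH = 900.0                   # assumption: roughly airliner speed
POST_LOGIN_WINDOW = timedelta(minutes=30)   # assumption: post-login lookback


@dataclass(frozen=True)
class SignIn:
    user: str
    ts: datetime
    city: str
    lat: float
    lon: float
    device_id: str
    user_agent: str


@dataclass(frozen=True)
class AuditEvent:
    user: str
    ts: datetime
    activity: str   # assumed audit activity name, e.g. "Change user password"


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres (mean Earth radius 6371 km)."""
    p1, p2 = radians(lat1), radians(lat2)
    a = (sin(radians(lat2 - lat1) / 2) ** 2
         + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * asin(sqrt(a))


def impossible_travel(signins):
    """Return (earlier, later, implied_kmh) for each pair of consecutive
    sign-ins by the same user whose implied speed exceeds MAX_PLAUSIBLE_KMH."""
    by_user = {}
    for s in sorted(signins, key=lambda s: s.ts):
        by_user.setdefault(s.user, []).append(s)
    hits = []
    for events in by_user.values():
        for a, b in zip(events, events[1:]):
            km = haversine_km(a.lat, a.lon, b.lat, b.lon)
            hours = (b.ts - a.ts).total_seconds() / 3600
            # Same-second sign-ins from different places are impossible too.
            kmh = km / hours if hours > 0 else (float("inf") if km > 0 else 0.0)
            if kmh > MAX_PLAUSIBLE_KMH:
                hits.append((a, b, kmh))
    return hits


def correlate(signins, audit_events, known_devices):
    """Enrich each impossible-travel hit with the indicators the post lists:
    was the device previously seen for this user, and was the password
    changed within POST_LOGIN_WINDOW after the suspect sign-in."""
    findings = []
    for a, b, kmh in impossible_travel(signins):
        seen = known_devices.get(a.user, set())
        # Prefer the sign-in from an unseen device as the suspect; if both
        # devices are known, fall back to the later one.
        suspect = next((s for s in (a, b) if s.device_id not in seen), b)
        pw_changed = any(
            e.user == suspect.user
            and e.activity == "Change user password"
            and suspect.ts <= e.ts <= suspect.ts + POST_LOGIN_WINDOW
            for e in audit_events
        )
        findings.append({
            "user": suspect.user,
            "suspect_city": suspect.city,
            "implied_kmh": round(kmh),
            "new_device": suspect.device_id not in seen,
            "password_changed_after_login": pw_changed,
            "user_agent": suspect.user_agent,
        })
    return findings


def run_demo():
    """Constructed sample telemetry: one compromised-looking account and
    one benign traveller (Shreveport to Dallas over three hours)."""
    def t(h, m):
        return datetime(2024, 3, 4, h, m, tzinfo=timezone.utc)

    signins = [
        SignIn("jdoe", t(14, 2), "Shreveport, US", 32.5252, -93.7502,
               "DEV-KNOWN-01", "Windows 11 / Edge"),
        SignIn("jdoe", t(14, 17), "Berlin, DE", 52.5200, 13.4050,
               "DEV-UNSEEN-77", "Linux / Firefox"),
        SignIn("asmith", t(9, 0), "Shreveport, US", 32.5252, -93.7502,
               "DEV-KNOWN-02", "Windows 11 / Edge"),
        SignIn("asmith", t(12, 0), "Dallas, US", 32.7767, -96.7970,
               "DEV-KNOWN-02", "Windows 11 / Edge"),
    ]
    audit = [AuditEvent("jdoe", t(14, 25), "Change user password")]
    known = {"jdoe": {"DEV-KNOWN-01"}, "asmith": {"DEV-KNOWN-02"}}
    return correlate(signins, audit, known)


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

Run as a script it prints one finding: the jdoe sign-in from an unseen device at an implied speed of tens of thousands of km/h, followed by a password change eight minutes later; the asmith sign-ins are about 290 km apart over three hours and are never raised. The useful design point is that the travel rule alone only produces a candidate; the decision to call it a true positive comes from the device-history and audit-log checks layered on top.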


🛡️ Correlation Is Key: Acting on Evidence

Even though no malicious execution like ransomware or malware deployment occurred, the combination of subtle anomalies was too strong to ignore.

Using Microsoft Defender and Splunk SOAR, I worked with the team to:
✅ Initiate a password reset process
✅ Alert the user and the Senior IT department for further investigation and containment


💡 Lessons Learned: Why Threat Correlation Matters

This incident was a powerful reminder of the importance of behavioral analysis and cross-tool correlation. Had I ignored the travel alert, the compromise could've escalated, possibly leading to data exfiltration or lateral movement.

By combining SIEM alerts, Entra ID logs, and Defender telemetry, we validated a real threat โ€” no guesswork, just data-driven action.


🙏 Gratitude for Hands-On Learning

I'm incredibly thankful to LSU Shreveport for providing access to a real SOC environment where students like me can observe, analyze, and respond to live incidents.

Every alert is a puzzle. Some are noise, but a few, like this one, tell a story that needs to be followed to the end.


Written by Ashish Ghimire

Cybersecurity professional with a strong foundation in network security, GRC, system administration, SOC analysis, and threat hunting. Experienced in real-time threat detection, incident response, and security monitoring using tools such as Splunk, CrowdStrike Falcon, and Microsoft Entra ID. Skilled at securing enterprise environments and aligning security practices with compliance frameworks. Currently deepening expertise in penetration testing, red teaming, cloud security, malware analysis, and reverse engineering, with a strong commitment to continuous learning and operational excellence in cybersecurity.