SOC L1 Alert Triage | TryHackMe Writeup

Solvenite

Task 1. Introduction

I am ready to start!

No answer needed


Task 2. Events and Alerts

What is the number of alerts you see in the SOC dashboard?

5

What is the name of the most recent alert you see?

Double-Extension File Creation


Task 3. Alert Properties

What was the verdict for the "Unusual VPN Login Location" alert?

False Positive

What user was mentioned in the "Unusual VPN Login Location" alert?

M. Clark


Task 4. Alert Prioritisation

Should you first prioritise medium over low severity alerts? (Yea/Nay)

Yea

Should you first take the newest alerts and then the older ones? (Yea/Nay)

Nay

Assign yourself to the first-priority alert and change its status to In Progress. The name of your selected alert will be the answer to the question.

Potential Data Exfiltration


Task 5. Alert Triage

Which flag did you receive after you correctly triaged the first-priority alert?

THM{looks_like_lots_of_zoom_meetings}

💡 The traffic looks like someone using Zoom for a meeting. Perfectly safe.

Which flag did you receive after you correctly triaged the second-priority alert?

THM{how_could_this_user_fall_for_it?}

💡 This is the h0t.exe cryptominer trojan. Definitely malicious. The double extension is also a dead giveaway.

Which flag did you receive after you correctly triaged the third-priority alert?

THM{should_we_allow_github_for_devs?}

💡 The user downloaded the React library from the official GitHub source. Perfectly safe.

Task 6. Conclusion

I am ready to move on!

No answer needed

