SOC L1 Alert Reporting | TryHackMe Writeup


Task 1. Introduction
I am ready to start!
No answer needed
Task 2. Alert Funnel
What is the process of passing suspicious alerts to an L2 analyst for review?
Alert escalation
What is the process of formally describing alert details and findings?
Alert reporting
Task 3. Reporting Guide
According to the SOC dashboard, which user email leaked the sensitive document?
m.boslan@tryhackme.thm
Looking at the new alerts, who is the "sender" of the suspicious, likely phishing email?
support@microsoft.com.
Open the phishing alert, read its details, and try to understand the activity. Using the Five Ws template, what flag did you receive after writing a good report?
THM{nice_attempt_faking_microsoft_support}
Task 4. Escalation Guide
Who is your current L2 in the SOC dashboard that you can assign (escalate) the alerts to?
E. Fleming
What flag did you receive after correctly escalating the alert from the previous task to L2? Note: If you correctly escalated the alert earlier, just edit the alert and click "Save" again
THM{looks_like_webshell_via_old_exchange}
Task 5. SOC Communication
Should you first try to contact your manager in case of a critical threat (Yea/Nay)?
Nay
Should you immediately contact your L2 if you think you missed the attack (Yea/Nay)?
Yea
Task 6. Conclusion
I am ready to move on!
No answer needed
