TryHackMe: SOC Metrics and Objectives Walkthrough (SOC Level 1)

Welcome to this walkthrough of the SOC Metrics and Objectives room on TryHackMe. In this room we learn about the different ways of measuring the effectiveness of our SOC work, so that we can objectively monitor how we are doing as a SOC team.

SOC Metrics and Objectives banner

Room URL:
https://tryhackme.com/room/socmetricsobjectives

I am making these walkthroughs to keep myself motivated to learn cyber security, and to ensure that I remember the knowledge gained from these challenges on HTB and THM. Join me in learning cyber security. I will try to explain concepts as I go, to differentiate myself from other walkthroughs.



Task 1: Introduction

As with any other department, the efficiency of the SOC team can be measured using different indicators and metrics. This room explores the most common evaluation approaches like MTTD and MTTR and describes both methods to improve the metrics and potential consequences of ignoring them.

Learning Objectives

  • Discover the concepts of SLA, MTTD, MTTA, and MTTR
  • Understand the importance of the False Positive rate
  • Learn why and how to improve the metrics as an L1 analyst
  • Practice with managing SOC team performance metrics

Prerequisites

  • Complete the preceding SOC Workbooks and Lookups room
  • Understand key alert properties like severity or verdict
  • Know the difference between in-house and managed SOC

Questions

Let’s begin!

Answer: No answer needed


Task 2: Core Metrics

SOC Goals

  • The Security Operations Center (SOC) protects the confidentiality, integrity, and availability of digital assets.
  • SOC teams achieve this by developing, receiving, and triaging alerts.
  • L1 analysts focus on reliably reporting True Positives to L2 analysts.

Key SOC Metrics

  1. Alerts Count (AC)
    • Formula: AC = Total Count of Alerts Received
    • Measures analyst workload.
    • Too many alerts → overwhelming, risk of missing threats.
    • Too few alerts → possible SIEM issues or lack of visibility.
    • Ideal: 30 alerts per day per L1 analyst.
  2. False Positive Rate (FPR)
    • Formula: FPR = False Positives / Total Alerts
    • Measures noise level in alerts.
    • High FPR (80%+) → analysts lose vigilance, threats may be missed.
    • Solution: tune detection rules and tools (“False Positive Remediation”).
  3. Alert Escalation Rate (AER)
    • Formula: AER = Escalated Alerts / Total Alerts
    • Measures L1 analyst experience and independence.
    • Too high → over-reliance on L2.
    • Target: below 50%, ideally below 20%.
  4. Threat Detection Rate (TDR)
    • Formula: TDR = Detected Threats / Total Threats
    • Measures SOC reliability.
    • Example: 4 detected out of 6 threats → 67% (unacceptable).
    • Goal: 100% detection, since missed threats can cause severe damage (ransomware, data theft).
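As an added example (not code from the room or this walkthrough), the four core metrics above computed over a constructed alert list and checked against the thresholds the room gives; the Alert dataclass, the assess() function and the sample numbers are my own assumptions.

```python
from dataclasses import dataclass

@dataclass
class Alert:
    alert_id: int
    false_positive: bool  # L1 verdict after triage
    escalated: bool       # handed over to L2

def alerts_count(alerts):
    return len(alerts)

def false_positive_rate(alerts):
    return sum(a.false_positive for a in alerts) / len(alerts) if alerts else 0.0

def escalation_rate(alerts):
    return sum(a.escalated for a in alerts) / len(alerts) if alerts else 0.0

def threat_detection_rate(detected, total):
    return detected / total if total else 1.0

def assess(alerts, detected, total, analysts=1, days=1):
    # Returns {metric: (value, finding)} using the thresholds stated in the room
    ac = alerts_count(alerts)
    per_day = ac / (analysts * days)
    if ac == 0:
        ac_note = "zero alerts: check SIEM ingestion and visibility"
    elif per_day > 30:
        ac_note = f"{per_day:.0f}/analyst/day exceeds the ideal of 30"
    else:
        ac_note = "ok"
    fpr = false_positive_rate(alerts)
    fpr_note = "over 80%: tune rules (False Positive remediation)" if fpr > 0.8 else "ok"
    aer = escalation_rate(alerts)
    if aer >= 0.5:
        aer_note = "50%+: over-reliance on L2"
    elif aer >= 0.2:
        aer_note = "under 50% but above the ideal 20%"
    else:
        aer_note = "ok"
    tdr = threat_detection_rate(detected, total)
    tdr_note = "ok" if tdr == 1.0 else f"{total - detected} of {total} threats missed"
    return {"AC": (ac, ac_note), "FPR": (fpr, fpr_note),
            "AER": (aer, aer_note), "TDR": (tdr, tdr_note)}

# Constructed sample: one analyst, one day, 50 alerts of which 10 are real threats
# (matching the 80% FPR question), 12 escalated to L2, and 4 of 6 attacks detected.
SAMPLE_ALERTS = [Alert(i, false_positive=i >= 10, escalated=i < 12) for i in range(50)]

if __name__ == "__main__":
    for name, (value, note) in assess(SAMPLE_ALERTS, detected=4, total=6).items():
        print(f"{name}: {value:.2f} -> {note}")
```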

Questions

Is zero alerts for one month a good sign for your SOC team? (Yea/Nay)

This is not a good sign. There is likely something wrong with the SIEM and/or you are missing some threats that are going unnoticed.

Answer: Nay

What is the False Positive Rate if only 10 out of 50 alerts appear to be real threats?

This means that 40 out of 50 alerts are false positives. In other words, this means that the false positive rate is 80%.

Answer: 80%


Task 3: Triage Metrics

Service Level Agreements (SLA) in SOC

  • Purpose: Ensure threats are detected, acknowledged, and responded to quickly before attackers achieve their goals.
  • Definition: SLA is a formal agreement between the SOC team and management (or MSSP and customers) that sets performance expectations.

Key SLA Metrics

  1. SOC Team Availability
    • Common SLA: 24/7 coverage (sometimes 8/5 for smaller teams).
    • Ensures analysts are always available to handle alerts.
  2. Mean Time to Detect (MTTD)
    • SLA: 5 minutes.
    • Measures how quickly SOC tools detect an attack after it begins.
  3. Mean Time to Acknowledge (MTTA)
    • SLA: 10 minutes.
    • Measures how quickly L1 analysts begin triaging a new alert.
  4. Mean Time to Respond (MTTR)
    • SLA: 60 minutes.
    • Measures how quickly SOC takes action to stop the breach (e.g., isolate device, secure account).

Questions

Imagine a scenario where the SOC team receives a critical alert on Saturday. If the team works 8/5, on which day of the week will they acknowledge the alert?

8/5 means that the SOC team works 8 hours on each of the 5 working days. Since Saturday is part of the weekend, the alert will first get acknowledged on Monday.

Answer: monday

Imagine a scenario where an employee was lured into running data stealer malware.
  1. The SOC team received the “Connection to Redline Stealer C2” alert after 12 minutes.
  2. One of the L1 analysts on shift moved the alert to In Progress 10 minutes later.
  3. After minutes, the alert was escalated to L2, who spent 35 minutes cleaning the malware.

Provide the MTTD, MTTA, and MTTR via comma as your answer (e.g. 10,20,30).

The MTTD is 12 minutes, since it took 12 minutes for the SIEM to detect the attack. Afterwards, it took the L1 analyst 10 minutes to acknowledge the alert and begin triage, which is the MTTA. Finally, the MTTR is 51, as it took 10 + 6 + 35 = 51 minutes to take action (the time from the creation of the alert in the SIEM until the malware was cleaned).

Answer: 12,10,51
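As an added example (not code from the room or this walkthrough), the timeline arithmetic of the question above computed from timestamps, averaged over several incidents to give the mean values, and checked against the 5/10/60-minute SLAs from this task; the Incident dataclass, the timestamps and the 6-minute escalation delay (taken from the 10 + 6 + 35 sum) are my assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean

# SLA targets quoted in the room, in minutes
SLA_MINUTES = {"MTTD": 5, "MTTA": 10, "MTTR": 60}

@dataclass
class Incident:
    attack_started: datetime  # first malicious action, e.g. the C2 connection
    alert_created: datetime   # the SIEM raises the alert
    acknowledged: datetime    # an L1 analyst moves the alert to In Progress
    responded: datetime       # the threat is contained (device isolated, malware removed)

def minutes_between(start, end):
    return (end - start).total_seconds() / 60

def time_to_detect(inc):
    return minutes_between(inc.attack_started, inc.alert_created)

def time_to_acknowledge(inc):
    return minutes_between(inc.alert_created, inc.acknowledged)

def time_to_respond(inc):
    # counted from alert creation, as in the answer above (10 + 6 + 35 = 51)
    return minutes_between(inc.alert_created, inc.responded)

def mean_times(incidents):
    return {"MTTD": mean(time_to_detect(i) for i in incidents),
            "MTTA": mean(time_to_acknowledge(i) for i in incidents),
            "MTTR": mean(time_to_respond(i) for i in incidents)}

def sla_breaches(incidents):
    return {k: v for k, v in mean_times(incidents).items() if v > SLA_MINUTES[k]}

# Constructed sample. Incident 1 is the Redline Stealer timeline from the question:
# alert after 12 min, In Progress 10 min later, escalated 6 min after that, cleaned 35 min later.
T1 = datetime(2024, 1, 15, 9, 0)
T2 = datetime(2024, 1, 16, 14, 0)
SAMPLE_INCIDENTS = [
    Incident(T1, T1 + timedelta(minutes=12), T1 + timedelta(minutes=22), T1 + timedelta(minutes=63)),
    Incident(T2, T2 + timedelta(minutes=4), T2 + timedelta(minutes=12), T2 + timedelta(minutes=49)),
]

if __name__ == "__main__":
    print(mean_times(SAMPLE_INCIDENTS))
    print("SLA breached:", sla_breaches(SAMPLE_INCIDENTS))
```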


Task 4: Improving Metrics

Here is a table to look up possible improvements based on different scenarios:

Issue: False Positive Rate over 80%
Recommendations: Your team receives too much noise in the alerts. Try to:
  1. Exclude trusted activities like system updates from your EDR or SIEM detection rules
  2. Consider automating alert triage for the most common alerts using SOAR or custom scripts

Issue: Mean Time to Detect over 30 min
Recommendations: Your team detects a threat with a high delay. Try to:
  1. Contact SOC engineers to make the detection rules run faster or at a higher rate
  2. Check if SIEM logs are collected in real time, without a 10-minute delay

Issue: Mean Time to Acknowledge over 30 min
Recommendations: L1 analysts start alert triage with a high delay. Try to:
  1. Ensure the analysts are notified in real time when a new alert appears
  2. Try to evenly distribute alerts in the queue between the analysts on shift

Issue: Mean Time to Respond over 4 hours
Recommendations: The SOC team can’t stop the breach in time. Try to:
  1. As L1, do everything possible to quickly escalate the threats to L2
  2. Ensure your team has documented what to do during different attack scenarios

Questions

What is the highest acceptable False Positive Rate for SOC teams?

The false positive rate should not be above 80%. This high number of false positives will swamp L1 analysts, and will also reduce their ability to catch the real threats.

Answer: 80%

Should all SOC roles work together to keep metrics improving? (Yea/Nay)

Yes! This requires a team effort!

Answer: yea


Task 5: Practice Scenarios

While metrics tracking is usually the SOC manager’s job, a technical person is always required to propose improvements or highlight the issues. As a SOC L1 analyst, you are the first to notice excessive alert numbers or a high False Positive rate, so make sure you know how to communicate the issue and what to do to fix it.

Practice

For this lab of the SOC Metrics and Objectives, imagine yourself as a SOC manager receiving different complaints related to the SOC team. Open the attached site by clicking the View Site button and try to improve SOC metrics across three scenarios by correctly assigning improvement tasks from the list. Once completed, claim the flags and answer the task questions!

Questions

What flag did you get after completing the first scenario?

Open up the static page and you will be met by the first scenario:

Three scenario challenges

We get three boxes: Problematic Metric, Improvement Task, and Assign Task To. We need to drag three of the statements into the correct boxes, picking the statements that best describe the scenario.

Unhappy Customer

Dear SOC manager, our biggest customer, OpenDoor Inc., was dissatisfied with how we handle breaches. When their CFO’s email and Entra ID account were breached, it took us almost 6 hours to kick out the hacker from the mailbox, and threat actors had enough time to dump all emails and leak them on Darknet. Looking at the report, looks like we had a critical alert and spent 5 hours trying to properly reset the victim’s Entra ID password and MFA. How could it happen, and what would be your actions?

Problematic Metric

Time to respond was too high: too much time was spent containing the attack. This is the real problem. The alert got solved, but the team took way too much time resolving it.

Improvement Task

Create a workbook explaining credential rotation steps, and present it to the team. Creating a workbook will make future events much quicker to solve.

Assign Task To:

Assign the research and workbook creation task to the L2 that handled the incident. The L2 that handled the incident took a lot of time to find out the proper procedure. He should be the one writing the workbook.

Answer: THM{mttr:quick_start_but_slow_response}

What flag did you get after completing the second scenario?

Great job so far. Let’s look at the second scenario.

Delayed Alert

Hey, thanks for the SOC demo for our top management. They loved your ransomware simulation and were shocked at how your team managed to stop the attack in 40 minutes. However, for the first 20 minutes, everyone was just looking at the screen, waiting for some alerts to appear. It would be nice to somehow reduce this huge delay, what do you think?

Problematic Metric

Time to Detect of 20 minutes led to a delayed alert triage. This is an unnecessary problem, since we had the necessary manpower to stop the attack earlier.

Improvement Task

Tune the SIEM and the detection rules to run more often, every 5 minutes. Since the attack was caught by the SIEM, there is nothing wrong with its rules, but the rules should run more often.

Assign Task To:

Assign the detection rules’ schedule review to the dedicated SOC engineer. We should let a SOC engineer look at the schedules!

Answer: THM{mttd:time_between_attack_and_alert}

What flag did you get after completing the third scenario?

Alright, the final scenario. Let’s do this.

Tired Analysts

Dear SOC manager, on behalf of all L1 analysts, I want to raise an issue that may require your help. On average, during an 8-hour shift, our L1 analysts close 760 alerts, 95% of which is system noise from our IT team or automation scripts. It is impossible to perform a vigilant triage with such a big load, and analysts are starting to get exhausted. Moreover, as the company grows, we receive more and more alerts. Can you help us with it, please?

Problematic Metric

False Positive Rate is the core of the problem. The analysts are getting flooded by false positives, and they have trouble remaining vigilant.

Improvement Task

Schedule a call with the team to implement the False Positive remediation process. It is important to talk to the team to find out what the real challenges are, before talking with engineers.

Assign Task To:

Assign the task to SOC engineers to exclude the system and IT noise from the rules. Now that we have talked with the team, we can discuss with the engineers how to reduce the number of false positives by excluding system and IT noise from the rules.

Answer: THM{fpr:the_main_cause_of_l1_burnout}


Task 6: Conclusion

Well done completing the room and learning about SOC metrics! Throughout the tasks we explored core internal metrics like False Positive or threat detection rate, and key performance metrics – MTTD, MTTA, and MTTR – often shared with other parties as part of an SLA. Also, we explored ways to track and improve the metrics, which you should definitely try on your SOC analyst job!

Questions

Well done on completing the room!

Answer: No answer needed.

Congratulations on completing SOC Metrics and Objectives!!!

TryHackMe: SOC Metrics and Objectives completed!

Congratulations on completing SOC Metrics and Objectives. I loved learning about the different kinds of metrics we can measure to see how we are doing as a SOC team. Data can drive us to make better decisions so that we can keep our company safe.

Come back soon for more walkthroughs of rooms on TryHackMe and HackTheBox, and other Cybersecurity discussions.

Find my other TryHackMe SOC Level 1 Path walkthroughs here.

Find my other walkthroughs here.
