TryHackMe: SOC Workbooks and Lookups Walkthrough (SOC Level 1)

Welcome to this walkthrough of the SOC Workbooks and Lookups room on TryHackMe. In this room we will discuss why workbooks exist and how they make the process of triaging alerts easier for SOC analysts.


Room URL:
https://tryhackme.com/room/socworkbookslookups

I am making these walkthroughs to keep myself motivated to learn cyber security, and to ensure that I remember the knowledge gained from these challenges on HTB and THM. Join me in learning cyber security. I will try to explain concepts as I go, to differentiate myself from other walkthroughs.



Task 1: Introduction

Alert triage is a complex process that often requires analysts to gather additional information about affected employees or servers. This room explores SOC workbooks designed to streamline alert triage and explains various lookup methods to quickly retrieve user and system context.

Learning Objectives

  • Familiarise yourself with SOC investigation workbooks
  • Learn where to find and how to use asset inventory in SOC
  • Understand the importance of corporate network diagrams
  • Practice workflow building inside an interactive interface

Prerequisites

  • Complete the SOC L1 Alert Triage and Alert Reporting rooms
  • Have practice with investigating common attack chains
  • Understand the fundamental networking concepts
  • Preferably, be familiar with the concept of SOAR playbooks

Questions

I am ready to start!

Answer: No answer needed


Task 2: Assets & Identities

Scenario

An alert shows G.Baker logged into the HQ-FINFS-02 server, downloaded a financial report, and shared it with R.Lund. To triage this, analysts must answer:

  • Who are G.Baker and R.Lund, and what are their roles?
  • What is HQ-FINFS-02, and who should access it?
  • Why would R.Lund need financial records?

Identity Inventory

  • Definition: A catalogue of employees, service accounts, and their details (roles, privileges, contacts, access).
  • Purpose: Provides context about user activity and helps determine if behavior is expected.
  • Examples:
    • Gregory Baker (CFO, UK, access to VPN/HQ/Finance).
    • Raymond Lund (US Financial Adviser, US, access to VPN/Finance).
    • Service accounts like svc-veeam-06 (backup) or svc-nginx-pp (web app).
  • Sources:
    • Active Directory (on-prem or cloud).
    • SSO providers (Okta, Google Workspace).
    • HR systems (SAP, BambooHR).
    • Custom solutions (CSV/Excel maintained by IT/security).

Asset Inventory

  • Definition: A list of computing resources (servers, workstations) in the IT environment.
  • Purpose: Helps analysts understand the role and sensitivity of systems involved in alerts.
  • Examples:
    • HQ-FINFS-02 (Windows Server 2022, UK datacenter, file server for financial records).
    • HQ-ADDC-01 (domain controller).
    • Workstations like PC-891D (accountants) or laptops for HR/DevOps staff.
  • Sources:
    • Active Directory (identity + asset database).
    • SIEM/EDR tools (Elastic, CrowdStrike).
    • MDM solutions (Intune, Jamf).
    • Custom solutions (CSV/Excel).

Key Takeaway

  • Identity inventory explains who is acting.
  • Asset inventory explains where the activity happens. Together, they provide the context SOC analysts need to decide if an alert is normal business activity or a potential security incident.
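The lookups above, as an added example that is not part of the TryHackMe room: two constructed CSV inventories mirroring the room's sample entries, and an enrichment function that resolves the actor, the asset and the recipient of the Task 2 scenario and checks whether each identity's recorded access covers the data class the asset holds. The column names and the `required_access` convention are assumptions for this illustration.

```python
"""Enrich 'actor downloaded data from host and shared it with recipient' alerts
using an identity inventory and an asset inventory (constructed CSV exports)."""
import csv
import io

# Constructed identity inventory; mirrors the room's examples (assumed columns).
IDENTITY_CSV = """\
username,full_name,role,location,access
G.Baker,Gregory Baker,CFO,UK,VPN;HQ;Finance
R.Lund,Raymond Lund,US Financial Adviser,US,VPN;Finance
svc-veeam-06,Veeam backup service account,Service account,UK,HQ
"""

# Constructed asset inventory; `required_access` is the access tag a user needs (assumed).
ASSET_CSV = """\
hostname,os,site,purpose,data,required_access
HQ-FINFS-02,Windows Server 2022,UK datacenter,File server,financial records,Finance
HQ-ADDC-01,Windows Server 2022,UK datacenter,Domain controller,directory data,HQ
PC-891D,Windows 11,UK office,Accountant workstation,working documents,Finance
"""


def load_inventory(csv_text, key):
    """Parse a CSV export into a case-insensitive dict keyed on `key`."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {row[key].lower(): row for row in rows}


IDENTITIES = load_inventory(IDENTITY_CSV, "username")
ASSETS = load_inventory(ASSET_CSV, "hostname")


def lookup_user(username):
    return IDENTITIES.get(username.lower())


def lookup_asset(hostname):
    return ASSETS.get(hostname.lower())


def enrich_share_alert(actor, host, recipient):
    """Return the context an L1 analyst needs for a file-share alert.

    Anything missing from the inventories is itself a finding: an unknown
    account or host cannot be judged 'expected', so it goes to L2.
    """
    actor_rec, host_rec, rec_rec = lookup_user(actor), lookup_asset(host), lookup_user(recipient)
    findings = {
        "actor_role": actor_rec["role"] if actor_rec else None,
        "recipient_role": rec_rec["role"] if rec_rec else None,
        "asset_data": host_rec["data"] if host_rec else None,
        "unknown_entities": [
            name for name, rec in ((actor, actor_rec), (host, host_rec), (recipient, rec_rec))
            if rec is None
        ],
    }
    if findings["unknown_entities"]:
        findings["verdict"] = "escalate: entity missing from inventory"
        return findings

    required = host_rec["required_access"]
    findings["actor_has_access"] = required in actor_rec["access"].split(";")
    findings["recipient_has_access"] = required in rec_rec["access"].split(";")
    if findings["actor_has_access"] and findings["recipient_has_access"]:
        findings["verdict"] = "expected (FP)"
    else:
        findings["verdict"] = "investigate (possible TP)"
    return findings


if __name__ == "__main__":
    # The Task 2 scenario: CFO shares financial records with a financial adviser.
    for key, value in enrich_share_alert("G.Baker", "HQ-FINFS-02", "R.Lund").items():
        print(f"{key}: {value}")
```

The same function flags a share to `svc-veeam-06` (no Finance access) as worth investigating, and a share to a username absent from the inventory as an escalation rather than a silent "expected"; missing context is never treated as benign.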

Questions

Looking at the identity inventory, what is the role of R.Lund at the company?

Raymond is a US Financial Adviser 🙂

Answer: US Financial Adviser

Checking the asset inventory, what data does the HQ-FINFS-02 server store?

Simply look it up in the table. HQ-FINFS-02 stores financial records.

Answer: financial records

Finally, does the file sharing from the scenario look legitimate and expected? (Yea/Nay)

Yea! This looks legitimate. R.Lund requires this kind of material for his job, and the financial records are indeed stored on the server that was accessed. False positive.

Answer: yea


Task 3: Network Diagrams

Scenario

Firewall logs show suspicious activity:

  • 08:00 → External IP 103.61.240.174 connects to firewall on TCP/10443.
  • 08:23 → Connection translated internally to 10.10.0.53.
  • 08:25 → Internal IP scans 172.16.15.0/24 (Database subnet), no open ports found.
  • 08:32 → Same IP scans 172.16.23.0/24 (Office subnet), attack continues.

Network Diagrams

  • Definition: Visual maps showing subnets, servers, and connections.
  • Purpose: Help SOC analysts understand suspicious activity by placing IPs and ports into context.
  • Example Setup:
    • Firewall exposes VPN service on port 10443 and web services on HTTP.
    • Firewall protects three subnets:
      • VPN subnet: 10.10.0.0/16
      • Database subnet: 172.16.15.0/24
      • Office subnet: 172.16.23.0/24

Attack Path Reconstruction

  1. Threat actor at 103.61.240.174 performs VPN brute force against vpn.tryhatme.thm.
  2. After success, attacker is assigned internal IP 10.10.0.53 from the VPN subnet.
  3. Attacker scans the Database subnet, but firewall rules block access.
  4. Attacker shifts to scanning the Office subnet, searching for new targets.

Key Takeaway

Network diagrams allow SOC analysts to:

  • Identify services exposed (e.g., VPN on port 10443).
  • Understand subnet roles (Office, Database, VPN).
  • Reconstruct attack paths and see how adversaries move through the environment.
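The network-map lookup and the attack-path reconstruction above, as an added example that is not part of the room: the three subnets and the exposed VPN port are encoded as data, each IP in a constructed firewall log is placed into its subnet with Python's `ipaddress` module, and the timeline is rebuilt as the four steps listed in the task. The log line format (`time,src,dst,port,action`) and the `nat-assign` / `scan` markers are assumptions for this illustration.

```python
"""Place firewall-log IPs into the Task 3 network map and rebuild the attack path."""
import ipaddress

# Network map from the room's example setup.
NETWORK_MAP = {
    "VPN subnet": ipaddress.ip_network("10.10.0.0/16"),
    "Database subnet": ipaddress.ip_network("172.16.15.0/24"),
    "Office subnet": ipaddress.ip_network("172.16.23.0/24"),
}

# Services the firewall exposes to the Internet (port -> service).
EXPOSED_SERVICES = {10443: "VPN", 80: "HTTP web"}

# Constructed firewall events mirroring the scenario timeline (assumed format).
FIREWALL_LOG = """\
08:00,103.61.240.174,fw-public,10443,allow
08:23,103.61.240.174,10.10.0.53,0,nat-assign
08:25,10.10.0.53,172.16.15.0/24,scan,deny
08:32,10.10.0.53,172.16.23.0/24,scan,allow
"""


def classify_ip(ip_str):
    """Return the subnet name for an address, or whether it is external/unmapped."""
    ip = ipaddress.ip_address(ip_str)
    for name, net in NETWORK_MAP.items():
        if ip in net:
            return name
    return "External (Internet)" if ip.is_global else "Unmapped internal"


def exposed_service(port):
    return EXPOSED_SERVICES.get(port, "not exposed")


def reconstruct_path(log_text):
    """Turn raw firewall lines into labelled attack-path events."""
    events = []
    for line in log_text.strip().splitlines():
        ts, src, dst, port, action = line.split(",")
        if dst == "fw-public":  # inbound hit on the firewall's public interface
            events.append({"ts": ts, "stage": "ingress",
                           "detail": f"{classify_ip(src)} host {src} hits exposed {exposed_service(int(port))}"})
        elif action == "nat-assign":  # session given an internal address
            events.append({"ts": ts, "stage": "foothold",
                           "detail": f"{src} assigned {dst} in {classify_ip(dst)}"})
        else:  # lateral scan of a subnet
            target = classify_ip(dst.split("/")[0])
            outcome = "blocked by firewall" if action == "deny" else "permitted, attack continues"
            events.append({"ts": ts, "stage": "scan",
                           "detail": f"{src} ({classify_ip(src)}) scans {target} {dst}: {outcome}"})
    return events


def verdict(events):
    """TP when an externally sourced session goes on to scan internal subnets."""
    has_ingress = any(e["stage"] == "ingress" for e in events)
    has_scan = any(e["stage"] == "scan" for e in events)
    return "TP" if has_ingress and has_scan else "FP"


if __name__ == "__main__":
    path = reconstruct_path(FIREWALL_LOG)
    for e in path:
        print(e["ts"], e["stage"], e["detail"])
    print("Verdict:", verdict(path))
```

The point of `classify_ip` is that the same check answers both "which subnet is 172.16.15.99 in?" and "is 103.61.240.174 one of ours?"; an address that is private but matches no mapped subnet is reported separately, because an unmapped internal range is a gap in the diagram the SOC should know about.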

Questions

According to the network diagram, which service is exposed on the TCP/10443 port?

Port 10443 is commonly used for SSL VPN connections, often as an alternative to the default port 443 to avoid conflicts with a web interface on the same device or to get around port blocking. On the room's network diagram, TCP/10443 is listed as the VPN service.

Answer: VPN

Now, which subnet would the server behind 172.16.15.99 IP belong to?

The database subnet is listed as 172.16.15.0/24. So this means the IP 172.16.15.99 is part of that subnet. This is the database subnet.

Answer: database subnet

Finally, does the scenario look like a True Positive (TP) or False Positive (FP)?

This definitely sounds like a true positive. The attacker brute forced the VPN, obtained an internal address, and is actively scanning the other subnets for targets. Dangerous!

Answer: TP


Task 4: Workbooks Theory

SOC Workbooks

  • Definition: Structured documents (also called playbooks, runbooks, or workflows) that outline the exact steps analysts must follow to investigate and remediate threats.
  • Purpose: Ensure consistency, reduce mistakes, and streamline analysis—especially for junior analysts (L1).
  • Role of Senior Analysts: They prepare workbooks so L1 analysts can triage alerts correctly without missing vital details.

Workbook Example: Unusual Login Location

  • Flow: From receiving a login alert → identity enrichment → threat intelligence checks → SIEM investigation → escalation if needed.
  • Divided into three logical groups:
    • Enrichment → Gather context using identity inventory and threat intel.
    • Investigation → Analyze SIEM logs, user behavior, and IP details to decide if login is expected.
    • Escalation → Escalate to L2 analysts or confirm with the user if suspicious.

Key Takeaway

SOC workbooks provide a step‑by‑step guide that ensures analysts don’t skip critical steps. By following them, L1 analysts can deliver consistent, high‑quality triage and avoid premature or incorrect verdicts.
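The "Unusual Login Location" flow above, as an added example that is not the room's workbook: the steps are encoded in the order the workbook prescribes, grouped into Enrichment, Investigation and Escalation, and executed against an alert so that every step is recorded in an audit trail before a verdict is reached. The HR lookup, threat-intel list and SIEM history are constructed in-line, and the decision rules in `step_decide` are assumptions that follow the room's grouping.

```python
"""Execute the 'Unusual Login Location' workbook as ordered, grouped steps."""
from dataclasses import dataclass, field

# Constructed lookups. In the room, the expected user location comes from BambooHR.
HR_EXPECTED_LOCATION = {"g.baker": "UK", "r.lund": "US"}
TI_BAD_IPS = {"103.61.240.174"}                    # threat-intel blocklist (constructed)
SIEM_LOGINS = [                                    # prior successful logins (constructed)
    {"user": "g.baker", "src_ip": "203.0.113.5", "geo": "UK"},
    {"user": "g.baker", "src_ip": "203.0.113.5", "geo": "UK"},
    {"user": "r.lund", "src_ip": "198.51.100.7", "geo": "US"},
]


@dataclass
class Alert:
    user: str
    src_ip: str
    geo: str
    context: dict = field(default_factory=dict)   # enrichment results
    trail: list = field(default_factory=list)     # which steps ran, in order
    verdict: str = ""


# --- Enrichment ---------------------------------------------------------------
def step_identity_lookup(alert):
    alert.context["expected_geo"] = HR_EXPECTED_LOCATION.get(alert.user.lower())


def step_threat_intel(alert):
    alert.context["ti_hit"] = alert.src_ip in TI_BAD_IPS


# --- Investigation ------------------------------------------------------------
def step_siem_history(alert):
    prior = [e for e in SIEM_LOGINS
             if e["user"] == alert.user.lower() and e["src_ip"] == alert.src_ip]
    alert.context["prior_logins_from_ip"] = len(prior)


# --- Escalation ---------------------------------------------------------------
def step_decide(alert):
    c = alert.context
    if c["ti_hit"]:
        alert.verdict = "TP: escalate to L2"
    elif c["expected_geo"] is None:
        alert.verdict = "Unknown user: escalate to L2"
    elif alert.geo == c["expected_geo"] or c["prior_logins_from_ip"] > 0:
        alert.verdict = "FP: close"
    else:
        alert.verdict = "Inconclusive: confirm with user"


WORKBOOK = [
    ("Enrichment", step_identity_lookup),
    ("Enrichment", step_threat_intel),
    ("Investigation", step_siem_history),
    ("Escalation", step_decide),
]


def run_workbook(alert):
    """Run every step in order; the verdict is only set by the final step."""
    for group, step in WORKBOOK:
        step(alert)
        alert.trail.append(f"{group}:{step.__name__}")
    return alert


if __name__ == "__main__":
    a = run_workbook(Alert("G.Baker", "103.61.240.174", "??"))
    print(a.trail)
    print(a.verdict)
```

Because the verdict is produced only by the last step, an analyst cannot close the alert before the enrichment and SIEM checks have run; the `trail` is what goes into the alert report so L2 can see exactly which lookups were performed.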

Questions

Which SOC role would use workbooks the most (e.g. SOC Manager)?

Workbooks outline the steps analysts must follow. This makes them perfect for relatively inexperienced analysts, commonly called SOC L1 Analysts.

Answer: SOC L1 Analyst

What is the process of gathering user, host, or IP context using TI and lookups?

The purpose of gathering information about the users, hosts and other relevant data is called enrichment.

Answer: Enrichment

Looking at the workbook example, what platform is used as an identity inventory source?

The workbook example on THM shows that the expected user’s location is found in BambooHR.

Answer: BambooHR


Task 5: Workbooks Practice

Different teams have different approaches to workbook building. Some teams may have hundreds of complex workbooks for every possible detection rule, more like a SOAR automation playbook than human guides. Other teams may prepare just a few high-level workbooks for the most common attack vectors and rely more on the experience and decision-making of L1 analysts. In any case, you as an L1 analyst should know how to divide your investigation into modular blocks and build simple workbooks around it.

Practice


Let’s practice building the workbooks! Open the attached site by pressing the View Site button and fill in the missing workbook steps from the options. Drag and drop the options to their respective positions. If the position is correct, the option will stick there. Once you are done, receive the flag and continue to the next section!

Questions

We need to put 6 out of 8 boxes into the right location on each workbook. I will post a screenshot of each workbook, and explain shortly the decisions made.

What flag did you receive after completing the first workbook?

Make sure the first workbook looks like this (apologies for the dark picture, as I had to hide the flag message but the background is still darkened):

Workbook 1

The first 3 steps are all about taking ownership and gathering the relevant information. Then we either conclude the email is safe and close the alert as an FP, or we gather triage evidence and escalate to L2 with a summary of our findings.

Answer: THM{the_most_common_soc_workbook}

What flag did you receive after completing the second workbook?

Your workbook should look like this:

Workbook 2

Again, first we assign the alert to ourselves, and afterwards we collect information. Finally, we either conclude it is a false positive, or write an alert report for L2 and assign it to them with all the evidence.

Answer: THM{be_vigilant_with_powershell}

What flag did you receive after completing the third workbook?

Here is the complete third workbook:

Workbook 3

I hope you get this now. We assign the alert, collect information, and either reach a FP verdict (and get the rules tuned) or collect evidence and send it to L2.

Answer: THM{asset_inventory_is_essential}


Task 6: Conclusion

Nice work on building the workbooks! Remember to use the existing lookups like asset inventory or network map to better understand the alerts, and push your team to implement and maintain workbooks to streamline and simplify SOC operations. Hope you enjoyed the room!

Questions

I am ready to move on!

Answer: No answer needed.


Congratulations on completing SOC Workbooks and Lookups! I hope you realise that while being a SOC Analyst can be difficult, there are a lot of processes and tools to help make our lives easier. Workbooks are a big part of it!

Come back soon for more walkthroughs of rooms on TryHackMe and HackTheBox, and other Cybersecurity discussions.

Find my other TryHackMe SOC Level 1 Path walkthroughs here.

Find my other walkthroughs here.

Like my articles?

You are welcome to comment on this post, or share my post with friends. I would be even more grateful if you support me by buying me a cup of coffee:

Buy me a coffee

I learned a lot through HackTheBox’s Academy. If you want to sign up, you can get extra cubes, and support me in the process, if you use the following link:

https://referral.hackthebox.com/mzwwXlg
