TryHackMe: SOC L1 Alert Triage Walkthrough

Welcome to this walkthrough of the SOC L1 Alert Triage room (that’s a mouthful!) on TryHackMe. In this room we learn about the different kinds of alerts and about a systematic approach to triaging them efficiently.

SOC L1 Alert Triage room banner

Room URL:
https://tryhackme.com/room/socl1alerttriage

I am making these walkthroughs to keep myself motivated to learn cyber security, and to ensure that I remember the knowledge gained from these challenges on HTB and THM. Join me in learning cyber security. I will try to explain concepts as I go, to differentiate myself from other walkthroughs.



Task 1: Introduction

An alert is a core concept for any SOC team, and knowing how to handle it properly ultimately decides whether a security breach is detected and prevented, or missed and devastating. This is an entry level but essential room for SOC L1 analysts to understand the concept and lifecycle of alerts, from event generation to correct resolution.

Learning Objectives

  • Familiarise with the concept of SOC alert
  • Explore alert fields, statuses, and classification
  • Learn how to perform alert triage as an L1 analyst
  • Practice with real alerts and SOC workflows
  • Prepare for SOC Simulator and SAL1 certification

Prerequisites

  • Understand common attacks on networks, Windows, and Linux
  • Know SOC roles and duties, especially of L1 analysts

SOC Dashboard

You were granted access to the SOC dashboard in the TryHackMe SIEM, and you will need it to complete most of the tasks. Open the attached website in a separate window, familiarise yourself with it, and move on to the next task!

When you open the website you are met by the following screen:

TryHackMe SIEM

Clearly this is not a real professional SOC solution, but the basics are all there. Let’s move on!

Questions

I am ready to start!

Answer: No answer needed


Task 2: Events and Alerts

Imagine sitting beside a SOC analyst as hundreds of alerts flash across the screen — “Email Marked as Phishing”, “Unusual Login Location”, and even a red “Unapproved Mimikatz Usage”. These alerts don’t appear by magic.

Every alert starts as an event — a login, process launch, or file download — logged by systems like firewalls, operating systems, or cloud platforms. These logs are sent to security tools such as SIEM or EDR, which analyze millions of entries to surface only the suspicious ones. Instead of drowning in raw data, analysts can now focus on a manageable number of alerts that might indicate real threats.

Alert management tools vary:

  • SIEM systems (e.g., Splunk ES, Elastic) – the main workhorses of most SOCs.
  • EDR/NDR tools (e.g., Defender, CrowdStrike) – detect endpoint or network issues but often feed into SIEMs.
  • SOAR systems (e.g., Splunk SOAR, Cortex SOAR) – automate and centralize alerts for large SOCs.
  • ITSM tools (e.g., Jira, TheHive) – manage alerts as tickets for workflow efficiency.

Within this ecosystem, SOC L1 analysts are the first line of defense — reviewing, validating, and escalating alerts. L2 analysts dive deeper into confirmed threats, while SOC engineers fine-tune alert quality, and SOC managers oversee triage performance to ensure no real attack slips through.

Questions

What is the number of alerts you see in the SOC dashboard?

Simply open the page (or look at my screenshot above), and you will see 5 alerts.

Answer: 5

What is the name of the most recent alert you see?

The name of the most recent alert is “Double-Extension File Creation”.

Answer: Double-Extension File Creation


Task 3: Alert Properties

Now that we know how alerts are created, let’s look at what’s inside them. Every alert in a SOC dashboard contains key pieces of information that help analysts decide how serious it is and what to do next. While details vary between tools, most alerts share the same core properties:

  1. Alert Time – When the alert was created, usually a few minutes after the original event.
  2. Alert Name – A short description of the detected activity, like “Unusual Login Location” or “Potential Data Exfiltration.”
  3. Severity – How urgent the alert is, often color-coded from 🟢 Low to 🔴 Critical.
  4. Status – Tracks progress, from New to In Progress to Closed.
  5. Verdict – The final classification: was it a real attack (🔴 True Positive) or harmless (🟢 False Positive)?
  6. Assignee – The analyst responsible for investigating and resolving the alert.
  7. Description – A detailed explanation of what triggered the alert, why it might be suspicious, and sometimes guidance for triage.
  8. Fields – Technical data like hostnames, command lines, or other values linked to the suspicious activity.

Understanding these properties helps SOC analysts quickly filter noise, prioritize urgent threats, and ensure nothing slips through the cracks.

Questions

What was the verdict for the “Unusual VPN Login Location” alert?

Alright, let’s find this alert. It is alert number 4:

Alert number 4

The verdict is the 5th column, and this alert is judged to be a false positive. This means that the alert is harmless.

Answer: False Positive

What user was mentioned in the “Unusual VPN Login Location” alert?

To answer this question, we need to open the details by pressing the dropdown arrow on the far right:

M.Clark is the source user

The user mentioned as source user is M.Clark.

Answer: M.Clark


Task 4: Alert Prioritisation

Once you understand an alert, the next challenge is deciding which one to tackle first. In a busy SOC, hundreds of alerts can pile up, so prioritising correctly is vital to catching real threats in time. This process is called Alert Prioritisation.

Each SOC defines its own rules, often automated within tools like SIEM or EDR. However, most teams follow a simple, effective approach:

  1. Filter the Alerts – Skip alerts already assigned or under investigation. Focus only on new and unresolved ones.
  2. Sort by Severity – Handle Critical alerts first, followed by High, Medium, and Low. Severity reflects potential impact and likelihood of a real threat.
  3. Sort by Time – Address the oldest alerts first. If two breaches are happening, the older one is likely already causing damage, while the newer may still be in its early stages.

Smart prioritization helps SOC analysts stay focused, efficient, and ahead of attackers — ensuring the most dangerous threats are neutralized first.

Questions

Should you first prioritise medium over low severity alerts? (Yea/Nay)

Yes! Our simple rules tell us to focus on severity first. This means we take medium severity alerts before low severity alerts.

Answer: Yea

Should you first take the newest alerts and then the older ones? (Yea/Nay)

No. All things being equal, we should focus on the older alerts first. The older one is more likely to be causing critical damage already.

Answer: Nay

Assign yourself to the first-priority alert and change its status to In Progress. The name of your selected alert will be the answer to the question.

Edit the alert so that it looks like this:

Assigning the alert to ourselves

Make sure you have changed the Status to “in progress” and set the Assignee to “You”. The name of this alert is the answer.

Answer: Potential Data Exfiltration


Task 5: Alert Triage

You’ve picked your alert — now it’s time to triage it. Also known as alert handling, processing, or investigation, this is where SOC analysts dive deep to determine whether an alert represents a real cyber threat or just harmless noise.

The process typically happens in three stages:

1. Initial Actions

Before starting, take ownership of the alert. Assign it to yourself, mark it as In Progress, and review its details — name, description, and key indicators. This ensures you don’t step on another analyst’s work and that you’re fully prepared to investigate.

2. Investigation

This is the heart of alert triage. Using your technical knowledge and logs from SIEM or EDR systems, you must determine what really happened. Many SOCs use Workbooks (or playbooks/runbooks) to guide analysts through standard procedures. If none are available, focus on:

  • Identifying who or what is affected (user, host, network, etc.)
  • Understanding the suspicious action (login attempt, malware detection, phishing, etc.)
  • Reviewing nearby events for additional clues
  • Using threat intelligence to validate your findings

3. Final Actions

Once you’ve completed your analysis, it’s time to conclude. Decide whether the alert is a True Positive (a real threat) or a False Positive (benign). Write a clear comment explaining your reasoning and investigation steps, then mark the alert as Closed.

Triage may seem repetitive at first, but every step ensures accuracy, accountability, and — most importantly — that no real threat goes unnoticed.
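The prioritisation rules from Task 4 (filter, sort by severity, then sort by time) and the triage lifecycle from this task (take ownership, investigate, close with a verdict and a comment) are simple enough to express as code. The block below is an added example written for this walkthrough; it is not code from TryHackMe or from the room's dashboard. The Alert model, the status and verdict strings, and the sample alerts (names echo the room, but their severities and timestamps are made up) are all assumptions of the example.

```python
from dataclasses import dataclass, field
from datetime import datetime
from typing import List, Optional

# Step 2 of prioritisation: larger rank = handle first (the room's four levels).
SEVERITY_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1}
# The two classifications an alert can be closed with.
VERDICTS = {"True Positive", "False Positive"}


@dataclass
class Alert:
    """Minimal model of the core alert properties from Task 3 (constructed for this example)."""
    time: datetime
    name: str
    severity: str
    status: str = "New"                # New -> In Progress -> Closed
    assignee: Optional[str] = None
    verdict: Optional[str] = None
    comment: str = ""
    history: List[str] = field(default_factory=list)   # audit trail of transitions


def triage_queue(alerts: List[Alert]) -> List[Alert]:
    """Task 4 rules: skip assigned/in-progress/closed alerts, then order by
    severity (Critical first) and, within one severity, by time (oldest first)."""
    for a in alerts:
        # Refuse rather than silently rank an unknown severity last and hide it.
        if a.severity not in SEVERITY_RANK:
            raise ValueError(f"unknown severity {a.severity!r} on alert {a.name!r}")
    candidates = [a for a in alerts if a.status == "New" and a.assignee is None]
    return sorted(candidates, key=lambda a: (-SEVERITY_RANK[a.severity], a.time))


def take_ownership(alert: Alert, analyst: str) -> Alert:
    """Task 5 initial actions: assign to yourself and mark In Progress,
    without stepping on an alert another analyst already owns."""
    if alert.assignee not in (None, analyst):
        raise PermissionError(f"{alert.name!r} is already owned by {alert.assignee}")
    if alert.status == "Closed":
        raise ValueError(f"{alert.name!r} is already closed")
    alert.assignee = analyst
    alert.status = "In Progress"
    alert.history.append(f"{analyst}: took ownership, status -> In Progress")
    return alert


def close_alert(alert: Alert, analyst: str, verdict: str, comment: str) -> Alert:
    """Task 5 final actions: only the owner closes, the verdict must be one of the
    two classifications, and a comment explaining the reasoning is mandatory."""
    if alert.assignee != analyst or alert.status != "In Progress":
        raise PermissionError(f"{analyst} does not own {alert.name!r} in progress")
    if verdict not in VERDICTS:
        raise ValueError(f"verdict must be one of {sorted(VERDICTS)}, got {verdict!r}")
    if not comment.strip():
        raise ValueError("closing an alert requires a comment explaining the verdict")
    alert.verdict = verdict
    alert.comment = comment
    alert.status = "Closed"
    alert.history.append(f"{analyst}: closed as {verdict}")
    return alert


def sample_alerts() -> List[Alert]:
    """Constructed dashboard contents: names echo the room, severities and times are made up."""
    def at(hour: int, minute: int) -> datetime:
        return datetime(2025, 4, 1, hour, minute)
    return [
        Alert(at(8, 50), "Download from GitHub Repository", "Medium"),
        Alert(at(9, 15), "Potential Data Exfiltration", "Critical"),
        Alert(at(9, 40), "Unusual VPN Login Location", "Medium", "Closed", "A.Smith", "False Positive"),
        Alert(at(10, 5), "Unusual Login Location", "Medium"),
        Alert(at(10, 30), "Email Marked as Phishing", "High", "In Progress", "B.Jones"),
        Alert(at(11, 40), "Double-Extension File Creation", "High"),
    ]


def queue_names(alerts: List[Alert]) -> List[str]:
    """Names of the alerts to pick up, in the order an L1 analyst should take them."""
    return [a.name for a in triage_queue(alerts)]


if __name__ == "__main__":
    alerts = sample_alerts()
    for position, name in enumerate(queue_names(alerts), start=1):
        print(f"{position}. {name}")
    first = triage_queue(alerts)[0]
    take_ownership(first, "You")
    close_alert(first, "You", "False Positive", "Transfer matches scheduled backup job; no exfiltration.")
    print(first.history)
```

Note the tie-break in triage_queue: two Medium alerts are ordered purely by time, and the High alert already in progress with another analyst never appears in the queue, which is exactly the "don't step on another analyst's work" point above. In a real SIEM the same checks are enforced by the ticketing workflow, but writing them out makes the rules explicit.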

Questions

Which flag did you receive after you correctly triaged the first-priority alert?

Let’s continue with the critical alert, the one we assigned to ourselves earlier. All that remains now is to assign a verdict.

Triaging the first alert!

I am going to say this is a false positive, as it seems to be related to Zoom calls.

Edit the alert to look similar to this

Make sure to set the status to closed. You should receive the flag 🙂

Answer: THM{looks_like_lots_of_zoom_meetings}

Which flag did you receive after you correctly triaged the second-priority alert?

Now, let’s look at the Double-Extension File Creation alert, which has a high severity:

The second-priority alert

This definitely looks suspicious. The user seems to have downloaded some kind of cat video, but the file has a double extension, and is actually an executable. Furthermore, we can check the MD5 hash at VirusTotal:

https://www.virustotal.com/gui/file/86d50a7fc8d245876b791efe85eb7f64cd48b9e9648b4bf8bee22dbae66fe3aa

This is definitely a trojan! Go ahead and edit the alert. Assign it to yourself, close it and give it a “true positive” verdict.
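The detection logic behind an alert like this is worth seeing, because it shows why the double extension is the tell: the last extension decides what Windows runs, while the one before it is what the user reads. The block below is an added example written for this walkthrough, not the rule from TryHackMe's dashboard. The extension lists, the event dictionary layout and the sample file-creation events (hosts, users and paths) are all constructed assumptions; the example also handles the whitespace-padding variant (`invoice.pdf      .scr`) used to push the real extension out of view.

```python
import ntpath
from typing import Dict, List, Tuple

# Extensions Windows executes on double-click (constructed, deliberately non-exhaustive).
EXECUTABLE_EXTENSIONS = {
    "exe", "scr", "com", "pif", "bat", "cmd", "js", "jse",
    "vbs", "vbe", "wsf", "hta", "msi", "ps1", "lnk",
}
# Extensions a user expects to be harmless content: the "disguise" half of the name.
DECOY_EXTENSIONS = {
    "mp4", "avi", "mov", "mkv", "mp3", "jpg", "jpeg", "png", "gif",
    "pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt", "zip",
}


def is_double_extension_lure(filename: str) -> bool:
    """True when the final extension is executable and the one before it
    looks like a document or media file, e.g. funny_cats.mp4.exe."""
    parts = filename.lower().rsplit(".", 2)
    if len(parts) < 3:
        return False                      # single extension or none at all
    _, decoy, final = parts
    # Padding spaces between the decoy and real extension are a common disguise.
    return final.strip() in EXECUTABLE_EXTENSIONS and decoy.strip() in DECOY_EXTENSIONS


def flag_file_creations(events: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Run the check over file-creation events; return (host, user, filename) for hits.
    ntpath is used so Windows paths are split correctly on any platform."""
    hits = []
    for event in events:
        filename = ntpath.basename(event["path"])
        if is_double_extension_lure(filename):
            hits.append((event["host"], event["user"], filename))
    return hits


# Constructed sample events in the shape an EDR file-creation log might take.
SAMPLE_EVENTS = [
    {"host": "WS-017", "user": "j.doe", "path": r"C:\Users\j.doe\Downloads\funny_cats.mp4.exe"},
    {"host": "WS-017", "user": "j.doe", "path": r"C:\Users\j.doe\Downloads\report.pdf"},
    {"host": "WS-042", "user": "a.lee", "path": r"C:\Users\a.lee\Downloads\archive.tar.gz"},
    {"host": "WS-042", "user": "a.lee", "path": r"C:\Users\a.lee\Downloads\invoice.pdf          .scr"},
    {"host": "WS-042", "user": "a.lee", "path": r"C:\Program Files\App\setup.exe"},
    {"host": "WS-099", "user": "m.ray", "path": r"C:\Users\m.ray\Desktop\notes.txt.bak"},
]


if __name__ == "__main__":
    for host, user, name in flag_file_creations(SAMPLE_EVENTS):
        print(f"Double-Extension File Creation: host={host} user={user} file={name!r}")
```

Two of the six constructed events fire: the cat video and the padded invoice. `archive.tar.gz` and `notes.txt.bak` have two extensions but end in something Windows does not execute, so they stay quiet, which is the kind of false-positive control a detection engineer would add before shipping the rule.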

Make sure the edited alert looks like this

A flag should show up.

Answer: THM{how_could_this_user_fall_for_it?}

Which flag did you receive after you correctly triaged the third-priority alert?

Let’s look at the final alert: Download from GitHub Repository.

The third-priority alert

If you have some basic frontend web development experience, you will recognize React as one of the most popular JavaScript frameworks out there. The GitHub repository is the official one:

https://github.com/facebook/react

Edit the alert. Assign it to yourself, close it and give it the “False Positive” verdict.

The final alert 🙂

The flag pops up!

Answer: THM{should_we_allow_github_for_devs?}


Task 6: Conclusion

Congratulations on successfully triaging the alerts! Of course, closing the alert as True Positive won’t prevent the attack, but it is a great start. Next, you will learn about proper alert commenting and case reporting, correct escalation procedures, and actions made by L2 analysts after the escalation. We hope you enjoyed the room!

Questions

I am ready to move on!

Answer: No answer needed


Congratulations on completing SOC L1 Alert Triage!!!


Congratulations on completing SOC L1 Alert Triage. I hope you liked it! Even though the system was pretty basic, it actually reflects the fundamentals of all SOC systems out there.

Come back soon for more walkthroughs of rooms on TryHackMe and HackTheBox, and other Cybersecurity discussions.

Find an overview of all my walkthroughs of the TryHackMe SOC Level 1 Path here.

Find my other walkthroughs here.

Like my articles?

You are welcome to comment on this post, or share my post with friends. I would be even more grateful if you support me by buying me a cup of coffee:

Buy me a coffee

I learned a lot through HackTheBox’s Academy. If you want to sign up, you can get extra cubes, and support me in the process, if you use the following link:

https://referral.hackthebox.com/mzwwXlg
