This repository contains multiple SIEM alert and incident response investigations performed in a SOC (Security Operations Center) lab environment.
Each case demonstrates alert analysis, log correlation, endpoint investigation, and classification of security events as true or false positives. The projects also showcase hands-on experience with incident response workflows, including detection, investigation, and containment of threats.
- Investigated triggered SIEM alerts
- Analyzed suspicious activity and identified abnormal behavior patterns
- Correlated events across log sources
- Classified alerts as true or false positives
- Investigated phishing attack via email attachment
- Analyzed endpoint activity using EDR
- Identified malware execution on host
- Performed containment actions (quarantine & isolation)
This project documents a SIEM alert investigation performed in a SOC (Security Operations Center) lab environment. The goal was to analyze a triggered alert, review log data, and determine whether the activity was malicious or expected.
- Investigate a SIEM alert
- Analyze network log data
- Identify suspicious indicators
- Determine if the alert is a true or false positive
- TryHackMe SIEM lab environment
- SIEM dashboard and logs
- Alert Type: Port Scanning Activity
- Severity: High
- Source IP: 10.0.0.8
- Destination IP: 10.0.0.3
- Time: June 12, 2024 17:24
The alert indicated port scanning activity originating from IP address 10.0.0.8 targeting another internal host.
I reviewed the SIEM logs and observed:
- Multiple connection attempts within the same second
- Traffic targeting multiple destination ports (e.g., 22, 53, 443)
- Repeated activity from a single source IP against a single target
These patterns are consistent with port scanning behavior.
By analyzing the logs, I identified the source host name as Nessus, a known vulnerability scanning tool.
The SOC team had prior knowledge that a vulnerability assessment was being conducted. Additionally, the Vulnerability Assessment Team had notified the SOC in advance that they would be running a spot scan. This confirmed that the activity was expected and authorized.
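The two steps above (spot the many-ports-from-one-source pattern, then check it against what the Vulnerability Assessment Team announced) can be expressed as a small correlation script. The code below is an added example, not the lab's SIEM logic; the connection-log lines are constructed, and the scheduled scan window for the Nessus host is an assumption standing in for the notice the SOC received.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed connection-log lines (not from the lab's SIEM): timestamp, src, dst, dst_port.
SAMPLE_LOG = """\
2024-06-12T17:24:01 10.0.0.8 10.0.0.3 22
2024-06-12T17:24:01 10.0.0.8 10.0.0.3 53
2024-06-12T17:24:01 10.0.0.8 10.0.0.3 443
2024-06-12T17:24:02 10.0.0.8 10.0.0.3 80
2024-06-12T17:24:02 10.0.0.8 10.0.0.3 3389
2024-06-12T17:24:02 10.0.0.8 10.0.0.3 445
2024-06-12T17:25:10 10.0.0.5 10.0.0.3 443
2024-06-12T17:25:11 10.0.0.5 10.0.0.3 443
"""

# Assumed context kept outside the SIEM: authorized scanners and their announced scan windows.
# The 17:00-18:00 window is an assumption; the write-up only says a spot scan was announced.
AUTHORIZED_SCANS = [
    {"source": "10.0.0.8", "hostname": "Nessus",
     "start": datetime(2024, 6, 12, 17, 0), "end": datetime(2024, 6, 12, 18, 0)},
]

def parse_log(text):
    events = []
    for line in text.splitlines():
        ts, src, dst, port = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "src": src, "dst": dst, "port": int(port)})
    return events

def detect_port_scans(events, window=timedelta(seconds=60), min_ports=5):
    """Flag (src, dst) pairs that touch at least `min_ports` distinct ports within `window`."""
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["src"], e["dst"])].append(e)
    alerts = []
    for (src, dst), evs in by_pair.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        # Sliding window over the time-ordered events of this pair.
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            ports = {e["port"] for e in evs[start:end + 1]}
            if len(ports) >= min_ports:
                alerts.append({"src": src, "dst": dst, "ports": sorted(ports),
                               "first_seen": evs[start]["ts"], "last_seen": evs[end]["ts"]})
                break  # one alert per pair is enough for triage
    return alerts

def triage(alert, authorized=AUTHORIZED_SCANS):
    """Attach context: is the source a known scanner active inside its announced window?"""
    for scan in authorized:
        if scan["source"] == alert["src"] and scan["start"] <= alert["first_seen"] <= scan["end"]:
            return {**alert, "classification": "False Positive",
                    "reason": f"authorized scan by {scan['hostname']} inside scheduled window"}
    return {**alert, "classification": "Needs investigation",
            "reason": "no matching authorized scan"}

if __name__ == "__main__":
    for a in detect_port_scans(parse_log(SAMPLE_LOG)):
        print(triage(a))
```

The same Nessus source seen outside its window, or a source not on the list at all, falls through to "Needs investigation"; the suppression is tied to IP plus time, not to the hostname alone.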
- Who: Vulnerability Assessment Team (internal) using Nessus
- What: Port scanning activity
- When: During the scheduled testing period
- Where: Internal network (10.0.0.8 → 10.0.0.3)
- Why: Authorized vulnerability assessment (spot scan)
- Port scanning behavior detected
- Activity originated from an internal scanning tool (Nessus)
- Multiple ports targeted in a short time frame
- Activity aligned with a planned security test
- A response was observed from the target system back to the scanning IP on port 22 (SSH)
- Classification: False Positive
- Reason: The activity was part of an authorized internal vulnerability scan
- Action Taken: Alert was acknowledged and closed
- Not all alerts indicate malicious activity
- Context is critical when investigating SIEM alerts
- Recognizing legitimate tools (like Nessus) helps reduce false positives, but the scanner should be confirmed by IP, hostname and announced scan window rather than by name alone, since a hostname is trivial to spoof
- Proper documentation is essential in SOC workflows
- Observed responses (e.g., port 22/SSH) should be reviewed to ensure proper security configuration
The screenshot below shows the SIEM alert triggered by detected port scanning activity.
The screenshot below shows log evidence of multiple connection attempts across different ports from the same source IP.
- Alert Type: Potential CryptoMiner Activity
- Severity: Medium/High
- Source: Internal host activity
- Host: HR_02
- User: chris
A SIEM alert was triggered indicating potential cryptomining activity based on predefined detection rules.
Reviewing the event logs showed a suspicious process execution:
- Process Name: cudominer.exe
- File Path: C:\Users\chris\temp\cudominer.exe
The alert was triggered based on:
- Event ID: 4688 (process creation)
- Condition: Process name contains "miner" or "crypt"
- User: chris
- Host: HR_02
- Malicious process detected: cudominer.exe
- Executed from temp directory
- Matches cryptomining behavior
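The rule as described (Event ID 4688 and a process name containing "miner" or "crypt") is easy to reproduce, and doing so also shows its weakness: the "crypt" substring matches legitimate encryption software. The script below is an added example, not the lab's detection rule; the 4688 events are constructed, and the VeraCrypt and notepad.exe entries are assumed benign records added to show how weighting execution from a user-writable path separates the real hit from the name collision.

```python
import re
from pathlib import PureWindowsPath

# Constructed Windows Security events (Event ID 4688 = process creation); not from the lab.
EVENTS = [
    {"EventID": 4688, "Computer": "HR_02", "SubjectUserName": "chris",
     "NewProcessName": r"C:\Users\chris\temp\cudominer.exe",
     "ParentProcessName": r"C:\Windows\explorer.exe"},
    {"EventID": 4688, "Computer": "IT_01", "SubjectUserName": "dana",        # assumed benign
     "NewProcessName": r"C:\Program Files\VeraCrypt\VeraCrypt.exe",
     "ParentProcessName": r"C:\Windows\explorer.exe"},
    {"EventID": 4624, "Computer": "HR_02", "SubjectUserName": "chris"},       # logon, not 4688
    {"EventID": 4688, "Computer": "HR_02", "SubjectUserName": "chris",        # assumed benign
     "NewProcessName": r"C:\Windows\System32\notepad.exe",
     "ParentProcessName": r"C:\Windows\explorer.exe"},
]

NAME_PATTERN = re.compile(r"(miner|crypt)", re.IGNORECASE)

# Path fragments a normal user can write to; a binary launched from here carries more weight
# than one under Program Files or System32.
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\")

def rule_matches(event):
    """The lab's rule as written up: EventID 4688 AND process name contains 'miner' or 'crypt'."""
    if event.get("EventID") != 4688:
        return False
    name = PureWindowsPath(event["NewProcessName"]).name
    return NAME_PATTERN.search(name) is not None

def score(event):
    """Rank a match: 1 for the name hit, +2 if the image lives in a user-writable directory."""
    s = 1
    path = event["NewProcessName"].lower()
    if any(marker in path for marker in USER_WRITABLE):
        s += 2
    return s

def run_rule(events):
    hits = []
    for e in events:
        if rule_matches(e):
            hits.append({"host": e["Computer"], "user": e["SubjectUserName"],
                         "process": e["NewProcessName"], "score": score(e)})
    return sorted(hits, key=lambda h: h["score"], reverse=True)

if __name__ == "__main__":
    for hit in run_rule(EVENTS):
        print(hit)
```

Both cudominer.exe and VeraCrypt.exe trip the name rule, which is why the write-up's "Executed from temp directory" finding matters: the path, not the name, is what puts HR_02 at the top of the queue.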
- Classification: True Positive
- Recommended Action: Isolate host HR_02 from the network, terminate the process, and retain the binary for analysis
- Process names are useful but not conclusive indicators; an attacker can rename a binary, so corroborate with file path, file hash and parent process
- SIEM rules catch known patterns; weighting matches by execution path reduces noise from legitimate software with similar names
- True positives require immediate containment
The screenshot below shows the SIEM alert triggered by cryptomining activity.
The screenshot below shows the rule condition that triggered the alert.
A phishing email was sent to multiple users within an organization. The email contained a malicious attachment (Payslip.pdf). Once downloaded and executed, the file triggered malicious activity across several hosts.
The objective was to investigate the incident using EDR tools, identify affected systems, and take appropriate response actions.
- Malicious email sender identified as: Jeff Johnson
- Threat vector: Email attachment
- Malicious file: Payslip.pdf
- Multiple hosts downloaded the file
- Only one host executed the malware
- Malicious activity included PowerShell execution and DNS queries
- Number of devices that downloaded the file: 3
- Number of devices that executed the file: 1
- Affected hosts:
  - Host-ATYU → Downloaded (Quarantined)
  - Host-IOPE → Downloaded (Quarantined)
  - Host-HKNV → Executed (Investigated & Isolated)
- User received phishing email
- User downloaded Payslip.pdf
- File executed on host
- PowerShell process launched
- Malicious DNS query detected
- EDR triggered alert: Malware detected
- Response actions taken:
  - Quarantine hosts that downloaded the file
  - Isolate the infected machine
- Quarantined hosts that downloaded the file
- Isolated infected host (Host-HKNV)
- Investigated process execution chain
- Confirmed malicious behavior via EDR telemetry
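The triage decision above (quarantine hosts that only downloaded Payslip.pdf, isolate the one whose process chain ran PowerShell and made a DNS query) can be automated over EDR telemetry. The script below is an added example, not the lab's EDR tooling; the events are constructed. Host names follow the write-up, while the PIDs, the explorer.exe parent, and the c2.example.net domain are assumptions for illustration.

```python
from collections import defaultdict

MALICIOUS_FILE = "Payslip.pdf"

# Constructed EDR telemetry, not the lab's real data. file_write = download landed on disk,
# process_start = process creation with pid/ppid, dns_query = lookup attributed to a pid.
TELEMETRY = [
    {"host": "Host-ATYU", "type": "file_write", "file": MALICIOUS_FILE},
    {"host": "Host-IOPE", "type": "file_write", "file": MALICIOUS_FILE},
    {"host": "Host-HKNV", "type": "file_write", "file": MALICIOUS_FILE},
    {"host": "Host-HKNV", "type": "process_start", "pid": 1500, "ppid": 1, "image": "explorer.exe"},
    {"host": "Host-HKNV", "type": "process_start", "pid": 3000, "ppid": 1500, "image": MALICIOUS_FILE},
    {"host": "Host-HKNV", "type": "process_start", "pid": 3100, "ppid": 3000, "image": "powershell.exe"},
    {"host": "Host-HKNV", "type": "dns_query", "pid": 3100, "query": "c2.example.net"},
    {"host": "Host-ATYU", "type": "process_start", "pid": 2100, "ppid": 1, "image": "explorer.exe"},
]

def ancestry(processes, pid):
    """Walk pid -> ppid through a host's process_start events; returns images from child to root."""
    chain, seen = [], set()
    while pid in processes and pid not in seen:
        seen.add(pid)
        chain.append(processes[pid]["image"])
        pid = processes[pid]["ppid"]
    return chain

def triage(telemetry, malicious_file=MALICIOUS_FILE):
    """Per host: did the file land, did it run, and which network activity descends from it."""
    by_host = defaultdict(list)
    for ev in telemetry:
        by_host[ev["host"]].append(ev)
    verdicts = {}
    for host, evs in by_host.items():
        downloaded = any(e["type"] == "file_write" and e["file"] == malicious_file for e in evs)
        processes = {e["pid"]: e for e in evs if e["type"] == "process_start"}
        executed = any(p["image"] == malicious_file for p in processes.values())
        # Evidence chains: DNS queries whose issuing process descends from the malicious file.
        chains = [ancestry(processes, e["pid"]) for e in evs if e["type"] == "dns_query"]
        chains = [c for c in chains if malicious_file in c]
        if executed:
            action = "isolate"
        elif downloaded:
            action = "quarantine"
        else:
            action = "none"
        verdicts[host] = {"downloaded": downloaded, "executed": executed,
                          "chains": chains, "action": action}
    return verdicts

def summary(verdicts):
    return {"downloaded": sum(v["downloaded"] for v in verdicts.values()),
            "executed": sum(v["executed"] for v in verdicts.values())}

if __name__ == "__main__":
    v = triage(TELEMETRY)
    for host, verdict in v.items():
        print(host, verdict)
    print(summary(v))
```

The recovered chain for Host-HKNV reads powershell.exe ← Payslip.pdf ← explorer.exe, which is the execution chain the EDR timeline showed; the two hosts with only a file_write get the lighter quarantine action.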
- EDR Platform (TryHackMe Lab)
- Windows Environment
- Process Timeline Analysis
This incident demonstrates how phishing emails can lead to malware infections within an organization. Through EDR analysis, it was possible to:
- Identify the initial infection vector
- Track execution across hosts
- Contain the threat quickly
Proper endpoint monitoring and rapid response are critical in minimizing the impact of such attacks.