Hands-on Lab · Intermediate · ~65 min · Includes challenge

Lab 3.1 — Network Alert Triage

Triage 49 pre-loaded Suricata alert groups from Operation Wire Tap. Classify alerts as True Positive, False Positive, or Informational using professional SOC methodology.

Tools needed: EveBox, Suricata

What You'll Learn

  • Triage 49 pre-loaded Suricata alert groups from the "Operation Wire Tap" scenario using EveBox
  • Classify each alert as True Positive, False Positive, or Informational using SOC triage methodology
  • Prioritize alerts by severity, frequency, and contextual risk
  • Distinguish attacker-generated traffic from benign network noise
  • Build a triage summary documenting your classification decisions and reasoning

Lab Overview

Detail           | Value
-----------------|--------------------------------------------------------------
Lab Profile      | lab-suricata
Containers       | Suricata, EveBox
Estimated Time   | 60–75 minutes
Difficulty       | Intermediate
Browser Access   | EveBox (Web UI)
Pre-Loaded Data  | 49 alert groups, 47 unique signatures: scan/recon, SQL injection, web shell, C2, DNS tunneling, lateral movement, policy violations, plus 20 ET community rules
Deliverable      | A completed Triage Classification Sheet with all 49 alert groups categorized

Why Triage Matters. A production Suricata sensor generates thousands of alerts per day. Most are noise — policy violations, informational tags, or benign anomalies. The analyst who can separate signal from noise in minutes (not hours) is the analyst who catches the real intrusion. This lab builds that speed and judgment.


The Scenario

You are a Tier 1 SOC analyst starting your shift. Overnight, the network IDS (Suricata) generated alerts that have been collected into EveBox. Your shift lead has asked you to triage all outstanding alerts before the morning standup. You need to classify each alert group, escalate true positives, and document your reasoning.

The alerts come from Operation Wire Tap — a simulated attack scenario that includes reconnaissance, exploitation, command-and-control, and lateral movement. But not every alert is malicious. Your job is to figure out which ones matter.


Part 1: Orientation — The EveBox Interface

Accessing EveBox

Once your lab environment is ready, click Open Lab to access the EveBox dashboard. You will see the main alert inbox view.

Understanding the Inbox

EveBox groups related alerts together. Each row in the inbox represents an alert group — multiple individual alerts that share the same signature (rule). The key columns are:

Column        | What It Tells You
--------------|------------------------------------------
Count         | How many times this signature fired
Signature     | The Suricata rule name that triggered
Source / Dest | IP addresses involved
Timestamp     | When the alert group was last active
Severity      | Priority level (1 = highest, 3 = lowest)

Initial Survey

Before triaging individual alerts, get the big picture:

  1. Total alert groups: Note the number in the inbox (should be approximately 49)
  2. Severity distribution: How many are severity 1 vs. 2 vs. 3?
  3. Top signatures by count: Which rules fired the most?
  4. Unique source IPs: How many distinct sources generated alerts?

Record these numbers — they form the baseline for your triage report.
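
The same four baseline numbers can be pulled straight from Suricata's EVE JSON log, which is what EveBox ingests. The script below is an added example written for this lab, not EveBox's or CyberBlue's code: it keeps only the `alert` events, groups them by signature the way the inbox does, and reports total groups, severity distribution, top signatures and unique sources. The EVE lines it reads are constructed for illustration (the signature names, addresses and counts are invented, not taken from the Operation Wire Tap data).

```python
"""Initial survey of a Suricata EVE JSON alert log, grouped like the EveBox inbox.

Added example for this lab, not EveBox's or CyberBlue's code. It reads EVE
records (one JSON object per line), keeps the "alert" events, groups them by
signature and reports the four baseline numbers from the Initial Survey.
"""
import ipaddress
import json
from collections import Counter

# Constructed sample of EVE records. Field names follow Suricata's EVE schema
# (timestamp, event_type, src_ip, dest_ip, alert.signature, alert.severity);
# the values, signature names and addresses are invented for this example.
SAMPLE_EVE = """\
{"timestamp":"2024-05-01T02:10:05.000000+0000","event_type":"alert","src_ip":"203.0.113.10","dest_ip":"10.0.0.5","alert":{"signature":"ET SCAN Nmap SYN Scan","severity":2}}
{"timestamp":"2024-05-01T02:10:06.000000+0000","event_type":"alert","src_ip":"203.0.113.10","dest_ip":"10.0.0.5","alert":{"signature":"ET SCAN Nmap SYN Scan","severity":2}}
{"timestamp":"2024-05-01T02:15:30.000000+0000","event_type":"alert","src_ip":"203.0.113.10","dest_ip":"10.0.0.5","alert":{"signature":"ET WEB_SERVER SQL Injection Attempt","severity":1}}
{"timestamp":"2024-05-01T02:40:00.000000+0000","event_type":"alert","src_ip":"10.0.0.5","dest_ip":"198.51.100.7","alert":{"signature":"ET MALWARE Possible C2 Beacon","severity":1}}
{"timestamp":"2024-05-01T03:00:00.000000+0000","event_type":"alert","src_ip":"10.0.0.22","dest_ip":"10.0.0.53","alert":{"signature":"ET INFO Observed DNS Query to .xyz TLD","severity":3}}
{"timestamp":"2024-05-01T03:05:00.000000+0000","event_type":"flow","src_ip":"10.0.0.22","dest_ip":"10.0.0.53","flow":{"bytes_toserver":90,"bytes_toclient":200}}
"""


def load_alerts(eve_text):
    """Yield the alert events from EVE text; flow, dns, http and stats events are skipped."""
    for line in eve_text.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        if event.get("event_type") == "alert":
            yield event


def group_alerts(events):
    """Group alerts by signature: count, severity, endpoints and last activity per group."""
    groups = {}
    for ev in events:
        sig = ev["alert"]["signature"]
        g = groups.setdefault(sig, {
            "count": 0,
            "severity": ev["alert"]["severity"],
            "sources": set(),
            "dests": set(),
            "last_seen": ev["timestamp"],
        })
        g["count"] += 1
        g["sources"].add(ev["src_ip"])
        g["dests"].add(ev["dest_ip"])
        # EVE timestamps share one layout and offset, so string comparison orders them
        g["last_seen"] = max(g["last_seen"], ev["timestamp"])
    return groups


def initial_survey(groups, top_n=3):
    """The four baseline numbers: total groups, severity distribution, top signatures, unique sources."""
    severity_dist = Counter(g["severity"] for g in groups.values())
    by_count = sorted(groups.items(), key=lambda kv: kv[1]["count"], reverse=True)
    sources = set()
    for g in groups.values():
        sources |= g["sources"]
    return {
        "total_groups": len(groups),
        "severity_distribution": dict(sorted(severity_dist.items())),
        "top_signatures": [(sig, g["count"]) for sig, g in by_count[:top_n]],
        "unique_source_ips": sorted(sources, key=ipaddress.ip_address),
    }


if __name__ == "__main__":
    survey = initial_survey(group_alerts(load_alerts(SAMPLE_EVE)))
    for key, value in survey.items():
        print(f"{key}: {value}")
```

To run it against the sensor's real log, replace `SAMPLE_EVE` with the contents of `eve.json`; the numbers it prints should match what you read off the inbox, which is a useful cross-check if EveBox's ingest lags behind Suricata.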


Part 2: Triage Methodology — The 3-Bucket System

Professional SOC teams use a classification system for every alert. We will use three categories:

True Positive (TP)

The alert correctly identifies malicious or suspicious activity. Action required — escalate or investigate further.

Indicators of a True Positive:

  • Alert signature matches observed payload content
  • Source IP is external or unexpected for the traffic type
  • Multiple related alerts form an attack chain
  • Destination is a high-value asset (server, database)

False Positive (FP)

The alert fired but the traffic is legitimate. No action needed, but document why.

Indicators of a False Positive:

  • Known internal scanner or vulnerability assessment tool
  • Signature is overly broad (matches benign patterns)
  • Context shows normal business traffic
  • Source/destination pair is expected for the protocol

Informational (INFO)

The alert provides useful context but does not indicate an active threat. Useful for enrichment, not escalation.

Indicators of Informational:

  • Policy-based alerts (e.g., "ET POLICY" signatures)
  • Protocol anomaly detections without malicious intent
  • DNS queries to unusual but not malicious domains
  • Version detection or banner grab signatures

Part 3: Triage the Alerts — Attack Categories

Work through the alert groups in EveBox. Click each alert group to expand it and examine the details. For each group, record your classification.

Category A: Reconnaissance & Scanning

Look for signatures containing words like "SCAN", "recon", "probe", or "discovery". These represent the first phase of the attack.

For each recon alert, determine:

  • Is this an external scan targeting our network? (likely TP)
  • Is this an internal asset performing legitimate discovery? (likely FP)
  • Is this a general port scan policy alert? (likely INFO)

Category B: Exploitation Alerts

Look for signatures related to "SQL injection", "web shell", "exploit", "overflow", or "RCE". These represent active exploitation attempts.

For each exploitation alert, determine:

  • Does the payload content match the signature description?
  • Is the destination a web server or database?
  • Did the exploitation appear to succeed? A request-side signature only proves an attempt; check the HTTP response status and response size recorded with the alert (or the matching http and flow events), and look for follow-on alerts from the same source
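
The success check in the last bullet, as an added example (not part of the lab or of EveBox). When Suricata logs an alert for an HTTP signature with app-layer metadata enabled, the EVE record carries an `http` object (`http_method`, `url`, `status`, `length`) and a `flow` object with byte counters; the helper below reads those to grade each attempt, then lines the graded attempts up per source so the attack chain is visible. The alert records and signature names are constructed, and the body-size threshold is an assumption.

```python
"""Grade an exploitation alert by what the server answered.

Added example, not part of the lab or of EveBox. A request-side signature (SQL
injection, web shell upload) proves an attempt, not a result; the response
status and body size logged with the alert tell you whether it landed.
"""
from collections import defaultdict

BODY_THRESHOLD = 1024   # assumption: a 2xx with fewer body bytes than this is not conclusive on its own

# Constructed EVE alert records (field names follow the EVE schema; values invented).
SAMPLE_ALERTS = [
    {"timestamp": "2024-05-01T02:15:30.000000+0000", "src_ip": "203.0.113.10", "dest_ip": "10.0.0.5",
     "alert": {"signature": "ET WEB_SERVER SQL Injection Attempt", "severity": 1},
     "http": {"http_method": "GET", "url": "/item.php?id=1'", "status": 500, "length": 512},
     "flow": {"bytes_toserver": 640, "bytes_toclient": 700}},
    {"timestamp": "2024-05-01T02:16:02.000000+0000", "src_ip": "203.0.113.10", "dest_ip": "10.0.0.5",
     "alert": {"signature": "ET WEB_SERVER SQL Injection Attempt", "severity": 1},
     "http": {"http_method": "GET", "url": "/item.php?id=1%20UNION%20SELECT%201,2,3", "status": 200, "length": 48210},
     "flow": {"bytes_toserver": 690, "bytes_toclient": 49002}},
    {"timestamp": "2024-05-01T02:20:11.000000+0000", "src_ip": "203.0.113.10", "dest_ip": "10.0.0.5",
     "alert": {"signature": "ET WEB_SERVER PHP Web Shell Upload", "severity": 1},
     "http": {"http_method": "POST", "url": "/upload.php", "status": 200, "length": 38},
     "flow": {"bytes_toserver": 5120, "bytes_toclient": 260}},
    {"timestamp": "2024-05-01T02:20:40.000000+0000", "src_ip": "203.0.113.10", "dest_ip": "10.0.0.5",
     "alert": {"signature": "ET WEB_SERVER Possible Web Shell Command Execution", "severity": 1},
     "http": {"http_method": "GET", "url": "/uploads/cmd.php?cmd=id", "status": 200, "length": 2048},
     "flow": {"bytes_toserver": 420, "bytes_toclient": 2300}},
    # Logged before any response was seen: no http.status at all
    {"timestamp": "2024-05-01T02:21:00.000000+0000", "src_ip": "198.51.100.44", "dest_ip": "10.0.0.5",
     "alert": {"signature": "ET WEB_SERVER SQL Injection Attempt", "severity": 1},
     "http": {"http_method": "GET", "url": "/item.php?id=1%20OR%201=1"},
     "flow": {"bytes_toserver": 300, "bytes_toclient": 0}},
]


def grade_http_attempt(alert):
    """Return (verdict, evidence) for one EVE alert record.

    likely-succeeded  2xx/3xx status with a body of at least BODY_THRESHOLD bytes
    ambiguous         2xx/3xx with a small body (an "OK" from an upload handler looks like this)
    likely-failed     4xx/5xx status
    unknown           no http.status in the record, which usually means the alert was logged
                      before the response was seen; check the matching http and flow events
    """
    http = alert.get("http", {})
    flow = alert.get("flow", {})
    status = http.get("status")
    evidence = {
        "method": http.get("http_method"),
        "url": http.get("url"),
        "status": status,
        "length": http.get("length", 0),
        "bytes_toclient": flow.get("bytes_toclient", 0),
    }
    if status is None:
        return "unknown", evidence
    if status >= 400:
        return "likely-failed", evidence
    if evidence["length"] >= BODY_THRESHOLD:
        return "likely-succeeded", evidence
    return "ambiguous", evidence


def attack_chain_by_source(alerts):
    """Per source IP, the graded attempts in time order: [(signature, verdict), ...]."""
    chains = defaultdict(list)
    for alert in sorted(alerts, key=lambda a: a["timestamp"]):
        verdict, _ = grade_http_attempt(alert)
        chains[alert["src_ip"]].append((alert["alert"]["signature"], verdict))
    return dict(chains)


def needs_escalation(chain):
    """A source whose chain contains a likely-succeeded step goes on the escalation list."""
    return any(verdict == "likely-succeeded" for _, verdict in chain)


if __name__ == "__main__":
    for src, chain in attack_chain_by_source(SAMPLE_ALERTS).items():
        print(src, "ESCALATE" if needs_escalation(chain) else "monitor", chain)
```

The small-body "ambiguous" case matters: a web shell upload that worked often gets a one-line acknowledgement, so the upload alert alone is inconclusive and the later request to the uploaded file is what confirms it. That is also why the chain is built per source rather than per signature.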

Category C: Command & Control (C2)

Look for signatures containing "C2", "beacon", "callback", "trojan", or patterns indicating encoded communications.

For each C2 alert, determine:

  • Is there periodic communication (beaconing pattern)?
  • Is the destination IP known-bad or unusual?
  • Is the traffic encrypted or encoded to hide content?
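
The beaconing question in the first bullet can be answered numerically. The script below is an added example, not an EveBox feature: for one source/destination pair it takes the alert timestamps, computes the gaps between consecutive alerts and scores their regularity with the coefficient of variation (standard deviation divided by mean). A fixed-sleep beacon gives a CV near zero, a jittered beacon a small CV, and human or bursty traffic a large one. All timestamps are constructed; the CV thresholds and the minimum sample size are assumptions.

```python
"""Beaconing check for a C2 alert group: how regular are the alert intervals?

Added example, not an EveBox feature. Scores the inter-arrival gaps of alerts
for a src/dest pair with the coefficient of variation.
"""
from datetime import datetime, timedelta, timezone
from statistics import mean, pstdev

EVE_TS = "%Y-%m-%dT%H:%M:%S.%f%z"   # Suricata EVE layout, e.g. 2024-05-01T02:40:00.000000+0000
PERIODIC_CV = 0.1                    # assumption: below this, treat the gaps as fixed-interval
JITTER_CV = 0.5                      # assumption: below this, periodic with jitter


def make_series(start, gaps_s):
    """Constructed data: EVE timestamps from a start time and a list of gaps in seconds."""
    stamps, t = [start.strftime(EVE_TS)], start
    for gap in gaps_s:
        t += timedelta(seconds=gap)
        stamps.append(t.strftime(EVE_TS))
    return stamps


START = datetime(2024, 5, 1, 2, 40, tzinfo=timezone.utc)
FIXED_BEACON = make_series(START, [600] * 11)   # 12 alerts, exactly every 10 min over 2 h
JITTERED_BEACON = make_series(START, [600 + j for j in (0, 90, -60, 120, -100, 40, -80, 70, -50, 20, -50)])
IRREGULAR = make_series(START, [5, 2, 1800, 30, 7, 3600, 10, 4])   # interactive-looking traffic

# Constructed alert events for two src/dest pairs (only the fields the check needs)
SAMPLE_EVENTS = (
    [{"src_ip": "10.0.0.5", "dest_ip": "198.51.100.7", "timestamp": t} for t in FIXED_BEACON]
    + [{"src_ip": "10.0.0.22", "dest_ip": "198.51.100.7", "timestamp": t} for t in IRREGULAR]
)


def beacon_score(timestamps, min_events=4):
    """Score one series of EVE timestamps. Returns n, mean gap, CV and a verdict."""
    times = sorted(datetime.strptime(t, EVE_TS) for t in timestamps)
    if len(times) < min_events:
        return {"n": len(times), "verdict": "insufficient-data"}
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    avg = mean(gaps)
    # All alerts in the same second give avg == 0; treat that burst as irregular, not periodic
    cv = pstdev(gaps) / avg if avg > 0 else float("inf")
    if cv < PERIODIC_CV:
        verdict = "periodic"
    elif cv < JITTER_CV:
        verdict = "jittered-periodic"
    else:
        verdict = "irregular"
    return {"n": len(times), "mean_interval_s": avg, "cv": cv, "verdict": verdict}


def beaconing_pairs(events):
    """Group alert events by (src_ip, dest_ip) and score each pair."""
    series = {}
    for ev in events:
        series.setdefault((ev["src_ip"], ev["dest_ip"]), []).append(ev["timestamp"])
    return {pair: beacon_score(stamps) for pair, stamps in series.items()}


if __name__ == "__main__":
    for pair, score in beaconing_pairs(SAMPLE_EVENTS).items():
        print(pair, score)
```

Two caveats when you apply this to real data: an alert group only contains the flows the rule matched, so the flow events for the same pair give a fuller picture of the cadence; and a beacon with a long sleep needs enough samples before the CV means anything, which is why the function refuses to score fewer than four events.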

Category D: Lateral Movement

Look for signatures about internal scanning, SMB activity, credential use, or east-west traffic anomalies.

Category E: Policy Violations & ET Community Rules

Look for "ET POLICY", "ET INFO", or "GPL" prefixed signatures. These are typically informational but can provide attack context.

[Figure: EveBox alert triage workflow]


Part 4: Build Your Classification Sheet

As you work through the alerts, fill in a classification sheet using this format:

ALERT TRIAGE CLASSIFICATION SHEET
═══════════════════════════════════
Analyst: [your name]
Date: [today's date]
Environment: CyberBlue Lab — Operation Wire Tap
Total Alert Groups: 49

SIGNATURE                                    | COUNT | CLASS | REASON
─────────────────────────────────────────────|───────|───────|──────────────
ET SCAN Nmap SYN Scan                        |  [n]  |  TP   | External recon from attacker IP
ET SQL Injection UNION SELECT                |  [n]  |  TP   | Valid SQLi payload targeting web server
ET POLICY DNS Query to .onion domain         |  [n]  |  INFO | Policy alert, no active exfiltration
[... continue for all 49 groups ...]

SUMMARY
───────
True Positives:   [count] ([%])
False Positives:  [count] ([%])
Informational:    [count] ([%])

ESCALATION LIST (True Positives requiring investigation):
1. [signature] — [brief reason]
2. [signature] — [brief reason]
...

Part 5: Triage Speed Challenge

After classifying all 49 groups, test your speed:

  1. Reset your view — go back to the inbox
  2. Set a timer for 10 minutes
  3. Re-classify the top 20 alerts by count without looking at your sheet
  4. Compare your quick-triage results against your detailed analysis

Professional SOC analysts aim to triage 20–30 alerts in 10 minutes. How close did you get?

💡 Speed Triage Heuristic. When triaging at speed, use this 3-second rule: (1) Read the signature name: does it describe something malicious? (2) Check the source IP: external or internal? (3) Check the count: high count + external source = priority. If all three point to malicious, classify as TP and move on. You can always revisit. The rule's weak spot is step 2: a C2 callback from a compromised server or SMB activity between two workstations has an internal source, so a low-count, internal-source alert with a malicious signature name is a lateral movement candidate, not an automatic FP. Mark it for a second look rather than dismissing it.
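
The Part 2 indicators and the 3-second rule, written out as code. This is an added example, not EveBox functionality and not the lab's answer key; encoding the heuristic makes its blind spot explicit, since a malicious signature from an internal source is kept as a TP flagged for review instead of dropping to FP. Everything configurable is an assumption invented for the example: the internal address ranges, the authorised-scanner list, the high-count cutoff, the keyword lists, and mapping signature severity 1/2/3 to escalation priority 1/2/3. The alert groups are constructed, with the same fields the EveBox inbox shows.

```python
"""Speed triage of EveBox-style alert groups with the 3-second rule, plus the sheet summary.

Added example; not EveBox functionality and not the lab's answer key.
"""
import ipaddress
import re
from collections import Counter

# Assumption: the organisation's address plan. Using the org's own ranges is more reliable than
# guessing from RFC 1918, and it keeps documentation ranges such as 203.0.113.0/24 external.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
KNOWN_SCANNERS = {"10.0.0.9"}          # assumption: the authorised vulnerability scanner
HIGH_COUNT = 100                        # assumption: "high count" cutoff for step 3
INFO_PREFIXES = ("ET POLICY", "ET INFO", "GPL ")
MALICIOUS_RE = re.compile(
    r"\b(SCAN|SQL INJECTION|WEB ?SHELL|EXPLOIT|OVERFLOW|RCE|C2|BEACON|CALLBACK|TROJAN|MALWARE)\b",
    re.IGNORECASE,
)

SAMPLE_GROUPS = [  # constructed alert groups: signature, count, src, dest, severity
    {"signature": "ET SCAN Nmap SYN Scan", "count": 1400, "src_ip": "203.0.113.10", "dest_ip": "10.0.0.5", "severity": 2},
    {"signature": "ET WEB_SERVER SQL Injection Attempt", "count": 37, "src_ip": "203.0.113.10", "dest_ip": "10.0.0.5", "severity": 1},
    {"signature": "ET MALWARE Possible C2 Beacon", "count": 12, "src_ip": "10.0.0.5", "dest_ip": "198.51.100.7", "severity": 1},
    {"signature": "ET SCAN Potential SMB Scan", "count": 88, "src_ip": "10.0.0.9", "dest_ip": "10.0.0.20", "severity": 2},
    {"signature": "ET POLICY DNS Query to .onion domain", "count": 3, "src_ip": "10.0.0.22", "dest_ip": "10.0.0.53", "severity": 3},
    {"signature": "ET INFO Observed DNS Query to .xyz TLD", "count": 210, "src_ip": "10.0.0.22", "dest_ip": "10.0.0.53", "severity": 3},
]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def speed_triage(group):
    """Apply the 3-second rule to one group. Returns (class, reason, flags)."""
    sig = group["signature"]
    malicious = MALICIOUS_RE.search(sig) is not None          # step 1: signature name
    src_internal = is_internal(group["src_ip"])               # step 2: source
    high_count = group["count"] >= HIGH_COUNT                 # step 3: count
    flags = []
    if src_internal and group["src_ip"] in KNOWN_SCANNERS and "SCAN" in sig.upper():
        return "FP", "authorised internal scanner", flags
    if sig.startswith(INFO_PREFIXES) and not malicious:
        return "INFO", "policy/informational signature, no active threat described", flags
    if not malicious:
        return "INFO", "signature does not describe malicious activity; revisit in detailed pass", flags
    if not src_internal:
        reason = "malicious signature from external source" + (", high count" if high_count else "")
        return "TP", reason, flags
    # Step 2 fails but the signature is malicious: lateral movement, a web shell callback or a
    # C2 beacon from a compromised host all look like this. Keep it as TP and flag it for review.
    flags.append("internal source: possible compromised host or lateral movement")
    if not is_internal(group["dest_ip"]):
        flags.append("egress to external destination")
    return "TP", "malicious signature from internal source", flags


def summarize(groups):
    """Classify every group and build the summary counts, percentages and escalation order."""
    rows = []
    for g in groups:
        cls, reason, flags = speed_triage(g)
        rows.append({**g, "class": cls, "reason": reason, "flags": flags})
    counts = Counter(r["class"] for r in rows)
    total = len(rows) or 1
    percent = {c: round(100.0 * counts[c] / total, 1) for c in ("TP", "FP", "INFO")}
    # Priority = signature severity (assumption); within a priority, higher count first.
    escalation = sorted((r for r in rows if r["class"] == "TP"), key=lambda r: (r["severity"], -r["count"]))
    return {"rows": rows, "counts": dict(counts), "percent": percent, "escalation": escalation}


def escalation_lines(summary):
    """One line per TP in the Part 6 shape: signature: src -> dst, count events, note."""
    lines = []
    for r in summary["escalation"]:
        note = r["reason"] + (" [" + "; ".join(r["flags"]) + "]" if r["flags"] else "")
        lines.append(f"P{r['severity']} {r['signature']}: {r['src_ip']} -> {r['dest_ip']}, {r['count']} events, {note}")
    return lines


if __name__ == "__main__":
    s = summarize(SAMPLE_GROUPS)
    print(s["counts"], s["percent"])
    print("\n".join(escalation_lines(s)))
```

Treat the output as a first pass to compare against your detailed sheet, the way Part 5 asks; every disagreement between the two is either a blind spot in the heuristic (a keyword it lacks, a scanner it does not know) or a place where your slow analysis should be re-examined.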

[Figure: Triage priority matrix]


Part 6: Escalation Report

For each True Positive, write a one-line escalation note:

ESCALATION REPORT
═════════════════
Priority 1 — Immediate Investigation Required
  [signature]: [source IP] → [dest IP], [count] events, [brief description]

Priority 2 — Investigate Within Shift
  [signature]: [source IP] → [dest IP], [count] events, [brief description]

Priority 3 — Monitor & Document
  [signature]: [source IP] → [dest IP], [count] events, [brief description]

Deliverable Checklist

Before completing the lab, ensure you have:

  • Initial survey — total alert groups, severity distribution, top signatures, unique source IPs
  • Classification sheet — all 49 alert groups classified as TP / FP / INFO with reasoning
  • Summary counts — percentage breakdown of each classification
  • Escalation list — all True Positives ranked by priority with one-line descriptions
  • Speed triage results — your 10-minute re-triage score compared to your detailed analysis

Key Takeaways

  • Alert triage is the most time-critical SOC skill — fast, accurate classification prevents alert fatigue and catches real intrusions
  • The 3-bucket system (TP / FP / INFO) provides a structured framework that scales to any volume
  • Signature names, source IPs, destination assets, and alert counts are the four fields that drive most triage decisions
  • Speed comes from pattern recognition — the more alerts you triage, the faster you get at recognizing common signatures
  • Every triage decision should be documented with reasoning, not just a label

What's Next

In Lab 3.2 — Read a Suricata Rule, you will go behind the scenes to analyze the actual Suricata rules that generated these alerts. Understanding rule structure helps you determine why a rule fired, whether it is too broad (causing false positives), and how to write your own custom detections.

Lab Challenge: Network Alert Triage

10 questions · 70% to pass

1. You open EveBox and see 49 alert groups. What is the FIRST thing you should do before triaging individual alerts?

2. An alert fires for 'ET SCAN Nmap SYN Scan' from an external IP targeting your web server. How should you classify this?

3. You find an alert for 'ET POLICY DNS Query to .onion domain'. No other indicators of data exfiltration exist. How should you classify this?

4. Two alert groups share the same source IP: one for SQL injection and one for web shell upload. What does this correlation tell you?

5. You classify 15 alerts as True Positive, 8 as False Positive, and 26 as Informational. Is this distribution typical for a production IDS?

6. An ET community rule fires with severity 3 for 'ET INFO Observed DNS Query to .xyz TLD'. The source is an internal workstation. What is your triage classification?

7. During your speed triage challenge, which three fields should you check FIRST when rapidly classifying an alert?

8. You see a C2 beacon alert with severity 1 that fired 12 times over 2 hours. The destination IP is external and unknown. How should you prioritize this in your escalation report?

9. What distinguishes a False Positive from an Informational alert in the 3-bucket triage system?

10. After completing triage, you notice 5 True Positive alert groups all share a common source IP. What should you include in your escalation report?
