Module 4: Alert Triage — The Core Skill
SOC analysts do this 80% of the time. Get fast. Get accurate.
You'll triage Shadow Broker alerts under time pressure — separating the APT from scanner noise and false positives.
Lessons & Labs
Lesson 4.1 — True Positive vs False Positive
Fast classification patterns
Lab 4.1 — Triage Under Pressure
30 alerts. Target: 85% accuracy.
Lesson 4.2 — Context Is Everything
Asset value, user role, time of day
Lab 4.2 — Investigate Suspicious Logon
Unusual country logon. TP or FP?
Lesson 4.3 — Investigation Workflow
Alert → pivot → decide
Lesson 4.4 — Decoding & Deobfuscation
Base64 and obfuscated PowerShell, decoded with CyberChef
Lab 4.3 — Decode the Payload
Browser-only: Decode Base64 PowerShell with CyberChef. No cloud lab needed.
Lesson 4.5 — Escalation: When and How
What to escalate, when to escalate it, and to whom
Lab 4.4 — Alert Queue Challenge
50 alerts. Prioritize, triage, handoff.
Lesson 4.6 — Web Attack Signatures in Logs
Recognizing SQLi, XSS, Command Injection, and Path Traversal patterns in web server logs and SIEM alerts
Web Attack Alert Triage
Classify 20 web application attack alerts by type (SQLi, XSS, Command Injection, Path Traversal), separate scanner noise from targeted attacks, and write an escalation summary.
Lesson 4.7 — Recognizing Anomalies: The Analyst's Mental Model
Seven anomaly categories — masquerading, frequency, temporal, location, structure, entropy, absence — with SOC examples
Anomaly Detection Challenge
Hunt for 7 planted anomalies hidden among normal Wazuh activity, classify each by category, and document investigation steps for every finding.