What You'll Learn
- Investigate a single suspicious logon alert by pivoting across multiple data dimensions
- Check geographic context, historical login patterns, and user behavior baselines
- Use Wazuh query syntax to search for correlated events on the same account and host
- Determine whether an account has been compromised or if the alert is a legitimate anomaly
- Write a structured 5-line investigation summary with a confident TP or FP verdict
Lab Overview
| Detail | Value |
|---|---|
| Lab Profile | lab-wazuh |
| Containers | Wazuh Manager, Wazuh Indexer, Wazuh Dashboard |
| Estimated Time | 45–60 minutes |
| Difficulty | Intermediate |
| Browser Access | Wazuh Dashboard (Web UI) |
| Pre-Loaded Data | Target account login history (30+ events over 7 days) + the suspicious logon alert + surrounding context |
| Deliverable | 5-line investigation summary with TP/FP verdict and supporting evidence |
One alert, many questions. In Lab 6.1, you triaged 30 alerts quickly. Now you go deep on one. Real SOC work often starts with a single alert that looks suspicious — your job is to pull on the thread until you can confidently say "this is real" or "this is benign." The pivot technique you learn here is the core skill of SOC investigation.
The Scenario
Your SIEM fires an alert:
Alert: Successful authentication from unusual location
Rule: 18152 — Windows logon success
User: j.martinez
Source IP: 185.156.73.118
Host: WIN-SERVER-01
Time: 02:47 AM (local time)
Logon Type: 10 (RemoteInteractive — RDP)
The user j.martinez is an IT administrator. The alert triggered because the source IP geolocates to Eastern Europe, while the user is based in the United States.
Don't jump to conclusions. The IP being from Eastern Europe doesn't automatically make this malicious. Administrators sometimes use VPNs, travel, or access systems from unexpected locations. Your job is to gather evidence, not assume.
Part 1: Examine the Alert
Step 1: Find the Alert
In the Wazuh Dashboard, navigate to Security Events and search:
rule.id: 18152 AND data.win.eventdata.targetUserName: j.martinez
Expand the alert and record these fields:
| Field | What to Note |
|---|---|
| data.win.eventdata.ipAddress | Source IP of the logon |
| data.win.eventdata.logonType | Type 10 = RDP, Type 3 = Network, Type 2 = Interactive |
| data.win.eventdata.workstationName | The machine name the connection came from |
| timestamp | Exact time of the logon |
| data.win.eventdata.targetUserName | The account used |
Step 2: Enrich the IP
Open AbuseIPDB in a separate tab. Look up 185.156.73.118:
- How many abuse reports does it have?
- What country does it geolocate to?
- Is it associated with a hosting provider or a residential ISP?
- Has it been reported for brute force, scanning, or other abuse?
Hosting provider vs residential. If the IP belongs to a hosting/VPS provider, it's more likely to be used by an attacker (cheap VPS for C2/proxy). If it's a residential ISP, it could be someone's home connection — possibly legitimate if the user is traveling.
Part 2: Build the Login History
Step 3: Check j.martinez's Normal Pattern
Search for all logon events for this user in the past 7 days:
data.win.eventdata.targetUserName: j.martinez AND rule.id: 18152
Set the time range to Last 7 days. Build a login profile:
| Question | How to Find It |
|---|---|
| What times does j.martinez normally log in? | Look at timestamps — are they typically 8 AM–6 PM? |
| What IPs does j.martinez normally log in from? | List all unique data.win.eventdata.ipAddress values |
| What logon types are normal? | Type 10 (RDP), Type 3 (Network), Type 2 (Interactive)? |
| Has this user ever logged in from 185.156.73.118 before? | Search specifically for this IP |
Step 4: Check for Failed Attempts
Search for failed logons targeting this account:
data.win.eventdata.targetUserName: j.martinez AND rule.id: 18151
- Were there failed attempts before the successful logon?
- Did the failures come from the same IP (185.156.73.118)?
- How many failures and over what time span?
Red flag pattern: Multiple failed logons from the suspicious IP followed by a single success = brute force that worked. This changes the verdict from "maybe suspicious" to "almost certainly compromised."
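Steps 3 and 4 can be scripted once you have exported the account's alerts from the Indexer. The following is an added example written for this lab, not code from the lab or from Wazuh: it builds the 7-day success profile (hours, source IPs, logon types), checks whether the alert IP and hour fall inside that baseline, and counts failures from the same IP in the minutes before the success. The events, dates and the 10-minute brute-force window are constructed assumptions; field paths follow the page's data.win.eventdata.* names, with rule 18152 = success and 18151 = failure.

```python
"""Builds a 7-day login profile for one account from Wazuh alert JSON and
compares a new logon against it (Steps 3 and 4 of this lab).

Added example written for this lab, not code from the lab or from Wazuh.
The events and dates below are constructed; field paths follow the Wazuh
Windows decoder names used on the page (data.win.eventdata.*), with
rule 18152 = logon success and 18151 = logon failure.
"""
from collections import Counter
from datetime import datetime, timedelta

SUCCESS_RULE = "18152"
FAILURE_RULE = "18151"


def _ev(ts, rule, user, ip, logon_type):
    """Minimal Wazuh-style alert document with only the fields we read."""
    return {
        "timestamp": ts,
        "rule": {"id": rule},
        "data": {"win": {"eventdata": {
            "targetUserName": user, "ipAddress": ip, "logonType": logon_type}}},
    }


# Constructed sample: a week of business-hours logons from the internal
# 10.0.1.x range, then a burst of failures and one success from the alert IP.
SAMPLE_ALERTS = [
    _ev("2024-03-04T09:12:00", SUCCESS_RULE, "j.martinez", "10.0.1.25", "10"),
    _ev("2024-03-04T14:30:00", SUCCESS_RULE, "j.martinez", "10.0.1.25", "3"),
    _ev("2024-03-05T08:55:00", SUCCESS_RULE, "j.martinez", "10.0.1.40", "10"),
    _ev("2024-03-06T10:05:00", SUCCESS_RULE, "j.martinez", "10.0.1.25", "10"),
    _ev("2024-03-07T17:45:00", SUCCESS_RULE, "j.martinez", "10.0.1.40", "10"),
    _ev("2024-03-08T02:44:10", FAILURE_RULE, "j.martinez", "185.156.73.118", "10"),
    _ev("2024-03-08T02:44:55", FAILURE_RULE, "j.martinez", "185.156.73.118", "10"),
    _ev("2024-03-08T02:45:40", FAILURE_RULE, "j.martinez", "185.156.73.118", "10"),
    _ev("2024-03-08T02:47:00", SUCCESS_RULE, "j.martinez", "185.156.73.118", "10"),
]


def _fields(alert):
    """Flatten one alert to (datetime, rule id, user, source ip, logon type)."""
    d = alert["data"]["win"]["eventdata"]
    return (datetime.fromisoformat(alert["timestamp"]), alert["rule"]["id"],
            d["targetUserName"], d["ipAddress"], d["logonType"])


def build_profile(alerts, user, exclude_ts=None):
    """Summarise successful logons for `user`. Pass the timestamp of the alert
    under investigation as `exclude_ts` so it does not contaminate its own
    baseline (the page's "has this user EVER logged in from this IP?" check)."""
    skip = datetime.fromisoformat(exclude_ts) if exclude_ts else None
    hours, ips, types = Counter(), Counter(), Counter()
    for ts, rule, u, ip, lt in map(_fields, alerts):
        if u != user or rule != SUCCESS_RULE or ts == skip:
            continue
        hours[ts.hour] += 1
        ips[ip] += 1
        types[lt] += 1
    return {"hours": hours, "ips": ips, "logon_types": types,
            "count": sum(hours.values())}


def failures_before(alerts, user, ip, success_ts, window=timedelta(minutes=10)):
    """Count failed logons for `user` from `ip` in the window before success."""
    end = datetime.fromisoformat(success_ts)
    return sum(1 for ts, rule, u, src, _ in map(_fields, alerts)
               if u == user and rule == FAILURE_RULE and src == ip
               and end - window <= ts < end)


def assess_logon(alerts, user, ip, success_ts):
    """Return the baseline findings an analyst would cite on the EVIDENCE line."""
    profile = build_profile(alerts, user, exclude_ts=success_ts)
    hour = datetime.fromisoformat(success_ts).hour
    findings = []
    if profile["count"] == 0:
        findings.append("no prior successful logons in the window: no baseline")
    else:
        if ip not in profile["ips"]:
            findings.append(f"IP {ip} never seen in {profile['count']} prior logons")
        if profile["hours"][hour] == 0:  # Counter returns 0 for unseen hours
            seen = sorted(profile["hours"])
            findings.append(f"logon hour {hour:02d} outside baseline "
                            f"hours {seen[0]:02d}-{seen[-1]:02d}")
    n_fail = failures_before(alerts, user, ip, success_ts)
    if n_fail:
        findings.append(f"{n_fail} failed logons from {ip} in the 10 min before success")
    return findings


if __name__ == "__main__":
    for line in assess_logon(SAMPLE_ALERTS, "j.martinez", "185.156.73.118",
                             "2024-03-08T02:47:00"):
        print("-", line)
```

Excluding the alert itself from the baseline matters: if you leave it in, the "never seen before" check always fails because the alert IP is, trivially, in the history. The findings list maps directly onto the EVIDENCE line of the 5-line summary.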
Part 3: Check What Happened After
Step 5: Post-Logon Activity
This is the most critical step. Search for ALL events on WIN-SERVER-01 from the suspicious IP after the logon time:
agent.name: WIN-SERVER-01 AND data.srcip: 185.156.73.118
Also search for any events by j.martinez after 02:47 AM:
agent.name: WIN-SERVER-01 AND data.win.eventdata.subjectUserName: j.martinez AND timestamp:[02:47 TO 06:00]
The timestamp field holds a full date and time, so either fill in the alert's date in both range bounds or, more simply, run only the first two clauses and narrow the window with the dashboard's time picker.
Look for:
- New process creation (Event ID 4688) — did they run anything suspicious?
- New service installation (Event ID 7045) — persistence?
- Privilege escalation — did they access admin resources?
- File access — did they touch sensitive directories?
- Additional network connections — lateral movement?
Step 6: Check Other Hosts
Search for the suspicious IP across ALL hosts:
data.srcip: 185.156.73.118
- Has this IP targeted other accounts or hosts?
- Is this an isolated logon or part of a broader campaign?
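Steps 5 and 6 are the same pivot in code form. The block below is an added example written for this lab, not code from the lab or from Wazuh: given alert documents already pulled from the Indexer, it lists the process-creation command lines the account ran on the host in the hours after the logon, flags the discovery commands among them, and builds the source IP's footprint across every host and account so you can call the activity isolated or a campaign. The events are constructed; the 4-hour window and the discovery markers beyond the page's own net user / net group are assumptions; field names follow the page (agent.name, data.srcip, data.win.eventdata.*).

```python
"""Post-logon and cross-host pivot for one suspicious source IP
(Steps 5 and 6 of this lab).

Added example written for this lab, not code from the lab or from Wazuh.
Events are constructed; field names follow the page (agent.name, data.srcip,
data.win.eventdata.*). Process-creation alerts carry subjectUserName and
commandLine (Event ID 4688); logon alerts carry targetUserName and srcip.
"""
from datetime import datetime, timedelta

ALERT_IP = "185.156.73.118"
SUCCESS_RULE, FAILURE_RULE = "18152", "18151"

# Discovery commands that deserve a second look right after an unusual logon.
# "net user" and "net group" come from the lab's quiz; the others are assumed.
DISCOVERY_MARKERS = ("net user", "net group", "whoami", "nltest")


def _proc(ts, host, user, cmd):
    """Constructed 4688 process-creation alert, trimmed to the fields we read."""
    return {"timestamp": ts, "agent": {"name": host},
            "data": {"win": {"eventdata": {"subjectUserName": user, "commandLine": cmd}}}}


def _logon(ts, host, user, ip, rule):
    """Constructed logon success/failure alert from `ip` against `user` on `host`."""
    return {"timestamp": ts, "agent": {"name": host}, "rule": {"id": rule},
            "data": {"srcip": ip,
                     "win": {"eventdata": {"targetUserName": user, "ipAddress": ip}}}}


SAMPLE_EVENTS = [
    _logon("2024-03-08T02:47:00", "WIN-SERVER-01", "j.martinez", ALERT_IP, SUCCESS_RULE),
    _proc("2024-03-08T02:49:12", "WIN-SERVER-01", "j.martinez", "net user /domain"),
    _proc("2024-03-08T02:50:03", "WIN-SERVER-01", "j.martinez", 'net group "Domain Admins" /domain'),
    _proc("2024-03-08T02:55:40", "WIN-SERVER-01", "j.martinez", "notepad.exe C:\\temp\\notes.txt"),
    _logon("2024-03-08T03:10:00", "WIN-SERVER-01", "administrator", ALERT_IP, FAILURE_RULE),
    _logon("2024-03-08T03:11:30", "WIN-SERVER-01", "svc_backup", ALERT_IP, FAILURE_RULE),
    _logon("2024-03-08T03:20:00", "WIN-SERVER-02", "j.martinez", ALERT_IP, FAILURE_RULE),
    # Same command a day earlier, before the logon: must not be attributed to it.
    _proc("2024-03-07T11:00:00", "WIN-SERVER-01", "j.martinez", "net user /domain"),
]


def post_logon_processes(events, host, user, after, window=timedelta(hours=4)):
    """Command lines run by `user` on `host` within `window` after ISO time `after`."""
    start = datetime.fromisoformat(after)
    out = []
    for e in events:
        ed = e["data"]["win"]["eventdata"]
        ts = datetime.fromisoformat(e["timestamp"])
        if (e["agent"]["name"] == host and ed.get("subjectUserName") == user
                and "commandLine" in ed and start <= ts <= start + window):
            out.append(ed["commandLine"])
    return out


def flag_discovery(command_lines):
    """Subset of command lines that match a discovery marker (case-insensitive)."""
    return [c for c in command_lines
            if any(m in c.lower() for m in DISCOVERY_MARKERS)]


def ip_footprint(events, ip):
    """Sorted (host, account, outcome) tuples for every logon alert from `ip`."""
    rows = set()
    for e in events:
        if e["data"].get("srcip") != ip:  # process alerts carry no srcip
            continue
        outcome = "success" if e["rule"]["id"] == SUCCESS_RULE else "failure"
        rows.add((e["agent"]["name"],
                  e["data"]["win"]["eventdata"]["targetUserName"], outcome))
    return sorted(rows)


def scope(events, ip, alert_host, alert_user):
    """'isolated' if the IP only touched the alerting host/account, else 'campaign'."""
    others = [r for r in ip_footprint(events, ip)
              if (r[0], r[1]) != (alert_host, alert_user)]
    return "campaign" if others else "isolated"


if __name__ == "__main__":
    cmds = post_logon_processes(SAMPLE_EVENTS, "WIN-SERVER-01", "j.martinez",
                                "2024-03-08T02:47:00")
    print("post-logon commands:", cmds)
    print("discovery commands:", flag_discovery(cmds))
    print("IP footprint:", ip_footprint(SAMPLE_EVENTS, ALERT_IP))
    print("scope:", scope(SAMPLE_EVENTS, ALERT_IP, "WIN-SERVER-01", "j.martinez"))
```

The footprint deliberately records failures as well as successes: an IP that failed against administrator and svc_backup right after succeeding as j.martinez tells you far more about severity than the single successful logon does.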
Part 4: Make Your Verdict
Based on your investigation, determine:
| Evidence | Points Toward TP | Points Toward FP |
|---|---|---|
| IP geolocation | Eastern Europe, user is US-based | User could be traveling or using VPN |
| IP reputation | Multiple abuse reports, hosting provider | Clean IP, residential ISP |
| Login time | 02:47 AM — unusual for business hours | User is an admin, may work odd hours |
| Prior failed attempts | Multiple failures before success = brute force | No failures = direct access with valid creds |
| Post-logon activity | Suspicious commands, new services, lateral movement | Normal admin tasks, no red flags |
| Login history | IP never seen before for this user | IP used by user on previous occasions |
Deliverable
Write your 5-Line Investigation Summary:
ALERT: Successful RDP logon from unusual location
USER: j.martinez
EVIDENCE: [2-3 key findings from your investigation]
VERDICT: [TP / FP]
ACTION: [What should happen next — escalate? reset password? monitor?]
This is what you hand to your supervisor. In a real SOC, your shift lead or L2 analyst will read this summary and decide next steps. Clear, concise, evidence-based — that's what earns trust and career advancement.
Key Takeaways
- A single alert can require checking 5+ data sources before reaching a verdict
- Geographic anomalies are a starting point, not a conclusion — always gather corroborating evidence
- The login history baseline is critical: has this user EVER logged in from this IP or at this time?
- Post-logon activity is the strongest verdict indicator: what did they DO after logging in?
- Failed attempts before a success dramatically increase the likelihood of credential compromise
- Always check if the suspicious IP targeted other accounts — isolated vs campaign changes severity
- The 5-line summary format is how professional analysts communicate findings efficiently
What's Next
Lab 6.3 shifts from alert investigation to payload analysis. You'll decode a Base64-encoded PowerShell command using CyberChef — a critical skill for understanding what attackers are actually trying to execute on your systems.
Lab Challenge: Investigate Suspicious Logon
10 questions · 70% to pass
In this lab, the suspicious logon alert shows logon type 10 for user j.martinez on WIN-SERVER-01. What does logon type 10 indicate?
You search for j.martinez's login history over the past 7 days and find 23 logon events. All previous logins came from IPs in the 10.0.1.x range during 8 AM–6 PM. The alert IP (185.156.73.118) appears only once, at 02:47 AM. What does this tell you?
When enriching IP 185.156.73.118 on AbuseIPDB, you find it belongs to a VPS hosting provider with 34 abuse reports for brute force and port scanning. How does this affect your investigation?
You search for failed logon attempts (rule.id: 18151) for j.martinez and find 8 failed attempts from 185.156.73.118 in the 3 minutes before the successful logon. What attack technique does this represent?
After the suspicious logon, you find Event ID 4688 (process creation) showing j.martinez ran 'net user /domain' and 'net group "Domain Admins" /domain' on WIN-SERVER-01. What is the attacker likely doing?
You search for IP 185.156.73.118 across all hosts and find it also attempted (but failed) to log into accounts 'administrator' and 'svc_backup' on the same server. What does this broader pattern indicate?
Your investigation reveals: unusual IP, unusual time, 8 failed attempts before success, post-logon reconnaissance commands, and the IP targeted other accounts. Based on the lab's investigation framework, what is the correct verdict?
In the 5-line investigation summary format, which line is MOST important for the receiving analyst to act on quickly?
While investigating, you check whether j.martinez's account has been used for any file access after the suspicious logon. You find access to '\\fileserver\finance\Q4-earnings.xlsx' at 03:02 AM. Why is this significant?
If your investigation had found NO failed attempts, the IP belonged to a residential ISP in a city where j.martinez has family, the time was 7 PM (evening), and post-logon activity was normal admin tasks, what would be the correct verdict?