# Lab 1: Synthetic Alert Triage

- Difficulty: ⭐⭐ Intermediate
- Duration: 60–75 minutes
- Chapter Reference: Chapter 6 — Triage and Investigation
- Nexus SecOps Controls: Nexus SecOps-051, Nexus SecOps-052, Nexus SecOps-053, Nexus SecOps-058, Nexus SecOps-059
## Learning Objectives
By completing this lab, you will be able to:
- Apply a structured triage methodology to a queue of mixed alerts
- Distinguish true positives, false positives, and benign-but-suspicious events
- Practice SLA-aware triage prioritization
- Document triage decisions with clear, auditable reasoning
- Identify patterns that indicate false positive tuning opportunities
## Setup
No tooling required. Use the alert table below as your "alert queue." Use a text file or spreadsheet to document your triage decisions.
Simulated environment:

- You are a Tier 1 analyst at Meridian Financial Services
- Your shift started at 08:00 UTC
- The alert queue contains 20 alerts from the last 4 hours
- SLA: Critical ≤ 15 min, High ≤ 30 min, Medium ≤ 2 h
## Alert Queue
Work through the alerts in order. For each alert, document your triage decision before checking the answer key.
| # | Alert Name | Sev | User | Host | Time | Key Detail |
|---|---|---|---|---|---|---|
| 1 | Brute Force — Failed Auth Threshold | HIGH | svc-backup | SQLSRV01 | 07:45 | 52 failures in 5 min; same IP |
| 2 | Impossible Travel | HIGH | jsmith | — | 07:51 | Login from US at 07:45, UK at 07:51 |
| 3 | Ransomware Behavior Detected | CRIT | mlopez | FINANCE-WS-042 | 08:03 | Mass file rename .encrypted extension |
| 4 | Suspicious PowerShell Execution | HIGH | IT-Admin | SRV-PATCH01 | 07:30 | PowerShell -EncodedCommand flag used |
| 5 | Large File Upload to Cloud | MED | tcarter | ACCT-WS-011 | 07:12 | 4.2 GB uploaded to Dropbox |
| 6 | New Admin Account Created | HIGH | svc-deploy | DC01 | 06:55 | Account: temp-admin-deploy |
| 7 | Lateral Movement — SMB Admin$ | HIGH | jsmith | FINANCE-WS-099 | 08:07 | Admin share access from WS-042 |
| 8 | DNS Query to Known Bad Domain | MED | FINANCE-WS-042 | — | 08:01 | Query to c2.evilsite.ru |
| 9 | USB Device Inserted | LOW | agarcia | HR-WS-003 | 07:22 | USB mass storage device |
| 10 | Credential Dumping — LSASS Access | CRIT | mlopez | FINANCE-WS-042 | 08:04 | Process accessed lsass.exe |
| 11 | Brute Force — Failed Auth Threshold | MED | jdoe | CORP-WS-101 | 07:55 | 6 failures then success; same IP |
| 12 | Scheduled Task Created | MED | mlopez | FINANCE-WS-042 | 08:05 | Task: SysUpdate; runs cmd.exe |
| 13 | MFA Push — Multiple Denials | HIGH | pchen | — | 08:10 | 8 MFA push denials in 10 min |
| 14 | Shadow Copy Deletion | CRIT | mlopez | FINANCE-WS-042 | 08:06 | vssadmin.exe delete shadows |
| 15 | Service Account Login from New Location | HIGH | svc-monitoring | MONSVR01 | 07:40 | First login from 10.5.0.0/16 subnet |
| 16 | Anomalous Data Access — After Hours | MED | rlopez | FILESVR01 | 02:15 | Accessed 340 files in 20 min |
| 17 | Antivirus Detection — Quarantined | HIGH | bwilson | SALES-WS-007 | 07:33 | Trojan.GenericKD.47 quarantined |
| 18 | Failed Login — Disabled Account | LOW | ex-emp-kholt | DC01 | 08:00 | Login attempt on disabled account |
| 19 | Data Exfiltration — Email Large Attachment | MED | mlopez | — | 08:02 | 890MB attachment to gmail.com |
| 20 | Printing — Large Document After Hours | LOW | rlopez | HR-PRINTER01 | 02:30 | 340-page document printed |
## Triage Worksheet
For each alert, fill in:
| # | Your Classification | Confidence | Key Evidence | Immediate Action |
|---|---|---|---|---|
| 1 | ||||
| 2 | ||||
| 3 | ||||
| ... | | | | |
Classification options: TP (True Positive) / FP (False Positive) / Benign / Escalate T2 / Declare Incident
## Task 1: Priority Queue Order
Before triaging all 20 alerts, list them in the order you should work through them (highest priority first).
Your priority order: __
Hint: Consider severity and SLA time elapsed. Time of detection vs. current time (08:15) matters.
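As an added example (not part of the lab material), the following Python script computes each alert's age and remaining SLA time at the lab's 08:15 UTC clock and sorts the queue by severity and then by least SLA time remaining, which is what the hint asks you to weigh. It ranks on those two signals only, not on the cross-alert correlation the answer key also uses; the arbitrary date in `NOW` and the (id, severity, time) tuple layout are assumptions of the example.

```python
from datetime import datetime

# SLA targets from the lab setup; LOW has no SLA defined in the lab, so None.
SLA_MINUTES = {"CRIT": 15, "HIGH": 30, "MED": 120, "LOW": None}
SEV_RANK = {"CRIT": 0, "HIGH": 1, "MED": 2, "LOW": 3}
# Constructed clock: the lab's "current time" of 08:15 UTC (the date is arbitrary).
NOW = datetime(2024, 1, 1, 8, 15)

# The lab's alert queue as (id, severity, detection time HH:MM); names omitted.
QUEUE = [
    (1, "HIGH", "07:45"), (2, "HIGH", "07:51"), (3, "CRIT", "08:03"), (4, "HIGH", "07:30"),
    (5, "MED", "07:12"), (6, "HIGH", "06:55"), (7, "HIGH", "08:07"), (8, "MED", "08:01"),
    (9, "LOW", "07:22"), (10, "CRIT", "08:04"), (11, "MED", "07:55"), (12, "MED", "08:05"),
    (13, "HIGH", "08:10"), (14, "CRIT", "08:06"), (15, "HIGH", "07:40"), (16, "MED", "02:15"),
    (17, "HIGH", "07:33"), (18, "LOW", "08:00"), (19, "MED", "08:02"), (20, "LOW", "02:30"),
]

def age_minutes(hhmm, now=NOW):
    """Minutes since detection; all timestamps fall on the same shift day."""
    h, m = map(int, hhmm.split(":"))
    return int((now - now.replace(hour=h, minute=m)).total_seconds() // 60)

def sla_remaining(sev, hhmm, now=NOW):
    """Minutes left before the SLA is missed (negative = already breached); None if no SLA."""
    limit = SLA_MINUTES[sev]
    return None if limit is None else limit - age_minutes(hhmm, now)

def prioritize(queue, now=NOW):
    """Order by severity tier, then oldest first (least SLA time remaining within a tier).
    Returns (id, severity, age_minutes, sla_remaining) tuples."""
    rows = [(i, s, age_minutes(t, now), sla_remaining(s, t, now)) for i, s, t in queue]
    return sorted(rows, key=lambda r: (SEV_RANK[r[1]], -r[2]))

def breached(queue, now=NOW):
    """IDs whose SLA clock has already run out at `now`."""
    return sorted(i for i, _, _, rem in prioritize(queue, now) if rem is not None and rem < 0)

if __name__ == "__main__":
    for i, s, age, rem in prioritize(QUEUE):
        flag = "BREACHED" if rem is not None and rem < 0 else ""
        print(f"#{i:<3}{s:<5}age={age:>3}m  sla_left={rem!s:>5}  {flag}")
```

Note that several HIGH alerts (4, 6, 15, 17) are already past their 30-minute SLA at 08:15, which a pure severity sort would hide behind the fresher HIGH alerts.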
## Task 2: Alert 3 — Triage Decision
Alert 3 (Ransomware Behavior) is Critical. Walk through this alert fully:
- What is your immediate action within the first 2 minutes?
- Who do you notify and how?
- What do you need to check before escalating?
- What does the correlation of alerts 3, 7, 8, 10, 12, 14, and 19 tell you?
## Task 3: False Positive Identification
Review the full alert list. Which alerts are most likely false positives? For each probable FP:
- Identify the alert
- State the most likely benign explanation
- State what evidence you would need to confirm it is a FP
- State whether this FP should trigger a rule tuning request
## Answer Key

Complete your own triage before reading the answers below.
### Priority Queue Order

Correct order (highest priority first):

1. Alert 3 (CRIT, Ransomware) — 08:03, 12 min old
2. Alert 10 (CRIT, LSASS Dump) — 08:04, 11 min old
3. Alert 14 (CRIT, Shadow Delete) — 08:06, 9 min old
4. Alert 2 (HIGH, Impossible Travel) — 08:07, 8 min old ← note: related to #3?
5. Alert 7 (HIGH, Lateral SMB) — 08:07, 8 min old ← related to #3
6. Alert 13 (HIGH, MFA Denials) — 08:10, 5 min old
7. Continue by severity then age...
### Alert Classifications
| # | Classification | Reasoning |
|---|---|---|
| 1 | FP likely | Service account backup jobs often trigger auth failures; verify against backup schedule |
| 2 | TP — Escalate | Impossible travel from US to UK in 6 min; no flight achieves this; likely credential compromise |
| 3 | TP — INCIDENT | Ransomware confirmed; mass file rename + C2 DNS (alert 8) + LSASS (alert 10) = active attack |
| 4 | FP likely | IT-Admin on patch server using encoded PowerShell = common, expected for deployment scripts; verify change window |
| 5 | Escalate T2 | 4.2 GB Dropbox upload warrants investigation; may be FP (backup) or exfiltration |
| 6 | TP — Escalate | New admin account on DC requires investigation; check if authorized in change mgmt |
| 7 | TP — INCIDENT | Admin share access from WS-042 (ransomware host) = confirmed lateral movement |
| 8 | TP — INCIDENT | Known C2 domain from ransomware host = confirmed C2 communication |
| 9 | Benign | USB insertion alone is not malicious; low severity; no further action if user is authorized |
| 10 | TP — INCIDENT | LSASS access = credential dumping = part of ransomware attack chain |
| 11 | FP likely | 6 failures then success = possible mistyped password; check if from same device |
| 12 | TP — INCIDENT | Malicious scheduled task on ransomware host = persistence mechanism |
| 13 | TP — Escalate | MFA fatigue attack in progress; contact user immediately via secondary channel |
| 14 | TP — INCIDENT | Shadow copy deletion = ransomware pre-encryption step; already have incident declared |
| 15 | Escalate T2 | Service account from new subnet is anomalous; may be authorized new monitoring host |
| 16 | TP — Escalate | After-hours mass file access by rlopez; possible exfiltration; check employment status |
| 17 | Benign — Monitor | AV quarantined = threat contained; no further action needed unless detection not trusted |
| 18 | Benign | Disabled account login attempt = common noise; log for access management; no escalation |
| 19 | TP — INCIDENT | 890MB email to Gmail from ransomware actor's account = exfiltration attempt; part of incident |
| 20 | Benign | After-hours printing by same user as alert 16; low priority; note as corroborating data |
### The Incident

Alerts 3, 7, 8, 10, 12, 14, 19 form a single ransomware incident involving host FINANCE-WS-042 and user mlopez. Timeline:

- 02:15–02:30: rlopez accesses 340 files and prints documents (possible earlier staging)
- 08:01: C2 DNS query from WS-042
- 08:02: Email exfiltration from mlopez
- 08:03: Ransomware file encryption begins
- 08:04: LSASS credential dumping
- 08:05: Persistence scheduled task
- 08:06: Shadow copies deleted
- 08:07: Lateral movement to FINANCE-WS-099
This is a full kill chain in 6 minutes. MTTD from first C2 query (08:01) to detection (08:03) = 2 minutes.
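To show the entity pivot behind this correlation, here is an added Python example (not part of the lab material) that clusters every alert sharing a user, host, or named source host with seed alert 3 and orders the cluster into the timeline above. The alert subset, the `src_host` field parsed from alert 7's "from WS-042" detail, and the one-hop versus two-hop pivot depth are assumptions of the example; rlopez's after-hours alerts share no entity with the seed, so the pivot does not pick them up, which is why the key lists them only as possible staging.

```python
from collections import namedtuple

# Constructed subset of the lab queue with just the fields needed for pivoting.
# src_host holds a source host named in the Key Detail (alert 7: "from WS-042",
# expanded to its full hostname); "" where the detail names none.
A = namedtuple("A", "id time name user host src_host")
ALERTS = [
    A(2, "07:51", "Impossible Travel", "jsmith", "", ""),
    A(3, "08:03", "Ransomware Behavior Detected", "mlopez", "FINANCE-WS-042", ""),
    A(7, "08:07", "Lateral Movement - SMB Admin$", "jsmith", "FINANCE-WS-099", "FINANCE-WS-042"),
    A(8, "08:01", "DNS Query to Known Bad Domain", "", "FINANCE-WS-042", ""),
    A(10, "08:04", "Credential Dumping - LSASS Access", "mlopez", "FINANCE-WS-042", ""),
    A(12, "08:05", "Scheduled Task Created", "mlopez", "FINANCE-WS-042", ""),
    A(13, "08:10", "MFA Push - Multiple Denials", "pchen", "", ""),
    A(14, "08:06", "Shadow Copy Deletion", "mlopez", "FINANCE-WS-042", ""),
    A(16, "02:15", "Anomalous Data Access - After Hours", "rlopez", "FILESVR01", ""),
    A(19, "08:02", "Data Exfiltration - Email Large Attachment", "mlopez", "", ""),
]

def entities(a):
    """Pivot keys for an alert: user, host and any source host named in the detail."""
    return {e for e in (a.user, a.host, a.src_host) if e}

def correlate(alerts, seed_id, hops=1):
    """Collect alerts sharing an entity with the seed. Each extra hop pivots again
    through entities contributed by newly added alerts: a wider net, but more noise."""
    by_id = {a.id: a for a in alerts}
    cluster = {seed_id}
    keys = entities(by_id[seed_id])
    for _ in range(hops):
        added = {a.id for a in alerts if a.id not in cluster and entities(a) & keys}
        if not added:
            break
        cluster |= added
        keys |= set().union(*(entities(by_id[i]) for i in added))
    return sorted(cluster)

def timeline(alerts, ids):
    """(time, id, name) rows for the given alert ids, earliest first."""
    by_id = {a.id: a for a in alerts}
    return [(by_id[i].time, i, by_id[i].name) for i in sorted(ids, key=lambda i: by_id[i].time)]

if __name__ == "__main__":
    ids = correlate(ALERTS, 3)
    for t, i, n in timeline(ALERTS, ids):
        print(t, f"#{i}", n)
    print("second hop adds:", set(correlate(ALERTS, 3, hops=2)) - set(ids))
```

One hop reproduces the seven incident alerts; a second hop pivots through jsmith (via alert 7) and pulls in alert 2, the same link the priority-order key flags with "related to #3?".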
### FP Tuning Candidates
- Alert 1: Add exception for svc-backup from backup server IPs during backup window
- Alert 4: Add exception for IT-Admin hosts using encoded PowerShell during change windows
- Alert 11: Increase threshold to 10+ failures to reduce low-confidence brute force FPs
## Scoring
Grade your triage decisions:
| Criteria | Points |
|---|---|
| Correctly identified all 7 incident alerts (3, 7, 8, 10, 12, 14, 19) | 35 pts (5 each) |
| Correctly classified ≥4 FPs (1, 4, 11) | 15 pts |
| Correctly identified benign alerts (9, 17, 18, 20) | 20 pts |
| Escalated uncertain alerts appropriately (5, 6, 13, 15, 16) | 25 pts |
| Documented clear reasoning in worksheet | 5 pts |
| Total | 100 pts |
- Score ≥ 80: Ready for Tier 1 alert triage work
- Score 60–79: Review Chapter 6 triage methodology
- Score < 60: Revisit triage fundamentals before operational work
Lab 1 complete. Proceed to Lab 2: Detection Tuning