Mahin Ahmad

Advent of Cyber 2025 Day 10 Writeup: SOC Alert Triaging | TryHackMe

👉 Room Link

Today we have to log in to Microsoft's cloud platform, Azure. Several access passes are available in case Azure blocks an account for suspicious activity. The usr-aoc25-eu@tryhackme.onmicrosoft.com account worked for me.

Today's tasks focus on triaging alerts in the middle of an attack. From the SOC tooling we can see all kinds of logs and the intrusion activity carried out by external actors.

Fast Response:
Analysts should prioritise first. Filter by severity level (how bad is it?), timestamp and frequency, attack stage (where in the attack lifecycle?), and affected assets (what or who is affected?).

Deep Dive Steps:

  1. Investigate the alert in detail
  2. Check the related logs
  3. Coordinate multiple alerts
  4. Build context and timeline
  5. Decide on the next action
  6. Document findings and lessons learned

Example Scenario of Deep Dive Steps:
A SOC receives an alert: "Multiple failed login attempts followed by a successful login".

Step 1. Alert checking

  • The analyst opens the alert and reviews the details.
  • Entity: user j.doe, source IP 203.0.113.45
  • Detection logic: 10 failed logins within 5 minutes, then 1 success
  • Initial assessment: This could indicate a brute-force attempt. The analyst confirms the behavior is suspicious and not explained by a known system process.

Step 2. Log checking

  • The analyst checks authentication logs from the identity provider and VPN.
  • Finds repeated failed login events from the same IP, followed by a successful login at an unusual time.
  • Notices the IP is from a country where the user normally does not log in.
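The detection logic from Step 1 (10 failed logins within 5 minutes, then 1 success) and the Step 2 enrichment (unusual country, unusual time), as an added Python example that is not part of the original post or the TryHackMe room. The log lines, the GeoIP table and the per-user "usual country" baseline are all constructed for the example; the user j.doe and the IP 203.0.113.45 are the ones quoted in the scenario above. It generalises the scenario to any number of user/IP pairs, each tracked as its own attempt sequence.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, NamedTuple

# Constructed sample authentication log lines (not from the room's dataset); the
# addresses come from the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges.
# Ten failures for j.doe from one IP between 02:00:00 and 02:01:30, then a success.
FAILED_LINES = [
    f"2025-12-10T02:0{i // 6}:{(i % 6) * 10:02d}Z auth user=j.doe src=203.0.113.45 result=FAIL"
    for i in range(10)
]
SAMPLE_LOG = FAILED_LINES + [
    "2025-12-10T02:03:40Z auth user=j.doe src=203.0.113.45 result=SUCCESS",
    "2025-12-10T09:15:00Z auth user=a.smith src=198.51.100.7 result=FAIL",
    "2025-12-10T09:15:30Z auth user=a.smith src=198.51.100.7 result=SUCCESS",
]

# Constructed enrichment data standing in for a GeoIP lookup and a per-user baseline.
GEO_BY_IP = {"203.0.113.45": "NL", "198.51.100.7": "GB"}
USUAL_COUNTRIES = {"j.doe": {"GB"}, "a.smith": {"GB"}}
BUSINESS_HOURS = range(7, 19)  # UTC; a success outside this is flagged as an unusual time

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) src=(?P<ip>\S+) result=(?P<result>FAIL|SUCCESS)$"
)


class Event(NamedTuple):
    ts: datetime
    user: str
    ip: str
    result: str


@dataclass
class Alert:
    user: str
    ip: str
    failures: int
    first_failure: datetime
    success: datetime
    unusual_country: bool
    outside_business_hours: bool


def parse_line(line: str) -> Event:
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return Event(ts, m["user"], m["ip"], m["result"])


def detect_bruteforce_success(lines, threshold=10, window=timedelta(minutes=5)) -> List[Alert]:
    """Alert when a success for (user, ip) is preceded by >= threshold failures from
    the same pair inside the window, then enrich the alert as in Step 2."""
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e.ts)
    recent_failures = defaultdict(list)  # (user, ip) -> failure timestamps
    alerts: List[Alert] = []
    for ev in events:
        key = (ev.user, ev.ip)
        if ev.result == "FAIL":
            recent_failures[key].append(ev.ts)
            continue
        # Keep only the failures that fall inside the window before this success.
        in_window = [t for t in recent_failures[key] if ev.ts - t <= window]
        recent_failures[key] = []  # the success ends this attempt sequence
        if len(in_window) < threshold:
            continue
        alerts.append(Alert(
            user=ev.user, ip=ev.ip, failures=len(in_window),
            first_failure=in_window[0], success=ev.ts,
            unusual_country=GEO_BY_IP.get(ev.ip) not in USUAL_COUNTRIES.get(ev.user, set()),
            outside_business_hours=ev.ts.hour not in BUSINESS_HOURS,
        ))
    return alerts


if __name__ == "__main__":
    for a in detect_bruteforce_success(SAMPLE_LOG):
        print(f"{a.user} from {a.ip}: {a.failures} failures since {a.first_failure:%H:%M:%S}, "
              f"success at {a.success:%H:%M:%S}, unusual country={a.unusual_country}, "
              f"off-hours={a.outside_business_hours}")
```

The a.smith lines show the usual false-positive control: one typo followed by a success never reaches the threshold, so no alert fires. Raising `threshold` or shrinking `window` tunes the rule the same way the detection logic in a SIEM would be tuned.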

In the Azure portal, once you have logged in, search for Sentinel and click the workspace called 'law-aoc2025'.

Click Logs. An introductory video appears; close it with the cross icon and you will see a query editor like this.

Azure Sentinel logs editor

Click on the table icon and look for 'syslog_cl'.
Azure Sentinel log table

When you click on the log table 'syslog_cl', you will see "no results". We need to increase the time range.

Sentinel logs, custom time range

This is how we pull up logs from our cloud SIEM, Microsoft Sentinel.

Microsoft Sentinel, a cloud-native SIEM and SOAR platform, collects data from various Azure services, applications, and connected sources to detect, investigate, and respond to threats in real time.
Through Sentinel, McSkidy can view and manage alerts, analyse incidents, and correlate activity across multiple logs. It provides visibility into what is happening within the Azure tenant and lets analysts pivot efficiently from one alert to another.

Next is to analyse the incidents. Below "Logs", click on Incidents. You may see that it is empty; refresh the page and you will see a different incident page (don't worry, that's just how Microsoft is 😑).

Microsoft Sentinel Incidents page

Choose 'last 30 days' to see some incidents...

Microsoft Sentinel Incident Page Custom Date Range

The incident numbers and dates differ slightly from TryHackMe's write-up. It does not matter; click on the High severity alert and see the details in the right sidebar.

We will focus on this question:

THM Day 10

Note that the alert's name is "Linux PrivEsc - User Added to Sudo Group". Search for this in the search bar:

Microsoft Sentinel Incidents

I could not find how many accounts were added to the sudoers group; I searched other people's blogs, but they just listed the single-digit answer, not how they found it!

You can click the blue 'view full details' button.

Microsoft Sentinel View full Details

I even went to the investigation graph! But 3 is not the answer.

Sentinel Investigation Graph

4 is the answer :)

Find in page feature Microsoft sentinel

Task 5:
I could not follow this instruction; the event is not clickable:

If we go back to the alert's full details view, we can try clicking the Events from the Evidence section.

Skipping down, open the query editor in KQL mode:

Microsoft Sentinel KQL Mode logs

Copy and paste the KQL query from THM, but change two things: the time range (red arrow) and the date (yellow).

logs at a specific time using KQL

Task 5 Questions:

  • What is the name of the kernel module installed in websrv-01?

    • You can search for 'kernel' in the output search bar.
  • What is the unusual command executed within websrv-01 by the ops user?

    • Search for 'ops', but you will also have to edit the query: replace 'app-02' with 'websrv-01'.
  • Same approach for the other questions: search for sudo, ssh, etc. and change the KQL accordingly.
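The Task 5 workflow (scope the query to one host and a time range, then search the output for 'kernel', 'ops', 'sudo' or 'ssh') and the earlier question of how many accounts were added to the sudo group, as an added Python example over constructed syslog lines. This is not the room's KQL, data or answers: only the hostnames websrv-01 and app-02 come from the post; the year, window, users, PIDs, IPs, module name and commands are assumptions made for the example.

```python
import re
from datetime import datetime, timezone
from typing import List, NamedTuple, Optional, Tuple

# Constructed syslog-style lines (not the room's data): the hostnames websrv-01 and
# app-02 come from the post; every user, PID, IP, module and command here is made up.
SAMPLE_SYSLOG = """\
<86>Dec 10 08:00:01 app-02 sshd[1201]: Accepted publickey for deploy from 10.0.0.5 port 50022 ssh2
<86>Dec 10 08:05:12 websrv-01 sshd[2210]: Accepted password for ops from 10.0.0.9 port 51022 ssh2
<85>Dec 10 08:06:03 websrv-01 sudo:      ops : TTY=pts/0 ; PWD=/home/ops ; USER=root ; COMMAND=/sbin/insmod /tmp/example_mod.ko
<6>Dec 10 08:06:03 websrv-01 kernel: [ 1234.567890] example_mod: loading out-of-tree module taints kernel.
<85>Dec 10 08:07:45 websrv-01 sudo:      ops : TTY=pts/0 ; PWD=/home/ops ; USER=root ; COMMAND=/usr/sbin/usermod -aG sudo svc-backup
<85>Dec 10 23:30:00 app-02 sudo:     root : TTY=pts/1 ; PWD=/root ; USER=root ; COMMAND=/usr/bin/apt upgrade
"""
LOG_YEAR = 2025  # BSD syslog timestamps carry no year; assumed for the sample

# The "time range" and "date" the post says to change in the KQL query, as a window.
WINDOW_START = datetime(2025, 12, 10, 8, 0, tzinfo=timezone.utc)
WINDOW_END = datetime(2025, 12, 10, 9, 0, tzinfo=timezone.utc)

SYSLOG_RE = re.compile(
    r"^(?:<\d+>)?(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<proc>[^:\[\s]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
SUDO_RE = re.compile(r"^(?P<user>\S+) : .*?COMMAND=(?P<cmd>.+)$")
# Two common ways an account ends up in the sudo group on Debian-style systems.
GROUP_ADD_RES = [
    re.compile(r"usermod\s+(?:-a\s+-G|-aG|-G\s+-a)\s+sudo\s+(\S+)"),
    re.compile(r"gpasswd\s+-a\s+(\S+)\s+sudo"),
]


class Record(NamedTuple):
    ts: datetime
    host: str
    proc: str
    msg: str


def parse_syslog(line: str) -> Optional[Record]:
    """Parse one BSD-style syslog line; returns None for lines that do not match."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
    return Record(ts, m["host"], m["proc"], m["msg"].strip())


def query(lines, host: str, start: datetime, end: datetime, keyword: Optional[str] = None) -> List[Record]:
    """Scope to one host and a [start, end) window, then optionally keyword-search,
    mirroring the host swap, time-range edit and output search described in Task 5."""
    out = []
    for line in lines:
        rec = parse_syslog(line)
        if rec is None or rec.host != host or not (start <= rec.ts < end):
            continue
        if keyword and keyword.lower() not in f"{rec.proc} {rec.msg}".lower():
            continue
        out.append(rec)
    return out


def sudo_commands(records) -> List[Tuple[str, str]]:
    """(invoking user, command) for every sudo record in the input."""
    out = []
    for rec in records:
        m = SUDO_RE.match(rec.msg) if rec.proc == "sudo" else None
        if m:
            out.append((m["user"], m["cmd"]))
    return out


def sudo_group_additions(lines) -> List[str]:
    """Accounts added to the sudo group anywhere in the log, so the count comes
    from the evidence itself rather than from reading it off the alert."""
    added = []
    for _, cmd in sudo_commands(r for r in map(parse_syslog, lines) if r):
        for pat in GROUP_ADD_RES:
            m = pat.search(cmd)
            if m:
                added.append(m.group(1))
    return added


if __name__ == "__main__":
    lines = SAMPLE_SYSLOG.splitlines()
    for rec in query(lines, "websrv-01", WINDOW_START, WINDOW_END, "sudo"):
        print(rec.ts.isoformat(), rec.host, rec.proc, rec.msg)
    print("added to sudo group:", sudo_group_additions(lines))
```

The `query` call is the Python equivalent of editing the KQL: `host` is the 'app-02' to 'websrv-01' swap, `start`/`end` are the time range and date, and `keyword` is the search box over the output. `sudo_group_additions` is the part this post could not find in the portal: it derives the count of accounts added to the sudo group from the sudo COMMAND entries themselves, which is the check an analyst would want before trusting a number on an alert.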

This took longer than I thought... onto the next one!
