Module 6: Alert Triage — The Core Skill

SOC analysts do this 80% of the time. Get fast. Get accurate.

Tools:WazuhCyberChef
5
Lessons
4
Hands-on Labs

Lessons

1

True Positive vs False Positive

Fast classification patterns

2

Context Is Everything

Asset value, user role, time of day

3

Investigation Workflow

Alert → pivot → decide

4

Decoding & Deobfuscation

Base64, PowerShell with CyberChef

5

Escalation: When and How

What, when, who to escalate

Labs

Lab 6.1 — Triage Under Pressure

30 alerts. Target: 85% accuracy.

Intermediate

Lab 6.2 — Investigate Suspicious Logon

Unusual country logon. TP or FP?

Intermediate

Lab 6.3 — Decode the Payload

Browser-only: Decode Base64 PowerShell with CyberChef. No cloud lab needed.

Intermediate

Lab 6.4 — Alert Queue Challenge

50 alerts. Prioritize, triage, handoff.

Advanced