What You'll Learn
- Triage 30 alerts under time pressure and classify each as true positive, false positive, or requires escalation
- Apply a structured triage decision framework to rapidly assess alert severity and context
- Identify common false-positive patterns that waste analyst time (scheduled tasks, vulnerability scanners, admin activity)
- Recognize true-positive indicators that demand immediate escalation (lateral movement, data exfiltration, persistence)
- Score your triage accuracy against an answer key and identify areas for improvement
Lab Overview
| Detail | Value |
|---|---|
| Lab Profile | lab-wazuh |
| Containers | Wazuh Manager, Wazuh Indexer, Wazuh Dashboard |
| Estimated Time | 60–75 minutes |
| Difficulty | Intermediate |
| Browser Access | Wazuh Dashboard (Web UI) |
| Pre-Loaded Data | 30 curated alerts: 12 true positives, 14 false positives, 4 ambiguous |
| Deliverable | Completed Triage Worksheet with classifications and accuracy score |
The 80% of SOC work. Triage is the single most important skill for any SOC analyst. You will spend the majority of your shift looking at alerts, deciding what is real and what is noise. Speed matters — but accuracy matters more. A missed true positive means an attacker moves freely. A false escalation wastes senior analyst time.
The Triage Decision Framework
Before diving into alerts, understand the framework you'll apply to every single one:
For every alert, ask these 5 questions in order:
- What fired? — Read the rule name and description. What behavior triggered this?
- Who / What? — Which host, user, or IP is involved? Is this an asset we care about?
- When? — Is the timestamp during business hours, maintenance window, or an unusual time?
- How often? — Is this a one-off event or a pattern? Check for similar alerts in the last 24 hours.
- What else? — Are there correlated alerts on the same host/user/IP? Multiple alerts = higher confidence.
| Classification | Criteria | Action |
|---|---|---|
| True Positive (TP) | Alert matches known attack behavior AND context supports malicious intent | Escalate immediately with summary |
| False Positive (FP) | Alert triggered by legitimate activity (scanning, admin tools, scheduled jobs) | Close with justification note |
| Requires Escalation | Ambiguous — cannot determine TP/FP without deeper investigation | Escalate with "needs investigation" flag |
Common trap: closing alerts too fast. New analysts often close alerts just because the source IP is internal. Internal IPs can be compromised. Always check what the internal host is doing, not just where it is.
Before You Begin
- Start your lab — the Wazuh Dashboard opens automatically
- Log in with credentials: admin / SecretPassword
- Navigate to Security Events → set time range to Last 24 hours
- You should see approximately 30 alerts across multiple severity levels
Set up your workspace. Open a text editor or spreadsheet alongside the Wazuh Dashboard. For each alert, record: Alert #, Rule ID, Rule Name, Host, User, Your Verdict (TP/FP/Escalate), and a 1-sentence justification. This is your Triage Worksheet.
Part 1: High-Severity Alerts (Critical + High)
Start with the alerts that matter most. Filter by severity:
rule.level: >= 12
You should find approximately 8 high-severity alerts. For each one:
Step 1: Read the Rule
Click on the alert to expand it. Note the rule.id, rule.description, and rule.level.
Step 2: Check the Source
Look at agent.name (which host), data.srcip or data.src_ip (source IP), and data.dstuser or data.win.eventdata.targetUserName (target user).
Step 3: Check for Patterns
Search for the same source IP or same host in the last 24 hours:
data.srcip: "<the IP you found>"
Step 4: Make Your Call
Classify as TP, FP, or Escalate. Write your justification.
Do not skip context. An alert for "Multiple authentication failures" (rule 5551) could be a brute-force attack (TP) or a user who forgot their password (FP). The difference is in the details: How many failures? Over what time period? Did a success follow? From what IP?
Part 2: Medium-Severity Alerts
Filter for medium severity:
rule.level: >= 7 AND rule.level: <= 11
You should find approximately 12 medium-severity alerts. These are trickier — many will be false positives, but some contain real threats hiding in the noise.
Common FP patterns to watch for:
- Vulnerability scanner IP ranges hitting multiple ports
- Scheduled backup tasks triggering file integrity monitoring
- Admin accounts running management tools during business hours
- DNS queries to CDN domains that look suspicious but are legitimate
Common TP indicators hiding in medium alerts:
- A new service installed on a server that hasn't changed in months
- PowerShell execution with encoded commands on a workstation
- Outbound connections to newly registered domains
- File modifications in system directories outside maintenance windows
Part 3: Low-Severity Alerts
Filter for low severity:
rule.level: >= 3 AND rule.level: <= 6
Approximately 10 low-severity alerts. Most are informational, but don't dismiss them all:
- A low-severity alert combined with a high-severity alert on the same host = important context
- Look for alerts that individually are benign but form a pattern when combined
The Correlation Challenge
After triaging all low-severity alerts individually, go back and look for cross-alert correlations:
- Are there multiple low-severity alerts from the same host within a short timeframe?
- Do any low-severity alerts share a source IP with a high-severity alert?
- Do the timestamps suggest a sequence of actions (reconnaissance → exploitation → persistence)?
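The three correlation questions above can be answered mechanically once the alerts are pulled out of the Dashboard. The script below is an added example, not part of this lab or of Wazuh: it runs over a handful of constructed alert records that use the lab's field names (rule.level, agent.name, data.srcip, rule.id); the rule ids 100001 to 100004, the mapping of rule ids to attack-chain stages, the 10-minute window and the three-alert threshold are all assumptions chosen for illustration.

```python
"""Cross-alert correlation over Wazuh-style alert records.

Added example for the Correlation Challenge; it is not part of the lab or of
Wazuh. The alert records below are constructed (field names follow the lab:
rule.level, rule.id, agent.name, data.srcip; rule ids 100001-100004 and the
stage mapping are made up for this script) and the 10-minute window and
3-alert threshold are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Severity bands as the lab's three Dashboard filters define them.
HIGH_MIN = 12              # rule.level >= 12
LOW_MIN, LOW_MAX = 3, 6    # rule.level between 3 and 6

# Constructed sample alerts (not lab data), flattened to the fields an
# analyst reads from the Dashboard.
ALERTS = [
    {"timestamp": "2024-05-01T03:05:00", "rule.level": 4, "rule.id": "100001",
     "rule.description": "Port scan from single source", "agent.name": "linux-web-01",
     "data.srcip": "185.220.101.42"},
    {"timestamp": "2024-05-01T03:10:00", "rule.level": 5, "rule.id": "100002",
     "rule.description": "SSH login from new source", "agent.name": "linux-web-01",
     "data.srcip": "185.220.101.42"},
    {"timestamp": "2024-05-01T03:15:00", "rule.level": 6, "rule.id": "100003",
     "rule.description": "FIM: /etc/crontab modified", "agent.name": "linux-web-01",
     "data.srcip": None},
    {"timestamp": "2024-05-01T03:20:00", "rule.level": 12, "rule.id": "5551",
     "rule.description": "Multiple authentication failures", "agent.name": "WIN-SERVER-01",
     "data.srcip": "185.220.101.42"},
    {"timestamp": "2024-05-01T09:00:00", "rule.level": 3, "rule.id": "100004",
     "rule.description": "DNS query to CDN domain", "agent.name": "WIN-SERVER-02",
     "data.srcip": "10.0.1.50"},
    {"timestamp": "2024-05-01T09:40:00", "rule.level": 3, "rule.id": "100004",
     "rule.description": "DNS query to CDN domain", "agent.name": "WIN-SERVER-02",
     "data.srcip": "10.0.1.50"},
]

# Assumed mapping of (constructed) rule ids to the attack-chain stages the lab names.
STAGE_OF_RULE = {"100001": "reconnaissance", "100002": "exploitation",
                 "100003": "persistence"}
CHAIN = ("reconnaissance", "exploitation", "persistence")


def _ts(alert):
    return datetime.fromisoformat(alert["timestamp"])


def _is_low(alert):
    return LOW_MIN <= alert["rule.level"] <= LOW_MAX


def low_severity_bursts(alerts, window=timedelta(minutes=10), min_count=3):
    """Question 1: hosts with >= min_count low-severity alerts inside one window.

    Returns {agent.name: [alerts in the first such window, oldest first]}.
    """
    by_host = defaultdict(list)
    for a in alerts:
        if _is_low(a):
            by_host[a["agent.name"]].append(a)
    bursts = {}
    for host, items in by_host.items():
        items.sort(key=_ts)
        for i, first in enumerate(items):
            # grow the window from each alert until the gap exceeds `window`
            j = i
            while j < len(items) and _ts(items[j]) - _ts(first) <= window:
                j += 1
            if j - i >= min_count:
                bursts[host] = items[i:j]
                break
    return bursts


def shared_source_ips(alerts):
    """Question 2: source IPs seen on both a low- and a high-severity alert."""
    low = {a["data.srcip"] for a in alerts if _is_low(a) and a["data.srcip"]}
    high = {a["data.srcip"] for a in alerts
            if a["rule.level"] >= HIGH_MIN and a["data.srcip"]}
    return sorted(low & high)


def attack_chain_hosts(alerts, stage_of_rule=STAGE_OF_RULE, chain=CHAIN):
    """Question 3: hosts whose alerts, in timestamp order, contain the chain stages."""
    by_host = defaultdict(list)
    for a in sorted(alerts, key=_ts):
        stage = stage_of_rule.get(a["rule.id"])
        if stage:
            by_host[a["agent.name"]].append(stage)
    hits = []
    for host, stages in by_host.items():
        it = iter(stages)
        # subsequence test: each wanted stage must appear after the previous one
        if all(any(s == want for s in it) for want in chain):
            hits.append(host)
    return sorted(hits)


if __name__ == "__main__":
    for host, items in low_severity_bursts(ALERTS).items():
        print(f"{host}: {len(items)} low-severity alerts within 10 minutes")
    print("shared source IPs:", shared_source_ips(ALERTS))
    print("attack-chain hosts:", attack_chain_hosts(ALERTS))
```

On the constructed data, linux-web-01 trips all three checks (a three-alert burst, a source IP shared with the level-12 brute-force alert on WIN-SERVER-01, and a reconnaissance, exploitation, persistence ordering), while the two CDN DNS alerts on WIN-SERVER-02 are 40 minutes apart and correlate with nothing. That is the point of the exercise: none of the linux-web-01 alerts is above level 6 on its own.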
Real-world skill: alert fatigue management. In a production SOC, you might see 500+ alerts per shift. The ability to quickly dismiss obvious FPs while catching the real threats in the noise is what separates effective analysts from overwhelmed ones.
Part 4: Score Your Accuracy
After classifying all 30 alerts, compare your results against the answer key below.
Answer Key Categories
The 30 pre-loaded alerts break down as:
| Category | Count | What They Are |
|---|---|---|
| True Positives | 12 | Brute force, lateral movement, persistence, C2 callback, privilege escalation, data staging |
| False Positives | 14 | Vulnerability scans, admin tools, backup jobs, DNS CDN queries, legitimate software updates |
| Ambiguous | 4 | Could go either way depending on additional context — escalation is the correct answer |
Scoring
- Correct TP identified: +1 point
- Correct FP identified: +1 point
- Correct escalation on ambiguous: +1 point
- Missed TP (classified as FP): -2 points (this is the dangerous mistake)
- FP classified as TP: 0 points (conservative but wastes time)
Target: 85% accuracy (26/30 correct)
The asymmetry of errors. In SOC triage, false negatives (missing a real attack) are FAR worse than false positives (escalating something benign). If you're unsure, escalate. It's always better to waste 10 minutes of a senior analyst's time than to let an attacker persist for days.
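The scoring rules above can be applied to a worksheet in the CSV layout the Deliverable section describes. The script below is an added example, not part of the lab: the point values are the ones listed above, the worksheet rows and the answer key are constructed stand-ins (the real key is the lab's), and the rule that any verdict/category pairing the lab does not list scores 0 points and does not count as correct is an assumption made here.

```python
"""Score a Triage Worksheet against the answer-key categories.

Added example, not part of the lab. Point values follow the lab's Scoring
list; the sample worksheet and answer key are constructed, and treating
unlisted pairings (for example a true positive marked Escalate) as 0 points
and not correct is an assumption.
"""
import csv
import io

# (truth, verdict) -> (points, counts as correct), from the lab's scoring list.
SCORE_TABLE = {
    ("TP", "TP"): (1, True),               # correct TP identified
    ("FP", "FP"): (1, True),               # correct FP identified
    ("AMBIGUOUS", "ESCALATE"): (1, True),  # correct escalation on ambiguous
    ("TP", "FP"): (-2, False),             # missed TP: the dangerous mistake
    ("FP", "TP"): (0, False),              # conservative but wastes time
}
# Assumption: every pairing not in SCORE_TABLE is (0, False).

# Constructed answer key: "Alert #" -> TP | FP | AMBIGUOUS.
SAMPLE_ANSWER_KEY = {"1": "TP", "2": "TP", "3": "FP", "4": "FP",
                     "5": "AMBIGUOUS", "6": "TP"}

# Constructed worksheet in the Deliverable column layout (row 4 has no justification).
SAMPLE_WORKSHEET = """Alert #,Rule ID,Rule Name,Host,Source,Verdict,Justification
1,5551,Multiple authentication failures,WIN-SERVER-01,185.220.101.42,TP,47 failures in 3 minutes then a success
2,100003,FIM: /etc/crontab modified,linux-web-01,root,FP,probably the backup job
3,31151,Vulnerability scanner detected,linux-web-01,10.0.2.200,FP,weekly Nessus scan confirmed by IT
4,100004,DNS query to CDN domain,WIN-SERVER-02,10.0.1.50,TP,
5,100005,New service installed,WIN-SERVER-01,admin,Escalate,weekend install with unclear owner
6,100006,Encoded PowerShell command,WIN-WS-07,jsmith,Escalate,need to see the decoded command
"""


def score_worksheet(worksheet_csv, answer_key, target=0.85):
    """Return a score summary for one analyst's worksheet.

    Alerts missing from the worksheet earn 0 points and are not correct, so
    accuracy is always measured against the full alert set (30 in the lab).
    """
    verdicts = {}
    unjustified = []
    for row in csv.DictReader(io.StringIO(worksheet_csv)):
        alert = row["Alert #"].strip()
        verdicts[alert] = row["Verdict"].strip().upper()
        if not row["Justification"].strip():
            unjustified.append(alert)   # "I closed it because" is required

    points = 0
    correct = 0
    missed_tps = []
    for alert, truth in answer_key.items():
        verdict = verdicts.get(alert)
        if verdict is None:
            continue
        pts, ok = SCORE_TABLE.get((truth, verdict), (0, False))
        points += pts
        correct += int(ok)
        if truth == "TP" and verdict == "FP":
            missed_tps.append(alert)

    total = len(answer_key)
    accuracy = correct / total if total else 0.0
    return {
        "correct": correct,
        "total": total,
        "points": points,
        "accuracy": round(accuracy, 3),
        "meets_target": accuracy >= target,
        "missed_tps": missed_tps,
        "unjustified": unjustified,
    }


if __name__ == "__main__":
    result = score_worksheet(SAMPLE_WORKSHEET, SAMPLE_ANSWER_KEY)
    print(f"Total Score: {result['correct']}/{result['total']} "
          f"({result['accuracy'] * 100:.0f}%), points: {result['points']}")
    print("missed true positives:", result["missed_tps"])
    print("rows without justification:", result["unjustified"])
```

The constructed worksheet shows the asymmetry in numbers: one missed true positive (alert 2 closed as a false positive) wipes out two correct calls, while the over-cautious call on alert 4 costs nothing. Keep the Accuracy column in the worksheet separate from the point total, since the 85% target is measured on correct classifications.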
Deliverable
Your completed Triage Worksheet should contain:
| Column | Description |
|---|---|
| Alert # | 1-30 |
| Rule ID | The Wazuh rule that fired |
| Rule Name | Brief description |
| Host | Agent name |
| Source | Source IP or user |
| Verdict | TP / FP / Escalate |
| Justification | 1 sentence explaining your reasoning |
| Accuracy | Correct / Incorrect (after checking answer key) |
Final row: Total Score: X/30 (Y%)
Key Takeaways
- Triage is a structured decision process, not guesswork — apply the 5-question framework every time
- High-severity alerts get attention first, but real threats can hide in medium and low severity
- False negatives (missing attacks) are far more costly than false positives (over-escalating)
- Correlation across alerts reveals attack chains that individual alerts cannot show
- Speed improves with practice, but never sacrifice accuracy for speed
- Target: 85% accuracy. Below 70% means you need to review the Alert Triage lessons before proceeding
- Document your reasoning — "I closed it because" is as important as the verdict itself
What's Next
Now that you can classify individual alerts, Lab 6.2 puts you in an investigation scenario: a single suspicious logon alert that requires deep-dive analysis. You'll pivot from the alert to user history, geographic data, and correlated events to determine if an account has been compromised.
Lab Challenge: Triage Under Pressure
10 questions · 70% to pass
You find a rule.level 14 alert for 'Multiple authentication failures' (rule 5551) from IP 91.234.99.87 targeting WIN-SERVER-01. The IP has 47 AbuseIPDB reports. What is your verdict?
In the Wazuh Dashboard, you see a medium-severity alert for a new Windows service installation (Event ID 7045) on WIN-SERVER-01 during a weekend at 02:30 AM. The service name is 'WindowsPerformanceMonitor'. What is the most appropriate triage action?
During your triage, you find 6 low-severity DNS query alerts from linux-web-01 all pointing to subdomains of 'update-service-cdn.net'. Each subdomain is a different 32-character hexadecimal string. What pattern does this indicate?
You classify an alert as False Positive because the source IP 10.0.1.50 is internal. Later, you discover that host is compromised and performing lateral movement. In SOC triage scoring, what type of error did you make?
In the pre-loaded alert data, you find a rule.level 10 alert for 'Successful login after multiple failures' on WIN-SERVER-01. The previous 15 failed attempts came from IP 185.220.101.42 over 3 minutes. What does this sequence indicate?
While triaging, you see an alert for 'File integrity monitoring: file modified' on /etc/crontab on linux-web-01 at 03:15 AM. The previous day's alerts show a successful SSH login from an unusual IP at 03:10 AM on the same host. How should you classify the FIM alert?
You encounter an alert for 'Vulnerability scanner detected' (rule 31151) from IP 10.0.2.200. Your organization's IT team confirms 10.0.2.200 is the Nessus scanner running a scheduled weekly scan. What is the correct triage action?
In the triage framework used in this lab, what is the correct ORDER of the 5 questions you should ask for every alert?
After completing triage of all 30 alerts, you scored 22/30. According to the lab's scoring criteria, which statement is correct?
During your triage, you notice 3 separate low-severity alerts from the same host within a 10-minute window: a DNS query to a suspicious domain, an outbound connection on port 443 to an IP not in your CDN list, and a small file write to /tmp/.cache/. Individually, each is low severity. What is the correct triage approach?