SIEM, Alerts & SOC Triage

Real-world analogy

What is it?

SOC Tier-1 is the on-call triage layer of security operations. It’s an achievable first security job with a clear progression to Tier-2 (deeper investigation), threat hunting, and detection engineering.

Real-world relevance

Alert: ‘Impossible travel — user signed in from Dhaka and Lagos within 30 minutes.’ Junior pulls sign-in logs, sees both IPs, matches location against travel calendar, identifies it as VPN/cloud proxy. Documents as false positive with context. Proposes a rule tweak. Handoff note is 8 lines. Senior approves.

Key points

• What a SIEM actually does — Collects logs from many sources (AD, endpoints, firewalls, cloud), normalizes them, and runs rules/analytics to generate alerts. Popular: Microsoft Sentinel, Splunk, QRadar, Elastic Security, Wazuh (open source).
• The Tier-1 mental model — Tier-1 triage is not ‘solve the attack.’ It’s: acknowledge alert → gather context → decide true positive or false positive → escalate to Tier-2 with a good handoff → document. Speed + discipline beat cleverness.
• IOC vs IOA — Indicators of Compromise: artifacts you can search for (hashes, IPs, domains). Indicators of Attack: behaviors (unusual login pattern, process chain). Modern detection favors behavior; hash-based IOCs are necessary but insufficient.
• False positives — your daily companion — Most alerts are false positives. A good Tier-1 analyst closes them quickly and accurately, without becoming cynical. Document why it was FP (‘scheduled task X by sysadmin group’) so rules can be tuned.
• Handoff quality is your reputation — When you escalate: alert title, first-seen timestamp, affected user/host, what you checked, what you ruled out, hypothesis, suggested next step. That note is your work portfolio as a SOC junior.
• MITRE ATT&CK vocabulary — Recognize tactic categories: Initial Access, Execution, Persistence, Credential Access, Lateral Movement, Exfiltration, Impact. Describe incidents in this language — it’s the lingua franca of SOC teams worldwide.
• Log sources a junior must know — Windows Security logs (4624 success, 4625 failure, 4672 priv logon, 4720 user created), Entra sign-in logs, EDR process trees, firewall connection logs, proxy logs, DNS query logs.
• Shift discipline — SOC is 24/7 shift work in many shops. Handover notes, pending alerts, watch-list items, and on-call rules matter. A SOC without clean handovers leaks incidents at shift boundaries.

Code example

// Sample SOC Tier-1 alert triage note

--- Alert #SIEM-00042 ---
Title:       Impossible travel - user alice@contoso.com
First seen:  2026-04-20 03:11 UTC
Severity:    Medium (per rule)
User:        alice@contoso.com
Source IPs:  203.0.113.42 (Dhaka), 198.51.100.77 (Lagos)
Timespan:    28 minutes

Checks:
  - Entra sign-in logs confirm both sign-ins succeeded
  - Second IP geolocates to a known cloud proxy / mobile VPN
  - User has no access to sensitive resources in the session
  - No MFA challenge failures observed
  - Endpoint compliance healthy
  - EDR timeline shows no malicious process activity

Decision: False positive (known VPN provider)
Action:   Close + propose rule tuning to allow-list this VPN ASN
Handoff:  N/A (closed at Tier-1)
Tagged:   FP, VPN, impossible-travel
Time spent: 18 min
---

Line-by-line walkthrough

1. 1. Tier-1 triage template
2. 2. Alert ID
3. 3. First-seen timestamp
4. 4. Severity
5. 5. User
6. 6. Source IPs
7. 7. Timespan
8. 8. Blank separator
9. 9. Checks header
10. 10. Entra sign-in confirmation
11. 11. Geolocation check
12. 12. Resource exposure check
13. 13. MFA challenge check
14. 14. Device compliance check
15. 15. EDR timeline check
16. 16. Blank separator
17. 17. Decision
18. 18. Action
19. 19. Handoff
20. 20. Tags
21. 21. Time spent

Spot the bug

Tier-1 analyst closes 200 alerts in 2 hours with the note ‘false positive’ and no details.

Explain like I'm 5

Fun fact

Hands-on challenge

More resources

• MITRE ATT&CK (MITRE)
• Microsoft Sentinel overview (Microsoft Learn)
• Wazuh (open-source SIEM) (Wazuh)