Investigating incidents
When an incident opens, your job isn't to guess — it's to gather evidence and reason from it. This is the method real SOC analysts use, and it's the heart of everything you'll do in the labs.
Start with a triage mindset
An incident is an alert that a detection rule decided was worth your attention. It is not yet a confirmed threat — it's a question waiting for an answer. Your first move is always the same: assume nothing, and let the evidence make the call for you. A good analyst is calm, curious, and skeptical. You're not trying to prove the alert right or wrong; you're trying to find out what actually happened.
The four questions
You can investigate almost any alert by answering four plain questions. Each one points you at a specific piece of evidence in the incident.
| Question | What it tells you | Where the evidence lives |
|---|---|---|
| What happened? | The nature of the activity — the kind of event, and whether it succeeded or failed. | The activity itself (e.g. failed root logins). |
| From where? | Whether the activity comes from one place or many — a single attacker, or scattered noise. | The source IP. |
| How much? | The volume — whether it cleared the detection's threshold, and by how much. | The count of matching events. |
| How fast? | The pace — whether a human could plausibly produce this, or whether it's automated. | The timing, inside the detection's window. |
Take the flagship brute-force lab. What happened? Repeated failed logins for the most privileged account. From where? A single source IP — 203.0.113.66 — is responsible for all of them. How much? 25 attempts, well past the detection threshold of 20. How fast? All inside a 5-minute window. Four answers, one clear picture: one machine relentlessly guessing a password, far faster than a person could. That's an attack.
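To make the four questions concrete, here is an added example in Python (written for this page, not code from the lab platform) that answers them over constructed sshd-style log lines: one set mirrors the lab (25 failed root logins from 203.0.113.66 inside the rule's 5-minute window, threshold 20), and a second set shows the contrast the table hints at, six scanners producing one failure each. The log format, the helper names and the reading of "cleared the threshold" as "at least 20" are this example's own assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sshd-style lines for the two cases: the lab's single-source attack and
# scattered noise. The format is a simplification for this example, not a real host's log.
BASE = datetime(2024, 3, 1, 9, 0, 0)
LAB_LOG = [
    f"{(BASE + timedelta(seconds=10 * i)).isoformat()} sshd: Failed password for root "
    f"from 203.0.113.66 port {40000 + i}"
    for i in range(25)
]
NOISE_LOG = [
    f"{(BASE + timedelta(minutes=5 * i)).isoformat()} sshd: Failed password for root "
    f"from 198.51.100.{i + 1} port {51000 + i}"
    for i in range(6)
] + [
    f"{(BASE + timedelta(minutes=31)).isoformat()} sshd: Accepted password for alice "
    "from 198.51.100.9 port 52000"
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd: (?P<outcome>Failed|Accepted) password for (?P<user>\S+) "
    r"from (?P<src>\S+) port \d+$"
)


def parse(lines):
    """Turn log lines into (timestamp, outcome, user, src) tuples, oldest first.
    Lines that do not match the expected format are skipped rather than guessed at."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["outcome"], m["user"], m["src"]))
    return sorted(events)


def densest_window(times, window):
    """Most events from one sorted list that fall inside any span of length `window`
    (two-pointer sweep): the count the detection's window would see at its peak."""
    best = lo = 0
    for hi in range(len(times)):
        while times[hi] - times[lo] > window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def investigate(lines, threshold=20, window=timedelta(minutes=5)):
    """Answer the four questions and say whether the rule (at least `threshold` failed
    logins from one source inside `window`; the 'at least' is this example's reading)
    would fire."""
    events = parse(lines)
    failures_by_src = defaultdict(list)
    for ts, outcome, _user, src in events:
        if outcome == "Failed":
            failures_by_src[src].append(ts)

    # How much / how fast are judged per source: one attacker at 25 is not six scanners at 1.
    worst_src, worst_count = None, 0
    for src, times in failures_by_src.items():
        count = densest_window(times, window)
        if count > worst_count:
            worst_src, worst_count = src, count
    span = (
        int((failures_by_src[worst_src][-1] - failures_by_src[worst_src][0]).total_seconds())
        if worst_src else 0
    )

    return {
        # What happened: kind of event, outcome, and targeted account.
        "what": dict(Counter(f"{o.lower()} login for {u}" for _ts, o, u, _src in events)),
        # From where: the distinct sources of failed logins.
        "from_where": sorted(failures_by_src),
        "single_source": len(failures_by_src) == 1,
        # How much: failures from the busiest source inside the densest window.
        "how_much": worst_count,
        # How fast: seconds between that source's first and last failure.
        "span_seconds": span,
        "fires": worst_count >= threshold,
    }


if __name__ == "__main__":
    for name, log in (("lab", LAB_LOG), ("noise", NOISE_LOG)):
        print(name, investigate(log))
```

The point of evaluating per source is the "from where" question: the same 25 failures spread across 25 different addresses give a `how_much` of 1 and the rule stays quiet, which is exactly why a raw total of matching events is not enough to call a true positive.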
Reading the technique tag
Every incident is tagged with a MITRE ATT&CK technique. ATT&CK is a public, regularly updated knowledge base of adversary tactics and techniques built from observed intrusions, so the tag is a shared vocabulary, not a label the platform made up. The brute-force lab carries T1110 · Brute Force. The technique id is a shortcut: it tells you the category of behaviour the detection believes it saw, what attackers typically do next, and what evidence would confirm or deny it. When you open an incident, read the technique tag first, because it frames the whole investigation. Many techniques also have sub-techniques (T1110.001 · Password Guessing and T1110.003 · Password Spraying sit under Brute Force, for instance); when the lookup page offers them, note which one the evidence fits, since one account hit with many passwords and many accounts each tried with one password produce similar volume but very different answers to "from where" and "what happened". (You don't need to memorise T-numbers; you need to know how to look one up and use what it tells you.)
Real threat, harmless noise, or expected?
The four questions feed directly into your verdict. Three outcomes are easy to confuse, so anchor each to evidence:
- True positive — the evidence confirms a real threat. High volume, fast pace, a single hostile source, a privileged target: the brute-force lab is the textbook case.
- False positive — the detection fired, but the evidence shows the activity is harmless. The rule was too eager, or matched on something that only looks like an attack.
- Benign — the activity is real and expected. A backup job, a scheduled task, or an admin doing legitimate work that happened to trip a rule.
The difference between false positive and benign is subtle: a false positive is the rule being wrong, while benign is real activity that's simply allowed. Both mean "no threat" — but naming which one shows you understood the evidence, not just the headline.
Use the AI analyst as a second opinion, not a crutch. The platform's AI analyst investigates the same incident and records its own verdict, shown next to yours. Always form your own call first, then compare. When you agree, you've got confirmation; when you disagree, that gap is the most valuable thing on the page — work out who's right and why.
Being thorough
A few habits separate a quick guess from a real investigation:
- Read the whole incident before deciding — detection name, severity, start time, and technique tag.
- Answer all four questions, even when the first one feels obvious. The volume and the pace are what turn "suspicious" into "confirmed".
- Write down your evidence as you find it. Your rationale should be a record of what you saw, not an afterthought.
- If something doesn't fit, slow down. A single source IP doing one failed login is very different from one doing twenty-five.
Once you've reached a verdict, you'll submit it as a graded disposition. See Dispositions & grading for exactly how the four choices and the scoring work.
This method — gather evidence, answer the four questions, form a call, justify it — is how analysts work every alert, every day. To see it run end to end on a real incident, follow the brute-force walkthrough.