Alert Triage With Elastic Tryhackme Walkthrough

Master alert triage using Elastic SIEM in this TryHackMe room. Learn how to investigate security alerts, analyze logs, and perform threat detection using the ELK Stack. Ideal for SOC analysts, blue teamers, and cybersecurity learners.


Jawstar

11/3/2025, 2 min read

Task 1 : Introduction

As a Security Operations Center (SOC) analyst, you aim to investigate alerts and escalate incidents with clear evidence to support your findings. In this guided-challenge room, you'll use Kibana (part of the Elastic Stack) to perform alert triage and initial investigations, analyzing suspicious activity on an IIS and Windows server. You’ll explore potential indicators of compromise (IoCs) and collect evidence by correlating events across multiple log sources to gain a deeper understanding of the attack.

Objectives

  • Use Kibana to analyze common security logs

  • Learn how to identify key indicators of compromise

  • Correlate events across multiple log sources

  • Uncover the breach through a series of SOC alerts

Task 2 : Scenario Briefing

How many logs are available for analysis within the entire time range?
1467
What is the field value for the client.ip in the weblogs index?
203.0.113.55

Task 3 : Investigating Web Attacks

How many POST requests did the IP address 203.0.113.55 make to proxyLogon.ecp?
3
Which user.agent paired with the IP address 203.0.113.55 made the POST requests?
python-requests/2.25.1
How many logs contain the cmd= query parameter in the url.path field?
20
Which command was run utilizing errorEE.aspx on Jul 20, 2025 @ 04:45:50.000?
hostname

Task 4 : Uncovering Account Activity

What is the winlog.record_id of the Administrator 4624 logon event?
17166
What is the process.pid of the Sysmon 1 event that occurred on Jul 20, 2025 @ 05:11:27.996?
964
What is the winlog.event_id for the new user account being created?
4720
What is the name of the new user account?
svc_backup
Task 5 : Exposing Command Execution

What command does the attacker use to add the new account to the "Remote Desktop Users" group?
net localgroup "Remote Desktop Users" svc_backup /add
What is the winlog.record_id of the 4732 Security event when the attacker adds the user to the Administrator group?
17254
What PowerShell command did the attacker run on Jul 20, 2025 @ 05:16:14.628?
net group "Domain Admins" /domain
What is the name of the archive that the attacker creates using the Rar.exe executable?
finance_it_archive.rar

Task 6 : Conclusion

In this guided-challenge room, you stepped into the role of a SOC analyst investigating suspicious activity targeting your client, SomeCorp’s infrastructure. Along the way, you learned to utilize the Kibana interface. You explored its features, searched and filtered for both web and Windows logs, identified key indicators of compromise (IoCs), and correlated events across multiple log sources.
Explore the rooms below to further enhance your Elastic knowledge and test your understanding!
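The questions in Tasks 2 to 5 are really a chain of filters and pivots: count one client's POSTs to a path, pull the cmd= parameter out of url.path, then correlate a 4720 account creation with the 4732 group additions and Sysmon process-creation events that follow it. The Python below reproduces that chain offline so the correlation logic can be read and tested. It is an added example, not code from this walkthrough or from the TryHackMe room. The WEBLOGS and WINLOGS documents are constructed in a dot-flattened, ECS-like shape that approximates Filebeat and Winlogbeat output; the attacker IP, user agent, paths, account name and the record_ids 17166 and 17254 echo the room's answers, while every other value (the Sysmon record_ids, PIDs, the second 4732, the Rar.exe command line) is made up for illustration.

```python
"""Offline re-creation of the Kibana triage steps in this room (added example, not the
room's own code). All documents below are CONSTRUCTED samples in an ECS-like shape."""
from urllib.parse import parse_qs, urlsplit

ATTACKER = "203.0.113.55"            # client.ip from the room
UA = "python-requests/2.25.1"        # user_agent.original from the room

# weblogs index: url.path carries path+query, as it does in the room's IIS logs.
WEBLOGS = [
    {"@timestamp": "2025-07-20T04:30:00.000Z", "client.ip": "198.51.100.7",
     "http.request.method": "GET", "url.path": "/owa/", "user_agent.original": "Mozilla/5.0"},
    {"@timestamp": "2025-07-20T04:40:10.000Z", "client.ip": ATTACKER, "http.request.method": "POST",
     "url.path": "/ecp/proxyLogon.ecp", "user_agent.original": UA},
    {"@timestamp": "2025-07-20T04:40:12.000Z", "client.ip": ATTACKER, "http.request.method": "POST",
     "url.path": "/ecp/proxyLogon.ecp", "user_agent.original": UA},
    {"@timestamp": "2025-07-20T04:40:15.000Z", "client.ip": ATTACKER, "http.request.method": "POST",
     "url.path": "/ecp/proxyLogon.ecp", "user_agent.original": UA},
    {"@timestamp": "2025-07-20T04:45:50.000Z", "client.ip": ATTACKER, "http.request.method": "GET",
     "url.path": "/aspnet_client/errorEE.aspx?cmd=hostname", "user_agent.original": UA},
    {"@timestamp": "2025-07-20T04:46:02.000Z", "client.ip": ATTACKER, "http.request.method": "GET",
     "url.path": "/aspnet_client/errorEE.aspx?cmd=whoami", "user_agent.original": UA},
]

SEC, SYSMON = "Security", "Microsoft-Windows-Sysmon/Operational"
# winlogs index: Security 4624/4720/4732 plus Sysmon event 1 (process creation). Constructed.
WINLOGS = [
    {"@timestamp": "2025-07-20T05:10:01.000Z", "winlog.channel": SEC, "winlog.event_id": 4624,
     "winlog.record_id": 17166, "user.name": "Administrator", "source.ip": ATTACKER},
    {"@timestamp": "2025-07-20T05:11:27.996Z", "winlog.channel": SYSMON, "winlog.event_id": 1,
     "winlog.record_id": 9001, "process.pid": 964, "process.command_line": "cmd.exe /c whoami"},
    {"@timestamp": "2025-07-20T05:12:40.000Z", "winlog.channel": SEC, "winlog.event_id": 4720,
     "winlog.record_id": 17201, "winlog.event_data.TargetUserName": "svc_backup"},
    {"@timestamp": "2025-07-20T05:13:05.000Z", "winlog.channel": SYSMON, "winlog.event_id": 1,
     "winlog.record_id": 9002, "process.pid": 1120,
     "process.command_line": 'net localgroup "Remote Desktop Users" svc_backup /add'},
    {"@timestamp": "2025-07-20T05:13:06.000Z", "winlog.channel": SEC, "winlog.event_id": 4732,
     "winlog.record_id": 17240, "winlog.event_data.MemberName": "svc_backup",
     "winlog.event_data.TargetUserName": "Remote Desktop Users"},
    {"@timestamp": "2025-07-20T05:14:30.000Z", "winlog.channel": SEC, "winlog.event_id": 4732,
     "winlog.record_id": 17254, "winlog.event_data.MemberName": "svc_backup",
     "winlog.event_data.TargetUserName": "Administrators"},
    {"@timestamp": "2025-07-20T05:16:14.628Z", "winlog.channel": SYSMON, "winlog.event_id": 1,
     "winlog.record_id": 9003, "process.pid": 1338,
     "process.command_line": 'powershell.exe -c net group "Domain Admins" /domain'},
    {"@timestamp": "2025-07-20T05:20:00.000Z", "winlog.channel": SYSMON, "winlog.event_id": 1,
     "winlog.record_id": 9004, "process.pid": 1402,
     "process.command_line": r"C:\Temp\Rar.exe a -r finance_it_archive.rar C:\Finance C:\IT"},
]


def count_requests(docs, client_ip, method, path_suffix):
    """KQL equivalent: client.ip: <ip> and http.request.method: <method> and url.path: *<suffix>"""
    return sum(1 for d in docs if d["client.ip"] == client_ip and d["http.request.method"] == method
               and urlsplit(d["url.path"]).path.lower().endswith(path_suffix.lower()))


def cmd_parameters(docs):
    """Every request whose query string carries cmd=, as (timestamp, script name, command)."""
    hits = []
    for d in docs:
        parts = urlsplit(d["url.path"])
        cmd = parse_qs(parts.query).get("cmd")
        if cmd:
            hits.append((d["@timestamp"], parts.path.rsplit("/", 1)[-1], cmd[0]))
    return hits


def command_at(docs, timestamp):
    """The command carried by cmd= at an exact timestamp, or None if no such request exists."""
    return next((cmd for ts, _, cmd in cmd_parameters(docs) if ts == timestamp), None)


def events(docs, event_id, channel):
    """Filter winlogs by channel and event_id, oldest first (timestamps share one ISO format)."""
    return sorted((d for d in docs if d["winlog.channel"] == channel and d["winlog.event_id"] == event_id),
                  key=lambda d: d["@timestamp"])


def new_account_chain(docs):
    """For each 4720 (account created) collect the later 4732 group additions of that account
    and the Sysmon 1 command lines naming it: the evidence chain behind Tasks 4 and 5."""
    chain = []
    for created in events(docs, 4720, SEC):
        account, t0 = created["winlog.event_data.TargetUserName"], created["@timestamp"]
        adds = [(d["winlog.record_id"], d["winlog.event_data.TargetUserName"])
                for d in events(docs, 4732, SEC)
                if d["@timestamp"] > t0 and d["winlog.event_data.MemberName"] == account]
        cmds = [d["process.command_line"] for d in events(docs, 1, SYSMON)
                if d["@timestamp"] > t0 and account in d["process.command_line"]]
        chain.append({"account": account, "created_record_id": created["winlog.record_id"],
                      "group_adds": adds, "commands": cmds})
    return chain


def archives_created(docs):
    """Sysmon 1 command lines whose image is rar.exe, with every .rar argument they name."""
    out = []
    for d in events(docs, 1, SYSMON):
        tokens = d["process.command_line"].split()
        if tokens and tokens[0].lower().endswith("rar.exe"):
            out.extend(t for t in tokens[1:] if t.lower().endswith(".rar"))
    return out


if __name__ == "__main__":
    print("POSTs to proxyLogon.ecp:", count_requests(WEBLOGS, ATTACKER, "POST", "proxyLogon.ecp"))
    print("cmd= requests:", cmd_parameters(WEBLOGS))
    print("account chain:", new_account_chain(WINLOGS), "archives:", archives_created(WINLOGS))
```

The point of `new_account_chain` is that neither a 4720 nor a 4732 is alarming on its own; it is the sequence (account created, then added to "Remote Desktop Users" and "Administrators", with a matching `net localgroup` process creation in between) that turns three routine events into an escalation story, which is exactly the correlation the room asks you to build by hand in Kibana.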
