⭐ Day 7 – SOC Alerts, Correlation, and Dashboards (Beginner Friendly)
Today students will learn 3 powerful SOC skills:
- How SOC alerts work
- How to build correlation rules
- How to create a real SOC dashboard in Splunk
This is a very important practical day.
🧠 1. What Is SOC Alerting?
A SOC alert is a notification that something suspicious or dangerous happened.
Examples:
- Multiple failed logins → Brute Force
- Remote login at midnight → Unusual behavior
- New admin account → Privilege escalation
- RDP login from another country → Possible compromise
Alerts help SOC analysts detect attacks quickly.
🔥 2. Alert Life Cycle (Explain to Students)
Every SOC uses this simple flow:
1️⃣ Alert Triggered
SIEM sees suspicious behavior.
2️⃣ L1 Analyst Reviews Alert
Checks the logs and decides whether the alert is a true positive or a false positive.
3️⃣ L2 Analyst Investigates
Deeper investigation, correlates logs.
4️⃣ L3/IR Takes Action
Blocks IP, resets password, isolates machine.
5️⃣ Close Ticket + Write Notes
Document everything.
This is daily SOC life.
🔍 3. Simple Alert Conditions for Students (Very Easy)
Alert 1 – Brute Force Attempt
Condition:
- More than 5 failed logins from same IP
Splunk query:
index=* fail | stats count by IP | where count > 5
Alert 2 – Successful login after many failures
index=* ("Failed" OR "fail" OR "Successful")
| transaction IP maxspan=5m
| search "Successful"
| where eventcount > 5
The base search must include the successful logins as well; if it only matches failures, no transaction can ever contain a "Successful" event. transaction adds an eventcount field, so the final where keeps only IPs whose 5-minute window holds a success plus at least five other events.
Alert 3 – PowerShell encoded command
index=* powershell "EncodedCommand"
MITRE Mapping:
- T1110 Brute Force (Credential Access tactic) – Alerts 1 and 2
- T1059 Command and Scripting Interpreter (Execution tactic) – Alert 3, PowerShell
🔄 4. What Is Correlation? (Simple Explanation)
Correlation means combining multiple logs to see a bigger picture.
Example:
🔹 10 failed logins
🔹 Then 1 successful login
🔹 From same IP
→ This is a clear brute-force attack.
SOC analysts use correlation to understand attacks.
🧩 5. Splunk Correlation Examples
Correlation 1 – Failed + Successful Login
index=* ("Failed" OR "fail" OR "4625" OR "4624")
| stats values(status) count by IP, user
Correlation 2 – Remote Login + Admin Action
index=* EventCode=4624 Logon_Type=10
| join user
[search index=* (EventCode=4720 OR EventCode=4732)]
Correlation 3 – Discovery + Lateral Movement
index=* ("nmap" OR "portscan")
| append
[search index=* ("RDP" OR Logon_Type=10)]
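As an added example that is not part of the lesson, here is the logic of Alert 1, Alert 2 and Correlations 1 and 2 written as plain Python over a constructed set of Windows-style logon events, so students can step through what stats count, transaction and join are doing without a Splunk instance. The field names (EventCode, src_ip, user, Logon_Type), the thresholds and the log lines are assumptions modelled on the SPL above, not real data.

```python
"""Correlation over constructed Windows-style authentication events.

Added teaching example (not from the lesson or Splunk): the SPL in
sections 3 and 5 expressed as Python. Field names and thresholds are
assumptions modelled on Windows Security event fields; every log line
below is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one event per line, key=value fields.
# 203.0.113.7 fails six times, then succeeds over RDP (Logon_Type=10) and
# creates an account (4720) and adds it to a group (4732).
SAMPLE_LOG = """\
2024-05-01T02:00:01 EventCode=4625 src_ip=203.0.113.7 user=alice Logon_Type=3
2024-05-01T02:00:04 EventCode=4625 src_ip=203.0.113.7 user=alice Logon_Type=3
2024-05-01T02:00:09 EventCode=4625 src_ip=203.0.113.7 user=alice Logon_Type=3
2024-05-01T02:00:15 EventCode=4625 src_ip=203.0.113.7 user=alice Logon_Type=3
2024-05-01T02:00:21 EventCode=4625 src_ip=203.0.113.7 user=alice Logon_Type=3
2024-05-01T02:00:30 EventCode=4625 src_ip=203.0.113.7 user=alice Logon_Type=3
2024-05-01T02:01:02 EventCode=4624 src_ip=203.0.113.7 user=alice Logon_Type=10
2024-05-01T02:03:40 EventCode=4720 src_ip=- user=alice target=svc_backup
2024-05-01T02:04:10 EventCode=4732 src_ip=- user=alice target=svc_backup
2024-05-01T09:12:00 EventCode=4625 src_ip=198.51.100.2 user=bob Logon_Type=2
2024-05-01T09:12:30 EventCode=4624 src_ip=198.51.100.2 user=bob Logon_Type=2
2024-05-01T11:00:00 EventCode=4624 src_ip=192.0.2.44 user=carol Logon_Type=10
"""


def parse_log(text):
    """Turn the key=value lines into dicts with a datetime in _time, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *pairs = line.split()
        ev = dict(p.split("=", 1) for p in pairs)
        ev["_time"] = datetime.fromisoformat(ts)
        events.append(ev)
    return sorted(events, key=lambda e: e["_time"])


def brute_force_sources(events, threshold=5):
    """Alert 1: stats count by IP | where count > 5, counting failures (4625)."""
    counts = defaultdict(int)
    for ev in events:
        if ev["EventCode"] == "4625":
            counts[ev["src_ip"]] += 1
    return {ip: n for ip, n in counts.items() if n > threshold}


def success_after_failures(events, min_failures=5, window=timedelta(minutes=5)):
    """Alert 2 / Correlation 1: a success (4624) preceded by at least
    min_failures failures from the same IP inside the window, like
    transaction IP maxspan=5m followed by a check on the event count."""
    hits = []
    for i, ev in enumerate(events):
        if ev["EventCode"] != "4624":
            continue
        failures = sum(
            1 for prev in events[:i]
            if prev["EventCode"] == "4625"
            and prev["src_ip"] == ev["src_ip"]
            and ev["_time"] - prev["_time"] <= window
        )
        if failures >= min_failures:
            hits.append((ev["src_ip"], ev["user"], failures))
    return hits


def remote_logon_then_admin(events, window=timedelta(minutes=30)):
    """Correlation 2: remote logon (Logon_Type=10) followed by account
    creation (4720) or group change (4732) by the same user, i.e. the join on user."""
    admin_codes = {"4720", "4732"}
    hits = []
    for i, ev in enumerate(events):
        if ev["EventCode"] != "4624" or ev.get("Logon_Type") != "10":
            continue
        followups = [
            later["EventCode"] for later in events[i + 1:]
            if later["EventCode"] in admin_codes
            and later["user"] == ev["user"]
            and later["_time"] - ev["_time"] <= window
        ]
        if followups:
            hits.append((ev["user"], ev["src_ip"], followups))
    return hits


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("Brute force sources:", brute_force_sources(evs))
    print("Success after failures:", success_after_failures(evs))
    print("Remote logon then admin action:", remote_logon_then_admin(evs))
```

Running it flags 203.0.113.7 for all three detections and leaves bob (one failure) and carol (remote logon with no admin follow-up) alone, which is the same separation the SPL makes between a noisy alert and a correlated story.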
📊 6. Building a Simple SOC Dashboard (3 Panels)
Panel 1 – Failed Logins by IP (Bar Chart)
index=* fail | stats count by IP
Panel 2 – Login Trend Over Time (Line Chart)
index=* | timechart count
Panel 3 – Event Status Distribution (Pie Chart)
index=* | stats count by status
Let students build this inside Splunk Dashboard Studio.
🧪 7. Day 7 Hands-On Tasks
Task 1: Create a Brute Force Alert
Run:
index=* fail | stats count by IP | where count > 5
Ask students:
- Which IP is attacking?
- Which MITRE technique?
Task 2: Correlate Failed + Successful Logins
index=* ("Failed" OR "fail")
| append [search index=* "Successful"]
Task 3: Build 1 Dashboard Panel
Any panel is fine:
- Bar chart
- Pie chart
- Line chart
Task 4: Identify Lateral Movement
index=* 4624
| search Logon_Type=10
🎤 Trainer Script (Use in Class)
“Alerts tell us when something suspicious happens.
Correlation tells us the full story behind the alert.
Dashboards help us see attacks in real time.
Today you learned how a SOC analyst monitors, detects, and visualizes attacks.”
📝 Homework
Each student must submit:
- One alert query
- One correlation query
- One dashboard panel
- MITRE tactic mapped to each query
Example:
Query: index=* fail
MITRE: Credential Access – T1110