Skip to main content

SOC L1 Alert Reporting

Shubham
Cybersecurity Enthusiast

1. System Overview

Triage is just the filtering mechanism. Reporting is the output mechanism. After validating an alert (Triage), the information must be structured and moved upstream. This phase bridges the gap between "I found something" and "We fixed it."

  • L1 Role: Validate, document, and route.
  • L2 Role: Receive valid threats, perform deep forensics, and execute remediation (containment/cleaning).
  • Communication: The critical link to external stakeholders (IT, HR, Management).

2. The Reporting Lifecycle

The goal is to create "Actionable Intelligence." A report is useless if the next person has to redo your investigation.

Step A: The "5 Ws" Framework (Standardization)

Every report must follow a strict schema to ensure no critical data is lost during handoff.

  1. Who: The entity involved.
    • User: m.clark
    • Privilege: NT AUTHORITY\SYSTEM (Highest risk).
  2. What: The specific action.
    • Action: Executed revshell.exe via cmd.exe.
  3. When: The exact timestamp (SIEM time, not current time).
    • Critical: Helps correlate with other logs (e.g., firewall traffic at the exact same second).
  4. Where: The location.
    • Host: DMZ-MSEXCHANGE-2013 (High value target).
    • Path: C:\Users\Public\ (Common malware drop zone).
  5. Why: The Verdict justification.
    • Reasoning: "Parent process is IIS Worker (w3wp.exe) spawning a shell. This indicates a web shell exploitation."

Step B: The Decision Matrix (Escalate vs. Close)

Not every validated alert goes to L2. You must filter based on the "Alert Funnel."

StatusDefinitionAction
False PositiveBenign activity (e.g., Admin testing).Close. Add note: "Authorized activity per Change Request #123."
True Positive (Low)Minor policy violation (e.g., P2P software).Close (usually). Send automated email to user/manager. (Check specific SOC policy).
True Positive (High)Active threat (Phishing, Malware, Root access).Escalate. Assign to L2 immediately.
UncertainYou cannot confirm if it's safe or malicious.Escalate/Request Info. Do not guess. Ask L2 for a second opinion.

Step C: Escalation Protocol

When moving a ticket from L1 -> L2, follow this "Handshake":

  1. Update Status: Move from "In Progress" to "Escalated" (or reassign owner to L2).
  2. The Handoff:
    • Procedural: Assign ticket in the system.
    • Direct: Ping the L2 on shift (Slack/Teams). Crucial for Critical alerts.
  3. No "Throwing over the fence": You remain responsible until the L2 acknowledges receipt.

3. Communication Procedures (Crisis Management)

The system breaks down when people panic. Follow these rules when standard workflows fail.

  • The "Silent" Attacker: If you suspect a user's communication channel (Slack/Email) is compromised, do not contact them there. Call them on a mobile phone.
  • The Unresponsive L2: If a Critical alert sits for >30 mins with no L2 response:
    1. Call L2 directly.
    2. Escalate to L3.
    3. Escalate to SOC Manager. (Do not jump straight to Manager unless necessary).
  • The "Missed" Attack: If you realize you closed a ticket yesterday that was actually malware:
    • Do not hide it.
    • Re-open immediately and inform L2. Time is the enemy; hiding mistakes helps the attacker.

4. Technical Indicators in Reporting

When writing the "Why" section, focus on these proof points:

  • Email Analysis:
    • SPF/DKIM Fail: The sender is not who they claim to be (Spoofing).
    • Urgency: "Action Required Immediately" (Social Engineering).
    • Attachment: .zip or .html attachments from unknown senders.
  • Web Shells:
    • Process Tree: w3wp.exe (Web Server) -> cmd.exe or powershell.exe. Web servers should serve pages, not run commands.
  • Reconnaissance:
    • Commands: whoami, net user, nltest. These are "enumerating" the network to find the next target.

5. Operational Reality

  • Documentation is Evidence: In a legal breach, your notes are evidence. "I think it's bad" is useless. "Hash X matches Trojan Y on VirusTotal" is evidence.
  • The "Bus Factor": Write every report as if you will be hit by a bus tomorrow. Can the next person understand exactly what happened without asking you?