# SOC Triage Lab – Notebook

This notebook is used to manually analyze SOC alerts from the `alerts/` folder.

**Workflow:**
1. Set the alert file you want to analyze.
2. Load and inspect the alert.
3. Use this notebook together with the corresponding report in `reports/`.

Current sample alert: `alerts/alert_001_ssh_bruteforce.json`

In [1]:
from pathlib import Path
import json
from pprint import pprint

# Set which alert to load
ALERT_FILE = Path("../alerts/alert_001_ssh_bruteforce.json")

with ALERT_FILE.open("r", encoding="utf-8") as f:
    alert = json.load(f)

pprint(alert)

{'cloud_provider': 'Azure',
 'dst_host': 'webserver-01.example.internal',
 'event_count': 120,
 'id': 'ALERT-001',
 'log_snippet': ['Jan 24 12:15:03 webserver-01 sshd[1024]: Failed password for '
                 'root from 203.0.113.45 port 51234 ssh2',
                 'Jan 24 12:17:41 webserver-01 sshd[1056]: Failed password for '
                 'root from 203.0.113.45 port 51302 ssh2',
                 'Jan 24 12:19:22 webserver-01 sshd[1077]: Failed password for '
                 'root from 203.0.113.45 port 51388 ssh2',
                 'Jan 24 12:24:55 webserver-01 sshd[1099]: Accepted password '
                 'for root from 203.0.113.45 port 51410 ssh2',
                 'Jan 24 12:29:57 webserver-01 sshd[1113]: Session opened for '
                 'user root by (uid=0)'],
 'product': 'Azure VM / Linux auth logs',
 'severity': 'Medium',
 'source': 'SIEM',
 'src_ip': '203.0.113.45',
 'timestamps': {'detection_time': '2025-01-24T12:30:10Z',
                'first_seen': '2

## Triage Notes (ALERT-001)

**Short summary:**  
- 120 failed SSH attempts from a single external IP (`203.0.113.45`) targeting `root` on `webserver-01`
- Followed by a successful root login.
- Strong indication of brute-force compromise.

**Key indicators:**  
- User / account:  root
- Source IP:  203.0.113.45 (external)
- Destination host:  webserver-01 (Azure VM)
- Time window:  12:15 -> 12:29 UTC
- Event count:  ~120 failed logins + 1 success

**Initial assessment:**  
- [ ] False Positive  
- [ ] Benign but risky  
- [x] True Positive  
- [ ] Needs more information  

**Severity:**  
- [ ] Low  
- [ ] Medium  
- [ ] High  
- [x] Critical  

**Decision (L1):**  
- [ ] Close  
- [x] Escalate to L2 / IR  
- [ ] Create follow-up task  

**Notes for L2:**  
- Confirmed unauthorized root login after repeated failures.
- Recommended immediate VM isolation, credential reset, and forensic review.
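The indicators above were read off the log snippet by hand. The following is an added example (not part of the lab's own code) that derives them programmatically: it parses sshd auth lines of the same shape as the alert's `log_snippet`, counts failures per source IP and account, and flags an accepted login that arrives only after repeated failures. The sample lines are constructed to mirror the alert, and `fail_threshold` is an assumed tuning value for illustration.

```python
import re
from collections import OrderedDict

# Constructed sample lines in the same sshd format as the alert's log_snippet
SAMPLE_LINES = [
    "Jan 24 12:15:03 webserver-01 sshd[1024]: Failed password for root from 203.0.113.45 port 51234 ssh2",
    "Jan 24 12:17:41 webserver-01 sshd[1056]: Failed password for root from 203.0.113.45 port 51302 ssh2",
    "Jan 24 12:19:22 webserver-01 sshd[1077]: Failed password for root from 203.0.113.45 port 51388 ssh2",
    "Jan 24 12:24:55 webserver-01 sshd[1099]: Accepted password for root from 203.0.113.45 port 51410 ssh2",
    "Jan 24 12:29:57 webserver-01 sshd[1113]: Session opened for user root by (uid=0)",
]

# Matches both "Failed password for <user>" and "Failed password for invalid user <user>"
SSHD_AUTH = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

def parse_auth_events(lines):
    """Return parsed auth events in log order; lines that are not password auth results are skipped."""
    return [m.groupdict() for m in (SSHD_AUTH.match(l) for l in lines) if m]

def triage_bruteforce(lines, fail_threshold=3):
    """Per (src_ip, user): count failures and flag an Accepted login that follows >= fail_threshold failures.

    fail_threshold is an assumed tuning value; the real alert carried 120 failures."""
    findings = OrderedDict()
    for ev in parse_auth_events(lines):
        key = (ev["ip"], ev["user"])
        f = findings.setdefault(key, {"host": ev["host"], "failed": 0, "accepted": 0,
                                      "success_after_failures": False,
                                      "first_seen": ev["ts"], "last_seen": ev["ts"]})
        f["last_seen"] = ev["ts"]
        if ev["result"] == "Failed":
            f["failed"] += 1
        else:
            f["accepted"] += 1
            # A success with no preceding burst of failures is a normal login, not a hit
            if f["failed"] >= fail_threshold:
                f["success_after_failures"] = True
    return findings

def likely_compromise(findings):
    """Keys whose pattern (many failures, then success) matches the ALERT-001 triage conclusion."""
    return [k for k, f in findings.items() if f["success_after_failures"]]

if __name__ == "__main__":
    results = triage_bruteforce(SAMPLE_LINES)
    for (ip, user), f in results.items():
        print(f"{ip} -> {user}@{f['host']}: {f['failed']} failed, {f['accepted']} accepted, "
              f"{f['first_seen']} .. {f['last_seen']}, compromise={f['success_after_failures']}")
    print("Escalate:", likely_compromise(results))
```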