The SOC Gauntlet • Room 1

Scenario: Breach Triage

**Scenario:** A correlation search fires for "Excessive Failed Logins" targeting user `jdoe`. 15 minutes later, a second correlation search fires for "Successful Login After Multiple Failures" for the same user from an IP geolocated in a foreign country.

As the SOC analyst, you must:

1) Open Incident Review
2) Correlate the two notable events
3) Check the Asset & Identity framework for jdoe's role
4) Determine if the IP is on any threat intelligence list
5) Execute an Adaptive Response action

Knowledge Check

Prove your understanding to clear the room (Rewards XP)
Question 1 of 1
In this breach scenario, which ES framework would you use to check if the suspicious IP address is a known malicious indicator?
A) Glass Tables
B) Threat Intelligence Framework
C) Content Update Manager
D) Data Model Acceleration