WEEK_1 · DAY_02 · LAB

Lab 2 — Map a Triage Workflow

The 3-tier model, specialist roles, alert lifecycle, and shift handovers


Lab Objectives

  • Map the 3-tier SOC model (T1, T2, T3)
  • Understand specialist roles (IR, TI, Detection Engineer, SOAR Engineer, SOC Manager)
  • Trace an alert from generation to closure
  • Know what each tier owns and escalates

Lab Instructions

  1. Open the Splunk ES lab → Incident Review.
  2. Pick the 3 newest notable events.
  3. For each, write a 4-line triage note (Who · What · When · Action).
  4. Decide for each: false positive, escalate to T2, or contain.
  5. Note which tier you'd hand off to and why.
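The five steps above as a small script, added here as an example and not part of the Splunk ES lab or the course material. It picks the newest notables, writes the 4-line Who · What · When · Action note, assigns one of the three dispositions and names the tier that takes the hand-off. The field names mirror common Splunk ES notable fields (rule_name, urgency, src, dest, user), but the events, the scanner allow-list, the routing rules and the tier-ownership table are constructed for illustration and should be replaced by your own SOC's playbook.

```python
"""Triage-note and tier-routing helper over constructed notable events.

Added example, not code from the lab or the course. Events, the allow-list
and the routing rules are constructed assumptions for illustration only.
"""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Notable:
    time: datetime
    rule_name: str
    urgency: str        # low | medium | high | critical
    user: str
    src: str
    dest: str
    observation: str    # what the analyst found while pivoting on the event


# Hypothetical allow-list: hosts that legitimately generate scanner noise.
AUTHORISED_SCANNERS = {"10.0.5.20"}

# Hypothetical mapping from disposition to the tier that owns the next step.
# Which tier runs containment is a per-SOC decision; T2 with IR is assumed here.
HANDOFF = {
    "false positive": ("T1", "T1 closes the notable and documents or tunes the rule."),
    "escalate to T2": ("T2", "T2 investigates across hosts and identities."),
    "contain": ("T2/IR", "Containment (isolate host, disable account) is run with IR."),
}


def newest(events, n=3):
    """Return the n most recent notables, newest first (as Incident Review sorts)."""
    return sorted(events, key=lambda e: e.time, reverse=True)[:n]


def disposition(ev):
    """Pick one of the lab's three outcomes. These rules are illustrative, not policy."""
    if ev.src in AUTHORISED_SCANNERS:
        return "false positive"
    if ev.urgency == "critical" and "Execution" in ev.rule_name:
        return "contain"
    return "escalate to T2"


def triage_note(ev):
    """The 4-line Who / What / When / Action note the lab asks for."""
    d = disposition(ev)
    tier, why = HANDOFF[d]
    return "\n".join([
        f"Who:    {ev.user} on {ev.src} -> {ev.dest}",
        f"What:   {ev.rule_name} (urgency {ev.urgency}); {ev.observation}",
        f"When:   {ev.time.isoformat()}",
        f"Action: {d} -> hand off to {tier}. {why}",
    ])


# Constructed sample notables (not real Incident Review data). The oldest one
# exists only to show that newest() drops it.
SAMPLE_NOTABLES = [
    Notable(datetime(2024, 6, 3, 9, 12, tzinfo=timezone.utc),
            "Brute Force Access Behavior Detected", "medium", "-",
            "203.0.113.7", "vpn-gw01",
            "42 failed logins in 3 min followed by 1 success"),
    Notable(datetime(2024, 6, 3, 9, 40, tzinfo=timezone.utc),
            "Vulnerability Scanner Detected", "low", "svc_scan",
            "10.0.5.20", "10.0.8.0/24",
            "source is the scheduled internal scanner"),
    Notable(datetime(2024, 6, 3, 10, 5, tzinfo=timezone.utc),
            "Suspicious Process Execution - Encoded PowerShell", "critical", "jdoe",
            "10.0.8.44", "198.51.100.9",
            "base64 -enc payload spawning from Outlook, outbound to unknown host"),
    Notable(datetime(2024, 6, 2, 23, 55, tzinfo=timezone.utc),
            "Excessive Failed Logins", "low", "-",
            "10.0.8.12", "dc01",
            "expired service credential, ticket already open"),
]


if __name__ == "__main__":
    for ev in newest(SAMPLE_NOTABLES):
        print(triage_note(ev))
        print("-" * 60)
```

Each note ends with the disposition and the receiving tier, so steps 4 and 5 are recorded in the same place as the note itself; that is the part a T2 analyst reads first on hand-off.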