SOC Level 2 Workflow – Room Summary

Final Thoughts

This was one of my favorite TryHackMe rooms so far because it focused on an area of cybersecurity that I genuinely enjoy: log analysis and incident triage. Rather than simply acknowledging alerts, the room demonstrates how a SOC Level 2 analyst investigates security incidents by building timelines, analyzing evidence, validating suspicious activity, and coordinating an appropriate response. It felt more like solving a puzzle than completing a checklist, which made the exercises both engaging and realistic.

One of the biggest takeaways was understanding the difference between SOC Level 1 and Level 2 responsibilities. While Level 1 analysts focus on reviewing, triaging, and escalating alerts within established SLAs, Level 2 analysts dig deeper to determine what actually happened. That means analyzing process execution, network connections, file activity, and user behavior to reconstruct the full attack timeline before deciding on the appropriate response.

The room also reinforced a structured investigation methodology. Instead of immediately searching through logs, the analyst first determines why an alert was generated, develops an initial hypothesis, and then builds a detailed timeline of related events. Using examples such as PowerShell launching Rundll32, the investigation expands from a single alert into a complete view of the attack chain, revealing additional indicators of compromise that might otherwise be overlooked.

Another concept I found particularly valuable was the iterative nature of threat hunting. Analysts continuously form hypotheses, gather new evidence, refine the timeline, and repeat the process until the complete picture emerges. This evidence-driven approach closely reflects real-world incident response and emphasizes the importance of following facts rather than assumptions.

The room also covered the response process, including validating suspicious activity with users or internal teams, handling true and false positives appropriately, tuning detections to reduce future noise, and understanding when immediate containment should take priority over completing an investigation. It provided a solid introduction to the containment, eradication, and recovery phases of incident response while highlighting the importance of communication throughout the process.

Overall, this room does an excellent job of demonstrating that effective log analysis is much more than searching through events. It is about reconstructing the attack story, validating hypotheses, identifying indicators of compromise, and making informed decisions that help protect an organization. I would highly recommend this room to anyone interested in blue team operations, incident response, threat hunting, or pursuing a career as a SOC analyst.

Similar Posts

  • TryHackMe: Jump

    Jump is a Red Team-focused TryHackMe room that demonstrates how small trust relationships between users and automation can be chained together to achieve full system compromise. Rather than relying on a single vulnerability, the room requires moving through multiple privilege boundaries by abusing insecure automation and misconfigurations. The room begins with anonymous access to an…

  • W1seGuy

    W1seGuy introduces the fundamentals of XOR encryption and demonstrates how a known plaintext attack can recover a repeating key. This room helped me move beyond memorizing XOR and finally understand why it works, making it one of the most valuable introductory cryptography challenges I’ve completed.

  • OWASP Top 10 2025 – IAAA Failures

    Overview This room introduced the IAAA security model, a framework that explains how applications identify users, verify their identity, control what they can access, and record their actions. The room demonstrates how weaknesses in these areas relate directly to several vulnerabilities in the OWASP Top 10 (2025). Rather than focusing on exploitation, the room explains…