SOC Level 2 Workflow – Room Summary
Final Thoughts
This was one of my favorite TryHackMe rooms so far because it focused on an area of cybersecurity that I genuinely enjoy: log analysis and incident triage. Rather than simply acknowledging alerts, the room demonstrates how a SOC Level 2 analyst investigates security incidents by building timelines, analyzing evidence, validating suspicious activity, and coordinating an appropriate response. It felt more like solving a puzzle than completing a checklist, which made the exercises both engaging and realistic.
One of the biggest takeaways was understanding the difference between SOC Level 1 and Level 2 responsibilities. While Level 1 analysts focus on reviewing, triaging, and escalating alerts within established SLAs, Level 2 analysts dig deeper to determine what actually happened. That means analyzing process execution, network connections, file activity, and user behavior to reconstruct the full attack timeline before deciding on the appropriate response.
The room also reinforced a structured investigation methodology. Instead of immediately searching through logs, the analyst first determines why an alert was generated, develops an initial hypothesis, and then builds a detailed timeline of related events. Using examples such as PowerShell launching Rundll32, the investigation expands from a single alert into a complete view of the attack chain, revealing additional indicators of compromise that might otherwise be overlooked.
Another concept I found particularly valuable was the iterative nature of threat hunting. Analysts continuously form hypotheses, gather new evidence, refine the timeline, and repeat the process until the complete picture emerges. This evidence-driven approach closely reflects real-world incident response and emphasizes the importance of following facts rather than assumptions.
The room also covered the response process, including validating suspicious activity with users or internal teams, handling true and false positives appropriately, tuning detections to reduce future noise, and understanding when immediate containment should take priority over completing an investigation. It provided a solid introduction to the containment, eradication, and recovery phases of incident response while highlighting the importance of communication throughout the process.
Overall, this room does an excellent job of demonstrating that effective log analysis is much more than searching through events. It is about reconstructing the attack story, validating hypotheses, identifying indicators of compromise, and making informed decisions that help protect an organization. I would highly recommend this room to anyone interested in blue team operations, incident response, threat hunting, or pursuing a career as a SOC analyst.