MODULE 01 — ANALYST TRAINING

Cybersecurity Triage Investigation

Step into a Security Operations Center. Analyze AI-generated alerts, investigate network traffic, and determine which threats are real.

15 alerts · ML-based IDS · LIME explanations · PCAP investigation · Wireshark

What Is This Task

This training is modeled on real-world cybersecurity operations — the decisions, tools, and tradeoffs that SOC analysts face every day.

ROLE_01
🎯

Your Role

You are a cybersecurity triage analyst — the first line of defense when alerts arrive. You decide what is real and what is noise.

CONTEXT_02
🏢

The Scenario

Based on real SOC operations. The tools are authentic, the data is realistic, and the decisions reflect genuine analyst tradeoffs.

GOAL_03
📋

Your Goal

Determine which attacks are real, reconstruct attacker activity, and produce a clear report understandable by non-technical stakeholders.

⚠ WARNING — Some alerts are false positives. Not every flag from the AI represents a real attack. Critical evaluation is required.

Analyst Workflow

Real SOC analysts follow a structured sequence. Understanding this workflow before you touch any data is what separates disciplined analysis from guesswork.

1
INITIAL

Alert Arrives

The intrusion detection system flags a suspicious network connection and surfaces a summary: source IP, destination IP, ports, timing, and the predicted attack category. This is your starting point — nothing more.

2
CRITICAL

Triage & Prioritize

Because alerts arrive continuously and analyst time is finite, you must decide which alerts deserve immediate investigation. This is one of the most consequential decisions in the entire process.

⚡ Time pressure is constant in a real SOC. Prioritization is how analysts protect their attention.

3
ACTION

Acknowledge the Alert

Formally take ownership of the selected alert. In production SOC environments, this prevents two analysts from investigating the same incident simultaneously and wasting resources.

4
DEEP DIVE

Investigate PCAP in Wireshark

Open the packet capture file and look for concrete packet-level evidence. Filter by IP, port, protocol, and time window. Look for the specific behavioral patterns the LIME explanation pointed you toward.

5
OUTCOME

Confirm or Dismiss

Based on the PCAP evidence — or lack of it — classify the alert: true positive (confirmed attack) or false positive (benign traffic misclassified by the AI). Document your reasoning either way.


How Are Alerts Generated

Alerts come from Intrusion Detection Systems (IDS). There are two fundamentally different approaches — understanding the difference matters for how you evaluate alerts.

APPROACH A

Signature-Based

Rule-driven detection

  • Maintains a database of known attack patterns (signatures)
  • Raises an alert when traffic matches an existing signature exactly
  • Fast and highly reliable for previously documented attacks
  • Cannot detect novel or zero-day threats with no prior signature
  • Requires constant manual updates as new attacks emerge

VS

APPROACH B ★ USED IN THIS TASK

Machine Learning-Based

Anomaly detection

  • Trained on large volumes of real network traffic data
  • Learns a statistical model of what "normal" behavior looks like
  • Raises an alert when a connection deviates from the learned baseline
  • Can detect novel, unknown, and zero-day attacks
  • May produce false positives — human review is always required

Reading a LIME Explanation

Every alert includes a visual explanation generated by LIME (Local Interpretable Model-agnostic Explanations). You don't need to know the math — here's how to read it.

Prediction Probabilities

  NORMAL    0.47
  ABNORMAL  0.53

① Confidence: A score of 0.53 is borderline. The model barely leans toward flagging this as suspicious. Low confidence = treat the alert with more skepticism before investing investigation time.

④ Feature Values: The Feature Values table (below) shows the actual measured values for the top-influencing features. Use these as specific data points to search for when you open Wireshark.

Feature Impact Chart: ② orange bars push toward ABNORMAL, ③ blue bars push toward NORMAL.

[Chart: one horizontal bar per feature for Bwd IAT Min, Fwd Pkt Len Mean, Init Bwd Win Byts, FIN Flag Cnt, Flow Byts/s and Tot Bwd Pkts; ← pushes toward NORMAL | pushes toward ABNORMAL →]

The longer the orange bar, the more that feature contributed to the abnormal prediction. Significant blue bars argue against classification as an attack — high blue volume increases false positive probability.

Feature Values

  Feature            Value
  Bwd IAT Min          384
  Fwd Pkt Len Mean      32
  Init Bwd Win Byts  64163
  FIN Flag Cnt           0
  Flow Byts/s       256720
  Tot Bwd Pkts           4
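Added example, not code from the training platform: a small Python routine that reduces a LIME explanation to the two things the section tells you to extract, a confidence judgement and an ordered list of what pushes the prediction each way, plus the feature values to search for in Wireshark. The feature names, values and probabilities are the ones on this page; the signed weights are constructed for illustration (the page's chart does not state them), and the 0.60 borderline cut-off is an assumption.

```python
"""Summarise a LIME explanation the way the section above describes reading one.
Added example, not platform code; the weights and the threshold are constructed."""
from typing import Dict

BORDERLINE = 0.60  # assumed cut-off: below this, treat the alert with more skepticism


def read_explanation(probs: Dict[str, float], weights: Dict[str, float],
                     values: Dict[str, float]) -> dict:
    """probs: class probabilities. weights: signed LIME feature weights, where a
    positive weight pushes toward ABNORMAL (orange bar) and a negative one toward
    NORMAL (blue bar). values: measured feature values to search for in Wireshark."""
    label = max(probs, key=probs.get)
    toward_abnormal = sorted(((f, w) for f, w in weights.items() if w > 0),
                             key=lambda fw: -fw[1])
    toward_normal = sorted(((f, -w) for f, w in weights.items() if w < 0),
                           key=lambda fw: -fw[1])
    orange = sum(w for _, w in toward_abnormal)
    blue = sum(w for _, w in toward_normal)
    return {
        "label": label,
        "confidence": probs[label],
        "borderline": probs[label] < BORDERLINE,
        "toward_abnormal": toward_abnormal,   # longest orange bar first
        "toward_normal": toward_normal,       # longest blue bar first
        # share of total bar length arguing against an attack; a high share
        # raises the false-positive probability
        "blue_share": round(blue / (orange + blue), 2) if orange + blue else 0.0,
        # concrete data points to filter on when the capture is opened
        "search_for": [(f, values[f]) for f, _ in toward_abnormal if f in values],
    }


# Constructed explanation: feature names, values and probabilities from the page,
# signed weights illustrative only.
PROBS = {"NORMAL": 0.47, "ABNORMAL": 0.53}
WEIGHTS = {"Bwd IAT Min": 0.18, "Fwd Pkt Len Mean": 0.12, "Init Bwd Win Byts": -0.15,
           "FIN Flag Cnt": 0.07, "Flow Byts/s": -0.05, "Tot Bwd Pkts": 0.03}
VALUES = {"Bwd IAT Min": 384, "Fwd Pkt Len Mean": 32, "Init Bwd Win Byts": 64163,
          "FIN Flag Cnt": 0, "Flow Byts/s": 256720, "Tot Bwd Pkts": 4}

if __name__ == "__main__":
    s = read_explanation(PROBS, WEIGHTS, VALUES)
    print("Prediction:", s["label"], s["confidence"], "(borderline)" if s["borderline"] else "")
    for f, w in s["toward_abnormal"]:
        print(f"  orange {f:<18} {w:+.2f}  search for value {VALUES[f]}")
    for f, w in s["toward_normal"]:
        print(f"  blue   {f:<18} {-w:+.2f}")
    print("blue share:", s["blue_share"])
```

The `blue_share` figure is the practical output: with a 0.53 prediction and a third of the explanation weight on the NORMAL side, this alert should sit low in the queue until the packet data says otherwise.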

What to Look For in Wireshark

Each attack type leaves a distinctive fingerprint in the packet data. Know the pattern before you open the capture file.

TYPE_01
Port Scan

A reconnaissance technique where an attacker systematically probes a target machine by sending connection requests to many different port numbers. The goal is to discover which ports are open and which services are running, in order to identify potential entry points before launching a more targeted attack.

TRAFFIC PATTERN TO LOOK FOR
  • A single source IP sending connection attempts to many different destination ports on the same target
  • Connections happen in rapid succession within a very short time window
  • Most connections receive no response or are immediately reset — the attacker is just probing, not establishing sessions
  • Very low packet count per connection — typically just one or two packets each

TYPE_02
Brute Force

An automated attack where the attacker repeatedly attempts to authenticate to a service — such as SSH, FTP, or a web login — by trying many different username and password combinations in quick succession, hoping to eventually guess valid credentials.

TRAFFIC PATTERN TO LOOK FOR
  • A single source IP making repeated connection attempts to the same destination port on the same target
  • Each connection is short-lived and ends with an authentication failure or reset
  • The pattern repeats at machine speed — far faster than a human could type credentials manually
  • High connection count to a login-related port within a very narrow time window

TYPE_03
HTTP DDoS

A volumetric denial-of-service attack where the target web server is overwhelmed with a massive flood of HTTP requests, far exceeding what any legitimate user traffic could produce. The aim is to exhaust server resources — CPU, memory, or bandwidth — so that the service becomes unavailable to real users.

TRAFFIC PATTERN TO LOOK FOR
  • An abnormally high volume of HTTP requests all directed at a single destination IP address
  • Requests arrive at a rate that is orders of magnitude above normal web traffic
  • Traffic is sustained over time rather than being a single brief burst — the flow duration is comparatively long
  • Packets are small and uniform — consistent with automated request flooding rather than genuine browsing behaviour
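Added example, not the platform's own tooling: the three traffic patterns above written as flow-level checks in Python, run over constructed connection summaries of the kind an analyst would read off Wireshark's Conversations view. The `Conn` record, the thresholds (probe window, attempt rate, request rate, minimum flood duration) and all sample traffic are assumptions made for illustration; the page does not state numeric thresholds.

```python
"""Heuristic checks for the three attack patterns described in the section above.
Added example, not platform code. The Conn schema, thresholds and sample
traffic are constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass

# Ports the page names as authentication targets (SSH, FTP) plus web logins (assumed set).
LOGIN_PORTS = {21, 22, 23, 80, 443, 3389}


@dataclass
class Conn:
    """One TCP connection summarised from a capture (constructed schema)."""
    t: float        # start time, seconds since capture start
    src: str
    dst: str
    dport: int
    dur: float      # connection lifetime in seconds
    pkts: int       # packets in both directions
    failed: bool    # ended in RST, got no reply, or authentication failed
    http_reqs: int  # HTTP requests carried (0 for non-HTTP)


def _span(conns):
    """Seconds between the first and last connection start in the group."""
    return max(c.t for c in conns) - min(c.t for c in conns)


def find_port_scans(conns, window=2.0, min_ports=10):
    """Port scan: one source hits many distinct ports on one target within a
    short window, one or two packets per probe, no session established."""
    probes = defaultdict(list)
    for c in conns:
        if c.pkts <= 2 and c.failed:
            probes[(c.src, c.dst)].append(c)
    hits = {}
    for pair, cs in probes.items():
        ports = {c.dport for c in cs}
        if len(ports) >= min_ports and _span(cs) <= window:
            hits[pair] = len(ports)          # number of distinct ports probed
    return hits


def find_brute_force(conns, min_attempts=15, max_dur=1.0, min_rate=1.0):
    """Brute force: repeated short-lived, failed connections from one source to
    one login port, at a rate no human typing credentials could sustain."""
    attempts = defaultdict(list)
    for c in conns:
        if c.dport in LOGIN_PORTS and c.failed and c.dur <= max_dur:
            attempts[(c.src, c.dst, c.dport)].append(c)
    hits = {}
    for key, cs in attempts.items():
        span = _span(cs)
        rate = len(cs) / span if span > 0 else float("inf")
        if len(cs) >= min_attempts and rate >= min_rate:
            hits[key] = round(rate, 1)       # attempts per second
    return hits


def find_http_floods(conns, min_rate=100.0, min_duration=10.0):
    """HTTP DDoS: request rate to one destination far above normal and sustained
    over a long flow duration rather than a single brief burst."""
    by_dst = defaultdict(list)
    for c in conns:
        if c.http_reqs > 0:
            by_dst[c.dst].append(c)
    hits = {}
    for dst, cs in by_dst.items():
        span = _span(cs)
        total = sum(c.http_reqs for c in cs)
        if span >= min_duration and total / span >= min_rate:
            hits[dst] = round(total / span)  # requests per second
    return hits


def triage(conns):
    """Run all three checks; empty dicts mean no packet evidence for that pattern."""
    return {"port_scan": find_port_scans(conns),
            "brute_force": find_brute_force(conns),
            "http_ddos": find_http_floods(conns)}


# --- constructed sample traffic (not real captures) ---
def sample_scan():     # 12 ports probed in ~1 s, 1 packet each, all reset
    return [Conn(0.1 * i, "10.0.0.5", "10.0.0.20", 20 + i, 0.01, 1, True, 0) for i in range(12)]

def sample_brute():    # 30 failed SSH logins, one every 0.2 s
    return [Conn(0.2 * i, "10.0.0.7", "10.0.0.20", 22, 0.3, 6, True, 0) for i in range(30)]

def sample_flood():    # 200 connections from 50 sources, 20 requests each, over ~30 s
    return [Conn(0.15 * i, f"203.0.113.{i % 50 + 1}", "10.0.0.20", 80, 0.5, 40, False, 20)
            for i in range(200)]

def sample_benign():   # one browsing session and one long-lived SSH session
    return [Conn(1.0, "10.0.0.9", "10.0.0.20", 443, 12.0, 300, False, 8),
            Conn(5.0, "10.0.0.9", "10.0.0.20", 22, 600.0, 4000, False, 0)]

if __name__ == "__main__":
    print(triage(sample_scan() + sample_brute() + sample_flood() + sample_benign()))
```

Each check mirrors one bullet list above: the scan check keys on distinct ports and tiny probes, the brute-force check on repeated failures to one login port at machine speed, and the flood check on sustained request rate to one destination. The benign sample trips none of them, which is the false-positive case the next section is about.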

How to Prioritize

You cannot investigate 15 alerts with equal depth. Time is always limited. Here is how to decide what to investigate first.

The Real-World Constraint

  • Hundreds of alerts may arrive in a single shift
  • Each full investigation can take 30–90 minutes
  • New, critical alerts keep arriving while you work
  • Missing a real attack has direct organizational consequences
  • False positives are expected and must be cleared efficiently

Prioritization Criteria

Attack Type
DDoS and Brute Force carry higher immediate operational impact than Port Scans. Lead with the most disruptive category.

📊 AI Confidence Score
Higher abnormal probability = stronger signal. An alert at 0.85 takes precedence over one at 0.55.

🔗 Repeated Source IPs
Multiple alerts from the same source IP strongly suggest coordinated, intentional activity — not coincidence.

Prioritization is not ignoring alerts. It is working intelligently under real-world time pressure — the defining skill that separates experienced analysts from beginners.
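Added example, not the platform's own scoring: a Python ranking that combines the three criteria above (attack type, abnormal probability, repeated source IPs) into one queue order. The type weights, the repeat bonus and the 0.60 borderline cut-off are assumptions chosen to reproduce the page's ordering (DDoS and Brute Force above Port Scan, 0.85 above 0.55); the sample alerts are constructed.

```python
"""Rank alerts by the page's three prioritization criteria.
Added example, not platform code; weights, bonus and cut-off are assumed."""
from collections import Counter

# The page ranks DDoS and Brute Force above Port Scan; the numbers are an assumption.
TYPE_WEIGHT = {"HTTP DDoS": 3.0, "Brute Force": 2.5, "Port Scan": 1.0}
REPEAT_BONUS = 0.5   # added per extra alert from the same source IP (assumed)
BORDERLINE = 0.60    # below this the model "barely leans" abnormal (assumed)


def score(alert, src_counts):
    """Higher is more urgent. Confidence scales the attack-type weight, and a
    source seen in several alerts earns a bonus for each additional alert."""
    repeats = src_counts[alert["src"]] - 1
    return round(TYPE_WEIGHT[alert["type"]] * alert["p_abnormal"] + REPEAT_BONUS * repeats, 3)


def rank(alerts):
    """Return (id, score, borderline) tuples, most urgent first."""
    src_counts = Counter(a["src"] for a in alerts)
    ordered = sorted(alerts, key=lambda a: score(a, src_counts), reverse=True)
    return [(a["id"], score(a, src_counts), a["p_abnormal"] < BORDERLINE) for a in ordered]


# Constructed alert queue (IDs, sources and probabilities are illustrative).
ALERTS = [
    {"id": "A1", "type": "Port Scan",   "src": "10.0.0.5",    "p_abnormal": 0.53},
    {"id": "A2", "type": "Brute Force", "src": "10.0.0.7",    "p_abnormal": 0.85},
    {"id": "A3", "type": "HTTP DDoS",   "src": "203.0.113.9", "p_abnormal": 0.55},
    {"id": "A4", "type": "Port Scan",   "src": "10.0.0.7",    "p_abnormal": 0.91},
    {"id": "A5", "type": "Brute Force", "src": "10.0.0.8",    "p_abnormal": 0.55},
]

if __name__ == "__main__":
    for alert_id, s, borderline in rank(ALERTS):
        print(f"{alert_id}  score={s:<6} {'borderline' if borderline else ''}")
```

Note how the criteria interact: A4 is only a port scan, but its source also appears in A2, so it outranks a brute-force alert at 0.55 from a one-off source. The borderline flag travels with the ranking so that low-confidence alerts are approached with the skepticism the LIME section calls for, not silently dropped.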

Confirm or Dismiss

After the PCAP investigation, you reach a binary decision. Both outcomes are valid — identifying false positives is as important as confirming real attacks.

Evidence found?

False Positive (no evidence found)
  • No packet evidence matches the claimed attack behavior
  • Traffic appears benign — AI misclassified it
  • Mark alert as false alarm and close it
  • Document your reasoning — why you ruled it out

True Positive (evidence confirmed)
  • Packet evidence clearly matches the claimed attack type
  • Record packet numbers, timestamps, and behavior observed
  • Escalate to incident response as appropriate
  • Include in final investigation report

False positives are not failures. Machine learning models are imperfect and false alarms are expected in production. Correctly identifying and clearing them is a core analyst competency — it protects team focus for real threats.

Task Summary

Everything you need to carry into the investigation.

01
Review 15 AI-Generated Alerts

Read each alert and its LIME explanation. Form an initial impression of what is being flagged and how confident the model is. Do not investigate yet — observe first.

02
Prioritize Under Time Pressure

Rank alerts by attack type, confidence score, and source IP patterns. Select which to investigate first, just like a real SOC analyst working under shift time pressure.

03
Acknowledge & Investigate

Take ownership of selected alerts and investigate the PCAP data in Wireshark. Apply the attack pattern knowledge from this training to locate specific packet-level evidence.

04
Confirm or Dismiss — Then Report

Classify each investigated alert as a true positive or false positive. Compile your findings into a structured investigation report written clearly enough for non-technical stakeholders.

You are now ready to begin. Good luck, analyst.

Ready to start? Open the SOC Analyst Platform to begin your investigation — review the alerts, investigate the PCAP in Wireshark, and complete your incident report. Keep this training page open in a separate tab for reference.