SOC Analyst Simulation

Experience a day in the life of a Security Operations Center (SOC) analyst. Monitor alerts, investigate incidents, and respond to security threats in this interactive simulation.

Alert Details

Severity: Critical
Source: EDR - Endpoint

Detected Activities

Timestamp    Activity               Details                                                Severity
10:42:15 AM  Process Creation       Suspicious PowerShell command with encoded parameters  High
10:43:22 AM  Command Execution      vssadmin delete shadows /all /quiet                    Critical
10:43:48 AM  Registry Modification  Multiple registry keys associated with persistence     High
10:44:05 AM  Network Connection     Connection to known C2 server (185.122.58.12)          Critical
10:44:37 AM  File System Activity   Multiple file extension changes (.doc → .encrypted)    Critical

System Information

Hostname: DESKTOP-FINANCE03
IP Address: 192.168.1.45
User: jsmith@company.com (John Smith - Finance Department)
Operating System: Windows 10 Pro 21H2 (OS Build 19044.2251)
Last Patch: April 28, 2025

PowerShell Command Details

Encoded Command:

powershell.exe -NoP -NonI -W Hidden -Exec Bypass -Enc JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgALABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACIASAA0AHMASQBBAEEAQQBBAEEAQQBBAEEAQQAxAFYAVwBhACIAKQApADsASQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQB

Decoded (Partial Analysis):

$s=New-Object IO.MemoryStream(,[Convert]::FromBase64String("H4sIAAAAAAAAA1VWa")); IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();
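
One way to turn the decoding shown above into a repeatable triage check, as an added example rather than code from the simulation: it recovers the UTF-16LE script behind -Enc, re-pads a truncated blob like the one in the alert so its readable prefix still decodes, and scores the launcher switches and payload constructs. The indicator labels, weights and the threshold of 3 are this example's assumptions.

```python
"""Decode and triage encoded PowerShell launches (added example, not the simulation's code)."""
import base64
import re
# Weight 1: launcher switches from the alert's command line that reduce visibility or controls.
LAUNCHER_FLAGS = {
    r"-w(?:indowstyle)?\s+hidden": "hidden window",
    r"-exec(?:utionpolicy)?\s+bypass": "execution policy bypass",
    r"-nop(?:rofile)?\b": "no profile",
    r"-noni(?:nteractive)?\b": "non-interactive",
}
# Weight 2: constructs from the decoded stager (nested decoding, decompression, in-memory execution).
PAYLOAD_PATTERNS = {
    r"\biex\b|invoke-expression": "in-memory execution (IEX)",
    r"frombase64string": "nested base64 decoding",
    r"gzipstream|deflatestream": "compressed payload",
}
ENC_RE = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)

def decode_encoded_command(cmdline):
    """Return the UTF-16LE script behind -Enc/-EncodedCommand, or None; a truncated blob is re-padded."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    blob = m.group(1) + "=" * (-len(m.group(1)) % 4)
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:
        return None
    return raw[: len(raw) - len(raw) % 2].decode("utf-16-le", errors="replace")

def triage(cmdline):
    """Return (decoded, indicators, score); a score of 3 or more is this example's triage threshold."""
    decoded = decode_encoded_command(cmdline)
    script = cmdline if decoded is None else decoded
    indicators, score = [], 0
    for table, weight, text in ((LAUNCHER_FLAGS, 1, cmdline), (PAYLOAD_PATTERNS, 2, script)):
        for pat, label in table.items():
            if re.search(pat, text, re.I):
                indicators.append(label)
                score += weight
    if decoded is not None:
        indicators.append("encoded command")
        score += 1
    return decoded, indicators, score
def encode_for_powershell(script):
    return base64.b64encode(script.encode("utf-16-le")).decode()  # UTF-16LE then base64, as PowerShell expects
# Constructed sample (not from the page): a stager shaped like the alert's decoded script; "H4sI" stands in for the payload.
STAGER = "powershell.exe -NoP -NonI -W Hidden -Exec Bypass -Enc " + encode_for_powershell(
    '$s=New-Object IO.MemoryStream(,[Convert]::FromBase64String("H4sI")); IEX (New-Object IO.StreamReader('
    "New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();")
```

Running triage(STAGER) yields all four launcher flags, the three payload constructs and the encoding itself (score 11), while an encoded but harmless one-liner such as Get-Date stays below the threshold.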

Recommended Actions

  1. Isolate the affected endpoint immediately to prevent lateral movement and further encryption.
  2. Disable the user account and force password reset for all accounts that may have been logged into the affected system.
  3. Block all communication to the identified command and control IP address (185.122.58.12) at the firewall.
  4. Scan all systems for similar indicators of compromise, especially within the same department.
  5. Preserve forensic evidence for detailed analysis and potential legal requirements.
  6. Initiate incident response plan and notify appropriate stakeholders according to the procedure.