SOC Simulator: Exam Advice

This article describes how to effectively use the SOC Simulator.

Written by James Goforth
Updated this week

Understanding the SOC Simulator

The SOC Simulator (SOC Sim) section presents two real-world security incidents where you will investigate alerts in real time using the Analyst VM and Splunk. Alerts trigger dynamically, simulating a real SOC workflow and requiring a structured approach to incident analysis.

Best Strategies for Success

1. Understand the SOC Workflow

Treat the scenario as you would in a real SOC—identify threats, escalate when necessary, and report findings clearly. Staying methodical will help you navigate the alerts efficiently.

2. Utilise the Analyst VM & Splunk Efficiently

The Analyst VM provides tools needed for investigation - use them methodically.

In Splunk, craft precise queries - scope the search by time window, host and log source first, then exclude known-benign activity - so that noise is filtered out and you are looking only at the logs that matter for the alert.
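As an added illustration of what such a scoped search looks like (this is an example written for this article, not a query from the SOC Simulator or TryHackMe's own material), the SPL below assumes Windows Security logs in the `main` index with sourcetype `WinEventLog:Security`, an alert that points at process creation (EventCode 4688) on a host called `WORKSTATION-01`, and a one-hour window; the index, sourcetype, host name and exclusions are all placeholders to replace with the values your alert actually references.

```spl
index=main sourcetype="WinEventLog:Security" EventCode=4688 host="WORKSTATION-01" earliest=-1h latest=now
    NOT Account_Name="*$"
    NOT New_Process_Name="*\\svchost.exe"
| table _time, host, Account_Name, New_Process_Name, Process_Command_Line, Creator_Process_Name
| sort 0 _time
```

The first line is the scoping (index, sourcetype, event type, host, time range); the two `NOT` clauses drop machine-account activity and a known-noisy system binary so the remaining events are readable in one screen. Keep such exclusions narrow and specific: an attacker living off the land can hide behind exactly the binaries you exclude, so if the narrowed search shows nothing suspicious, remove the exclusions and look again before closing the alert.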

3. Recognise Attack Chains

Understand the typical cyber kill chain and MITRE ATT&CK framework. Identify attacker behaviour across multiple alerts to piece together the full incident.

4. Read the Documentation Thoroughly

The documentation is critical - understand log sources, attack patterns, and response steps.

5. Prioritise Critical Alerts

Not every alert warrants escalation - focus on those with clear indicators of compromise (IoCs). Check for repeat offenders (the same source address or account showing up in several alerts) and for correlations between different alerts that, taken together, describe a single incident.

6. Use a Step-by-Step Investigation Approach

Start by checking the alert timestamp and the affected assets, then look for related log entries around that time to confirm whether the activity is malicious. Follow a structured classification and escalation process for every alert rather than deciding case by case.
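Points 5 and 6 above both come down to the same Splunk habit: pivot from the alert's timestamp and affected asset to everything else that touched that asset in the same window, and look for the same source reappearing elsewhere. The search below is an added example written for this article (not a query from the SOC Simulator or TryHackMe), and it assumes Windows Security logon and process-creation events (EventCodes 4624, 4625, 4688) in the `main` index with sourcetype `WinEventLog:Security`; the index, sourcetype, event codes, 15-minute window and the thresholds are all assumptions to adjust for the data you are given.

```spl
index=main sourcetype="WinEventLog:Security" (EventCode=4625 OR EventCode=4624 OR EventCode=4688) earliest=-24h latest=now
| eval src=if(in(Source_Network_Address, "-", "::1", "127.0.0.1"), null(), Source_Network_Address)
| eventstats dc(host) AS hosts_from_src BY src
| bin _time span=15m AS window
| stats count AS events, dc(EventCode) AS distinct_codes, values(EventCode) AS codes,
        values(Account_Name) AS accounts, values(src) AS sources,
        max(hosts_from_src) AS max_hosts_from_src,
        min(_time) AS first_seen, max(_time) AS last_seen
        BY window, host
| where distinct_codes >= 2 OR events >= 20 OR max_hosts_from_src >= 2
| convert ctime(first_seen) ctime(last_seen) ctime(window)
| sort 0 window, host
```

Each row is one host in one 15-minute window. `distinct_codes >= 2` surfaces correlations such as failed logons followed by a successful one, or a logon followed by process creation, on the same host; `events >= 20` surfaces bursts such as password spraying; `max_hosts_from_src >= 2` surfaces a repeat offender, a remote source that has touched more than one host in the last 24 hours. The `eventstats` runs before `bin` and `stats` so the per-source host count is computed over the raw events, and local or empty source addresses are nulled out first so they do not collapse into one fake "source". Treat every row as a lead, not a verdict: open the underlying events, confirm the sequence and the accounts involved, and only then classify and escalate.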

7. Take Clear & Concise Notes

Document each step of your investigation in the case report, and make sure your findings are actionable and well-structured for whoever picks up the escalation.

8. Manage Your Time Effectively

The exam is time-sensitive, so don’t get stuck on one alert for too long. If unsure, document findings and move forward - just like in a real SOC.
