Understanding intrusion event classification for SOC analysts
Intrusion events are security incidents that indicate unauthorized access attempts or malicious activity on a network or system. SOC analysts must quickly categorize these events to prioritize response and allocate resources effectively.
Categorization matters for four reasons:
- Different event types require different response urgency: critical intrusions need immediate action, routine noise does not.
- Consistent categories make patterns visible across multiple events and time periods.
- Well-defined categories let SOAR playbooks automate initial response actions.
- Consistent categorization supports compliance reporting and executive dashboards.
When multiple alerts fire simultaneously, use this priority matrix to decide what to investigate first. Treat it as a starting point, not a verdict: an event moves up a tier once it is confirmed (a beacon to a destination confirmed as C2 is an active breach, handled as P1) and down when context shows the activity is authorized.
| Priority | Event Type | Response | Example |
|---|---|---|---|
| P1 | Active data exfiltration | Immediate containment | Large outbound transfer to unknown IP during off-hours |
| P1 | Ransomware execution | Isolate + IR team | Mass file encryption detected by EDR |
| P2 | C2 beacon detected | Investigate within 15 min; isolate the host once C2 is confirmed | Regular interval connections to suspicious domain |
| P2 | Credential compromise | Force password reset + revoke active sessions and tokens | Impossible travel login + privilege escalation |
| P3 | Reconnaissance activity | Monitor + document | Port scan from external IP against DMZ |
| P4 | Policy violation | Log + notify manager | Unauthorized software installation |
This topic extends the Threat Hunting presentation from Eye House, adding SOC-specific categorization frameworks. The table below maps common event types to the stages of the Cyber Kill Chain, with the indicators an analyst would expect at each stage:
| Stage | Event Type | Example Indicators | Priority |
|---|---|---|---|
| Reconnaissance | Port Scan, Service Enumeration | Nmap signatures, sequential port access | Low-Medium |
| Weaponization | Payload preparation (attacker side) | Not directly observable by defenders; a known malware hash or suspicious download is evidence of Delivery or Installation and is triaged there | High (when the payload is seen) |
| Delivery | Phishing, Drive-by | Email attachments, malicious URLs | High |
| Exploitation | Vulnerability Exploit | CVE signatures, buffer overflow patterns | Critical |
| Installation | Malware Persistence | Registry changes, scheduled tasks | Critical |
| C2 | Command & Control | Beaconing, DNS tunneling | Critical |
| Actions | Data Exfiltration, Ransomware | Large outbound transfers, mass file encryption | Critical |
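The "beaconing" indicator in the C2 row (and the "regular interval connections" example in the priority matrix) is usually checked by measuring how evenly spaced a host's connections to one destination are. The following is an added example, not code from the page or from the Eye House material; the log format (ISO timestamp, source IP, destination host), the sample lines and the thresholds are assumptions made for illustration.

```python
"""Beacon-interval check over constructed connection logs (added example).
Log format, sample data and thresholds are assumptions for illustration."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log (not real traffic). 10.0.1.15 checks in every ~300 s
# with a few seconds of jitter; 10.0.1.22 is ordinary, bursty browsing.
SAMPLE_LOG = """\
2024-03-01T09:00:00 10.0.1.15 updates.example.net
2024-03-01T09:00:00 10.0.1.22 www.example.com
2024-03-01T09:00:04 10.0.1.22 www.example.com
2024-03-01T09:00:05 10.0.1.22 www.example.com
2024-03-01T09:03:40 10.0.1.22 www.example.com
2024-03-01T09:05:01 10.0.1.15 updates.example.net
2024-03-01T09:09:59 10.0.1.15 updates.example.net
2024-03-01T09:12:10 10.0.1.22 www.example.com
2024-03-01T09:12:12 10.0.1.22 www.example.com
2024-03-01T09:15:02 10.0.1.15 updates.example.net
2024-03-01T09:20:00 10.0.1.15 updates.example.net
2024-03-01T09:24:58 10.0.1.15 updates.example.net
2024-03-01T09:30:01 10.0.1.15 updates.example.net
2024-03-01T09:35:00 10.0.1.15 updates.example.net
2024-03-01T09:45:00 10.0.1.22 www.example.com
2024-03-01T10:30:00 10.0.1.22 www.example.com
"""


def parse_log(text):
    """Group connection timestamps by (source, destination), sorted by time."""
    conns = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = line.split()
        conns[(src, dst)].append(datetime.fromisoformat(ts))
    for stamps in conns.values():
        stamps.sort()
    return conns


def interval_stats(stamps):
    """Return (connection count, mean gap in seconds, coefficient of variation).

    The coefficient of variation (stdev / mean of the gaps) is scale-free, so
    a 5-minute and a 1-hour beacon score the same if their jitter is similar.
    """
    gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
    if len(gaps) < 2:
        return len(stamps), None, None
    m = mean(gaps)
    if m <= 0:
        return len(stamps), m, None
    return len(stamps), m, pstdev(gaps) / m


def find_beacons(text, min_connections=6, max_cv=0.2):
    """Flag (src, dst) pairs with enough connections and near-constant spacing.

    A low coefficient of variation means the gaps barely vary: a sleep-with-
    jitter implant, not a person. Results are sorted most regular first.
    """
    hits = []
    for (src, dst), stamps in parse_log(text).items():
        n, m, cv = interval_stats(stamps)
        if n >= min_connections and cv is not None and cv <= max_cv:
            hits.append({"src": src, "dst": dst, "connections": n,
                         "mean_interval_s": m, "cv": cv})
    return sorted(hits, key=lambda h: h["cv"])


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(f"{hit['src']} -> {hit['dst']}: {hit['connections']} connections, "
              f"every {hit['mean_interval_s']:.0f}s, cv={hit['cv']:.3f}")
```

Regularity alone is only a Medium-confidence signal: software updaters and monitoring agents also beacon. It becomes the High-confidence, Critical-impact "C2 Beacon Detected" event from the tables below once the destination is confirmed malicious (reputation, sandbox, or a matching threat intel indicator). Implants with large jitter or long sleeps will also escape a strict CV threshold, so widen `max_cv` with care and keep the `min_connections` floor.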
Common MITRE ATT&CK techniques, grouped by the tactic an analyst most often files them under:
- Initial Access: T1566 Phishing, T1190 Exploit Public-Facing Application, T1133 External Remote Services
- Execution: T1059 Command and Scripting Interpreter, T1204 User Execution, T1053 Scheduled Task/Job
- Persistence: T1547 Boot or Logon Autostart Execution, T1136 Create Account, T1078 Valid Accounts
- Lateral Movement: T1021 Remote Services, T1570 Lateral Tool Transfer, T1080 Taint Shared Content

Some techniques sit under several tactics: T1053 Scheduled Task/Job is also a Persistence and Privilege Escalation technique, and T1078 Valid Accounts also appears under Initial Access, Privilege Escalation and Defense Evasion. Record the tactic that matches what the adversary was doing at the time of the event.
A single intrusion often spans multiple categories. Analysts must identify the primary category for triage while tracking the full attack chain.
| Event Type | Confidence | Impact | Action |
|---|---|---|---|
| Known Malware Hash | High | High | Immediate containment + IR |
| C2 Beacon Detected | High | Critical | Network isolation + forensics |
| Port Scan from External | High | Low | Log, monitor, block if persistent |
| Failed Login Burst | Medium | Medium | Verify account, check for a successful login following the burst |
| Anomalous DNS Query | Low-Medium | Unknown | Investigate, correlate with other events |
Context is King: A single port scan from a known penetration testing IP is noise. The same scan from an unknown IP during off-hours targeting sensitive systems is actionable intelligence.
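The priority matrix, the confidence/impact table and the context rule above can be turned into a small triage function that orders an alert queue. The following is an added example, not code from the page or from Eye House; the alert fields, the authorized-scanner range, the sensitive-host list, business hours and the sample alerts are assumptions constructed for illustration, and the ATT&CK IDs used for event types not listed on this page are the standard ones for those behaviours.

```python
"""Alert triage against the priority matrix and context rule (added example).
Field names, allow-lists, business hours and sample alerts are assumptions."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network

# Assumed environment context (constructed for this example).
AUTHORIZED_SCANNERS = [ip_network("203.0.113.0/24")]  # known pentest range
SENSITIVE_HOSTS = {"10.0.5.10", "10.0.5.11"}          # e.g. domain controllers
BUSINESS_HOURS = range(8, 18)                         # 08:00-17:59 local, Mon-Fri

# event_type -> (priority, kill chain stage, ATT&CK technique, default action),
# transcribed from the priority matrix above.
PRIORITY_MATRIX = {
    "data_exfiltration":     ("P1", "Actions on Objectives", "T1041 Exfiltration Over C2 Channel", "Immediate containment"),
    "ransomware":            ("P1", "Actions on Objectives", "T1486 Data Encrypted for Impact", "Isolate host + IR team"),
    "c2_beacon":             ("P2", "Command & Control", "T1071 Application Layer Protocol", "Investigate within 15 min"),
    "credential_compromise": ("P2", "Exploitation", "T1078 Valid Accounts", "Force password reset + revoke sessions"),
    "reconnaissance":        ("P3", "Reconnaissance", "T1046 Network Service Discovery", "Monitor + document"),
    "policy_violation":      ("P4", "n/a", "n/a", "Log + notify manager"),
}
PRIORITY_ORDER = {"P1": 1, "P2": 2, "P3": 3, "P4": 4, "Noise": 5}


@dataclass
class Alert:
    event_type: str
    source_ip: str
    target: str                # destination IP or host
    timestamp: datetime        # local time of the event
    confidence: str = "High"   # detection confidence: Low / Medium / High


@dataclass
class Triage:
    priority: str
    stage: str
    technique: str
    action: str
    reason: str


def is_authorized_scanner(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in AUTHORIZED_SCANNERS)


def is_off_hours(ts: datetime) -> bool:
    return ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS


def triage(alert: Alert) -> Triage:
    priority, stage, technique, action = PRIORITY_MATRIX[alert.event_type]
    reason = "priority matrix default"

    if alert.event_type == "reconnaissance":
        if is_authorized_scanner(alert.source_ip):
            # Context rule: a scan from a known pentest range is noise.
            priority, action, reason = "Noise", "Log and close", "source is an authorized scanner"
        elif is_off_hours(alert.timestamp) and alert.target in SENSITIVE_HOSTS:
            # Unknown source, off-hours, sensitive target: actionable, not just monitored.
            priority, action, reason = "P2", "Investigate within 15 min", "off-hours scan of a sensitive host from an unknown IP"

    if alert.event_type == "c2_beacon" and alert.confidence == "High":
        # Confidence/impact table: a confirmed beacon is an active breach.
        priority, action, reason = "P1", "Network isolation + forensics", "confirmed C2 (high confidence, critical impact)"

    return Triage(priority, stage, technique, action, reason)


def order_queue(alerts: list[Alert]) -> list[tuple[Alert, Triage]]:
    """Pair each alert with its triage result, most urgent first (ties by time)."""
    triaged = [(a, triage(a)) for a in alerts]
    return sorted(triaged, key=lambda pair: (PRIORITY_ORDER[pair[1].priority], pair[0].timestamp))


# Constructed sample alerts (not real data). 2024-03-02 is a Saturday.
SAMPLE_ALERTS = [
    Alert("policy_violation", "10.0.1.40", "10.0.1.40", datetime(2024, 3, 1, 10, 15)),
    Alert("reconnaissance", "203.0.113.7", "10.0.5.10", datetime(2024, 3, 1, 11, 0)),   # authorized scanner
    Alert("reconnaissance", "198.51.100.23", "10.0.5.10", datetime(2024, 3, 2, 2, 30)), # unknown IP, 02:30 Sat, DC
    Alert("c2_beacon", "10.0.1.15", "updates.example.net", datetime(2024, 3, 1, 9, 35), confidence="Medium"),
    Alert("c2_beacon", "10.0.1.16", "updates.example.net", datetime(2024, 3, 1, 9, 40), confidence="High"),
    Alert("ransomware", "10.0.1.50", "10.0.1.50", datetime(2024, 3, 1, 9, 50)),
]

if __name__ == "__main__":
    for alert, result in order_queue(SAMPLE_ALERTS):
        print(f"{result.priority:5} {alert.event_type:22} {alert.source_ip:15} "
              f"{result.stage:22} {result.technique:38} {result.action} ({result.reason})")
```

The `reason` field is what a SOAR playbook should write into the ticket: the analyst who picks the case up needs to see why the matrix default was overridden, not just the final tier. The allow-list and sensitive-host set are the pieces that go stale fastest; when a pentest engagement ends, remove its range, or every later scan from it is silently discarded.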
Severity tiers used for these categories:
- Low: policy violations, failed authentications, routine scans. Log and trend.
- Medium: suspicious patterns, anomalies, potential misconfigurations. Investigate within 24h.
- High: confirmed malicious activity, successful exploits. Investigate within 4h.
- Critical: active breach, data exfiltration, ransomware. Immediate response required.
Test your understanding of intrusion event categorization. Score 80% or higher to pass.
1. Which kill chain stage would a "beaconing" alert typically indicate?
2. A SOC analyst sees 500 failed SSH logins from one IP in 10 minutes. What is the most likely event type?
3. Which MITRE ATT&CK tactic includes creating scheduled tasks for persistence?
4. What is the appropriate response to a confirmed C2 beacon detection?
5. Why is categorization important for SOAR playbooks?