Lab 5.1: What's Going On?

CLASS ACTIVITY

A collaborative class activity exploring incident identification and initial analysis. Work with your team to identify potential security incidents from limited information.

Activity Overview

In this class activity, you will be presented with scenarios a SOC analyst might encounter, each described with the limited information a first responder typically has. For each scenario your team must decide: Is this a security incident or a support issue? What additional information do you need, and from whom? What are the next steps?

  • Format: Group discussion / tabletop exercise
  • Duration: 30-45 minutes
  • Team Size: 3-5 members per team
  • Instructor: Facilitates discussion and provides scenario details

Sample Scenario

A user reports their computer is "running slow" and they noticed some files on their desktop that they don't remember creating. The help desk ticket shows the user works in the Finance department. What questions would you ask? What logs would you check? Is this an incident?

Discussion Questions

  1. What indicators would classify this as a security incident vs. a support issue?
  2. What additional context do you need from the user?
  3. Which logs and systems would you check first?
  4. At what point would you escalate this ticket as a security incident, and to whom?
  5. How would you document your findings?
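The "what logs would you check" part of the sample scenario, worked as an added example that is not part of the lab itself: a small Python triage over constructed Sysmon-style process and file events from the Finance user's workstation. The event fields, the indicator list, the base64 placeholder in the command line and the escalation threshold are all assumptions chosen for illustration; adapt them to your own telemetry and playbook.

```python
"""Triage of endpoint events for the 'slow computer, unfamiliar desktop files' ticket.

Added illustration for the lab. The events below are constructed, simplified
Sysmon-style records; the indicators and the threshold are assumptions.
"""
import re

# Process relationships and paths that are normal for a Finance user.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe"}
EXPECTED_DESKTOP_WRITERS = {"explorer.exe"} | OFFICE_APPS
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".scr", ".ps1", ".vbs", ".js")
# Hidden window or encoded command switches on a script host.
HIDDEN_OR_ENCODED = re.compile(
    r"(?i)(-w(indowstyle)?\s+hidden|-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,})")

# Constructed events: the ticket's host. The base64 blob is a placeholder.
INCIDENT_EVENTS = [
    {"type": "process", "ts": "2024-03-04T09:02:11", "user": "FIN\\jdoe",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "EXCEL.EXE Q1_forecast.xlsx"},
    {"type": "process", "ts": "2024-03-04T09:03:40", "user": "FIN\\jdoe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "cmdline": "powershell.exe -nop -w hidden -enc QQBBAEEAQQBBAEEAQQBBAEEAQQBBAEEA"},
    {"type": "file", "ts": "2024-03-04T09:03:52", "user": "FIN\\jdoe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "path": r"C:\Users\jdoe\Desktop\update.exe"},
]

# Constructed events: a host where the same symptoms are just a support issue.
SUPPORT_EVENTS = [
    {"type": "process", "ts": "2024-03-04T10:15:02", "user": "FIN\\asmith",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "EXCEL.EXE budget.xlsx"},
    {"type": "file", "ts": "2024-03-04T10:16:30", "user": "FIN\\asmith",
     "image": r"C:\Windows\explorer.exe",
     "path": r"C:\Users\asmith\Desktop\budget - Copy.xlsx"},
]


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def desktop_of(user):
    """Desktop folder for DOMAIN\\account (assumed default profile layout)."""
    account = user.split("\\")[-1].lower()
    return f"c:\\users\\{account}\\desktop\\"


def check_event(ev):
    """Return (indicator, detail) pairs for a single event."""
    hits = []
    image = basename(ev.get("image", ""))
    if ev["type"] == "process":
        parent = basename(ev.get("parent", ""))
        cmdline = ev.get("cmdline", "")
        if image in SCRIPT_HOSTS and parent in OFFICE_APPS:
            hits.append(("office_spawns_script_host", f"{parent} -> {image}"))
        if image in SCRIPT_HOSTS and HIDDEN_OR_ENCODED.search(cmdline):
            hits.append(("hidden_or_encoded_script", cmdline[:60]))
    elif ev["type"] == "file":
        path = ev["path"].lower()
        on_desktop = path.startswith(desktop_of(ev["user"]))
        if on_desktop and image not in EXPECTED_DESKTOP_WRITERS:
            hits.append(("unexpected_desktop_write", f"{image} wrote {ev['path']}"))
        if on_desktop and path.endswith(EXECUTABLE_SUFFIXES):
            hits.append(("executable_dropped_on_desktop", ev["path"]))
    return hits


def triage(events):
    """Classify one host's events as 'escalate', 'investigate' or 'support'.

    Findings are returned alongside the verdict so they can go straight into
    the ticket or incident record.
    """
    findings = [{"ts": ev["ts"], "indicator": ind, "detail": det}
                for ev in events for ind, det in check_event(ev)]
    kinds = {f["indicator"] for f in findings}
    # Assumed threshold: two distinct indicator types on one host escalate;
    # a single type is worth a closer look but not yet an incident.
    if len(kinds) >= 2:
        verdict = "escalate"
    elif kinds:
        verdict = "investigate"
    else:
        verdict = "support"
    return verdict, findings


if __name__ == "__main__":
    for label, events in (("ticket host", INCIDENT_EVENTS), ("comparison host", SUPPORT_EVENTS)):
        verdict, findings = triage(events)
        print(f"{label}: {verdict}")
        for f in findings:
            print(f"  {f['ts']} {f['indicator']}: {f['detail']}")
```

The point for the discussion is in the output: the user's symptoms are identical on both hosts, and only the process lineage (Office spawning a script host) and the file-creation provenance (which process wrote the desktop files) separate the incident from the support ticket. Those are the log sources to ask for first.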