Security Analyst Level 1 (SAL1) Exam Takeaways from TryHackMe

Listen to this Post

Adrian Iovita, a Senior Security Engineer at American Greetings, recently passed the Security Analyst Level 1 (SAL1) exam from TryHackMe. Here are his key insights:

  • The exam combines question-based and hands-on tasks, making it suitable for entry-level candidates.
  • Focuses on alert triage and incident documentation (False Positive vs. True Positive).
  • Lacks deeper log investigation, which is crucial for real-world security analysts.

You Should Know:

1. Basic Security Analyst Commands (Linux & Windows)

  • Linux Log Analysis:
    grep "Failed password" /var/log/auth.log # Check failed SSH attempts 
    journalctl -u sshd --no-pager | grep "error" # Systemd-based SSH logs 
    
  • Windows Event Logs:
    Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4625} # Failed logins 
    Get-WinEvent -LogName "Microsoft-Windows-Sysmon/Operational" | Where-Object {$_.ID -eq 1} # Process creation 
    

2. Triage & Incident Documentation

  • False Positive Verification:
    sudo tcpdump -i eth0 port 80 -w suspicious_traffic.pcap # Capture traffic for analysis 
    
  • True Positive Escalation:
    sudo netstat -tulnp | grep "suspicious_port" # Check open ports 
    

3. Log Investigation Techniques

  • Zeek (Bro) for Network Analysis:
    zeek -r suspicious.pcap # Analyze PCAP files 
    cat conn.log | awk '$6=="TCP" && $7>1000 {print}' # Filter large TCP transfers 
    
  • SIEM Query (Example: Splunk):
    index=security (failed OR denied) | stats count by src_ip # Count failed attempts by IP 
    

4. TryHackMe-Style Practice

  • Scanning with Nmap:
    nmap -sV -A -T4 target_ip # Aggressive scan 
    
  • Metasploit for Exploitation:
    msfconsole 
    use exploit/multi/handler 
    set payload windows/x64/meterpreter/reverse_tcp 
    exploit 
    

What Undercode Say:

The SAL1 exam is a good starting point, but real-world security analysis requires deeper log inspection, threat hunting, and automation. Practicing with tools like Zeek, Splunk, and ELK Stack will enhance skills beyond basic triage.

Expected Output:

  • Security logs analyzed
  • False Positives documented
  • Incident reports generated
  • Commands executed for verification

For further learning, visit:

References:

Reported By: Adrian Iovita – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

Join Our Cyber World:

💬 Whatsapp | 💬 TelegramFeatured Image