Listen to this Post
Adrian Iovita, a Senior Security Engineer at American Greetings, recently passed the Security Analyst Level 1 (SAL1) exam from TryHackMe. Here are his key insights:
- The exam combines question-based and hands-on tasks, making it suitable for entry-level candidates.
- Focuses on alert triage and incident documentation (False Positive vs. True Positive).
- Lacks deeper log investigation, which is crucial for real-world security analysts.
You Should Know:
1. Basic Security Analyst Commands (Linux & Windows)
- Linux Log Analysis:
grep "Failed password" /var/log/auth.log # Check failed SSH attempts journalctl -u sshd --no-pager | grep "error" # Systemd-based SSH logs
- Windows Event Logs:
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4625} # Failed logins Get-WinEvent -LogName "Microsoft-Windows-Sysmon/Operational" | Where-Object {$_.ID -eq 1} # Process creation
2. Triage & Incident Documentation
- False Positive Verification:
sudo tcpdump -i eth0 port 80 -w suspicious_traffic.pcap # Capture traffic for analysis
- True Positive Escalation:
sudo netstat -tulnp | grep "suspicious_port" # Check open ports
3. Log Investigation Techniques
- Zeek (Bro) for Network Analysis:
zeek -r suspicious.pcap # Analyze PCAP files cat conn.log | awk '$6=="TCP" && $7>1000 {print}' # Filter large TCP transfers - SIEM Query (Example: Splunk):
index=security (failed OR denied) | stats count by src_ip # Count failed attempts by IP
4. TryHackMe-Style Practice
- Scanning with Nmap:
nmap -sV -A -T4 target_ip # Aggressive scan
- Metasploit for Exploitation:
msfconsole use exploit/multi/handler set payload windows/x64/meterpreter/reverse_tcp exploit
What Undercode Say:
The SAL1 exam is a good starting point, but real-world security analysis requires deeper log inspection, threat hunting, and automation. Practicing with tools like Zeek, Splunk, and ELK Stack will enhance skills beyond basic triage.
Expected Output:
- Security logs analyzed
- False Positives documented
- Incident reports generated
- Commands executed for verification
For further learning, visit:
References:
Reported By: Adrian Iovita – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅



