SOC Workbooks & Lookups: The Secret Weapon Every SOC Analyst Needs to Master Alert Triage + Video

Listen to this Post

🐢▶️ Listen🚀

Introduction:

In the high-stakes world of Security Operations Centers (SOCs), alert triage is rarely about looking at a single log and declaring it malicious or benign. Real-world investigations demand context—who is the user, what is this server supposed to do, and is this network communication expected? The TryHackMe “SOC Workbooks and Lookups” room, praised by industry professionals like Adam Ekengren (SEC+, Top 6% on TryHackMe), provides a hands-on framework for mastering these foundational yet critical skills. This article breaks down the core components of SOC enrichment—identity inventories, asset lookups, network diagrams, and structured workbooks—while providing actionable commands and workflows to elevate any analyst’s triage capabilities.

Learning Objectives:

• Familiarize yourself with SOC investigation workbooks and their role in standardizing alert response.
• Learn where to find and how to use asset and identity inventories for contextual enrichment during investigations.
• Understand the importance of corporate network diagrams in mapping attack paths and identifying anomalous behavior.
• Practice workflow building inside an interactive interface to create consistent, repeatable investigation processes.

1. Identity Inventory: Know Your Users Before You Judge Their Actions

The foundation of effective alert triage is understanding the human element. Identity inventory is a catalogue of corporate employees, service accounts, and their associated details—roles, departments, locations, access permissions, and privilege levels. When an alert triggers for a user accessing a sensitive server, the first question isn’t “Is this malicious?” but rather “Is this expected for this user?”

Step‑by‑Step Guide to Leveraging Identity Inventory:

1. Identify the User in the Alert: Extract the username or account identifier from your SIEM or EDR alert.
2. Query the Identity Source: Access your organization’s identity management system. Common sources include Active Directory, Microsoft Entra ID, Okta, Google Workspace, or even internal CSV/Excel tracking sheets.
3. Enrich with Context: Retrieve the user’s full name, role, department, and typical working hours.
4. Assess Legitimacy: Compare the user’s role against the action performed. For example, if G.Baker is the CFO and accesses financial records, the activity is likely legitimate. If a junior intern performs the same action, it warrants immediate escalation.

Practical Commands for Identity Lookups:

• Active Directory (Windows PowerShell):

  Get user details from Active Directory
  Get-ADUser -Identity "G.Baker" -Properties Department, , Manager, LastLogonDate
  

• LDAP Query (Linux):

  Query LDAP for user information
  ldapsearch -x -H ldap://dc.corporate.local -b "dc=corporate,dc=local" "(cn=G.Baker)" cn title department
  

• Okta API (REST):

  Fetch user profile via Okta API
  curl -X GET "https://your-org.okta.com/api/v1/users/g.baker" -H "Authorization: SSWS YOUR_API_TOKEN"
  

2. Asset Inventory: Know Your Infrastructure

Asset inventory, or asset lookup, is the counterpart to identity inventory. It provides critical metadata about servers, workstations, and network devices—hostnames, IP addresses, operating systems, business owners, and purpose. Without this context, an analyst is guessing. Knowing that `HQ-FINFS-02` is the Financial Records File Server transforms a suspicious file access into a routine business operation.

Step‑by‑Step Guide to Asset Enrichment:

1. Extract the Asset Identifier: Note the hostname, IP address, or asset tag from the alert.
2. Consult the Asset Database: Query your CMDB (Configuration Management Database), EDR platform, SIEM enrichment tables, or MDM solutions.
3. Determine Business Purpose: Identify what the asset is supposed to do. Is it a domain controller, a database server, a developer workstation, or a public-facing web server?
4. Assess Risk: Based on the asset’s purpose and the action performed, determine if the activity aligns with normal operations.

Practical Commands for Asset Discovery:

• Nmap (Linux) – Network Inventory:

  Scan a subnet for live hosts and open ports
  nmap -sn 192.168.1.0/24
  Detailed OS and service detection
  nmap -O -sV 192.168.1.100
  

• PowerShell (Windows) – Local Asset Info:

  Get system information
  Get-ComputerInfo | Select-Object CsName, WindowsVersion, WindowsInstallationType
  List installed software
  Get-WmiObject -Class Win32_Product | Select-Object Name, Version
  

• EDR API Query (Example – CrowdStrike):

  Query asset details via Falcon API
  curl -X GET "https://api.crowdstrike.com/devices/entities/devices/v1?ids=123456" -H "Authorization: Bearer YOUR_API_TOKEN"
  

3. Network Diagrams: Visualizing the Attack Path

Network diagrams transform disconnected IP addresses and firewall logs into a coherent story. They map subnets, DMZs, firewall rules, VPN gateways, and critical infrastructure, allowing analysts to trace an attacker’s movement. For instance, an external IP hitting TCP/10443, being NATed to an internal IP, and then scanning internal subnets becomes a clear pattern of reconnaissance and potential breach when viewed against a network diagram.

Step‑by‑Step Guide to Using Network Diagrams:

1. Obtain the Corporate Network Diagram: This should be a living document maintained by the network or infrastructure team.
2. Map the Alert to the Diagram: Plot the source IP, destination IP, and ports involved in the alert.
3. Identify Anomalies: Look for communication that crosses security boundaries (e.g., from a user VLAN to a server VLAN) or involves unexpected ports.
4. Trace Possible Paths: If an attacker compromised one host, where could they go next? Use the diagram to identify high-value targets and lateral movement paths.

Practical Commands for Network Analysis:

• Traceroute (Linux/Windows):

  Linux
  traceroute 10.10.0.53
  Windows
  tracert 10.10.0.53
  

• Netstat (Windows/Linux) – Active Connections:

  Linux
  netstat -tulpn
  Windows
  netstat -ano
  

• Wireshark/TShark – Packet Analysis:

  Capture traffic on interface eth0 for port 10443
  tshark -i eth0 -f "tcp port 10443" -c 100
  

• Firewall Log Analysis (Example – iptables):

  View iptables logs
  sudo tail -f /var/log/kern.log | grep "iptables"
  

1. SOC Workbooks (Playbooks): The Blueprint for Consistent Investigations

A SOC workbook, also known as a playbook, runbook, or workflow, is a structured document that defines the steps required to investigate and remediate specific threats efficiently and consistently. Workbooks act as a roadmap, reducing confusion and providing actionable steps for each type of alert. They are the bridge between raw alerts and decisive action, and they are foundational for scaling into SOAR (Security Orchestration, Automation, and Response) environments.

Step‑by‑Step Guide to Building a SOC Workbook:

1. Identify a Common Alert Type: Start with a frequent or high-impact alert, such as “Suspicious PowerShell Execution” or “Malicious Email Attachment Detected.”
2. Define Triage Steps: Outline the initial steps an L1 analyst should take. This includes checking identity and asset inventories, reviewing network context, and gathering additional logs.
3. Create Decision Points: Include conditional logic. For example, “If the user is in the IT department, proceed to Step 4; otherwise, escalate to L2.”
4. Document Escalation Criteria: Clearly define when and to whom the alert should be escalated.
5. Test and Refine: Regularly update the workbook based on real-world investigations and feedback.

Example: PowerShell Analysis Workbook Snippet

| Step | Action | Command/Tool | Expected Outcome |

||–|–||

| 1 | Identify the user executing the script | `Get-ADUser -Identity $User` | User role and department |
| 2 | Check the script content | `Get-Content -Path $ScriptPath` | Identify suspicious cmdlets |
| 3 | Verify network connections | `netstat -ano | findstr $PID` | Unexpected outbound connections |
| 4 | Check VirusTotal hash | `curl -X GET “https://www.virustotal.com/api/v3/files/$HASH”` | Malware detection ratio |
| 5 | Escalate if: | Hash > 5 detections OR unknown user | Notify L2/SOC Manager |

Practical Commands for Workbook Automation:

• PowerShell Script to Automate Triage:

  Basic triage automation script
  param($AlertUser, $AlertHost, $AlertHash)
  
  Enrich with AD
  $UserInfo = Get-ADUser -Identity $AlertUser -Properties , Department
  
  Enrich with Asset DB (simulated)
  $AssetInfo = Invoke-RestMethod -Uri "http://asset-db/api/host/$AlertHost"
  
  Check hash against VT (requires API key)
  $VTResult = Invoke-RestMethod -Uri "https://www.virustotal.com/api/v3/files/$AlertHash" -Headers @{"x-apikey"="YOUR_API_KEY"}
  
  Generate report
  $Report = [bash]@{
  User = $UserInfo.SamAccountName
  Role = $UserInfo.
  Host = $AssetInfo.hostname
  HostPurpose = $AssetInfo.purpose
  VTDetections = $VTResult.data.attributes.last_analysis_stats.malicious
  Verdict = if ($VTResult.data.attributes.last_analysis_stats.malicious -gt 5) {"Escalate"} else {"Monitor"}
  }
  $Report | Export-Csv -Path "triage_report.csv" -1oTypeInformation
  

5. Alert Enrichment and Lookup Integration

The true power of SOC workbooks and lookups lies in their integration. An alert is just a notification; enriched data turns it into an intelligence product. Modern SOCs integrate identity and asset inventories directly into their SIEM dashboards, allowing analysts to click a username and instantly see their role, or click an IP and see the hostname and purpose.

Step‑by‑Step Guide to Integration:

1. Identify Data Sources: List all identity, asset, and network data sources.
2. Build Lookup Tables: Ingest these sources into your SIEM as lookup tables or reference sets.
3. Create Enrichment Rules: Configure your SIEM to automatically append context to alerts. For example, when an alert includes a username, automatically add the user’s department and manager.
4. Develop Dashboards: Create analyst dashboards that display enriched alert data, reducing the need to switch between multiple tools.

SIEM Query Examples:

• Splunk – Enrichment with Lookup:

  index=security sourcetype=windows_security EventCode=4624
  | lookup user_roles.csv User as TargetUserName OUTPUT Role Department
  | table _time, TargetUserName, Role, Department, Workstation_Name
  

• Elasticsearch – Enrichment Pipeline:

  {
  "processors": [
  {
  "enrich": {
  "policy_name": "user-role-policy",
  "field": "user.name",
  "target_field": "user.role"
  }
  }
  ]
  }
  

• QRadar – AQL Query with Reference Data:

  SELECT username, 
  referenceData('user_roles', username) AS role,
  sourceIP
  FROM events
  WHERE username IS NOT NULL
  

6. Cloud and Hybrid Environment Considerations

Modern SOCs rarely operate in purely on-premises environments. Cloud providers like AWS, Azure, and GCP introduce new asset types (instances, containers, serverless functions) and identity sources (IAM roles, service principals). Enrichment must extend to these domains.

Practical Cloud Commands:

• AWS CLI – Describe EC2 Instance:

  aws ec2 describe-instances --instance-ids i-1234567890abcdef0
  

• Azure CLI – Get VM Details:

  az vm show --resource-group MyResourceGroup --1ame MyVM
  

• GCP – Get Instance Info:

  gcloud compute instances describe my-instance --zone=us-central1-a
  

• Kubernetes – Pod and Service Info:

  kubectl describe pod my-pod
  kubectl get services --all-1amespaces
  

7. SOAR and Automation: The Next Step

Once workbooks are documented and enrichment sources are integrated, the natural progression is automation. SOAR platforms allow you to codify workbooks into playbooks that execute automatically, reducing Mean Time to Response (MTTR) and allowing L1 analysts to focus on complex threats.

Step‑by‑Step Guide to SOAR Playbook Creation:

1. Select a Platform: Choose a SOAR tool (e.g., Palo Alto Cortex XSOAR, Splunk SOAR, IBM Resilient).
2. Define Triggers: Determine which alerts will trigger the playbook.
3. Add Enrichment Steps: Automate the lookup of identity and asset data via API calls.
4. Implement Decision Logic: Use conditional blocks to branch based on enrichment results.
5. Add Response Actions: Include automated responses like isolating a host, blocking an IP, or creating a ticket.
6. Test in a Sandbox: Validate the playbook with historical alerts before deploying to production.

What Undercode Say:

• Context is King: Raw alerts are noise without context. Identity and asset inventories are not optional—they are the bedrock of effective SOC operations.
• Workbooks Drive Consistency: Standardized workbooks ensure that every analyst, regardless of experience, follows the same rigorous investigation steps, reducing errors and improving escalation quality.
• Visualization Accelerates Understanding: Network diagrams turn abstract IP addresses into actionable intelligence, revealing attack paths that would otherwise remain hidden.
• Automation is the Force Multiplier: Integrating lookups and automating workbook steps through SOAR transforms a reactive SOC into a proactive, efficient machine.

Analysis: The “SOC Workbooks and Lookups” room on TryHackMe brilliantly addresses a critical gap in many SOCs—the lack of structured, context-rich triage processes. By emphasizing the practical use of identity, asset, and network data, it moves analysts beyond the “alert fatigue” mindset and empowers them to make informed, confident decisions. The room’s interactive approach ensures that these concepts are not just theoretical but are practiced in realistic scenarios, preparing analysts for the complexities of live environments. As Adam Ekengren notes, even with two years of experience, revisiting these basics is never a bad idea—they are the fundamentals that scale with your career.

Prediction:

+1 The continued emphasis on SOC workbooks and lookups will drive a new wave of standardized, high-quality training across the industry, elevating the baseline competency of L1 analysts globally.

+1 As SOAR platforms become more accessible, we will see a proliferation of community-shared playbooks, accelerating the automation of routine triage tasks and allowing human analysts to focus on advanced threat hunting.

+1 The integration of AI and machine learning into enrichment processes will enable real-time, predictive context generation, where systems proactively suggest the most relevant lookups based on the alert type, further reducing investigation time.

-1 Organizations that fail to invest in maintaining accurate and up-to-date identity and asset inventories will find their SOCs increasingly ineffective, drowning in false positives and unable to distinguish real threats from noise.

-1 The reliance on manual lookups without automation will create significant bottlenecks as alert volumes grow, leading to analyst burnout and missed critical alerts—a risk that will widen the gap between mature and immature SOCs.

▶️ Related Video (78% Match):

🎯Let’s Practice For Free:

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

IT/Security Reporter URL:

Reported By: Adam Ekengren – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky